In this talk we summarize the main (hard) lessons learned while defending Gmail users against a plethora of threats that include network attacks, spam, phishing, malware, and web based attacks. After summarizing Gmail defenses overall architecture, we delve into the detail of our spam and phishing detection systems and how we leverage email authentication technologies. Next we discuss the challenge of building malware scanners at scale and how to deal with malicious documents not detected by traditional AV. We then discuss how we secure the network communication and what are the limitations of current STARTTLS implementation. Finally we showcase the techniques and tools that we found effective to harden our web front end against web attacks and malicious content. We illustrate each of those components with key statistics and examples of attacks that we had to curb.