If you're looking for instructions and guidelines related to legal, security, and compliance concerns, go to Google Workspace legal and compliance.
As an administrator, you can set up rules to handle messages that contain content that matches one or more expressions. This advanced email filtering is called content compliance.
For example, you can:
- Reject outgoing messages that might contain sensitive company information. For example, set up an outbound filter that detects the word confidential in outgoing messages.
- Set up a metadata match on a range of IP addresses, and quarantine messages from IP addresses outside of the range.
- Route messages with content that matches specific text strings or patterns to your legal department.
Dynamic email: If you use content compliance rules and dynamic email for your organization, learn how compliance rules are applied to dynamic messages.
DLP for Gmail: You can create data loss prevention (DLP) rules to control sensitive content shared in Gmail by your users. Use rules to flag sensitive information and keep it from leaving your organization. For details, go to Prevent data leaks in email & attachments.
Compliance rules
Content compliance rules are based on predefined sets of words, phrases, text patterns, or numerical patterns. You can set up a simple match, advanced matches, and metadata matches. You might also be able to set up a predefined content match.
Content compliance supports scanning text attachments and common attachment types, such as .docx, .xlsx, and .pdf, as well as non-ASCII characters. Both simple content and advanced content matches that apply to message body text will also apply to text extracted from attachments. Any rule that applies to the message body text also applies to the extracted text.
Gmail attempts to convert binary attachments, such as Microsoft Word documents, to text. Any rule that applies to the message body text also applies to the converted text. Learn more about setting up rules for attachment compliance.
Compliance actions
When a message matches a content compliance rule, you can specify one of these actions:
- Reject the message
- Quarantine the message
- Deliver the message with modifications
How rules are applied
Unless you change the options, the rules apply to all users in an organizational unit. You can disable in a child organization any rules they inherit from a parent organization. You can also add multiple rules to each organization.
When you set up multiple rules, what happens to a message depends on the conditions you set and which rule has precedence. For details, read How multiple settings affect message behavior.
Enhance message security with hosted S/MIME
Set up a content compliance rule
Step 1: Go to Gmail Compliance settings in the Google Admin console
-
Sign in with an administrator account to the Google Admin console.
If you aren’t using an administrator account, you can’t access the Admin console.
-
Go to Menu
Apps > Google Workspace > Gmail > Compliance.
Requires having the Gmail Settings administrator privilege.
-
(Optional) On the left, select the organization.
-
Scroll to the Content compliance setting in the Compliance section, hover over the setting, and click Configure. If the setting is already configured, hover over the setting and click Edit or Add another.
-
For each new setting, enter a unique description.
-
Go to the next step to configure the setting.
Step 2: Enter email messages to affect
You can set up the rule for inbound, outbound, or internal messages. Internal messages are sent and received within the domains and subdomains associated with your organization.
A domain is internal if it is a verified workspace domain, or a subdomain or parent domain of a verified workspace domain.
-
Check the boxes next to the messages you want the rule to apply to.
-
Go to the next step to continue.
Step 3: Add one or more expressions to specify what's searched
You can add up to 10 expressions. You must add and save each expression separately.
Rules must include at least one expression. Rules without at least one expression have no effect.
Note: You can add, edit, or delete expressions in the Add Setting box. If you don't see Edit or Delete next to an expression, use the scroll bar at the bottom of the table to scroll to the right.
-
From the list, specify whether any or all conditions must match to trigger what happens to the message. For example, if you select If ANY of the following match the message, any matching condition can trigger the consequence to the message.
-
Click Add.
-
From the list, choose the type of match you want to use for the expression:
-
Simple content match—Enter the content to match. Simple content matching works like the search function in Gmail. For example, if you search for “a word,” any string with “a” and “word” is returned, such as “a new and different word.”
-
Advanced content match—Select the Location of the text within the message and the Match type, and enter the content to search. Unlike simple content match, the string must be an exact match. See the tables below for a description of each location within the message and the match types.
-
Metadata match—Select the attribute to match and the Match type. If needed, enter the Match value. See the following table for a description of metadata attributes and match types.
- Predefined content match—Select one of the predefined content detectors, such as Credit Card Number or Social Security Number (for U.S.). Optionally, you can set the number of times the detector must appear in a message to trigger the action you define. You can also trigger the action if the detector in the message meets a confidence threshold.
This feature isn't available with all editions. For details, go to Scan your email traffic using data loss prevention.
-
-
Click Save. You might need to scroll to see the new expression.
-
Go to the next step to continue.
Advanced content match location
| Location | Description |
|---|---|
|
Headers and body |
The full headers plus the body. Includes attachments (MIME parts decoded). |
|
Full headers |
All header fields. Doesn't include the message body or attachments. |
|
Body |
The main text portion of the email message. Includes attachments (MIME parts decoded). |
|
Subject |
The subject of the message as present in the email header. |
|
Sender header |
The sender's email address as reported in the From: header. It can be different than the sender reported in the Envelope sender. The sender header consists of the email address, located within the angle brackets, and does not include the account name. For example, consider: From: Jane Doe <jdoe@example.com> The sender header is jdoe@example.com. Note: For content filtering, Gmail removes dots and plus signs (+) from usernames during message delivery. For example, jane.doe@gmail.com is converted to janedoe@gmail.com. Therefore, if you intend to match messages containing either jane.doe@gmail.com, or janedoe@gmail.com in the From: header, exclude the dot from your content match pattern. For more information on guidelines for email addresses, go to: |
|
Recipients header |
The recipient or recipients as reported in the email headers, To:, Cc:, and Bcc:. This can be different from the recipients reported in Any envelope recipient. This compares only one recipient at a time. If there are 2 or more recipients, the advanced content rule does not match against all of the recipients in one string. To set up a rule for messages sent to multiple users, use Full headers. Full headers do not include the email addresses of Bcc: recipients. So, rules based on the number of recipients in the full header might not be applied for all recipients when some recipients are Bcc:. The recipient header consists of the email address, located within the angle brackets, and does not include the account name. For example, consider: To: Jane Doe <jdoe@example.com> The recipient headers are jdoe@example.com, johndoe@example.com, and jsmith@example.com. Note: For content filtering, Gmail removes dots and plus signs (+) from usernames during message delivery. For example, jane.doe@gmail.com is converted to janedoe@gmail.com. Therefore, if you intend to match messages containing either jane.doe@gmail.com, or janedoe@gmail.com in the From: header, exclude the dot from your content match pattern. For more information on guidelines for email addresses, go to: |
|
Envelope sender |
The original sender that was reported during the SMTP communication request. It can be different from the sender reported in the Sender header. It often, but not always, matches the address found in the Return-path: header. |
|
Any envelope recipient |
The recipient or recipients that were reported during the SMTP communication request. These can be different from the recipients reported in the Recipient header. This can include individuals added as part of a group expansion. This compares only one recipient at a time. If there are 2 or more recipients, the advanced content rule does not match against all of the recipients in one string. |
|
Raw message |
The full headers plus the body, including all attachments and other MIME parts of the message. MIME parts are not decoded. This is equivalent to RFC-2822 message bytes. |
Advanced content match type
| Match type | Description |
|---|---|
|
Starts with |
Searches the selected location for content that starts with the specified character or string. |
| Ends with |
Searches the selected location for content that ends with the specified character or string. |
|
Contains text |
Searches the selected location for content that contains the specified string. |
|
Not contains text |
Searches the selected location for content that does not contain the specified string. |
|
Equals |
Searches the selected location for content that exactly matches the specified string. |
|
Is empty |
Searches the selected location for content that is empty. |
|
Matches regex |
Searches the selected location for content that matches the specified regular expression. See About regex matching, later on this page. |
|
Not matches regex |
Searches the selected location for content that does not match the specified regular expression. See About regex matching, later on this page. |
|
Matches any word |
Searches the selected location for content that matches any word in the specified list of words. |
|
Matches all words |
Searches the selected location for content that matches all words in the specified list of words. |
About regex matching
You use the Matches regex and Not matches regex advanced content match types to set up content compliance rules that use regular expressions.
What is regex?
A regular expression, also called a regex, is a method for matching text with patterns. For example, a regex can describe a pattern of email addresses, URLs, telephone numbers, employee identification numbers, social security numbers, or credit card numbers.
To learn more about regular expressions, see:
- Guidelines for Using Regular Expressions
- RE2 Syntax for Regular Expressions
- Examples of Regular Expressions
Note: Each regex expression in a content compliance rule is limited to 10,000 characters.
Why is the match location important?
It’s important to select the appropriate match location for your use case when formulating your regex. The match location (see the preceding table) specifies which component of the message to scan for matches.
For certain match locations, the content to match is split into pieces before being scanned by the regex. For example:
- Recipient header: The To:, Cc:, and Bcc: fields of a message header are split into individual email addresses that are compared one at a time against the regex pattern. If you want to detect messages sent to 5 or more users, the Recipient header match location doesn't work.
- Full header: Scanning across multiple message header fields isn’t supported; instead, each header field is compared one at a time against the regex. For example, the To: field is examined as one string and the Cc: field is examined as another string. This means you can't create a single regex expression intended to span the To: and Cc: fields at the same time.
Note: If a single field, such as "Authentication Results," spans multiple lines, the regex can scan across those lines, but the spacing at the beginning of each line is stored as part of that field. You must therefore account for spaces with a wildcard or explicitly in the expression.
What's the minimum match count option?
When you set up a content compliance rule to match a regex, you enter the regex and two optional fields: a description of the regex and a minimum match count.
The minimum match count option specifies the number of times the regex must appear in the match location to trigger the rule’s action. For example, if you enter 2, the regex pattern must appear at least 2 times in the match location to trigger any action on the message.
Metadata attributes and match types
The attribute and available match type combinations include the following:
| Attribute | Match type | Description |
|---|---|---|
|
Message authentication |
|
Select this option to include messages that are or aren't authenticated in your compliance expression. Conforms to the DMARC standard. Message is authenticated if 1) SPF passes and the envelope sender domain aligns with the header from domain, or 2) if the DKIM check passes for the header from domain. Otherwise, the message is considered unauthenticated. |
|
Source IP |
|
Select this option to include messages that do or don't fall within the specified IP range in your compliance expression. Enter the range in the field. Source IP represents the IP address of the sending mail server and is normally used for SPF authentication. For more information, see How Gmail determines the source IP.
|
|
Secure transport (TLS) |
|
Select this option to include received messages that are or aren't TLS encrypted in your compliance expression. |
|
S/MIME encryption |
|
Select this option to include messages that are or aren’t S/MIME encrypted. This option is available only in editions that support S/MIME. |
|
S/MIME signature |
|
Select this option to include messages that are or aren’t S/MIME signed. This option is available only in editions that support S/MIME.
|
|
Message size |
|
Select this option to include messages greater or less than the specified size in your compliance expression. Enter the message size in MB in the field. Note: This is the raw size of the entire message, which may be up to 33% larger than the native size of the message and attachments due to normal encoding overhead. |
| Gmail confidential mode |
|
Select this option to include messages that are or aren't Gmail confidential mode messages. |
| Spam |
|
Select this option to include messages that have been identified by Security Sandbox as having a malware attachment. This option is available only with editions that support Security Sandbox. |
Step 4: Specify what happens if expressions match
-
Specify whether to modify, reject, or quarantine a message when conditions are met. (Details later on this page.)
-
Configure the options for the action you choose.
-
(Optional) Click Show options to configure additional options to limit the application of this setting. See Configure additional parameters later on this page for details.
-
Go to Save the configuration.
Reject message
Rejects the message before reaching the recipient. You can enter a message to notify the sender about why the message was rejected. For matching messages, no other routing or compliance rules are applied.
Note: Gmail automatically adds an SMTP rejection code, such as 550 5.7.1. This is a requirement of the SMTP standard and can't be deleted.
Quarantine message
Sends the message to an admin quarantine where you can review the message before you send or reject it. This option is only available for the Users account type. For details, see Account types to affect.
To notify your users when their sent messages are quarantined, check the Notify sender when mail is quarantined (onward delivery only) box.
Modify message
Controls
Add X-Gm-Original-To header
Add a header tag if the recipient is changed, so the receiving server knows the original envelope recipient. An example of the header tag format is X-Gm-Original-To: user@solarmora.com.
Add X-Gm-Spam and X-GM-Phishy headers
Add headers that indicate message spam and phishing status. Administrators for receiving servers use this information to set up special rules for managing spam and phishing messages. For details, go to Add spam headers setting to all default routing rules.
Add custom headers
Add custom headers to messages affected by this setting. For example, you can add a header that matches the description you entered for the setting. Custom headers can help you troubleshoot routing settings and message delivery.
Prepend custom subject
Add custom text to the beginning of the subject line for specified messages. For example, enter Confidential for sensitive messages. If a message with the subject Monthly report is affected by this setting, the subject line is updated to: [Confidential] Monthly report.
Change route and Also reroute spam
-
Change the route—Change the message destination from the default Gmail server to a different mail server. Before you can change the route, you must add the server by following the steps in Add mail servers for Gmail email routing.
-
Also reroute spam—This option is available when you select Change the route. Blatant spam is dropped at delivery time. The Also reroute spam option routes any additional email you mark as spam. Leave the box unchecked to route normal messages, but not spam. Admin console email settings (for example, a list of preauthorized senders) overrides spam settings.
- Suppress bounces from this recipient—Prevent bounced messages from being rerouted to the configured mail route. For example, you might want to prevent bounced messages from being rerouted to an automated system. Leave this box unchecked if you want the receiving mail system to get bounced messages, for example so senders know when their message isn't delivered.
Change envelope recipient
The message bypasses the original recipient’s mailbox and goes to the new recipient. Change the envelope recipient in one of these ways:
- Replace the recipient’s entire email address—After Replace recipient, enter the full email address, such as user@solarmora.com.
- Replace username—To change just the username of the recipient's email address and keep the domain the same, before @existing-domain, enter the username, such as user.
- Replace domain—To change just the domain of the recipient's email address and keep the username the same, after existing-username@, enter the domain, such as solarmora.com.
An MX lookup on the new recipient's domain determines the destination server. Or, if you’re using the Change the route control, the specified route determines the destination server. To Bcc additional recipients, use the Add more recipients option, described later on this page.
Bypass spam filter for this message
Deliver incoming messages to recipients even if the spam filter identifies them as spam. This option applies only to incoming messages. You can’t bypass spam filters for outgoing messages. Note: This option is not available for the Groups account type. For details, go to Account types to affect.
Remove attachments from message
To remove any attachments from messages, select this option. You can also add text to let recipients know that attachments were removed.
Add more recipients
- To set up dual or multiple delivery, check the Add more recipients box
click Add
.
- To add individual email addresses, select Basic from the list
- (Optional) To add more addresses, click Add
- (Optional) To choose advanced options for your secondary delivery, select Advanced from the list.
You can change the envelope recipient, add headers, prepend a custom subject, and remove attachments for secondary deliveries. Note: The Do not deliver spam to this recipient advanced option isn't supported for the Groups account type.
When you add recipients, keep in mind:
- Rules have a limit of 100 additional recipients.
- Settings for the primary delivery also apply to the secondary deliveries.
- For secondary deliveries, the Do not deliver spam to this recipient and Suppress bounces from this recipient boxes are checked by default.
- Adding additional recipients creates a message for each added recipient. Advanced Gmail settings apply to each message.
Encryption (onward delivery only)
By default, Gmail tries to deliver messages using Transport Layer Security (TLS). If secure transport isn’t available, the message is delivered over a nonsecure connection. Select encryption options for messages affected by the setting:
- Require secure transport (TLS)—Require all messages meeting the conditions in the setting to be sent over a secure connection. If TLS isn't available on the sending or receiving side, the message won't be sent.
- Encrypt message if not encrypted—Encrypts messages with S/MIME. If you have an Enterprise or Enterprise for Education account, you can also bounce messages or require that messages can only be sent if they are S/MIME encrypted. For details, go to Enhance message security with hosted S/MIME.
Supported editions for this feature: Frontline Plus; Enterprise Plus; Education Fundamentals, Education Standard, Teaching and Learning Upgrade, and Education Plus. Compare your edition
Configure additional parameters
To set up additional options for a routing policy, such as creating address lists or choosing the account types it will affect, at the bottom, click Show options.
An address list is a list of email addresses and domains that you create. Use address lists to apply or bypass settings for the email addresses and domains in the list. Read detailed information about address lists, and how they're used with Gmail settings.
For address list matching, Gmail checks:
- Incoming messages—The sender domain or email address against the address list
- Outgoing messages—The recipient domain or email address against the address list
To use address lists in this setting:
- Click Show options.
- Check the Use address lists to bypass or control application of this setting box.
- (Routing settings only) Select an Apply address list to correspondents option for address list matching:
- Apply address lists to correspondents—Check the "from" field for received mail, and the recipients for sent mail. For senders, the Authentication required option is also checked (see details in Step 8).
- Apply address list to recipients—Check that recipients are in the address lists.
Note: This option isn't available in Gmail content compliance settings.
- Select an option for bypassing or applying this setting:
- Bypass this setting for specific addresses/domains—Bypass the setting entirely if there's an address list match. All other criteria in the setting is ignored.
- Only apply this setting for specific addresses/domains—Use an address list match as a condition for applying the setting. If there are other criteria in the setting, those conditions must also match for the setting to be applied. Examples of other criteria are match expressions, account types, and envelope filters.
- Click an address list option:
- Use existing list—Select the name of an existing address list, then go directly to Step 9.
- Create or edit list—The Add address list box or Manage address list tab opens. Complete Steps 6–9.
- In the Add address list box, enter the name of the new address list.
-
To enter email addresses or domains to the list one at a time, click Add Address. To enter a comma-separated list of addresses or domains, click Bulk Add Addresses.
-
To bypass the setting for approved senders that don't use authentication, turn off the Authentication required option. Be aware that turning off authentication requirements can increase the possibility of getting spam or spoofed messages. Learn more about sender authentication.
-
Click Save.
When you're done, continue to Account types to affect.
Account types to affect (Required)
Depending on the message action you chose and the type of organizational unit you’re configuring, some account types might not be available.
Select one or more account types that the setting applies to:
- Users (default)—The setting applies to provisioned users. For sending and outbound mail, the setting is triggered when your users send email. For receiving and inbound mail, the setting is triggered when your users receive email.
- Groups—The setting applies to groups set up in your organization. For sending and outbound mail, the setting is triggered when your groups forward email or summaries to members. For receiving and inbound mail, the setting is triggered when your groups receive email.
- Unrecognized/Catch-all—The setting is triggered when your organization receives email that doesn’t match one of your provisioned users. This selection only applies to received and inbound email.
Note: The Groups and Unrecognized/Catch-all account types don’t apply to these controls:
- Add X-Gm-Spam and X-Gm-Phishy headers
- Bypass spam filter for this message
- Also reroute spam
When you're finished, go to Add and save the setting.
Envelope filter
To affect only specific envelope senders and recipients, set up an envelope filter:
- At the bottom of the Add setting window, click Show options.
- Check one or both of these options:
- Only affect specific envelope senders
- Only affect specific envelope recipients
- From the list, choose an option:
- Single email address—Enter the complete email address for a user.
- Pattern match—Enter a regular expression to specify a set of senders or recipients in your domain. For example:
^(?i)(user1@solarmora\.com|user2@solarmora\.com|user3@solarmora\.com)$
Learn more about Guidelines for using regular expressions.
- Group membership—Select one or more groups in the list. For envelope senders, this option applies only to sent mail. For envelope recipients, it applies only to received mail. If you haven't, first create the group.
Note: This option affects group members, and members of child groups. For example, if Group B is a member of Group A, this option affects members of Group A and Group B.
When you're finished, go to Save the configuration.
Save the configuration
Final step: Add and save the setting
- Click Add setting or Save.
The new settings appear on the settings page.
- At the bottom, click Save.
Define rules to handle confidential mode messages
How confidential mode messages are interpreted
You can specify what action to take on incoming or outgoing Gmail confidential mode messages by creating one or more compliance rules. For example, you can use compliance rules to block incoming messages to your domain.
How compliance rules trigger on messages
- Outgoing messages sent using confidential mode are affected by any content compliance settings or rules you’ve defined for message subject, body, and attachments.
-
Outgoing messages associated with a compliance rule to remove attachments are rejected, and the sender receives a bounce message.
- Incoming messages in confidential mode are checked, but only the message header is scanned.
How confidential messages are quarantined
- Outgoing messages in confidential mode do not go to the Admin quarantine; they are rejected and the sender receives a bounce message.
- Incoming messages in confidential mode go to the Admin quarantine, but only the message header is scanned.
Create a compliance rule to block incoming messages
The instructions in this section show you how to create a compliance rule to block incoming messages in confidential mode to your domain. For detailed information about creating compliance rules for all types of content, see Set up rules for content compliance.
-
Sign in with an administrator account to the Google Admin console.
If you aren’t using an administrator account, you can’t access the Admin console.
-
Go to Menu
Requires having the Gmail Settings administrator privilege.
-
In the Compliance section, scroll to Content compliance.
- Hover over the Content compliance setting and click Configure. If you previously set compliance rules for other types of mail, hover over any rule and click Add another.
The Add setting dialog box appears. Enter a name, select the message type to match, and define what action to take based on the message.
- In the Add setting dialog box:
- Enter a name for the rule.
- In the Email messages to affect, check the Inbound box.
- From Add expressions, choose If any of the following match the message.
- In Expressions, click Add, and then select Metadata match.
- From the Attribute drop-down, choose Gmail confidential mode, and for Match type, choose Message is in Gmail Confidential mode.
- Click Save.
- In the next section, which identifies what to do if the expressions match, choose Reject message.
- (Optional) If desired, enter a customized rejection notice, which is directed back to the sender.
- Click Add setting.
Related information
Best practices for faster rules testing
Google, Google Workspace, and related marks and logos are trademarks of Google LLC. All other company and product names are trademarks of the companies with which they are associated.
