Prevent data leaks in email & attachments

Supported editions for this feature: Frontline Standard; Enterprise Standard and Enterprise Plus; Education Fundamentals, Education Standard, Teaching and Learning Upgrade, and Education Plus. Compare your edition

DLP for Gmail is also available to Cloud Identity Premium users who are also licensed for Google Workspace editions that include Gmail.

These Gmail classification label features are temporarily unavailable in the Gmail app on Android and iOS mobile devices, and will be available in May 2025:

  • Synchronous auto-applied classification labels 
  • Synchronous enforcement based on label conditions

You can create data loss prevention (DLP) rules in your Google Admin console to manage sensitive content that your users share in email messages. With DLP for Gmail, rules apply to messages sent to people inside and outside of your organization. Use rules to identify sensitive information and help prevent it from being shared inside and outside your organization.
 
 


DLP for Gmail features

With DLP for Gmail, admins can:

  • Create data protection rules for Gmail, or for the other Google Workspace apps that use DLP, such as Google Chat and Google Drive.
  • Implement different actions for rule violations. For example, you can block email message delivery and send the user a notification (Block message), warn users about sensitive information detected in the message, but allow them to send it anyway (Warn users), quarantine a message for review by an admin before it’s sent or returned (Quarantine message), or send the message and log the DLP event for future audit to assess the impact of new rules (Audit only).
  • Define conditions using text strings and predefined and custom detectors, such as keywords and regular expressions.
  • Add rules that automatically add classification labels to new messages based on conditions you specify. For example, apply a classification label Confidential when messages contain sensitive, financial, or personally identifiable information.  
  • Detect when confidential mode is enabled for a message, and use confidential mode status as a condition to let people send messages with sensitive content.
  • Enforce rules for specific organizational units or groups, or for your entire organization.
  • Alert admins about rule violations in the Alert Center so they can investigate.
  • Scan image text in all message attachments with optical character recognition (OCR).

How does DLP for Gmail work?

When a user sends an email message, DLP scans the message for sensitive content. If a message or attachment violates a rule, the action defined in the rule applies to the message.

Summary of the flow:

  1. Add DLP rules that define sensitive content and the action to take on messages with sensitive content.
  2. When a user sends an email message, DLP scans the content for rule matching. 
  3. If a rule is matched, DLP applies the action defined in the rule.
  4. All events are logged in Rule log events for review. Learn more about rule log events

About synchronous & asynchronous scanning

With DLP for Gmail, data protection rules can be scanned synchronously or asynchronously: 

  • Synchronous scanning–Data protection rules are scanned when the user clicks the Send button. Users are notified of sensitive content before the message leaves their mailbox. Gmail on the web and the Gmail mobile app perform synchronous scanning.
  • Asynchronous scanning–Data protection rules are scanned after the message leaves the sender’s mailbox. Users get a message that the message is blocked or quarantined before it's delivered to the recipient. Asynchronous scanning occurs when a user sends a message with a third-party email app, and when synchronous scanning is unsuccessful.

Outcomes of synchronous & asynchronous scanning

Synchronous scanning: Gmail on the web or mobile

When a rule with the Block message action is activated: 

  • An alert appears, indicating that the message can’t be sent in its current state. You can add a custom message in the rule for this alert.
  • The alert has a Back to editing option, so the user can return to editing the message and update or remove the sensitive content.
  • When the user resends the message after editing, the message is scanned again and checked against all applicable rules.

When a rule with the Warn users action is activated:

  • An alert appears, indicating that the message may contain sensitive content. You can add a custom alert message in the rule setting options.
  • The alert has a Back to editing option so the user can return to editing the message and update or remove the sensitive content.
  • The alert has a Send anyway option that lets the user send the message in its current state.

When a rule with the Quarantine message action is activated:

  • An alert appears, indicating that the message may contain sensitive content. You can add a custom alert message in the rule setting options.
  • The box has a Back to editing option, so the user can optionally return to editing the message and update or remove the sensitive content.
  • The box has a Submit for review button, so the user can send the message for review by an admin or other authorized user. After reviewing the message, the admin can approve the message for delivery to the recipient, or block it from being sent.

When a rule with the Audit only action is activated:

  • The user doesn’t see an alert and the message is delivered normally to recipients.
  • The message event is recorded in audit logs. Learn more about rule log events

Note: Messages that are scanned synchronously might be scanned one more time asynchronously, as an added security measure. This can result in the message being blocked, even when no dialog box was presented during the synchronous scanning.

Asynchronous scanning: Gmail with SMTP and third-party email app

When a rule with the Block message action is activated: 

  • The sender sees the message in their Sent mailbox.
  • The sender gets a message soon after, indicating the message was blocked. You can add a custom message in the rule for this alert.

When a rule with the Warn users action is activated: 

  • The sender sees the message in their Sent mailbox.
  • The sender gets a message soon after sending, indicating the message was blocked. You can add a custom message in the rule for this alert.
  • For messages sent using third-party email apps connected to Gmail with SMTP, rules with a Warn users action behave as rules with a Block message action.

When a rule with the Quarantine message action is activated: 

  • The sender sees the message in their Sent mailbox.
  • If the message wasn’t sent, the sender might get an alert indicating the message was quarantined. You can add a custom message in the rule for this alert.

When a rule with the Audit only action is activated:  

  • The sender doesn’t get a notification and the message is delivered normally to the recipient.

Asynchronous scanning: Gmail on the web or mobile

When you use Gmail on the web or in a mobile app, messages are scanned asynchronously one more time as an extra security measure.

When a rule with the Block message action is activated: 

  • The sender sees the message in their Sent mailbox.
  • The sender gets a message soon after, indicating the message was blocked. You can add a custom message in the rule for this alert.

When a rule with the Warn users action is activated, the message is sent:

  • The sender can see the message in their Sent mailbox.
  • The message event is recorded in Rule Log Events.

When a rule with the Quarantine message action is activated: 

  • The sender can see the message in their Sent mailbox.
  • They might get a notification later if message sending was prevented by the reviewer.

When a rule with the Audit only action is activated:  

  • The sender doesn’t get any notification and the message is delivered normally to the recipient.

Messages created automatically by other Google products

Gmail sends automated notifications and messages created by other Google and Google Workspace services, including Calendar, Docs, and Drive. For example, when someone creates an event in Google Calendar and invites guests, a Gmail message with the event details is created and sent to event participants. The message is scanned on the server side. If message content meets the conditions in any rule, the rule action is applied.

When a rule with the Block message action is activated:

  • The sender sees the message in their Sent mailbox.
  • The sender gets a message soon after, indicating the message was blocked. You can add a custom message in the rule for this notification.

When a rule with the Warn users action is activated:

  • The message is sent normally.
  • The sender can see the message in their Sent mailbox.
  • The message event is recorded in Rule Log Events.

When a rule with the Quarantine message action is activated: 

  • The sender might get a notification later if message sending was prevented by the reviewer.

When a rule with the Audit only action is activated:  

  • The message is sent normally.
  • The sender doesn't get any notifications.

What's scanned?

Only outgoing messages are scanned. The Content type to scan selected in the rule determines what part of the message is scanned:

  • All content—Message subject, To, From, Bcc, Cc, and body are scanned synchronously. Attachments are scanned asynchronously. Attachments include files and images. Attachment filenames are also scanned. Go to supported file types on this page.

    Important: The All content option scans only 5 header types: Subject, To, From, Bcc, and Cc. These headers are immediately available for synchronous scanning. To scan all message headers, we recommend using one of these options:

    • Add a condition with the OR operator to scan Email headers
    • Create a separate rule specifically to scan Email headers
  • Email headers—Content in all email headers. Message headers are scanned asynchronously because some message headers aren't available for synchronous scanning.
  • Body—Message body is scanned synchronously and attachments are scanned asynchronously. 
  • Subject—Subject is scanned synchronously.
  • Classification label—Classification labels that have been manually applied by a user or automatically applied with a DLP rule. A rule can't have both Classification label as a condition and Apply classification labels as an action.
  • Confidential modes status—Whether the message has confidential mode enabled. We recommend using this condition with other rule conditions. For example, if the message body contains a tax ID and the message doesn’t use confidential mode, the message is blocked from being sent. Learn more about confidential mode

Supported attachment file types

Data protection rules scan these attachment types:

  • Document file types—TXT, DOC, DOCX, RTF, HTML, XHTML, XML, PDF, PPT, PPTX, ODP, ODS, ODT, XLS, XLSX, PS, CSS, CSV, JSON, SH
  • Image file types (when OCR is turned on)—EPS, BMP, GIF, JPEG, PNG, and images inside PDF files
  • Compressed file types—BZIP, RAR, TAR, ZIP
  • Custom file types—HWP, KML, KMZ, SDC, SDD, SDW, SXC, SXI, SXW, WML, XPS

How does DLP interact with other email rules?

Data protection rules are evaluated before content compliance rules and routing rules.

If data protection rules don't block or quarantine a message, the message is then evaluated by content compliance and routing rules. If a content compliance or routing rule applies an action that creates another copy of the message (for example, adds a new recipient), DLP scans the new copies of the message before sending them.
For details on content compliance rules, visit Set up rules for advanced email content filtering.

Known limitations

  • Data protection rules with an Apply classification label action and with Classification label as a condition are applied asynchronously on mobile devices:
    • Warn actions are ignored for messages sent from the Gmail app on mobile devices.
    • The sender isn’t notified about classification labels applied to a message, and doesn’t see the label applied to the message in their Sent mailbox. For messages sent using the Gmail web client, these rules are applied synchronously.
  • Attachments are scanned asynchronously only.
  • Group alias email addresses are treated as internal recipients. If the group has external members, rules intended for external messages aren’t applied.
  • Rules don’t apply to Groups. If a message is sent on behalf of a Group, rules aren't applied.

For message scanning limits, go to DLP for Gmail content limits.

Create a data protection rule for Gmail

  1. Sign in with an administrator account to the Google Admin console.

    If you aren’t using an administrator account, you can’t access the Admin console.

  2. Go to Menu and then Rules.

    Requires having the View and Manage DLP rule privileges.

  3. Enter a name for the rule and, optionally, a description.
  4. For Scope, choose an option:
    • To apply the rule to your whole organization, select All in domain.name.
    • To apply the rule to specific organizational units or groups, select Organizational units and/or groups and include or exclude organizational units and groups.
  5. Click Continue.
  6. (Optional) To verify OCR is turned on, click Check and check the Gmail box to turn OCR on for Gmail.
  7. Under Gmail, check the Message sent box.
  8. Click Continue.
  9. To add a condition, click Add Condition and select the part of the message that is scanned:

    Important: If you create a DLP rule with no condition, the rule scans all parts of the message and applies the specified action to every Gmail message.

    • All content—Scans message header, subject, body, and attachments.
    • Body—Scans message body and attachments.
    • Email headers—Scans message header and subject. If the message is sent with Google Workspace Client-side encryption (CSE), only the content of the email headers (including subject) can be scanned.
    • Subject—Scans message subject only.
    • Classification labels—Scans classification labels applied to messages.
    • Confidential mode status—Scans whether confidential mode is turned on for messages.
  10. Choose What to scan for, then fill out the required attributes for that type of scan. For detailed information about this field, visit the What to scan for section on this page. 
  11. Click Continue.
  12. Click Action and choose an option:

    All actions are logged in Rule log events.

    • Block message—Don’t send the message right away, and display an alert to the sender about potentially sensitive information in the message. The sender has the option to edit the message and try sending again.
    • Warn users—Don't send the message right away, and display an alert to the sender. The sender has the option to send the message as is, or edit the message and try sending again.
    • Quarantine message—Don't send the message right away and display an alert to the sender. The sender has the option to send the message as is, or send the message for review by an admin or other qualified person. You must select an option from the Quarantine condition menu.
    • Audit only—The message is sent normally. No alert is displayed. The message is scanned against rules, and logged as the event that an admin can review later.
    • Apply classification label—Apply a classification label to messages that match the conditions. You must select an option from the Label field and Field options menus.
  13. For Select when this action should apply, choose whether the action should be applied to internal messages, external messages, or both. 
  14. (Optional) To create a custom alert, check the Customize message box and enter your alert text. Alerts can be up to 300 characters long (including characters in URLs) and can include URLs. If you don’t create a custom message, the box displays the default message.
  15. (Optional) In the Alerting menu, choose a severity level for reported message events: Low, Medium, or High. The severity level is logged in the Rule log events and can be used to investigate incidents.
  16. (Optional) To send an alert about message events (a message activated by this rule), check the Send to alert center box. You can also send an alert notification to super admins with the All super administrators option, and enter other recipients to receive the alert notification.
  17. Click Continue and review the rule details. 
  18. Choose a status for the rule:
    • Active—The rule runs immediately.
    • Inactive—The rule is added but doesn't run immediately. This gives you time to review the rule and share it with others before implementing. To activate the rule later, in the Admin console, go to Security > Access and data control > Data protection > Manage Rules, change the status to Active, and click Confirm.
  19. Click Create.

Changes can take up to 24 hours but typically happen more quickly. Learn more

About What to scan for options & attributes

The What to scan for options vary according to the content type you chose to scan. For Gmail rule conditions, you can scan for:

  • Matches predefined data type (recommended)
  • Contains text string
  • Contains word
  • Matches regular expression
  • Matches words from word list
  • Is a classification label
  • Is enabled or disabled (Confidential mode status only)

You can use AND, OR, or NOT operators with conditions. For details on using these operators with conditions, go to DLP for Drive rule nested condition operator examples.

What to scan for attributes

Matches predefined data type

Data type—Select a predefined data type. Get more information on predefined data types.

Likelihood Threshold—Select a likelihood threshold. Available thresholds are:

  • Very low
  • Low
  • Medium
  • High
  • Very high

These thresholds reflect the DLP system's confidence in the match result. In general, the Very high threshold will match less content and will be more precise. The Very low threshold is a wider net expected to match more files but with lower precision.

Minimum unique matches—Enter the minimum number of times a match result must uniquely occur in a document to trigger the action.

Minimum match count—Enter the minimum number of times any matched results must appear in a document to trigger the action.

How do Minimum match count and Minimum unique matches work? For example, think of two lists of Social Security Numbers: the first list has 50 copies of the exact same number, and the second list has 50 unique numbers.

In this case, if the Minimum match count value equals 10, results will trigger on both lists since there are at least 10 matches in both.

Or, if the Minimum unique matches value equals 10, and the Minimum match count value equals 1, results will trigger only on the second list, since there are 10 matches and they're all matching unique values.

Contains text string

Enter contents to match—Enter a substring, number, or other characters to search on. Specify if the content is case sensitive. In the case of a substring, the rule can contain the word key, and if the document contains the word key, there is a match.

Contains word

Enter contents to match—Enter the word, number, or other characters to search on.

Matches regular expression

Regular expression name—A regular expression custom detector.

Minimum times the pattern detected—Enter the minimum number of times the pattern expressed by the regular expression must appear in a document to trigger the action.

Matches words from word list

Word list name—Select a custom word list.

Match mode—Select either Match any word or Match minimum number of unique words.

Minimum total times any word detected—Enter the minimum number of times a word must be detected to trigger the action.

Minimum unique words detected—Enter the minimum number of unique words that must be detected to trigger the action (available only for the Match minimum number of unique words option).
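The threshold semantics described above (Minimum match count and Minimum unique matches for predefined data types, Minimum times the pattern detected for regular expressions, and the two word list match modes) as an added Python example. This is not Google's code: the evaluation logic models the page's description, and the pattern, sample documents and word list are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample inputs mirroring the page's worked example: one list
# holds 50 copies of the same number, the other holds 50 distinct numbers.
# The values are synthetic placeholders, not real identifiers.
SAME_NUMBER_LIST = "\n".join(["123-45-6789"] * 50)
UNIQUE_NUMBER_LIST = "\n".join(f"123-45-{1000 + i:04d}" for i in range(50))

# Hypothetical stand-in for a predefined data type or a regex custom detector.
SSN_PATTERN = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")


def count_matches(text, pattern):
    """Return (total occurrences, number of distinct values) for a detector."""
    found = pattern.findall(text)
    return len(found), len(set(found))


def threshold_triggers(text, pattern, min_match_count=1, min_unique_matches=1):
    """Predefined data type / regex condition as the page describes it:
    the action fires only when BOTH the total occurrence count and the
    distinct-value count reach their minimums. For a regex detector, the
    page exposes only the total count (min_unique_matches stays at 1)."""
    total, unique = count_matches(text, pattern)
    return total >= min_match_count and unique >= min_unique_matches


def word_list_triggers(text, word_list, match_mode, min_total=1, min_unique=1):
    """Custom word list condition. 'any' (Match any word) needs min_total
    occurrences of any listed word; 'unique' (Match minimum number of unique
    words) additionally needs min_unique distinct listed words present."""
    words = Counter(re.findall(r"[a-z0-9']+", text.lower()))
    hits = {w: words[w] for w in word_list if words[w]}
    total = sum(hits.values())
    if match_mode == "any":
        return total >= min_total
    if match_mode == "unique":
        return total >= min_total and len(hits) >= min_unique
    raise ValueError(f"unknown match mode {match_mode!r}")


if __name__ == "__main__":
    # Minimum match count = 10 fires on both lists; Minimum unique
    # matches = 10 fires only on the list of distinct numbers.
    for name, doc in (("same", SAME_NUMBER_LIST), ("unique", UNIQUE_NUMBER_LIST)):
        print(name, "count>=10:", threshold_triggers(doc, SSN_PATTERN, 10),
              "unique>=10:", threshold_triggers(doc, SSN_PATTERN, 1, 10))
```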

Investigate DLP rule events with the SIT

Run a search for Rule log events

The following example runs a search to investigate Gmail messages that activated a DLP rule. You can use other conditions in your search, or no conditions at all.

  1. Sign in with an administrator account to the Google Admin console.

    If you aren’t using an administrator account, you can’t access the Admin console.

  2. Go to Menu and then Security > Security center > Investigation tool.

    Requires having the Security center administrator privilege.

  3. Click Data source and select Rule log events.
  4. Click Add Condition > Attribute > Rule type.
  5. Choose DLP.
  6. Click Search.
    From the search results at the bottom of the page, you can view a list of events, with details about each event.

    Note: Sensitive content snippets aren't supported for Gmail DLP. As a result, the Has sensitive content column shows False even if a message contains sensitive content that has activated a DLP rule.

  7. Scroll to the Resource ID column and click Menu to pivot from Gmail log events > Message ID.
  8. Click Search to open a new search page where Gmail log events is the data source.
  9. To view additional details, click Message ID for any line in the search results. A side panel displays additional details about your investigation.
  10. If prompted, enter the business need for viewing Gmail content and click Confirm.

Export DLP violations using BigQuery

You can export DLP violations logged in Rule log events to custom tables for further investigation. For details, go to Set up service log exports to BigQuery.

Share your feedback

In the Admin console on any data protection pages, click Send Feedback.
