Notification

This feature is unavailable for iOS users until May 2025.

Gmail DLP & automatic classification labels

Use DLP rule to automatically apply classification labels to Gmail messages

Supported editions for this feature: Frontline Standard and Frontline Plus; Enterprise Standard and Enterprise Plus; Education Fundamentals, Education Standard, Teaching and Learning Upgrade, and Education Plus. Compare your edition

DLP for Gmail is also available to Cloud Identity Premium users who are also licensed for Google Workspace editions that include Gmail.

After you create classification labels your users can manually apply to their messages, you can add data loss prevention (DLP) rules that automatically apply classification labels to messages, or that take action on messages based on their classification labels. Data protection with DLP rules helps you manage sensitive data and how it's shared both inside and outside your organization.

DLP rules let you apply classification labels to messages automatically, based on message content and sensitivity. Labels help people in your organization understand message sensitivity and handle messages accordingly. Labels also help people in your organization understand the different types of information they work with, for example sensitive or confidential content, or content that's specific to certain projects or roles.

Automatic classification labels help prevent sensitive information from being shared in Gmail and third-party (non-Gmail) email apps, both inside your organization and externally.

This page is an overview of data protection rules and automatic classification labels, and describes how people in your organization interact with email messages that have rules and labels.

For detailed steps to set up rules that automatically apply classification labels to email messages, visit Prevent data leaks in email & attachments.

How automatic classification labels help protect your data

When someone in your organization tries to send an email message that contains personally identifiable information (PII) or other sensitive information, a data protection rule can automatically apply a classification label called Confidential to the message. The label indicates to recipients the level of sensitivity associated with the message. Organization policies can then be applied to the message based on the label. When recipients get the message, the label lets them know the message contents are sensitive and should be handled appropriately.

By adding more rules, you can manage what happens to outgoing messages based on their classification labels. For example, you can block messages with the Sensitive label from being sent. Create a rule with a block action that’s applied when someone tries to send a message with the Sensitive label. The sender gets an alert about the sensitive content, with the option to edit the message before trying to send it again.

Data protection rules can also quarantine sensitive messages for review before sending them. The sender gets an alert with the option to quarantine, or edit the message and try sending again. You can also add rules that audit messages only. This is useful for testing rules behavior and impact to users before you start quarantining or blocking messages. 

Learn more about synchronous and asynchronous scanning

Automatic classification labels features and behavior

Rules that automatically apply classification labels to email messages are DLP rules. DLP rule features, behaviors, and limitations are described in Prevent data leaks in email & attachments.

  • Rules let you choose from multiple conditions to specify when to automatically apply classification labels to outgoing messages. 
  • Rules can apply labels to messages from a specific organizational unit or group, or to your entire organization.
  • Rules apply labels when message content matches conditions you specify in the rule. For example, match a single word, a string, or a predefined data type, such as a taxpayer ID or passport number. You can specify where in the message the matching content appears. For example, content can appear anywhere in the message (including attachments), or only in the message headers or subject line. 
  • Rules that apply classification labels have two user permission options for changing labels:
    • Don’t allow modification: Prevents users from changing label values, even when the user has label editing permissions. When a user tries to change a label value that was automatically applied to a message, DLP scans the message on send and notifies the user about required labels and values for the message.
    • Allow: Lets users update label values. Values set by the user take precedence over label values automatically applied by DLP rules. If the user changes the value of an auto-applied label, the DLP rule isn't triggered and the message is sent with the updated label value.

      With either option, users can't completely remove a label. If a user tries to remove a label, the user gets a alert and the label is reapplied.

  • A message can have up to 20 labels, in any combination of user-visible, user-applied labels and automatically applied labels. To view labels, users must have View permission for the label. If a user tries to apply visible labels to a message, they get an alert when the number of visible labels exceeds 20. When the number of manually applied and automatically applied messages exceeds 20, only the 20 top-ranked labels are applied to the message.
  • You can apply multiple labels with a single rule.
  • You can use AND, OR, or NOT operators with conditions. For details, go to DLP for Drive rule nested condition operator examples.
  • With the Gmail mobile app, senders can’t see auto-applied labels for their outgoing messages.
  • With Gmail on the web:
    • When message content that triggered a rule is removed from the message, the auto-applied label is removed with a notification.
    • When labels are automatically applied to a message based on message content, the sender gets a notification with the option to edit the message before sending.

Get started with automatic classification labels

Before you start using classification labels and data protection rules with email, you should:

How rules automatically apply classification labels 

Data protection rules scan messages and apply labels to, and enforce actions on, messages that meet the conditions in the rules.

Sender composes message.

  1. Sender clicks Send and the message leaves the sender’s mailbox.
  2. The message is scanned. If the message has content that meets conditions in a rule with an Apply classification label action, the classification label is applied to the message.
    • After a classification label is applied, the message may trigger a rule that has a Classification label condition. If you haven’t created any additional data protection rules, this step is skipped.
    • The action defined in the rule determines what happens when the user tries to send the message. For details, go to How users interact with automatic classification labels, on this page.

When a user tries to send a message with sensitive content, they may get a bounce message. When this happens, they must compose the message again.

How users work with classification labels

People in your organization may already use one type of Gmail labels to organize their email. Classification labels have a different purpose and your users interact with them differently. What your users see depends on whether you’ve added data protection rules to manage outdoing messages that have classification labels applied.

When a user sends a new email message, DLP scans the message. If the message triggers a data protection rule that applies classification labels, one or more labels are applied to the message after the message is sent and leaves the sender’s mailbox. The sender can’t see classification labels while composing a message or in the copy of sent messages stored in their Sent mailbox. After a label is automatically applied to a message, and visible to recipients, the user interacts with the message in the same way as with messages with manually applied labels.

People who get new messages or message replies that have classification labels can see the labels that are applied to the message. Senders who get replies to their outgoing messages with labels may see some or all of the original labels in message replies.

For detailed information about working with classification labels, visit the Gmail help center.

Share your feedback

In the Admin console on any data protection pages, click Send Feedback.

Related topics

Was this helpful?

How can we improve it?

Need more help?

Try these next steps:

Post to the help community Get answers from community members
Contact us Tell us more and we’ll help you get there
true
Start your free 14-day trial today

Professional email, online storage, shared calendars, video meetings and more. Start your free Google Workspace trial today.

Search
Clear search
Close search
Main menu
8411620417566556528
true
Search Help Center
true
true
true
true
true
73010
false
false
false
false