Set up rules for advanced email content filtering

If you're looking for instructions and guidelines related to legal, security, and compliance concerns, go to Google Workspace legal and compliance.

As an administrator, you can set up rules to handle messages that contain content that matches one or more expressions. This advanced email filtering is called content compliance.

For example, you can:

  • Reject outgoing messages that might contain sensitive company information. For example, set up an outbound filter that detects the word confidential in outgoing messages.
  • Set up a metadata match on a range of IP addresses, and quarantine messages from IP addresses outside of the range.
  • Route messages with content that matches specific text strings or patterns to your legal department.

Dynamic email: If you use content compliance rules and dynamic email for your organization, learn how compliance rules are applied to dynamic messages.

DLP for Gmail (beta): You can create data loss prevention (DLP) rules to control sensitive content shared in Gmail by your users. Use rules to flag sensitive information and keep it from leaving your organization. For details, go to Prevent data leaks in email & attachments (beta).

Compliance rules

Content compliance rules are based on predefined sets of words, phrases, text patterns, or numerical patterns. You can set up a simple match, advanced matches, and metadata matches. You might also be able to set up a predefined content match

Content compliance supports scanning text attachments and common attachment types, such as .docx, .xlsx, and .pdf, as well as non-ASCII characters. Both simple content and advanced content matches that apply to message body text will also apply to text extracted from attachments. Any rule that applies to the message body text also applies to the extracted text. 

Gmail attempts to convert binary attachments, such as Microsoft Word documents, to text. Any rule that applies to the message body text also applies to the converted text. Learn more about setting up rules for attachment compliance.

Compliance actions

When a message matches a content compliance rule, you can specify one of these actions:

  • Reject the message
  • Quarantine the message
  • Deliver the message with modifications

How rules are applied

Unless you change the options, the rules apply to all users in an organizational unit. You can disable in a child organization any rules they inherit from a parent organization. You can also add multiple rules to each organization.

When you set up multiple rules, what happens to a message depends on the conditions you set and which rule has precedence. For details, read How multiple settings affect message behavior.

Enhance message security with hosted S/MIME

Depending on your edition, you can enchance message security with S/MIME. For example, add a rule that requires S/MIME encryption for outgoing messages. You can also use S/MIME-related metadata attributes in expressions. Do this by defining a metadata match when you add one or more expressions to specify what's searched. For an overview, see Enhance message security with hosted S/MIME.

Set up a content compliance rule

Step 1: Go to Gmail Compliance settings in the Google Admin console

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. In the Admin console, go to Menu and then Appsand thenGoogle Workspaceand thenGmailand thenCompliance.
  3. (Optional) On the left, select the organization.

  4. Scroll to the Content compliance setting in the Compliance section, hover over the setting, and click Configure. If the setting is already configured, hover over the setting and click Edit or Add another.

  5. For each new setting, enter a unique description.

  6. Go to the next step to configure the setting.

Step 2: Enter email messages to affect

You can set up the rule for inbound, outbound, or internal messages. Internal messages are sent and received within the domains and subdomains associated with your organization. 

A domain is internal if it is a verified workspace domain, or a subdomain or parent domain of a verified workspace domain.

  1. Check the boxes next to the messages you want the rule to apply to.

  2. Go to the next step to continue.

Step 3: Add one or more expressions to specify what's searched

You can add up to 10 expressions. You must add and save each expression separately. 

Rules must include at least one expression. Rules without at least one expression have no effect.

Note: You can add, edit, or delete expressions in the Add Setting box. If you don't see Edit or Delete next to an expression, use the scroll bar at the bottom of the table to scroll to the right.

  1. From the list, specify whether any or all conditions must match to trigger what happens to the message. For example, if you select If ANY of the following match the message, any matching condition can trigger the consequence to the message.

  2. Click Add.

  3. From the list, choose the type of match you want to use for the expression:

    • Simple content match—Enter the content to match. Simple content matching works like the search function in Gmail. For example, if you search for “a word,” any string with “a” and “word” is returned, such as “a new and different word.”

    • Advanced content match—Select the Location of the text within the message and the Match type, and enter the content to search. Unlike simple content match, the string must be an exact match. See the tables below for a description of each location within the message and the match types.

    • Metadata match—Select the attribute to match and the Match type. If needed, enter the Match value. See the following table for a description of metadata attributes and match types.

    • Predefined content match—Select one of the predefined content detectors, such as Credit Card Number or Social Security Number (for U.S.). Optionally, you can set the number of times the detector must appear in a message to trigger the action you define. You can also trigger the action if the detector in the message meets a confidence threshold.

      This feature isn't available with all editions. For details, go to Scan your email traffic using data loss prevention.

  4. Click Save. You might need to scroll to see the new expression.

  5. Go to the next step to continue.

Advanced content match location

Location Description

Headers and body

The full headers plus the body. Includes attachments (MIME parts decoded).

Full headers

All header fields. Doesn't include the message body or attachments.

Body

The main text portion of the email message. Includes attachments (MIME parts decoded).

Subject

The subject of the message as present in the email header.

Sender header

The sender's email address as reported in the From: header. It can be different than the sender reported in the Envelope sender.

The sender header consists of the email address, located within the angle brackets, and does not include the account name.

For example, consider:

From: Jane Doe <jdoe@example.com>

The sender header is jdoe@example.com.

Note: For content filtering, Gmail removes dots and plus signs (+) from usernames during message delivery. For example, jane.doe@gmail.com is converted to janedoe@gmail.com. Therefore, if you intend to match messages containing either jane.doe@gmail.com, or janedoe@gmail.com in the From: header, exclude the dot from your content match pattern. For more information on guidelines for email addresses, go to: 

Recipients header

The recipient or recipients as reported in the email headers, To:, Cc:, and Bcc:. This can be different from the recipients reported in Any envelope recipient.

This compares only one recipient at a time. If there are 2 or more recipients, the advanced content rule does not match against all of the recipients in one string. To set up a rule for messages sent to multiple users, use Full headers.

Full headers do not include the email addresses of Bcc: recipients. So, rules based on the number of recipients in the full header might not be applied for all recipients when some recipients are Bcc:.

The recipient header consists of the email address, located within the angle brackets, and does not include the account name.

For example, consider:

To: Jane Doe <jdoe@example.com>
Cc: John Doe <johndoe@example.com>
Bcc: John Smith <jsmith@example.com>

The recipient headers are jdoe@example.com, johndoe@example.com, and jsmith@example.com.

Note: For content filtering, Gmail removes dots and plus signs (+) from usernames during message delivery. For example, jane.doe@gmail.com is converted to janedoe@gmail.com. Therefore, if you intend to match messages containing either jane.doe@gmail.com, or janedoe@gmail.com in the From: header, exclude the dot from your content match pattern. For more information on guidelines for email addresses, go to: 

Envelope sender

The original sender that was reported during the SMTP communication request. It can be different from the sender reported in the Sender header. It often, but not always, matches the address found in the Return-path: header.

Any envelope recipient

The recipient or recipients that were reported during the SMTP communication request. These can be different from the recipients reported in the Recipient header. This can include individuals added as part of a group expansion.

This compares only one recipient at a time. If there are 2 or more recipients, the advanced content rule does not match against all of the recipients in one string.

Raw message

The full headers plus the body, including all attachments and other MIME parts of the message. MIME parts are not decoded. This is equivalent to RFC-2822 message bytes.

Advanced content match type

Match type Description

Starts with

Searches the selected location for content that starts with the specified character or string.

Ends with

Searches the selected location for content that ends with the specified character or string.

Contains text

Searches the selected location for content that contains the specified string.

Not contains text

Searches the selected location for content that does not contain the specified string.

Equals

Searches the selected location for content that exactly matches the specified string.

Is empty

Searches the selected location for content that is empty.

Matches regex

Searches the selected location for content that matches the specified regular expression. See About regex matching, later on this page.

Not matches regex

Searches the selected location for content that does not match the specified regular expression. See About regex matching, later on this page.

Matches any word

Searches the selected location for content that matches any word in the specified list of words.

Matches all words

Searches the selected location for content that matches all words in the specified list of words.

About regex matching

You use the Matches regex and Not matches regex advanced content match types to set up content compliance rules that use regular expressions.

What is regex?

A regular expression, also called a regex, is a method for matching text with patterns. For example, a regex can describe a pattern of email addresses, URLs, telephone numbers, employee identification numbers, social security numbers, or credit card numbers.

To learn more about regular expressions, see:

Note: Each regex expression in a content compliance rule is limited to 10,000 characters.

Why is the match location important?

It’s important to select the appropriate match location for your use case when formulating your regex. The match location (see the preceding table) specifies which component of the message to scan for matches.

For certain match locations, the content to match is split into pieces before being scanned by the regex. For example:

  • Recipient header: The To:, Cc:, and Bcc: fields of a message header are split into individual email addresses that are compared one at a time against the regex pattern. If you want to detect messages sent to 5 or more users, the Recipient header match location doesn't work.
  • Full header: Scanning across multiple message header fields isn’t supported; instead, each header field is compared one at a time against the regex. For example, the To: field is examined as one string and the Cc: field is examined as another string. This means you can't create a single regex expression intended to span the To: and Cc: fields at the same time.

Note: If a single field, such as "Authentication Results," spans multiple lines, the regex can scan across those lines, but the spacing at the beginning of each line is stored as part of that field. You must therefore account for spaces with a wildcard or explicitly in the expression.

What's the minimum match count option?

When you set up a content compliance rule to match a regex, you enter the regex and two optional fields: a description of the regex and a minimum match count.

The minimum match count option specifies the number of times the regex must appear in the match location to trigger the rule’s action. For example, if you enter 2, the regex pattern must appear at least 2 times in the match location to trigger any action on the message.

Metadata attributes and match types

The attribute and available match type combinations include the following:

Attribute Match type Description

Message authentication

  • Message is authenticated
  • Message is not authenticated

Select this option to include messages that are or aren't authenticated in your compliance expression.

Conforms to the DMARC standard. Message is authenticated if 1) SPF passes and the envelope sender domain aligns with the header from domain, or 2) if the DKIM check passes for the header from domain. Otherwise, the message is considered unauthenticated.

Source IP

  • Is within the following range

  • Is not within the following range

Select this option to include messages that do or don't fall within the specified IP range in your compliance expression. Enter the range in the field.

Source IP represents the IP address of the sending mail server and is normally used for SPF authentication. For more information, see How Gmail determines the source IP.

 

Secure transport (TLS)

  • Connection is TLS encrypted

  • Connection is not TLS encrypted

Select this option to include received messages that are or aren't TLS encrypted in your compliance expression.

S/MIME encryption

  • Message is S/MIME encrypted

  • Message is not S/MIME encrypted

Select this option to include messages that are or aren’t S/MIME encrypted.

This option is available only in editions that support S/MIME.

S/MIME signature

  • Message is S/MIME signed

  • Message is not S/MIME signed

Select this option to include messages that are or aren’t S/MIME signed.

This option is available only in editions that support S/MIME.

Message size

  • Is greater than the following (MB)

  • Is less than the following (MB)

Select this option to include messages greater or less than the specified size in your compliance expression. Enter the message size in MB in the field.

Note: This is the raw size of the entire message, which may be up to 33% larger than the native size of the message and attachments due to normal encoding overhead. 

Gmail confidential mode
  • Message is in Gmail confidential mode
  • Message is not in Gmail confidential mode 

 

Select this option to include messages that are or aren't Gmail confidential mode messages.
Spam
  • Malware detected from security sandbox

Select this option to include messages that have been identified by Security Sandbox as having a malware attachment.

This option is available only with editions that support Security Sandbox.

Step 4: Specify what happens if expressions match

  1. Specify whether to modify, reject, or quarantine a message when conditions are met. (Details later on this page.)

  2. Configure the options for the action you choose.

  3. (Optional) Click Show options to configure additional options to limit the application of this setting. See Configure additional parameters later on this page for details.

  4. Go to Save the configuration.

Reject message

Rejects the message before reaching the recipient. You can enter a message to notify the sender about why the message was rejected. For matching messages, no other routing or compliance rules are applied. 

Note: Gmail automatically adds an SMTP rejection code, such as 550 5.7.1. This is a requirement of the SMTP standard and can't be deleted.

Quarantine message

Sends the message to an admin quarantine where you can review the message before you send or reject it. This option is only available for the Users account type. For details, see Account types to affect.

To notify your users when their sent messages are quarantined, check the Notify sender when mail is quarantined (onward delivery only) box.

Modify message

Add headers, remove attachments, change the envelope recipient, add more recipients, and change the route. For details, read Options for modifying messages.
 
Note: We recommend that you use the routing settings for the specific use cases they are intended to support. For example, you can set up the same routing options by using a Content compliance setting or a Routing setting. Use a Content compliance setting for content-related use cases, and a Routing setting for general routing-related use cases, such as dual delivery. Learn about mail routing, including use cases and examples.

Controls

Add X-Gm-Original-To header

Add a header tag if the recipient is changed, so the receiving server knows the original envelope recipient. An example of the header tag format is X-Gm-Original-To: user@solarmora.com.

Add X-Gm-Spam and X-GM-Phishy headers

Add headers that indicate message spam and phishing status. Administrators for receiving servers use this information to set up special rules for managing spam and phishing messages. For details, go to Add spam headers setting to all default routing rules.

Add custom headers

Add custom headers to messages affected by this setting. For example, you can add a header that matches the description you entered for the setting. Custom headers can help you troubleshoot routing settings and message delivery.

Prepend custom subject

Add custom text to the beginning of the subject line for specified messages. For example, enter Confidential for sensitive messages. If a message with the subject Monthly report is affected by this setting, the subject line is updated to: [Confidential] Monthly report.

Change route and Also reroute spam

  • Change the route—Change the message destination from the default Gmail server to a different mail server. Before you can change the route, you must add the server by following the steps in Add mail servers for Gmail email routing.

  • Also reroute spam—This option is available when you select Change the route. Blatant spam is dropped at delivery time. The Also reroute spam option routes any additional email you mark as spam. Leave the box unchecked to route normal messages, but not spam. Admin console email settings (for example, a list of preauthorized senders) overrides spam settings.

  • Suppress bounces from this recipient—Prevent bounced messages from being rerouted to the configured mail route. For example, you might want to prevent bounced messages from being rerouted to an automated system. Leave this box unchecked if you want the receiving mail system to get bounced messages, for example so senders know when their message isn't delivered.

Change envelope recipient

The message bypasses the original recipient’s mailbox and goes to the new recipient. Change the envelope recipient in one of these ways:

  • Replace the recipient’s entire email address—After Replace recipient, enter the full email address, such as user@solarmora.com.
  • Replace username—To change just the username of the recipient's email address and keep the domain the same, before @existing-domain, enter the username, such as user.
  • Replace domain—To change just the domain of the recipient's email address and keep the username the same, after existing-username@, enter the domain, such as solarmora.com.

An MX lookup on the new recipient's domain determines the destination server. Or, if you’re using the Change the route control, the specified route determines the destination server. To Bcc additional recipients, use the Add more recipients option, described later on this page.

Bypass spam filter for this message

Deliver incoming messages to recipients even if the spam filter identifies them as spam. This option applies only to incoming messages. You can’t bypass spam filters for outgoing messages. Note: This option is not available for the Groups account type. For details, go to Account types to affect.

Remove attachments from message

To remove any attachments from messages, select this option. You can also add text to let recipients know that attachments were removed.

Add more recipients

  1. To set up dual or multiple delivery, check the Add more recipients boxand thenclick Add .
  2. To add individual email addresses, select Basic from the listand thenclick Save
  3. (Optional) To add more addresses, click Add .
  4. (Optional) To choose advanced options for your secondary delivery, select Advanced from the list.

    You can change the envelope recipient, add headers, prepend a custom subject, and remove attachments for secondary deliveries. Note: The Do not deliver spam to this recipient advanced option isn't supported for the Groups account type.

When you add recipients, keep in mind:

  • Rules have a limit of 100 additional recipients.
  • Settings for the primary delivery also apply to the secondary deliveries.
  • For secondary deliveries, the Do not deliver spam to this recipient and Suppress bounces from this recipient boxes are checked by default.
  • Adding additional recipients creates a message for each added recipient. Advanced Gmail settings apply to each message.

Encryption (onward delivery only)

By default, Gmail tries to deliver messages using Transport Layer Security (TLS). If secure transport isn’t available, the message is delivered over a nonsecure connection. Select encryption options for messages affected by the setting:

  • Require secure transport (TLS)—Require all messages meeting the conditions in the setting to be sent over a secure connection. If TLS isn't available on the sending or receiving side, the message won't be sent.
  • Encrypt message if not encrypted—Encrypts messages with S/MIME. If you have an Enterprise or Enterprise for Education account, you can also bounce messages or require that messages can only be sent if they are S/MIME encrypted. For details, go to Enhance message security with hosted S/MIME.

Supported editions for this feature: Enterprise Plus; Education Fundamentals, Education Standard, Teaching and Learning Upgrade, and Education PlusCompare your edition

 

Configure additional parameters

To set up additional options for a routing policy, such as creating address lists or choosing the account types it will affect, at the bottom, click Show options.

Address lists

An address list is a list of email addresses and domains that you create. Use address lists to apply or bypass settings for the email addresses and domains in the list. Read detailed information about address lists, and how they're used with Gmail settings.

For address list matching, Gmail checks:

  • Incoming messages—The sender domain or email address against the address list
  • Outgoing messages—The recipient domain or email address against the address list

To use address lists in this setting:

  1. Click Show options.
  2. Check the Use address lists to bypass or control application of this setting box.
  3. (Routing settings only) Select an Apply address list to correspondents option for address list matching:
    • Apply address lists to correspondents—Check the "from" field for received mail, and the recipients for sent mail. For senders, the Authentication required option is also checked (see details in Step 8).
    • Apply address list to recipients—Check that recipients are in the address lists.

    Note: This option isn't available in Gmail content compliance settings.

  4. Select an option for bypassing or applying this setting:
    • Bypass this setting for specific addresses/domains—Bypass the setting entirely if there's an address list match. All other criteria in the setting is ignored.
    • Only apply this setting for specific addresses/domains—Use an address list match as a condition for applying the setting. If there are other criteria in the setting, those conditions must also match for the setting to be applied. Examples of other criteria are match expressions, account types, and envelope filters.
  5. Click an address list option:
    • Use existing list—Select the name of an existing address list, then go directly to Step 9. 
    • Create or edit list—The Add address list box or Manage address list tab opens. Complete Steps 6–9.
  6. In the Add address list box, enter the name of the new address list.
  7. To enter email addresses or domains to the list one at a time, click Add Address. To enter a comma-separated list of addresses or domains, click Bulk Add Addresses.

  8. To bypass the setting for approved senders that don't use authentication, turn off the Authentication required option. Be aware that turning off authentication requirements can increase the possibility of getting spam or spoofed messages. Learn more about sender authentication.

  9. Click Save.

When you're done, continue to Account types to affect.

Account types to affect (Required)

Depending on the message action you chose and the type of organizational unit you’re configuring, some account types might not be available.

Select one or more account types that the setting applies to: 

  • Users (default)—The setting applies to provisioned users. For sending and outbound mail, the setting is triggered when your users send email. For receiving and inbound mail, the setting is triggered when your users receive email.
  • Groups—The setting applies to groups set up in your organization. For sending and outbound mail, the setting is triggered when your groups forward email or summaries to members. For receiving and inbound mail, the setting is triggered when your groups receive email.
  • Unrecognized/Catch-all—The setting is triggered when your organization receives email that doesn’t match one of your provisioned users. This selection only applies to received and inbound email.

Note: The Groups and Unrecognized/Catch-all account types don’t apply to these controls:

  • Add X-Gm-Spam and X-Gm-Phishy headers
  • Bypass spam filter for this message
  • Also reroute spam

When you're finished, go to Add and save the setting.

Envelope filter

To affect only specific envelope senders and recipients, set up an envelope filter:

  1. At the bottom of the Add setting window, click Show options.
  2. Check one or both of these options:
    • Only affect specific envelope senders
    • Only affect specific envelope recipients
  3. From the list, choose an option:
    • Single email address—Enter the complete email address for a user.
    • Pattern match—Enter a regular expression to specify a set of senders or recipients in your domain. For example:

      ^(?i)(user1@solarmora\.com|user2@solarmora\.com|user3@solarmora\.com)$

      Learn more about Guidelines for using regular expressions.

    • Group membership—Select one or more groups in the list. For envelope senders, this option applies only to sent mail. For envelope recipients, it applies only to received mail. If you haven't, first create the group.

      Note: This option affects group members, and members of child groups. For example, if Group B is a member of Group A, this option affects members of Group A and Group B.

When you're finished, go to Save the configuration.

Save the configuration

Final step: Add and save the setting

  1. Click Add setting or Save.

    The new settings appear on the settings page.

  2. At the bottom, click Save.

Define rules to handle confidential mode messages

How confidential mode messages are interpreted

You can specify what action to take on incoming or outgoing Gmail confidential mode messages by creating one or more compliance rules. For example, you can use compliance rules to block incoming messages to your domain. 

How compliance rules trigger on messages 

  • Outgoing messages sent using confidential mode are affected by any content compliance settings or rules you’ve defined for message subject, body, and attachments. 
  • Outgoing messages associated with a compliance rule to remove attachments are rejected, and the sender receives a bounce message. 

  • Incoming messages in confidential mode are checked, but only the message header is scanned. 

How confidential messages are quarantined 

  • Outgoing messages in confidential mode do not go to the Admin quarantine; they are rejected and the sender receives a bounce message.
  • Incoming messages in confidential mode go to the Admin quarantine, but only the message header is scanned. 

Create a compliance rule to block incoming messages

The instructions in this section show you how to create a compliance rule to block incoming messages in confidential mode to your domain. For detailed information about creating compliance rules for all types of content, see Set up rules for content compliance.      

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. In the Admin console, go to Menu and then Appsand thenGoogle Workspaceand thenGmailand thenCompliance.
  3. In the Compliance section, scroll to Content compliance
  4. Hover over the Content compliance setting and click Configure. If you previously set compliance rules for other types of mail, hover over any rule and click Add another.

    The Add setting dialog box appears. Enter a name, select the message type to match, and define what action to take based on the message. 

  5. In the Add setting dialog box:
    • Enter a name for the rule.
    • In the Email messages to affect, check the Inbound box.   
    • From Add expressions, choose If any of the following match the message
    • In Expressions, click Add, and then select Metadata match.
    •  From the Attribute drop-down, choose Gmail confidential mode, and for Match type, choose Message is in Gmail Confidential mode.
    • Click Save.
  6. In the next section, which identifies what to do if the expressions match, choose Reject message.
  7. (Optional) If desired, enter a customized rejection notice, which is directed back to the sender.  
  8. Click Add setting.       

Related information

 Best practices for faster rules testing

 


Google, Google Workspace, and related marks and logos are trademarks of Google LLC. All other company and product names are trademarks of the companies with which they are associated.

 

Was this helpful?

How can we improve it?
Search
Clear search
Close search
Google apps
Main menu
15546681223098307628
true
Search Help Center
true
true
true
true
true
73010
false
false