Compliance

Attachment compliance setting

The Attachment compliance setting enables you to specify what action to perform for messages with attachments. With this setting, you can specify conditions based on file type, file name, and message size. Each setting can have its own consequences -- or method of processing filtered messages. For example, you can reject messages whose attachments exceed 20 MB, or you can modify a message by re-routing the message, adding a header, or entering a string to prepend to the subject when a message matches the conditions you set. Optionally you can also modify a message by stripping its attachments and adding an advisory notice to the message.

Similar to other email security settings, the Attachment compliance setting applies to all users in an organizational unit. Users within child organizations inherit the settings you create for the parent organization. You also have the option to add multiple Attachment compliance settings to each organizational unit.

To configure Attachment compliance settings for your domain or organizational unit:

  1. Sign in to the Google Admin console.

  2. On the Settings tab, select Gmail on the left and click General.

  3. In the Organizations section, highlight your domain or the organizational unit for which you want to configure settings (see Configure email settings for an organizational unit for more details).

  4. Scroll down to the Attachment compliance section:

    • If the setting's status is Not configured yet, click the Configure button near the right edge of the window (the Add setting dialog box opens).
    • If the setting's status is Locally applied or Inherited, click Edit to edit an existing setting (the Edit setting dialog box appears), or click Add another to add a new setting (the Add setting dialog box appears).

  5. When you are finished making changes, click Add setting or Save to close the dialog box.

    Note: Any settings you add will be highlighted on the Email settings page.

  6. Click Save changes at the bottom of the Email settings page.

In the Attachment compliance window, click Add a description if you want to enter a unique name for this setting. See the sections below for additional instructions and guidelines.

1. Email messages to affect

This enables you to set the policy for inbound, outbound, and/or internal mail (sending/receiving within the set of domains associated with your organization). By default, each of the following check boxes is selected. However, if (for example) you want to limit this setting to Outbound mail, you can clear all check boxes except Outbound.

  • Inbound: Messages received by your users from senders outside the set of domains associated with your company or organization
  • Outbound: Messages sent by your users to recipients outside the set of domains associated with your company or organization
  • Internal - sending: Messages sent by your users to recipients within the set of domains associated with your company or organization
  • Internal - receiving: Messages received by your users from senders within the set of domains associated with your company or organization

2. Add expressions that describe the content you want to search for in each message

As you configure an Attachment compliance setting, you specify an expression -- or a set of expressions -- in this section.

Follow these steps to add expressions:

  1. Use the drop-down list to choose one of the following two options:

    • If ANY of the following match the message
    • If ALL of the following match the message

    For example, if you select multiple conditions for the setting, and if you select ANY, then any matching condition can trigger the consequences. If you select ALL, then all conditions must match to trigger the consequences.

  2. Click Add to add an expression. (You can add several expressions to one attachment compliance setting.) For each expression:

    • Select File type from the drop-down menu (this is displayed by default), and choose the attachment types that you want to include. This expression will look for a match on attachments of specific types -- for example, Office documents, Video and multimedia, Music and sound, Images, and Executables. For a list of file extensions that are classified in each file type, see File types and file extensions.

      You can also enter Custom file types to look for matches on specific file extensions -- for example, exe, bat, and cmd. Enter one or more file extensions, without a period, and separate your entries by commas. Click Save.

    • Select File name and enter an attachment name that you want to include. This expression will look for a match on any part of an attachment file name; it need not match the entire name. (Case is ignored.) Click Save.

    • Select Message size, and enter the number of megabytes to limit the size of messages (including both the message body and all attachments). Click Save.
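The matching behaviour described in this section can be modelled offline to check a planned rule against sample mail before the setting is saved. The following Python is an added example, not Google's code: the helper names, the 2**20-byte megabyte, matching on the last extension only, and measuring the encoded message are assumptions, and the test message is constructed.

```python
from email.message import EmailMessage

MB = 1024 * 1024  # assumption: 1 MB = 2**20 bytes; the page does not define the unit

def attachment_names(msg):
    """Lower-cased file names of every attachment part in the message."""
    return [(p.get_filename() or "").lower() for p in msg.iter_attachments()]

def file_type(extensions):
    """Custom file types: comma-separated extensions entered without a period."""
    wanted = {e.strip().lower().lstrip(".") for e in extensions.split(",") if e.strip()}
    # Assumption: only the last extension of a name is compared.
    return lambda msg: any(n.rsplit(".", 1)[-1] in wanted
                           for n in attachment_names(msg) if "." in n)

def file_name(fragment):
    """File name: matches any part of an attachment name, case ignored."""
    return lambda msg: any(fragment.lower() in n for n in attachment_names(msg))

def message_size(limit_mb):
    """Message size: body plus all attachments, compared with a limit in MB."""
    # Assumption: the size is that of the encoded message as transmitted.
    return lambda msg: len(msg.as_bytes()) > limit_mb * MB

def matches(msg, expressions, mode="ANY"):
    """Combine expressions the way the ANY / ALL drop-down describes."""
    results = [expr(msg) for expr in expressions]
    return any(results) if mode == "ANY" else all(results)

def sample_message():
    """Constructed test message with one small attachment."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "jjsmith@solarmora.com"
    msg["Subject"] = "Monthly report"
    msg.set_content("Report attached.")
    msg.add_attachment(b"constructed bytes", maintype="application",
                       subtype="octet-stream", filename="Invoice_Q3.PDF.exe")
    return msg

if __name__ == "__main__":
    rule = [file_type("exe, bat, cmd"), file_name("invoice"), message_size(20)]
    print("ANY:", matches(sample_message(), rule, "ANY"))  # True
    print("ALL:", matches(sample_message(), rule, "ALL"))  # False
```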

3. If the above expressions match, do the following

This section enables you to specify what action to perform on a message when the conditions are met for an Attachment compliance setting. You have two options in the drop-down menu: Reject message or Modify message.

Reject message
If you choose this option, the message is rejected before it reaches the intended recipient. You have the option to enter customized text for the rejection notice.

Modify message
This option enables you to modify messages by adding headers, changing the route, changing the envelope recipient, adding more recipients (additional, or secondary routes), and/or removing attachments.

Note: We recommend that you use routing settings for the specific use cases they are intended to support. For example, you can set up the same routing options by using an Attachment compliance setting or a Receiving routing setting; but use an Attachment compliance setting for attachment-related use cases, and use a Receiving routing setting for general routing-related use cases, such as dual delivery.

For more details and step-by-step instructions about mail routing, including use cases and examples, see Manage mail routing and delivery: Guidelines and best practices.

See the following descriptions for more details about routing controls.

Add X-Gm-Original-To header

Selecting this check box adds a header tag when the recipient is changed, so that the downstream server knows the original envelope recipient -- for example, X-Gm-Original-To: jjsmith@solarmora.com.

Adding the X-Gm-Original-To header is useful if you are rerouting a copy of the message to another recipient. In this case, you are changing the recipient address, but the new recipient wants to know the address of the original envelope recipient. They can see the original envelope recipient by checking the X-Gm-Original-To header in the message.

Add X-Gm-Spam header

Messages that are routed through Gmail are automatically filtered for spam. By clicking the Add X-Gm-Spam header check box, you also add a special header tag to indicate the spam status of the message:

  • The number 0 in the header indicates a message is not spam: X-Gm-Spam: 0
  • The number 1 indicates that a message is spam: X-Gm-Spam: 1

When you choose this option, an administrator at a downstream server can set up rules that handle spam differently from clean mail.
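A downstream server can act on the X-Gm-Original-To and X-Gm-Spam headers as follows. This is an added example, not part of the original page or Google's code; the triage function, the folder names, and the review fallback are assumptions, and it assumes the server accepts mail only over the Gmail route so that the headers can be trusted.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed message as a downstream server might receive it after Gmail
# rerouted it; sender@example.com is a made-up address.
RAW = """\
From: sender@example.com
To: jjsmith@solarmora.com
Subject: [Confidential] Monthly report
X-Gm-Original-To: jjsmith@solarmora.com
X-Gm-Spam: 1

Body text.
"""

def triage(raw, envelope_rcpt):
    """Return (folder, original_recipient) for a message relayed by Gmail."""
    msg = message_from_string(raw)
    spam_values = msg.get_all("X-Gm-Spam", [])
    original = msg.get_all("X-Gm-Original-To", [])
    # Exactly one well-formed header is expected. A missing or duplicated
    # header, or a value other than 0 or 1, is held for review instead of
    # being treated as clean.
    if len(spam_values) != 1 or spam_values[0].strip() not in ("0", "1"):
        folder = "review"
    else:
        folder = "quarantine" if spam_values[0].strip() == "1" else "inbox"
    # Without the header the recipient was not changed upstream, so the
    # envelope recipient is already the original one.
    addr = parseaddr(original[0])[1] if len(original) == 1 else ""
    return folder, (addr or envelope_rcpt).lower()

if __name__ == "__main__":
    print(triage(RAW, "archive@example.com"))
```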

Add custom headers

You can add one or more custom headers to messages that are affected by a Receiving routing, Sending routing, or other setting. For example, you can add a header that matches the description that you entered for the setting. This can be helpful for analyzing why a message was routed in a certain way, or why a filter was triggered.

Prepend custom subject

You can enter a string to prepend to the subject of messages. For example, if you enter the word Confidential in this field, message recipients might see the following subject: [Confidential] Monthly report

Change route

This option enables you to change the destination of the message. By default, the Gmail mail server is the primary delivery. However, you can change the delivery -- for example, by routing mail to an on-premise mail server such as Microsoft Exchange.

Before you can change the primary delivery, you must first add mail routes on the Hosts tab. The routes that you add on the Hosts tab are then visible in the Select a route drop-down list.

Change envelope recipient

To change the envelope recipient, click the radio button next to the Replace recipient field, and enter the user's email address -- for example, jjsmith@solarmora.com.

Changing the envelope recipient for a message on the primary delivery is equivalent to forwarding a message to a different recipient. You can also change the envelope recipient on the additional (secondary) delivery, which is equivalent to a "bcc".

Add more recipients

Select the Add more recipients check box to set up additional (or secondary) deliveries for dual delivery or multiple delivery.

Choose Basic from the drop-down list to add individual email addresses, and then click Save. You can add multiple recipient addresses by clicking the Add button.

Choose Advanced from the drop-down list to choose advanced options for your secondary delivery. Similar to the settings that you modified for the primary delivery, you can change the envelope recipient, add headers, prepend a custom subject, and remove attachments for the secondary deliveries.

Note: Any settings that you configure for the primary delivery will also affect the secondary deliveries. For example, if you change the envelope recipient, prepend a custom subject, and add custom headers to the primary delivery, the same configuration is applied to the secondary deliveries.

Remove attachments

Select this option if you want to remove any attachments from messages. Optionally, you can append text to notify recipients that attachments were removed.

4. Options

Click the Options check box to allow messages from a specific set of addresses or domains to bypass an Attachment compliance setting. A message from these addresses or domains is delivered even when the message matches the conditions of an Attachment compliance setting (note that other settings may still cause the message to be blocked).

To create a list of addresses or domains that bypass the Attachment compliance setting:

  1. Click the Bypass this setting check box on the Options section.
  2. Click Add or create a new one.
  3. Select the name of an existing list, or enter a custom name for a new list in the Create new list field, and then click Create.
  4. Move your pointer over the list name, and then click Edit.
  5. To add email addresses or domains to the list, click Add.
  6. Enter an email address or the domain name (for example, solarmora.com).

    Note: Click Do not require sender authentication if you want to bypass the Attachment compliance setting for approved senders that do NOT have authentication such as SPF or DKIM enabled. Use this option with caution as it can potentially lead to spoofing.

  7. Click Save, and click Add again if you want to include additional email addresses or domains in the list.

Note: When you are finished, be sure to click Add setting at the bottom of the dialog box, and then click Save changes at the bottom of the Email settings page to confirm your changes.

Messages with archive attachments

Gmail scans the filenames of files inside archives, including encrypted archives and nested non-encrypted archives. However, the inner archives of an encrypted archive cannot be scanned.
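What a filename scan can and cannot see in a ZIP attachment, as an added Python example that is not Gmail's scanner: entry names stay readable when an entry is flagged as encrypted, but its content cannot be opened, so an archive nested inside it is never listed. The function names and the depth limit are assumptions, and mark_encrypted only sets the flag bit on a constructed archive as a stand-in for a password-protected one.

```python
import io
import zipfile

def archive_member_names(data, depth=0, max_depth=3):
    """List file names inside a ZIP, descending into nested non-encrypted ZIPs."""
    names = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            names.append(info.filename)              # names come from the directory
            encrypted = bool(info.flag_bits & 0x1)   # bit 0: entry is encrypted
            if encrypted or info.is_dir() or depth >= max_depth:
                continue                             # content is not opened
            inner = zf.read(info)
            if zipfile.is_zipfile(io.BytesIO(inner)):
                names += archive_member_names(inner, depth + 1, max_depth)
    return names

def make_zip(members):
    """Build a constructed in-memory ZIP from a {name: bytes} mapping."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()

def mark_encrypted(data):
    """Set the 'encrypted' flag on a single-entry ZIP (constructed stand-in;
    the standard library cannot write real password-protected archives)."""
    raw = bytearray(data)
    central = raw.rfind(b"PK\x01\x02")  # central directory header of the entry
    raw[6] |= 0x01                      # flag field in the local file header
    raw[central + 8] |= 0x01            # flag field in the central directory
    return bytes(raw)

if __name__ == "__main__":
    outer = make_zip({"docs.zip": make_zip({"setup.exe": b"constructed"})})
    print(archive_member_names(outer))                  # nested name is listed
    print(archive_member_names(mark_encrypted(outer)))  # only the outer entry
```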

File types and file extensions

You can configure an Attachment compliance setting to look for matches based on specific file types -- for example, Office documents, Video and multimedia, Music and sound, Images, and Executables. You can also enter Custom file types to look for matches based on specific file extensions -- for example, exe, bat, and cmd.

See Add expressions that describe the content you want to search for in each message for step-by-step instructions.

Common file extensions are shown below, including the file types in which they are classified:

Office documents
cpr, cwk, cws, dcx, doc, dot, fax, fp, fp3, frm, gim, gix, gna, gnx, gra, mcw, mdb, mdn, met, mpp, obd, pdf, pps, ppt, pre, prs, rtf, shb, shw, wb1, wb2, wdb, wk1, wk3, wk4, wks, wp, wpw, wp4, wp5, wp6, wpd, wps, wpt, wq1, wq2, wri, ws1, ws2, ws3, ws4, ws5, ws6, ws7, wsd, xls, xlt, docm, docx, dotm, dotx, potm, potx, ppam, ppsm, ppsx, pptm, pptx, xlam, xlsb, xlsm, xlsx, xltm, xltx

Video and multimedia
avi, cfb, cmv, dir, gal, m3d, mmm, mov, mpe, mpeg, mvb, qt, qtm, xtp, xy3, xy4, xyp, xyw, mpg, wmv

Music and sound
aif, aiff, ams, cda, dcr, dsm, idd, it, mdl, med, mid, mp3, mtm, mod, mus, nsa, ra, ram, rm, rmi, rtm, snd, stm, svx, s3m, ult, voc, wav, wow, asf

Images
ai, art, att, bmp, cal, cdr, cdt, cdx, cmf, cmp, dib, drw, emf, eps, fh3, fif, fpx, gem, icb, iff, ima, img, jbf, jff, jif, jtf, kdc, kfx, lbm, mac, mic, pbm, pcd, pcs, pct, pcx, pgm, pic, pif, pnt, ppm, ps, psd, ras, raw, sct, sdr, sdt, sep, shg, tga, tif, tiff, vda, vst, wil, wmf, wpg, wvl, html, jpeg, jpg, gif, png

Compressed and archive file formats
7z, ace, bz, bz2, cab, gz, hex, hqx, lzh, rar, sea, sit, tar, tgz, uue, zip, zoo

Executables
exe, ini, ins, iw, class, js, scr, vbs, com, pif, cpl, fon, asp, bat, cmd, hta, jse, shs, vb, vbe, ws, wsc, wsf, wsh