Duet AI is now Gemini for Google Workspace. Learn more

Let your users get S/MIME messages from trusted senders only

Restrict incoming S/MIME messages to authorized addresses & domains

Supported editions for this feature: Enterprise Plus, Education Plus.  Compare your edition

By default, people in your organization can exchange encrypted email messages with any email address that also uses encryption. However, you might want to restrict the addresses or domains that can send encrypted messages to your users. For example, you may want people in your organization to get encrypted messages only from domains or addresses that you trust.

To limit encrypted messages to addresses and domains that you authorize, use the Restrict delivery for S/MIME settings on the Compliance settings page. Your users get encrypted S/MIME messages only from addresses or domains you authorize in the setting. You can choose to either reject or quarantine incoming messages from unauthorized domains or addresses.

Incoming messages only: This setting applies to incoming messages from external senders, and doesn’t affect outgoing or internal messages.

Limit encrypted messages to authorized addresses & domains

To restrict delivery for encrypted messages in your organization, follow the steps below. This setting applies to messages encrypted with hosted S/MIME and with Client-side Encryption (CSE)

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in

  2. In the Admin console, go to Menu and then Appsand thenGoogle Workspaceand thenGmailand thenCompliance.
  3. On the left, select an organizational unit. The new setting applies to everyone in the organizational unit, and you can set up different restrictions for different organizational units.

  4. Scroll to the Restrict delivery for S/MIME setting, then click Configure or Add another rule.

  5. In the Add setting box, take these steps:
    Setting options What to do
    Restrict delivery for S/MIME Enter a descriptive name for the setting. You must enter a name to save your setting.
    Add addresses or domains that you want to allow

    Select one or more existing address lists, or create one or more new address lists.

    Select one or more address lists that contains the addresses or domains that you allow for email messages. Address lists let you apply Gmail settings to specific email addresses or domains. The address list you select for this setting should include the allowed email addresses and domains.

    Important: Gmail checks against the "From:" part of the message header, not the envelope sender (or Return-Path section of the message header). So, the "From:" sender must exactly match an address or domain in the address list.

    For all messages to or from other addresses and domains, take the following action:
    1. Click the menu  and select an action to take on messages from senders that aren't in an address list you selected:
      • Reject: Messages aren’t delivered to the recipient and the sender gets a bounce message.
      • Quarantine: Messages are delivered to Admin quarantine so you can review them. You can release these messages from quarantine and deliver them to the recipient, even if the message isn’t from an address or domain specified in this setting.
    2. (Optional) Enter a custom rejection notice. Incoming messages from an unauthorized domain or address result in a bounce message with this text.
  6. At the bottom of the Add setting box, click Save. Changes can take up to 24 hours but typically happen more quickly. Learn more
    You can track changes in the Admin console audit log.

Related topics

Enable hosted S/MIME for message encryption

Set up client-side encryption for Gmail

Was this helpful?

How can we improve it?
Clear search
Close search
Google apps
Main menu