Set up rules for content compliance

Administrators can set up rules to handle messages that contain content that matches one or more expressions.      

For example, you can:

  • Reject outbound messages that might contain sensitive company information, such as when your outbound filter detects the word “confidential.”

  • Set up a metadata match on a range of IP addresses, and quarantine messages from IP addresses that are outside of the range.
  • Route messages with content that matches specific text strings or patterns to your legal department.

Dynamic email: If you use content compliance rules and dynamic email for your organization, learn how compliance rules are applied to dynamic messages.

Compliance rules

Content compliance rules are based on predefined sets of words, phrases, text patterns, or numerical patterns. You can set up simple, advanced, and metadata matches.

You can also set up a predefined content match. This feature is only available with G Suite Enterprise.

Content compliance supports scanning text attachments and common attachment types, such as .doc, .xls, and .pdf, as well as non-ASCII characters. Both simple content and advanced content matches that apply to message body text also apply to text extracted from attachments.

Gmail attempts to convert binary attachments, such as Microsoft Word documents, to text. Any rule that applies to the message body text also applies to the converted text. Learn more about setting up rules for attachment compliance.

Compliance actions

When a message matches a content compliance rule, you can:

  • Reject it
  • Quarantine it
  • Deliver it with modifications

How rules are applied

Unless you change the options, the rules apply to all users in an organizational unit. In a child organization, you can disable any rules it inherits from a parent organization. You can also add multiple rules to each organization.

When you set up multiple rules, what happens to a message depends on the conditions you set and which rule has precedence. For details, see How multiple settings affect message behavior.

Enhance message security with hosted S/MIME

You can improve message security with S/MIME. For example, set up a rule that requires S/MIME encryption for outgoing messages. Set this rule up with the Encryption option, described under Step 3 below.

You can also use S/MIME-related metadata attributes in expressions. Do this by defining a metadata match when you add one or more expressions to specify what's searched.

For an overview, see Enhance message security with hosted S/MIME.

This feature is only available with G Suite Enterprise and G Suite Enterprise for Education.

Set up a content compliance rule

Initial step: Go to Gmail compliance settings in the Google Admin console

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. From the Admin console Home page, go to Apps > G Suite > Gmail > Compliance.

    Note: You might find this setting at Apps > G Suite > Gmail > Advanced Settings.

  3. (Optional) On the left, select the organization.

  4. Scroll to the Content compliance setting in the Compliance section, hover over the setting, and click Configure. If the setting is already configured, hover over the setting and click Edit or Add another.

  5. For each new setting, enter a unique description.

  6. Go to the next step to configure the setting.

Step 1: Enter email messages to affect

You can set up the rule for inbound, outbound, or internal messages. Internal messages are sent and received within the domains and subdomains associated with your organization.

  1. Check the boxes next to the messages you want the rule to apply to.

  2. Go to the next step to continue.

Step 2: Add one or more expressions to specify what's searched

You can add up to 10 expressions, but you need to individually add and save them.

  1. From the list, specify whether any or all conditions must match to trigger what happens to the message. For example, if you select If ANY of the following match the message, any matching condition can trigger the consequence to the message.

  2. Click Add.

  3. From the list, choose the type of match you want to use for the expression:

    • Simple content match—Enter the content to match. Simple content matching works like the search function in Gmail. For example, if you search for “a word,” any string with “a” and “word” is returned, such as “a new and different word.”

    • Advanced content match—Select the Location of the text within the message and the Match type, and enter the content to search. Unlike simple content match, the string must be an exact match. See the tables below for a description of each location within the message and the match types.

    • Metadata match—Select the attribute to match and the Match type. If needed, enter the Match value. See the table below for a description of metadata attributes and match types.

    • Predefined content match—Select one of the predefined content detectors, such as Credit Card Number or Social Security Number (for US). Optionally, you can set the number of times the detector must appear in a message to trigger the action you define. You can also trigger the action if the detector in the message meets a confidence threshold. For details, see Scan your email traffic using data loss prevention. This feature is available with G Suite Business and Enterprise editions.

  4. Click Save. You might need to scroll to see the new expression.

  5. Go to the next step to continue.

Advanced content match location

Location Description

Headers and body

The full headers plus the body. Includes attachments (MIME parts decoded).

Full headers

All header fields. Doesn't include the message body or attachments.

Body

The main text portion of the email message. Includes attachments (MIME parts decoded).

Subject

The subject of the message as present in the email header.

Sender header

The sender's email address as reported in the From: header. It can be different than the sender reported in the Envelope sender.

The sender header consists of the email address, located within the angle brackets, and does not include the account name.

For example, consider:

From: Jane Doe <jdoe@example.com>

The sender header is jdoe@example.com.

Note: During message delivery, the left side of @gmail.com and @googlemail.com addresses is converted to the canonical representation. For example, jane.doe@gmail.com is converted to janedoe@gmail.com.  Therefore, if you intend to match messages containing either jane.doe@gmail.com, or janedoe@gmail.com in the From: header, you should exclude the dot from your content match pattern. See Dots don't matter in Gmail addresses for more on how dots are handled by Gmail.

Recipients header

The recipient or recipients as reported in the email headers, To:, Cc:, and Bcc:. This can be different from the recipients reported in Any envelope recipient.

This compares only one recipient at a time. If there are 2 or more recipients, the advanced content rule does not match against all of the recipients in one string. To set up a rule for messages sent to multiple users, use Full headers.

Full headers do not include the email addresses of Bcc: recipients. So, rules based on the number of recipients in the full header might not be applied for all recipients when some recipients are Bcc:.

The recipient header consists of the email address, located within the angle brackets, and does not include the account name.

For example, consider:

To: Jane Doe <jdoe@example.com>
Cc: John Doe <johndoe@example.com>
Bcc: John Smith <jsmith@example.com>

The recipient headers are jdoe@example.com, johndoe@example.com, and jsmith@example.com.

Envelope sender

The original sender that was reported during the SMTP communication request. It can be different from the sender reported in the Sender header. It often, but not always, matches the address found in the “Return-path” header.

Any envelope recipient

The recipient or recipients that were reported during the SMTP communication request. These can be different from the recipients reported in the Recipient header. This can include individuals added as part of a group expansion.

This compares only one recipient at a time. If there are 2 or more recipients, the advanced content rule does not match against all of the recipients in one string.

Raw message

The full headers plus the body, including all attachments and other MIME parts of the message. MIME parts are not decoded. This is equivalent to the RFC 2822 message bytes.

Advanced content match type

Match type Description

Starts with

Searches the selected location for content that starts with the specified character or string.

Ends with

Searches the selected location for content that ends with the specified character or string.

Contains text

Searches the selected location for content that contains the specified string.

Not contains text

Searches the selected location for content that does not contain the specified string.

Equals

Searches the selected location for content that exactly matches the specified string.

Is empty

Searches the selected location for content that is empty.

Matches regex

Searches the selected location for content that matches the specified regular expression. See About regex matching, below.

Not matches regex

Searches the selected location for content that does not match the specified regular expression. See About regex matching, below.

Matches any word

Searches the selected location for content that matches any word in the specified list of words.

Matches all words

Searches the selected location for content that matches all words in the specified list of words.

About regex matching

You use the Matches regex and Not matches regex advanced content match types to set up content compliance rules that use regular expressions.

What is regex?

A regular expression, also called a regex, is a method for matching text with patterns. For example, a regex can describe a pattern of email addresses, URLs, telephone numbers, employee identification numbers, social security numbers, or credit card numbers.

To learn more about regular expressions, see:

Note: Each regex expression in a content compliance rule is limited to 10,000 characters.

Why is the match location important?

It’s important to select the appropriate match location for your use case when formulating your regex. The match location (see table above) specifies which component of the message to scan for matches.

For certain match locations, the content to match is split into pieces before being scanned by the regex. For example:

  • Recipients header: The To:, Cc:, and Bcc: fields of a message header are split into individual email addresses that are compared one at a time against the regex pattern. So if you wanted to detect messages sent to 5 or more users, the Recipients header match location wouldn't work. Instead, you could select Full headers and enter a regex pattern that requires at least five @ signs in the To: field, like this: ^To: [^@]*(?:@[^@]*){5}
  • Full headers: Scanning across multiple message header fields isn't supported; instead, each header field is compared one at a time against the regex. For example, the To: field is examined as one string and the Cc: field is examined as another string. This means you can't create a single regex expression intended to span the To: and Cc: fields at the same time.

Note: If a single field, such as "Authentication Results," spans multiple lines, the regex can scan across those lines, but the spacing at the beginning of each line is stored as part of that field. You must therefore account for spaces with a wildcard or explicitly in the expression.

What's the minimum match count option?

When you set up a content compliance rule to match a regex, you enter the regex and two optional fields: a description of the regex and a minimum match count.

The minimum match count option specifies the number of times the regex must appear in the match location to trigger the rule’s action. For example, if you enter 2, the regex pattern must appear at least 2 times in the match location to trigger any action on the message.
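As an added illustration that is not part of Google's documentation, the following Python model shows how the Recipients header, Full headers and Sender header locations are split into pieces before a Matches regex expression and its minimum match count are applied. It reproduces the behaviour described above (one address per piece, one header field per piece with folded lines kept, and dot removal for @gmail.com local parts) on a constructed sample message; the sample addresses and header values are assumptions.

```python
import re
from email.utils import getaddresses

# Constructed sample message (not taken from the page): five To: recipients and an
# Authentication-Results field folded over three lines.
RAW_MESSAGE = (
    "From: Jane Doe <jane.doe@gmail.com>\n"
    "To: A <a@example.com>, B <b@example.com>, C <c@example.com>, "
    "D <d@example.com>, E <e@example.com>\n"
    "Cc: F <f@example.com>\n"
    "Authentication-Results: mx.example.net;\n"
    "  spf=pass smtp.mailfrom=example.com;\n"
    "  dkim=pass header.d=example.com\n"
    "Subject: Monthly report\n"
    "\n"
    "Body text.\n"
)


def split_header_fields(raw):
    """Return each header field as one 'Name: value' string. Folded continuation
    lines stay attached verbatim, leading whitespace included, which is why a
    Full headers regex must allow for that whitespace."""
    fields = []
    for line in raw.split("\n\n", 1)[0].split("\n"):
        if line[:1] in (" ", "\t") and fields:
            fields[-1] += "\n" + line  # continuation line of the previous field
        else:
            fields.append(line)
    return fields


def field_values(fields, name):
    """Values of every header field named `name` (case-insensitive)."""
    prefix = name.lower() + ":"
    return [f.split(":", 1)[1].strip() for f in fields if f.lower().startswith(prefix)]


def canonicalize(address):
    """Drop dots from the local part of @gmail.com / @googlemail.com addresses,
    the canonical form the Sender and Recipients headers are compared in."""
    local, _, domain = address.rpartition("@")
    if domain.lower() in ("gmail.com", "googlemail.com"):
        local = local.replace(".", "")
    return f"{local}@{domain}".lower()


def match_locations(raw):
    """Build the pieces each advanced match location is scanned as: one bare address
    per piece for Sender/Recipients header, one header field per piece for Full
    headers (so no single regex can span To: and Cc:)."""
    fields = split_header_fields(raw)
    recipient_fields = (field_values(fields, "To") + field_values(fields, "Cc")
                        + field_values(fields, "Bcc"))
    return {
        "Full headers": fields,
        "Subject": field_values(fields, "Subject"),
        "Sender header": [canonicalize(a) for _, a in getaddresses(field_values(fields, "From"))],
        "Recipients header": [canonicalize(a) for _, a in getaddresses(recipient_fields)],
    }


def matches_regex(raw, location, pattern, minimum_count=1):
    """Evaluate a 'Matches regex' expression with the minimum match count option:
    pieces are scanned one at a time, and the rule fires if any single piece
    contains the pattern at least `minimum_count` times."""
    regex = re.compile(pattern, re.MULTILINE)
    return any(len(regex.findall(piece)) >= minimum_count
               for piece in match_locations(raw)[location])


if __name__ == "__main__":
    five_at_signs = r"[^@]*(?:@[^@]*){5}"
    # Recipients header: one address per piece, so five '@' are never seen together.
    print(matches_regex(RAW_MESSAGE, "Recipients header", "^" + five_at_signs))  # False
    # Full headers: the whole To: field is one string, so the count works there.
    print(matches_regex(RAW_MESSAGE, "Full headers", "^To: " + five_at_signs))  # True
    # Header fields are separate pieces: a pattern spanning To: and Cc: cannot match.
    print(matches_regex(RAW_MESSAGE, "Full headers", r"^To: .*\nCc:"))  # False
    # Folded field: leading spaces on continuation lines must be accounted for.
    print(matches_regex(RAW_MESSAGE, "Full headers", r"^Authentication-Results: .*\nspf=pass"))  # False
    print(matches_regex(RAW_MESSAGE, "Full headers", r"^Authentication-Results: .*\n\s+spf=pass"))  # True
    # Minimum match count is counted within one piece (the To: field has five).
    print(matches_regex(RAW_MESSAGE, "Full headers", r"@example\.com", minimum_count=5))  # True
    print(matches_regex(RAW_MESSAGE, "Full headers", r"@example\.com", minimum_count=6))  # False
    # Dots in a gmail.com local part are removed before the Sender header is compared.
    print(matches_regex(RAW_MESSAGE, "Sender header", r"^janedoe@gmail\.com$"))  # True
```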

Metadata attributes and match types

The attribute and available match type combinations include the following:

Attribute Match type Description

Message authentication

  • Message is authenticated
  • Message is not authenticated

Select this option to include messages that are or aren't authenticated in your compliance expression.

This attribute follows the DMARC standard. A message is authenticated if 1) SPF passes and the envelope sender domain aligns with the header From domain, or 2) the DKIM check passes for the header From domain. Otherwise, the message is considered unauthenticated.
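To make that rule concrete, here is an added Python example (not Google's code) that applies the same two conditions to a parsed Authentication-Results header value. The sample header values are constructed, and the relaxed (subdomain) notion of alignment is an assumption, since the page says only that the domains must align.

```python
# Constructed Authentication-Results header values (not from the page). The first
# clause is the authserv-id, followed by one "method=result properties" clause each.
SAMPLES = {
    "spf_aligned": "mx.example.net; spf=pass smtp.mailfrom=bounce.solarmora.com; dkim=none",
    "dkim_aligned": ("mx.example.net; spf=pass smtp.mailfrom=mailer.esp-example.com; "
                     "dkim=pass header.d=solarmora.com"),
    "spf_misaligned": "mx.example.net; spf=pass smtp.mailfrom=mailer.esp-example.com; dkim=none",
    "dkim_fail": ("mx.example.net; spf=fail smtp.mailfrom=solarmora.com; "
                  "dkim=fail header.d=solarmora.com"),
}


def parse_auth_results(value):
    """Split an Authentication-Results value into (method, result, properties)."""
    results = []
    for clause in value.split(";")[1:]:  # clause 0 is the authserv-id
        tokens = clause.split()
        if not tokens:
            continue
        method, _, result = tokens[0].partition("=")
        props = dict(t.split("=", 1) for t in tokens[1:] if "=" in t)
        results.append((method.lower(), result.lower(), props))
    return results


def aligned(domain, header_from_domain):
    """Relaxed alignment: the domain equals the header From domain or is a
    subdomain of it. Assumption: the page says 'aligns' without naming a mode."""
    domain, header_from_domain = domain.lower(), header_from_domain.lower()
    return bool(domain) and (domain == header_from_domain
                             or domain.endswith("." + header_from_domain))


def is_authenticated(auth_results_value, header_from_domain):
    """The page's rule: SPF passes with an aligned envelope sender domain, or DKIM
    passes for the header From domain. Anything else is unauthenticated."""
    for method, result, props in parse_auth_results(auth_results_value):
        if method == "spf" and result == "pass":
            # smtp.mailfrom may be a full address or a bare domain; keep the domain.
            mailfrom_domain = props.get("smtp.mailfrom", "").rpartition("@")[2]
            if aligned(mailfrom_domain, header_from_domain):
                return True
        if method == "dkim" and result == "pass":
            if aligned(props.get("header.d", ""), header_from_domain):
                return True
    return False


if __name__ == "__main__":
    for name, value in SAMPLES.items():
        print(name, is_authenticated(value, "solarmora.com"))
```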

Source IP

  • Is within the following range

  • Is not within the following range

Select this option to include messages that do or don't fall within the specified IP range in your compliance expression. Enter the range in the field.

Secure transport (TLS)

  • Connection is TLS encrypted

  • Connection is not TLS encrypted

Select this option to include received messages that are or aren't TLS-encrypted in your compliance expression.

S/MIME encryption

  • Message is S/MIME encrypted

  • Message is not S/MIME encrypted

Select this option to include messages that are or aren’t S/MIME encrypted.

This feature is only available with G Suite Enterprise and G Suite Enterprise for Education.

S/MIME signature

  • Message is S/MIME signed

  • Message is not S/MIME signed

Select this option to include messages that are or aren’t S/MIME signed.

This feature is only available with G Suite Enterprise and G Suite Enterprise for Education.

Message size

  • Is greater than the following (MB)

  • Is less than the following (MB)

Select this option to include messages greater or less than the specified size in your compliance expression. Enter the message size in MB in the field.

Note: This is the raw size of the entire message, which may be up to 33% larger than the native size of the message and attachments due to normal encoding overhead. 

Gmail confidential mode

  • Message is in Gmail confidential mode

  • Message is not in Gmail confidential mode

Select this option to include messages that are or aren't Gmail confidential mode messages.

Spam

  • Malware detected from security sandbox

Select this option to include messages that have been identified by Security Sandbox as having a malware attachment.

This feature is only available with G Suite Enterprise and G Suite Enterprise for Education.

Step 3: Specify what happens if expressions match

  1. Specify whether to modify, reject, or quarantine a message when conditions are met. (Details below.)

  2. Configure the options for the action you choose.

  3. (Optional) Click Show options to configure additional options to limit the application of this setting. See Configure additional parameters, below, for details.

  4. Go to Save the configuration.

Reject message

Rejects the message before reaching the recipient. You can enter a message to notify the sender about why the message was rejected. For matching messages, no other routing or compliance rules are applied. 

Note: Gmail automatically adds an SMTP rejection code, such as 550 5.7.1. This is a requirement of the SMTP standard and can't be deleted.

Quarantine message

Sends the message to an admin quarantine where you can review the message before you send or reject it. This option is only available for the Users account type. For details, see Account types to affect.

To notify your users when their sent messages are quarantined, check the Notify sender when mail is quarantined (onward delivery only) box.

Modify message

Add headers, remove attachments, change the envelope recipient, add more recipients, and change the route. For details, see Options for modifying messages.
 
Note: We recommend that you use the routing settings for the specific use cases they are intended to support. For example, you can set up the same routing options by using a Content compliance setting or a Routing setting. Use a Content compliance setting for content-related use cases, and a Routing setting for general routing-related use cases, such as dual delivery. Learn about mail routing, including use cases and examples.

Controls

Add X-Gm-Original-To header

Add a header tag if the recipient is changed. When you do, the downstream server will know the original envelope recipient. An example of the header tag format is X-Gm-Original-To: user@solarmora.com.

Add X-Gm-Spam and X-Gm-Phishy headers

Add headers to indicate the spam and phishing status of the message. For example, an administrator at a downstream server can use this information to set up rules that handle spam and phishing differently from clean mail. For details, see Add spam headers setting to all default routing rules.

Add custom headers

You can add custom headers to messages that are affected by this setting. For example, you can add a header that matches the description that you entered for the setting. This can help you analyze why a message was routed in a certain way or why a rule was triggered.

Prepend custom subject

You can enter a string to add to the beginning of the subject of applicable messages. For example, you could enter Confidential in this field for sensitive emails. If a message triggers the rule and its subject is Monthly report, recipients will see the following subject: [Confidential] Monthly report.

Change route and Also reroute spam

  • Change route—You can change the destination of the message from the default Gmail server to a different mail server, such as Microsoft® Exchange.

    Note: Before you can change the route, you need to add the new route in the Admin console. For details, see Add mail routes for advanced Gmail delivery.

  • Also reroute spam—This option is available if you select Change route. Blatant spam is dropped instantly at delivery time. However, check the Also reroute spam box to route any additional email you mark as spam.

    Leaving the box unchecked reroutes normal messages, but not spam. G Suite email settings (for example, a list of preauthorized senders) override spam settings.

Change envelope recipient

The message bypasses the original recipient’s mailbox and goes to the new recipient.

You can change the envelope recipient in one of the following ways:

  • Replace the recipient’s entire email address—After Replace recipient, enter the full email address, such as user@solarmora.com.
  • Replace the username—To change just the username of the recipient's email address and keep the domain the same, before @existing-domain, enter the username, such as user.
  • Replace the domain—To change just the domain of the recipient's email address and keep the username the same, after existing-username@, enter the domain, such as solarmora.com.

An MX lookup on the new recipient's domain determines the destination server. Or, if you’re using the Change route control, the specified route determines the destination server.

If you'd rather Bcc an additional recipient, use the Add more recipients option, described below.

Bypass spam filter for this message

Deliver incoming messages to recipients even if the spam filter identifies them as spam. This option applies only to incoming messages. You can't bypass spam filters for outgoing messages.

Note: This option is not available for the Groups account type. For details, see Account types to affect.

Remove attachments from message

You can remove any attachments from messages. You can also append text to notify recipients that attachments were removed.

Add more recipients

  1. To set up dual or multiple delivery, check the Add more recipients box, and then click Add.
  2. To add individual email addresses, select Basic from the list, and then click Save.
  3. (Optional) To add more addresses, click Add.
  4. (Optional) To choose advanced options for your secondary delivery, select Advanced from the list.

    You can change the envelope recipient, add headers, prepend a custom subject, and remove attachments for secondary deliveries.

When you add recipients, consider that:

  • Each rule has a limit of 100 additional recipients.
  • Settings for the primary delivery also apply to the secondary deliveries.
  • For secondary deliveries, the Do not deliver spam to this recipient and Suppress bounces from this recipient boxes are checked by default.
  • Adding additional recipients creates a message for each added recipient. Advanced Gmail settings apply to each message.

Encryption (onward delivery only)

By default, Gmail tries to deliver messages using Transport Layer Security (TLS). If secure transport isn’t available, the message is delivered over a nonsecure connection.

To require all messages meeting the conditions in the setting to be transmitted through a secure connection, check the Require secure transport (TLS) box. If TLS isn't available on the sending or receiving side, the message won't be sent.

If you have a G Suite Enterprise or Enterprise for Education account, you can also bounce messages or require that messages can only be sent if they are S/MIME encrypted. For details, go to Enhance message security with hosted S/MIME.

Note: This feature is only available with G Suite Enterprise and G Suite Enterprise for Education.

Configure additional parameters

To set up additional options for a routing policy, such as creating address lists or choosing the account types it will affect, at the bottom, click Show options.

Address lists

You can specify address lists as criteria for whether to bypass or apply a given setting. Address lists can contain email addresses, domains, or both.

There are two methods used to determine if the address list is matched. If multiple lists are specified, the address must match at least one of the lists:

  • Correspondent (default): G Suite considers the "from" field for received mail and the recipients for sent mail. For senders, the authentication requirement is also checked (details below).
  • Recipient: G Suite always checks to see if the recipients are present in address lists.

The options for whether to bypass or apply a given setting are:

  • Bypass this setting for specific addresses / domains—Skips the setting entirely if the address list matches, regardless of any other criteria specified in the setting.
  • Only apply this setting for specific addresses / domains—The address list match becomes a condition for whether the setting is applied. If there are other criteria in the setting, such as match expressions, account types, or envelope filters, those conditions must also match for the setting to be applied.

To use address lists to control application of this setting:

  1. In the Options section, check the Use address lists to bypass or control application of this setting box.
  2. Select one of the options:

    • Bypass this setting for specific addresses / domains
    • Only apply this setting for specific addresses / domains
  3. Click Use existing or create a new one.
  4. Select the name of an existing list, or, to create a new one, enter a custom name for a new list in the Create new list field, and then click Create.
  5. Move the pointer over the list name, and click Edit.

  6. To add email addresses or domains to the list, click Add .

  7. Enter a full email address or domain name, such as solarmora.com. Or, to add a list in bulk, click Add and enter a comma- or space-delimited list of addresses.

    Note: If you want to bypass this setting for approved senders that don't have authentication, uncheck the Require sender authentication box. Use this option with caution as it can potentially lead to spoofing. Learn more about sender authentication.

  8. Click Save.

  9. To include additional email addresses or domains in the list, repeat steps 5 to 7.

  10. When you're done, go to Account types to affect.

Learn more about address lists, including how to search, or view all entries in the list, and how addresses are matched against the address lists.

Account types to affect (Required)

Depending on the message action you chose and the type of organizational unit you’re configuring, some account types might not be available.

Select one or more account types that the setting applies to: 

  • Users (default)—The setting applies to provisioned G Suite users. For sending and outbound mail, the setting is triggered when your users send email. For receiving and inbound mail, the setting is triggered when your users receive email.
  • Groups—The setting applies to groups set up in your organization. For sending and outbound mail, the setting is triggered when your groups forward email or summaries to members. For receiving and inbound mail, the setting is triggered when your groups receive email.
  • Unrecognized/Catch-all—The setting is triggered when your organization receives email that doesn’t match one of your provisioned G Suite users. This selection only applies to received and inbound email.

Note: The Groups and Unrecognized/Catch-all account types don’t apply to these controls:

  • Add X-Gm-Spam and X-Gm-Phishy headers
  • Bypass spam filter for this message
  • Also reroute spam

When you're finished, go to Add and save the setting.

Envelope filter

You can choose to affect only specific envelope senders and recipients. You can specify a single recipient, a number of users using a regular expression, or email groups.

To set up an envelope filter:

  1. Check one or both of these options:
    • Only affect specific envelope senders
    • Only affect specific envelope recipients
  2. From the list, choose an option:
    • Single email address—Enter the complete email address for a user.
    • Pattern match—Enter a regular expression to specify a set of senders or recipients in your domain. For example:

      ^(?i)(user1@solarmora\.com|user2@solarmora\.com|user3@solarmora\.com)$

      For details, go to Guidelines for using regular expressions.

    • Group membership—Select one or more groups in the list. For envelope senders, this option only applies to sent mail. For envelope recipients, it only applies to received mail. If you haven't already, create the group first.

When you're finished, go to Save the configuration.

Save the configuration

Final step: Add and save the setting

  1. Click Add setting or Save.

    The new settings appear on the settings page.

  2. At the bottom, click Save.

Define rules to handle confidential mode messages

How confidential mode messages are interpreted

You can specify what action to take on incoming or outgoing Gmail confidential mode messages by creating one or more compliance rules. For example, you can use compliance rules to block incoming messages to your domain. 

How compliance rules trigger on messages 

  • Outgoing messages sent using confidential mode are affected by any content compliance settings or rules you’ve defined for message subject, body, and attachments. 
  • Outgoing messages associated with a compliance rule to remove attachments are rejected, and the sender receives a bounce message. 

  • Incoming messages in confidential mode are checked, but only the message header is scanned. 

How confidential messages are quarantined 

  • Outgoing messages in confidential mode do not go to the Admin quarantine; they are rejected and the sender receives a bounce message.
  • Incoming messages in confidential mode go to the Admin quarantine, but only the message header is scanned. 

Create a compliance rule to block incoming messages

The instructions in this section show you how to create a compliance rule to block incoming messages in confidential mode to your domain. For detailed information about creating compliance rules for all types of content, see Set up rules for content compliance.      

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. From the Admin console Home page, go to Apps > G Suite > Gmail > Compliance.

    Note: You might find this setting at Apps > G Suite > Gmail > Advanced Settings.

  3. In the Compliance section, scroll to Content compliance.
  4. Hover over the Content compliance setting and click Configure. If you previously set compliance rules for other types of mail, hover over any rule and click Add another.

    The Add setting dialog box appears. Enter a name, select the message type to match, and define what action to take based on the message. 

  5. In the Add setting dialog box:
    • Enter a name for the rule.
    • Under Email messages to affect, check the Inbound box.
    • From Add expressions, choose If any of the following match the message.
    • In Expressions, click Add, and then select Metadata match.
    • From the Attribute drop-down, choose Gmail confidential mode, and for Match type, choose Message is in Gmail confidential mode.
    • Click Save.
  6. In the next section, which identifies what to do if the expressions match, choose Reject message.
  7. (Optional) Enter a customized rejection notice, which is returned to the sender.
  8. Click Add setting.

Related information

 Best practices for faster rules testing
