
Set up policies for content compliance

You can set up policies to handle messages that contain content that matches one or more rules.

For example, you can route messages with specific content to your legal department. You do this by defining a new primary delivery—or by creating additional deliveries—that match specific text strings or patterns. For example, you can set up a content match on a word, such as "confidential," and then change the primary delivery to a server that supports encryption.

Compliance rules

Content compliance rules are based on predefined sets of words, phrases, text patterns, or numerical patterns. You can set up simple, advanced, and metadata matches. If you have G Suite Business, you can also set up a predefined content match.

Content compliance supports scanning text attachments and common attachment types, such as .doc, .xls, and .pdf, as well as non-ASCII characters. Both simple and advanced content matches that include BODY will include the extracted text from the attachments.

Compliance actions

When a message matches a content compliance policy, you can:

  • Reject it
  • Send it to the admin quarantine
  • Deliver it with modifications

For example, you can add a header to a message that indicates its spam and phishing status if it has content that matches a spam detection policy.

How settings are applied

Every setting applies to all users in an organizational unit. Users in child organizations inherit the settings you create for the parent organization. You can also add multiple attachment compliance settings to each organization.

Set up a compliance policy

Initial step: Go to Gmail advanced settings in the Admin console

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in

  2. From the Admin console dashboard, go to Apps > G Suite > Gmail > Advanced settings.

    Tip: To see Advanced settings, scroll to the bottom of the Gmail page.

  3. Scroll to the Content compliance section:

    • If the setting is Not configured yet, hover over the setting and click Configure.

    • If the setting is Locally applied or Inherited, hover over the setting and click Edit or Add another to edit or add one.

  4. For a new setting, enter a unique name.

Go to the next step to configure the setting.

Step 1: Enter email messages to affect

You can set up the policy for inbound, outbound, or internal messages. Internal messages are sent and received within the domains associated with your organization.

  1. Check the boxes next to the messages you want the policy to apply to.

  2. Go to the next step to continue.

Step 2: Add expressions to specify what's searched

You can add as many expressions as you want, but you need to individually add and save them.

  1. From the list, specify whether any or all conditions must match to trigger what happens to the message. For example, if you select If ANY of the following match the message, any matching condition can trigger the consequence to the message.

    Note: If an expression has multiple words in it, the message must contain the exact list of words to trigger the action or actions. For example, if you set up an expression with the words football betting pool, the word football doesn't result in a match. Only the complete string of words, football betting pool, results in a match.

  2. Click Add.

  3. From the list, choose the type of match you want to use for the expression:

    • Simple content match—Enter the content to match. Simple content matching functions like the search function in Gmail. For example, if you search for “a word,” any string with “a” and “word” is returned, such as “a new and different word.”

    • Predefined content match—Select one of the predefined content detectors, such as Credit Card Number or Social Security Number. Optionally, you can set the number of times the detector must appear in a message to trigger the action you define. You can also trigger the action if the detector in the message meets a confidence threshold. For details, see Use predefined content detectors for data-loss prevention.

      Note: The Predefined content match feature is available only with G Suite Business.

    • Advanced content match—Select the Location of the text within the message and the Match type, and then enter the content to search for. Unlike simple content match, the string must be an exact match. See the tables below for a description of each location within the message and the match types.

    • Metadata match—Select the attribute to match and the Match type. If needed, enter the Match value. See the table below for a description of metadata attributes and match types.

  4. Click Save. You might need to scroll to see it.

  5. Go to the next step to continue.

Advanced content match location

Location Description

Headers and body

The full headers plus the body.

Full headers

All of the headers present for the message except the envelope information present during SMTP communication.


Body

The main text portion of the email message.


Subject

The subject of the message as present in the email header.

Sender header

The sender's email address as reported in the headers in the email. It can be different than the sender reported in the Envelope sender.

Recipients header

The recipient or recipients as reported in the email headers, To, Cc, and Bcc.

Envelope sender

The original sender that was reported during the SMTP communication request. It can be different than the sender reported in the Sender header.

Any envelope recipient

Any and all envelope recipients for the message. This can include individuals added as part of a group expansion.

This compares only one recipient at a time. If there are 2 or more recipients, the advanced content rule does not match against all of the recipients in one string.

Raw message

The full headers plus the body, including all attachments and other MIME parts of the message.

Advanced content match type

Match Type Description

Starts with

Searches the selected location for content that starts with the specified character or string.

Ends with

Searches the selected location for content that ends with the specified character or string.

Contains text

Searches the selected location for content that contains the specified text.

Not contains text

Searches the selected location for content that does not contain the specified text.


Searches the selected location for content that exactly matches the specified text.

Is empty

Searches the selected location for content that is empty.

Matches regex

Searches the selected location for content that matches the specified regular expression. See About regex matching below.

Not matches regex

Searches the selected location for content that does not match the specified regular expression. See About regex matching, below.

Matches any word

Searches the selected location for content that matches any word in the specified list of words.

Matches all words

Searches the selected location for content that matches all words in the specified list of words.

About regex matching

The Matches regex and Not matches regex match types let you set up content compliance settings using regular expressions.

A regular expression, also called a regex, is a method for matching text with patterns. For example, a regex can describe the pattern of email addresses, URLs, telephone numbers, employee identification numbers, social security numbers, or credit card numbers.

You enter the regex, and optionally a description of the regex and minimum number of matches. Set the number of times the regex must appear in a message to trigger the action you define. For example, if you select 2, the regex pattern must appear at least 2 times in a message to trigger any action on the message. Duplicate appearances of the same regex don’t trigger the action.

Each regex is limited to 10,000 characters, and doesn't support scanning across multiple message header fields. For example, you can't create a regex that examines both a Date field and a From field in the same expression.

If a single field, such as "Authentication Results," spans multiple lines, the regex can scan across those lines, but the spacing at the beginning of each line is stored as part of that field. You must therefore account for spaces with a wildcard or explicitly in the expression.
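The folded-header caveat and the minimum-match count can be checked offline before a pattern goes into a setting. This is an added example, not part of the original article: Python's re module stands in for the setting's regex engine, the header and body text are constructed, and the duplicate rule is read as "identical matched strings count once", which is an assumption.

```python
import re

# Constructed sample: one Authentication-Results field folded across several
# lines. The whitespace that starts each continuation line is part of the field.
FOLDED_FIELD = (
    "Authentication-Results: mx.example.net;\r\n"
    "       dkim=pass header.i=@example.com;\r\n"
    "       spf=fail (sender not permitted)\r\n"
    "       smtp.mailfrom=bounce@example.org"
)

# Written as if the field were one line separated by single spaces.
NAIVE = r"spf=fail \(sender not permitted\) smtp\.mailfrom="
# Same intent, but any run of whitespace (including a line fold) is accepted.
FOLD_AWARE = r"spf=fail\s+\(sender\s+not\s+permitted\)\s+smtp\.mailfrom="

# Hypothetical employee-ID format used to illustrate the minimum match count.
EMPLOYEE_ID = r"\bEMP-\d{5}\b"
BODY_REPEATED = "Ticket for EMP-10442. Reminder: EMP-10442, again EMP-10442."
BODY_DISTINCT = "Please swap badges for EMP-10442 and EMP-20917."


def matches(pattern: str, text: str) -> bool:
    """True if the pattern occurs anywhere in the text."""
    return re.search(pattern, text) is not None


def distinct_match_count(pattern: str, text: str) -> int:
    """Count matches, treating repeats of the same matched string as one."""
    return len({m.group(0) for m in re.finditer(pattern, text)})


def triggers(pattern: str, text: str, minimum: int) -> bool:
    """Assumed rule: the action fires when distinct matches reach the minimum."""
    return distinct_match_count(pattern, text) >= minimum


if __name__ == "__main__":
    print("naive pattern on folded field:     ", matches(NAIVE, FOLDED_FIELD))
    print("fold-aware pattern on folded field:", matches(FOLD_AWARE, FOLDED_FIELD))
    print("repeated ID, minimum 2:", triggers(EMPLOYEE_ID, BODY_REPEATED, 2))
    print("distinct IDs, minimum 2:", triggers(EMPLOYEE_ID, BODY_DISTINCT, 2))
```
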

To learn more about regular expressions, see:

Metadata attributes and match types

The attribute and available match type combinations include the following:

Attribute Available Match Types Description

Message authentication

Message is authenticated if 1) SPF passes and the envelope sender domain aligns with the header from domain, or 2) if the DKIM check passes for the header from domain. Otherwise, the message is considered unauthenticated.

Note: Neutral is considered fail.

Select this option to include messages that are or aren't authenticated in your compliance expression.

Source IP

  • Is within the following range

  • Is not within the following range

Select this option to include messages that do or don't fall within the specified IP range in your compliance expression. Enter the range in the field.

Secure transport (TLS)

  • Connection is TLS encrypted

  • Connection is not TLS encrypted

Select this option to include messages that are or aren't TLS-encrypted in your compliance expression. Applies to received messages only.

Message size

  • Is greater than the following (MB)

  • Is less than the following (MB)

Select this option to include messages greater or less than the specified size in your compliance expression. Enter the message size in MB in the field.

Step 3: Specify what happens if expressions match

  1. Specify whether to modify, reject, or quarantine a message when conditions are met. (Details below.)

  2. Configure the options for the action you choose.

  3. Go to Configure additional options to continue.

Reject message

This option rejects the message before it reaches the intended recipient. You can enter customized text for the rejection notice.

Note: Gmail automatically adds an SMTP rejection code, such as 550 5.7.1. This is required by the email SMTP standard, so you can’t delete it.

Quarantine message

This option sends the message to an admin quarantine, where you can review the message before deciding whether to send it to its intended recipient or reject it.

Modify message

You can modify messages by adding headers, changing the route, changing the envelope recipient, adding more recipients (additional or secondary routes), and removing attachments.

Note: We recommend that you use the routing settings for the specific use cases they are intended to support. For example, you can set up the same routing options by using a Content compliance setting or a Receiving routing setting. Use a Content compliance setting for attachment-related use cases, and a Receiving routing setting for general routing-related use cases, such as dual delivery.

Learn about managing mail routing and delivery, use cases, and examples.


Add X-Gm-Original-To header

Select this option to add a header tag if the recipient is changed. That way, the downstream server will know the original envelope recipient. An example of the header tag is X-Gm-Original-To:

Headers are useful if you're rerouting a copy of the message to another recipient. In this case, you're changing the recipient address, but the new recipient can still see the address of the original envelope recipient. They can see the original envelope recipient by checking the X-Gm-Original-To header in the message.

Add X-Gm-Spam header and X-Gm-Phishy header

Gmail messages are automatically filtered for spam and phishing. Select the Add X-Gm-Spam header and X-Gm-Phishy header option to add these headers to indicate the spam and phishing status of the message. If you select this option, an administrator at a downstream server can set up rules that handle spam and phishing differently from clean mail.

  • X-Gm-Spam: 0 indicates the message isn't spam.
  • X-Gm-Spam: 1 indicates the message is spam.
  • X-Gm-Phishy: 0 indicates the message is not phishing.
  • X-Gm-Phishy: 1 indicates the message is phishing.

Any message marked phishy is automatically marked spam as well.

If you add X-Gm-Spam and X-Gm-Phishy headers to your messages, consider where the message is being routed to next. A rerouted message is often no longer classified as spam when it reaches its destination because elements of the message, such as the sending IP address, have changed.

If your messages are:

  • Rerouted to your downstream server, set up rules on that server to read these headers and prevent messages with X-Gm-Spam: 1 or X-Gm-Phishy: 1 tags from being delivered to users’ inboxes.
  • Rerouted back to Google, create an Inbound gateway setting to mark tagged messages as spam, or a Content compliance setting to send them to the admin quarantine for review.
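A downstream rule that reads these headers could look like the following. This is an added example, not part of the original article: the action names, the sample messages, and the choice to hold untagged or malformed messages for review are assumptions, and the address in X-Gm-Original-To is constructed.

```python
from email import message_from_string
from email.policy import default

# Constructed sample messages as a downstream server might receive them.
SAMPLES = {
    "clean": "X-Gm-Spam: 0\nX-Gm-Phishy: 0\nSubject: Q3 report\n\nHello\n",
    "spam": "X-Gm-Spam: 1\nX-Gm-Phishy: 0\nSubject: Offer\n\nBuy now\n",
    "phish": ("X-Gm-Spam: 1\nX-Gm-Phishy: 1\n"
              "X-Gm-Original-To: user@example.com\n"
              "Subject: Reset your password\n\nClick here\n"),
    "untagged": "Subject: No Gmail tags\n\nHello\n",
    "conflicting": "X-Gm-Spam: 0\nX-Gm-Spam: 1\nX-Gm-Phishy: 0\n\nHello\n",
}


def flag(msg, header):
    """Collapse all occurrences of a 0/1 header into True, False or None.

    True if any occurrence is "1" (the most severe value wins), False if
    every occurrence is "0", None if the header is absent or malformed.
    """
    values = [str(v).strip() for v in msg.get_all(header, [])]
    if "1" in values:
        return True
    if values and all(v == "0" for v in values):
        return False
    return None


def triage(raw):
    """Return the hypothetical delivery action for one raw message."""
    msg = message_from_string(raw, policy=default)
    spam = flag(msg, "X-Gm-Spam")
    phishy = flag(msg, "X-Gm-Phishy")
    original_to = msg.get("X-Gm-Original-To")

    if phishy:
        action = "quarantine"        # phishing never reaches the inbox
    elif spam:
        action = "spam-folder"       # spam never reaches the inbox
    elif spam is False and phishy is False:
        action = "inbox"             # explicitly tagged clean
    else:
        action = "hold-for-review"   # tags missing or unreadable
    return {
        "action": action,
        "original_to": str(original_to) if original_to else None,
    }


if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, triage(raw))
```
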

Add custom headers

You can add one or more custom headers to messages that are affected by an Attachment compliance setting. For example, you can add a header that matches the description that you entered for the setting. This could help you analyze why a message was routed in a certain way or why a filter was triggered.

Prepend custom subject

You can enter a string to prepend to the subject of messages. For example, you could enter Confidential in this field for sensitive emails, such as [Confidential] Monthly report.

Change route and Reroute spam

  • Change route—Changes the destination of the message. By default, the Gmail server is the primary delivery location. However, you can change it to route messages to a different mail server, such as Microsoft® Exchange.

    Note: Before you can change the route, you need to add the route using the Hosts tab. After it's added, it'll appear in the Change route list.
  • Reroute spam—Appears if you select Change route. Reroute spam lets you route all email that matches the criteria of the setting, including messages marked as spam. Spam messages are stored in Gmail for 30 days.

    If you check the Change route box but do not check the Reroute spam box, then normal messages are rerouted, but spam messages aren't.


  • Whether or not you select Reroute spam, blatant spam is not rerouted because it’s dropped instantly at delivery time.
  • If a message is classified as spam but one of the Gmail settings overrides it (for example, due to a sender whitelist), then the message isn't considered to be spam for this purpose and it's routed as a normal message.

Change envelope recipient

You can change the envelope recipient in one of the following ways:

  • To replace the recipient’s entire email address, after Replace recipient, enter the full email address, such as

  • To replace just the username of the recipient's email address and keep the domain the same, before @existing-domain, enter the username, such as user.

  • To replace just the domain of the recipient's email address and keep the username the same, after existing-username@, enter the domain, such as

Changing the envelope recipient for a message on the primary delivery is equivalent to forwarding a message to a different recipient. You can also change the envelope recipient on the additional (secondary) delivery, which is equivalent to a Bcc.

Bypass spam filter for this message

Select this option to deliver incoming messages to recipients even if the spam filter identifies them as spam. This option applies to incoming messages only—you can’t bypass spam filters for outgoing messages.

If you select this option, in some cases, "super spammy" messages might still be marked spam and delivered to the recipient's Spam folder.

Remove attachments from message

Select this option to remove any attachments from messages. Optionally, you can append text to notify recipients that attachments were removed.

Add more recipients

  1. Check the Add more recipients box to set up dual delivery or multiple delivery.
  2. Select Basic from the list to add individual email addresses and then click Save. Click Add to add more addresses.
  3. Select Advanced from the list to choose advanced options for your secondary delivery. Similar to the settings for primary delivery, you can change the envelope recipient, add headers, prepend a custom subject, and remove attachments for secondary deliveries.


  • Any settings that you configure for the primary delivery also affect the secondary deliveries. For example, if you change the envelope recipient, prepend a custom subject, and add custom headers to the primary delivery, the same configuration is applied to the secondary deliveries.
  • For secondary deliveries, the Do not deliver spam to this recipient and Suppress bounces from this recipient boxes are checked by default. Suppress bounces from this recipient prevents bounces from going back to the original sender.

Require secure transport for onward delivery

Select this option to include secure delivery as part of content compliance for outbound messages.

Step 4: Configure additional options

Click Show options to configure additional options for the setting.

Approved address lists

Select Bypass this setting to allow messages received from addresses or domains within these lists (for inbound/received mail) or for messages sent to addresses or domains within these lists (for outbound/sent mail) to bypass attachment compliance.

Messages from these addresses or domains are delivered even if they match the conditions of the setting. Other settings can still cause the message to be blocked.

To create a list of addresses or domains that bypass the Content compliance setting:

  1. In the Options section, select Bypass this setting.

  2. Click Use existing or create a new one.

  3. Select the name of an existing list, or enter a custom name for a new list in the Create new list field, and then click CREATE.

  4. Hover over the list name, and click Edit.

  5. To add email addresses or domains to the list, click Add.

  6. Enter a full email address or domain name, such as

    Note: Select Do not require sender authentication to bypass the Attachment compliance setting for approved senders that do not have authentication, such as SPF or DKIM, enabled. Use this option with caution, because it can potentially lead to spoofing.

  7. Click Save and then Add again to include additional email addresses or domains in the list.

  8. When you're done, go to Account types to affect.

Account types to affect (Required)

To save the Attachment compliance setting, you must select at least one account type option, Users, Groups, or Unrecognized / Catch-all. The option specifies the account type that the setting applies to.

If you’re configuring the top-level organization, all 3 of these options are available. If you’re configuring any of the sub-level organizations, Users is the only option available.

By default, Users is selected, because it's the traditional use case. You can select more than one. For example, you can configure an inbound setting that only applies to the Groups account type, and the group must be the recipient. If you’re configuring an outbound setting, the account type must match the sender.

When you're done:

  1. (Optional) Specify an envelope filter.

  2. Go to Save the configuration.

Envelope filter

You can choose to affect only specific envelope senders and recipients. You can specify single recipients by entering an email address for that user. You can also specify groups.

To set up an Envelope filter, select the Only affect specific envelope senders option, the Only affect specific envelope recipients option, or both, and choose one of the following options from the list:

  • Single recipient—Specify a single user by entering an email address, such as
  • Pattern match—Enter a regular expression to specify a set of senders or recipients in your domain. Click Test expression to make sure your syntax is correct. For example, you can ensure this setting applies only to 3 specific users by entering the list of users using the following regular expression syntax:


    Learn about using regular expressions.

  • Group membership—Select one or more groups in the list. If you haven’t, you’ll need to create groups first.

When you're finished, go to Save the configuration.

Save the configuration

Final step: Add and save the setting

  1. Click Add setting or Save. Any new settings are added to the Gmail Advanced settings page.

  2. At the bottom, click Save.
