Content compliance setting
The Content compliance setting enables you to specify what action to perform for messages based on predefined sets of words, phrases, text patterns, or numerical patterns. The content compliance setting scans messages for content that matches one or more rules that you configure within the setting. You can choose whether these messages are rejected or delivered with modifications; for example, to notify others when the content of a message matches the rules that you set.
Similar to other email security settings, the Content compliance setting applies to all users in an organizational unit. Users within child organizations inherit the settings you create for the parent organization. You also have the option to add multiple Content compliance settings to each organizational unit.
Changes to the Content compliance setting might require up to one hour to take effect. You can track prior changes with the Admin console audit log.
- While most advanced Gmail settings only apply to users, the Default routing setting can also be applied to mailing lists.
- The Content compliance setting supports the scanning of text attachments and common attachment types such as .doc, .xls, and .pdf. (Both simple matches and advanced content matches that include BODY will include the extracted text from the attachments. See the instructions below for more details on setting up content matches.)
- Content compliance supports non-ASCII characters.
To configure Content compliance settings for your domain or organizational unit:
- Sign in to the Google Admin console.
- From the dashboard, go to Apps > Google Apps > Gmail > Advanced settings.
- In the Organizations section, highlight your domain or the organizational unit for which you want to configure settings.
- Scroll down to the Content compliance section:
  - If the setting's status is Not configured yet, click Configure (the "Add setting" dialog box displays).
  - If the setting's status is Locally applied, click Edit to edit an existing setting (the "Edit setting" dialog box displays), or click Add another to add a new setting (the "Add setting" dialog box displays).
  - If the setting’s status is Inherited, click View to view the inherited setting, or click Add another to add a new setting (the "Add setting" dialog box displays).
- In the Content compliance window, enter a unique name for this setting.
- See the sections below for additional instructions and guidelines. When you're finished making changes, click Add setting or Save to close the dialog box.
Note: Any settings you add will be highlighted on the advanced settings page.
- Click Save changes at the bottom of the advanced settings page.
- Inbound—Messages received by your users from senders outside the set of domains associated with your company or organization
- Outbound—Messages sent by your users to recipients outside the set of domains associated with your company or organization
- Internal - sending—Messages sent by your users to recipients within the set of domains associated with your company or organization
- Internal - receiving—Messages received by your users from senders within the set of domains associated with your company or organization
- Use the drop-down list to choose one of the following two options:
  - If ANY of the following match the message—One or more expressions will result in a match and trigger the actions; therefore, if you set up multiple expressions, any matching expression results in a match.
  - If ALL of the following match the message—All expressions must match to trigger the actions.
Note: If you set up an expression with multiple words in it, the actions are triggered only if the message contains the exact list of words. For example, if you set up an expression with the words football betting pool, the word football does not result in a match. Only the complete string of words, football betting pool, results in a match.
- Click Add to add an expression. (You can add several expressions to one content compliance policy.)
- If you select Simple content match, type the content to match, and then click Save. Note: Simple content matching in the Content compliance setting functions like the search function in Gmail.
- If you select Predefined content match, select one of the predefined content detectors—for example, Credit Card Number or Social Security Number. For details, see Use predefined content detectors for data-loss prevention.
- If you select Advanced content match, select the Location of the text within the message and the Match type, enter the content to search, and then click Save. (See the table below for a description of each Location within the message.)
| Location | Description |
|---|---|
| Headers and body | The full headers plus the body |
| Full headers | All of the headers present for the message except the envelope information present during SMTP communication |
| Body | The main text portion of the email message |
| Subject | The subject of the email as present in the email header |
| Sender header | The sender as reported in the headers in the email (as opposed to the Envelope sender) |
| Recipients header | The recipient(s) as reported in the email headers, To, Cc and Bcc |
| Envelope sender | The original sender that was reported during the SMTP communication request and that may be different than the sender reported in the Sender header |
| Any envelope recipient | Any and all envelope recipients for the message. This may include individuals added as part of a group expansion. This compares only one recipient at a time. If there are two or more recipients, the advanced content rule does not match against all of the recipients in one string. |
| Raw message | The full headers plus the body, including all attachments and other MIME parts of the message |
- If you select Metadata match, select the attribute to match and the Match type. If needed, enter the Match value. Click Save. The available attribute/match type combinations include the following:
| Attribute | Available Match Types | Description |
|---|---|---|
| Message authentication | | Message is authenticated if 1) SPF passes and the envelope sender domain aligns with the header from domain, or 2) if the DKIM check passes for the header from domain. Otherwise, the message is considered unauthenticated. Note: Neutral is considered fail. Select this option to include messages that are (or aren't) authenticated in your compliance expression. |
| Source IP | is within the following range; is not within the following range | Select this option to include messages that do (or don't) fall within the specified IP range in your compliance expression. Enter the range in the field. |
| Secure transport (TLS) | Connection is TLS encrypted; Connection is not TLS encrypted | Select this option to include messages that are (or aren't) TLS-encrypted in your compliance expression. |
| Message size | is greater than the following (MB); is less than the following (MB) | Select this option to include messages greater (or less) than the specified size in your compliance expression. Enter the message size in MB in the field. |
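The Message authentication rule above, written out as an added example (not from the original page and not Google's code) and run over constructed cases, including an SPF pass whose envelope domain differs from the From domain. The function names and the `mailer.example` and `forwarder.example` domains are made up for illustration, and "aligns" is assumed to mean an exact, case-insensitive domain match.

```python
from email.utils import parseaddr


def domain_of(address):
    """Lower-cased domain of an address; '' for an empty sender such as <>."""
    addr = parseaddr(address)[1]
    return addr.rpartition("@")[2].lower().rstrip(".") if "@" in addr else ""


def is_authenticated(spf_result, envelope_sender, header_from, dkim_results):
    """Apply the rule above. dkim_results is a list of (signing_domain, result).

    Assumption: "aligns" and "for the header from domain" are both treated
    as an exact, case-insensitive domain match.
    """
    from_domain = domain_of(header_from)
    if not from_domain:
        return False
    # Only an explicit "pass" counts; neutral, softfail, none are failures.
    spf_ok = (spf_result.lower() == "pass"
              and domain_of(envelope_sender) == from_domain)
    dkim_ok = any(result.lower() == "pass"
                  and domain.lower().rstrip(".") == from_domain
                  for domain, result in dkim_results)
    return spf_ok or dkim_ok


# Constructed cases: (label, SPF result, envelope sender, header From, DKIM results)
CASES = [
    ("spf pass, aligned", "pass", "bounce@solarmora.com",
     "Ann <ann@solarmora.com>", []),
    ("spf pass, envelope domain differs", "pass", "bounce@mailer.example",
     "ann@solarmora.com", []),
    ("spf neutral", "neutral", "ann@solarmora.com", "ann@solarmora.com", []),
    ("dkim pass for another domain", "fail", "x@mailer.example",
     "ann@solarmora.com", [("mailer.example", "pass")]),
    ("dkim pass for From domain, spf fail", "fail", "fwd@forwarder.example",
     "ann@solarmora.com", [("solarmora.com", "pass")]),
    ("empty envelope sender", "pass", "<>", "ann@solarmora.com", []),
]


def evaluate_cases():
    """Return {label: authenticated?} for every constructed case."""
    return {label: is_authenticated(spf, env, frm, dkim)
            for label, spf, env, frm, dkim in CASES}


if __name__ == "__main__":
    for label, verdict in evaluate_cases().items():
        print(f"{label:40} -> {'authenticated' if verdict else 'unauthenticated'}")
```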
You have the option to set up Content compliance settings using regular expressions. A regular expression, also called a regex, is a method for matching text with patterns. For example, a regular expression can describe the pattern of email addresses, URLs, telephone numbers, employee identification numbers, social security numbers, or credit card numbers.
This section enables you to specify what action to perform on a message when the conditions are met for a Content compliance setting. Three options are available in the drop-down list: Modify message, Reject message, and Quarantine message.
This option enables you to modify messages by adding headers, changing the delivery (route), changing the envelope recipient, adding more recipients (additional, or secondary routes), or removing attachments.
Content compliance routing enables you to implement special handling for certain types of email; for example, to route messages with specific content to your legal department. Do this by defining a new primary delivery—or by creating additional deliveries—that match specific text strings or patterns. For example, you can set up a content match on a word, such as confidential, and then change the primary delivery to a server that supports encryption.
See the sections below for detailed descriptions of the various ways you can modify a message.
This option rejects the message before it reaches the intended recipient. You can enter customized text for the rejection notice.
This option sends the message to an admin quarantine, where you can review the message before deciding whether to send it to its intended recipient or reject it.
Note: We recommend that you use routing settings for the specific use cases they are intended to support. For example, you can set up the same routing options by using a Content compliance setting or a Routing setting; but, use a Content compliance or Objectionable content setting for content-related use cases, and use a Routing setting for general routing-related use cases, such as dual delivery.
For more details and step-by-step instructions about mail routing, including use cases and examples, see Manage mail routing and delivery: Guidelines and best practices.
Checking this box adds a header tag when the recipient is changed, so that the downstream server can know the original envelope recipient; for example, X-Gm-Original-To: firstname.lastname@example.org.
Adding the X-Gm-Original-To header is useful if you're rerouting a copy of the message to another recipient. In this case, you're changing the recipient address, but the new recipient wants to know the address of the original envelope recipient, and can see the original envelope recipient by checking the X-Gm-Original-To header box in the message.
Messages that are routed through Gmail are automatically filtered for spam and phishing. Selecting the Add X-Gm-Spam header and X-Gm-Phishy header option adds the following headers to indicate the spam and phishing status of the message:
0 indicates that a message is not spam: X-Gm-Spam: 0
1 indicates that a message is spam: X-Gm-Spam: 1
0 indicates that a message is not phishing: X-Gm-Phishy: 0
1 indicates that a message is phishing: X-Gm-Phishy: 1
Selecting the Add X-Gm-Spam header and X-Gm-Phishy header option enables an administrator at a downstream server to set up rules that handle spam and phishing differently from clean mail.
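A downstream rule of the kind described above, as an added example that is not part of the original page or any Google software: it reads X-Gm-Spam, X-Gm-Phishy and X-Gm-Original-To from constructed messages and returns a handling decision. The disposition names, the function names and the `from_trusted_upstream` flag are assumptions; the flag is there because a header is only text, so these values mean something only on mail that actually arrived over the route from Gmail.

```python
from email import message_from_string
from email.utils import parseaddr


def sample_message(spam, phishy, extra_headers=""):
    """Build a constructed test message (not real mail)."""
    return (
        "From: sender@example.net\n"
        "To: legal@example.org\n"
        "X-Gm-Original-To: firstname.lastname@example.org\n"
        f"X-Gm-Spam: {spam}\n"
        f"X-Gm-Phishy: {phishy}\n"
        f"{extra_headers}"
        "Subject: Monthly report\n"
        "\n"
        "Body text.\n"
    )


def flag_value(msg, name):
    """True for 1, False for 0, None if the header is absent or malformed."""
    values = {v.strip() for v in (msg.get_all(name) or [])}
    if len(values) != 1:  # absent, or duplicate headers that disagree
        return None
    return {"0": False, "1": True}.get(values.pop())


def route(raw_message, from_trusted_upstream):
    """Return (disposition, original_envelope_recipient).

    Dispositions are hypothetical names for local policy:
    deliver, junk, quarantine, rescan.
    """
    if not from_trusted_upstream:
        # Any sender can write these headers; ignore them unless the message
        # arrived over the connection from the upstream Gmail route.
        return ("rescan", None)
    msg = message_from_string(raw_message)
    original_to = parseaddr(msg.get("X-Gm-Original-To", ""))[1] or None
    spam = flag_value(msg, "X-Gm-Spam")
    phishy = flag_value(msg, "X-Gm-Phishy")
    if spam is None or phishy is None:
        disposition = "rescan"      # no usable verdict: run local filtering
    elif phishy:
        disposition = "quarantine"
    elif spam:
        disposition = "junk"
    else:
        disposition = "deliver"
    return (disposition, original_to)


if __name__ == "__main__":
    for spam, phishy in [(0, 0), (1, 0), (0, 1)]:
        print(spam, phishy, route(sample_message(spam, phishy), True))
```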
You can add one or more custom headers to messages that are affected by a Content compliance setting, or other setting. For example, you can add a header that matches the description that you entered for the setting. This can be helpful for analyzing why a message was routed in a certain way, or why a filter was triggered.
You can enter a string to prepend to the subject of messages. For example, if you enter Confidential in this field, message recipients might see [Confidential] Monthly report.
The Change route option enables you to change the destination of the message. By default, the Gmail mail server is the primary delivery location. However, you can change the delivery location; for example, by routing mail to an on-premise mail server such as Microsoft Exchange.
Before you can change the delivery location, you must first add mail routes with the Hosts tab. The routes that you add on the Hosts tab are then visible in the route drop-down list.
The Reroute spam option is visible when you check the Change route box. Reroute spam enables you to route all mail that matches the criteria of the setting, including mail that has been marked as spam. If you check the Change route box but do not check the Reroute spam box, then normal mail is rerouted but spam mail is not rerouted (spam messages are stored in the Google Apps platform for 30 days).
- Whether you check the Reroute spam box or not, blatant spam is not rerouted since it’s dropped instantly at delivery time.
- If mail is classified as spam but one of the Google Apps email settings overrides that (for example, due to a sender whitelist), then the mail is not considered to be spam for this purpose and will be rerouted as normal mail.
To change the envelope recipient, click the option next to the Replace recipient field, and enter the user's email address; for example, email@example.com.
Changing the envelope recipient for a message on the primary delivery normally delivers to the replaced recipient only. However, if you enable the comprehensive mail storage setting, delivery occurs to both the original recipient and the replaced recipient. You can also change the envelope recipient on the additional (secondary) delivery, which is equivalent to a "bcc".
Select this option to deliver incoming messages to recipients even if the spam filter identifies these messages as spam.
Select this option to remove any attachments from messages. Optionally, you can append text to notify recipients that attachments were removed.
- Check the Add more recipients box to set up additional (or secondary) deliveries for dual delivery or multiple delivery.
- Click Add.
- Select Basic from the drop-down list to add individual email addresses, and then click Save. Click Add to add multiple recipient addresses.
- Select Advanced from the drop-down list to choose advanced options for your secondary delivery. Similar to the settings that you modified for the primary delivery, you can change the envelope recipient, add headers, prepend a custom subject, and remove attachments for the secondary deliveries.
Any settings that you configure for the primary delivery also affect the secondary deliveries. For example, if you change the envelope recipient, prepend a custom subject, and add custom headers to the primary delivery, the same configuration is applied to the secondary deliveries.
For secondary deliveries, the Do not deliver spam to this recipient and Suppress bounces from this recipient boxes are checked by default. Suppress bounces from this recipient prevents bounces from going back to the original sender.
By default, when a user sends email to or receives email from a given address or domain, Google Apps Gmail checks to see if secure transport (TLS) is available for that address or domain. If so, Gmail delivers the message using secure transport. If not, Gmail delivers the message over a non-secure connection.
However, you can use the Content compliance setting to require mail to be transmitted via a secure connection when the requirements are met for the setting.
To require secure delivery for outbound messages: Check the Secure transport box. If TLS isn't available on either the sending or the receiving side, the message won't be sent.
Click Show options to configure additional options for this setting. For details, see the sections below.
Approved address lists
Check the Bypass this setting… box to allow messages from a specific set of addresses or domains to bypass a Content compliance setting. A message from these addresses or domains is delivered even when the message matches the conditions of a Content compliance setting (note that other settings may still cause the message to be blocked).
To create a list of addresses or domains that bypass the Content compliance setting:
- In the Options section, check the Bypass this setting… box.
- Click Use existing or create a new one.
- Select the name of an existing list, or enter a custom name for a new list in the Create new list field, and then click CREATE.
- Hover over the list name, and click Edit.
- To add email addresses or domains to the list, click Add.
- Enter an email address or domain name; for example, solarmora.com.
Note: Click Do not require sender authentication to bypass the Content compliance setting for approved senders that do not have authentication (such as SPF or DKIM) enabled. Use this option with caution as it can potentially lead to spoofing.
- Click Save > Add again to include additional email addresses or domains in the list.
The Content compliance setting will only apply to the account types that you select: Users, Groups, and/or Unrecognized / Catch-all.
For example, you can configure an Inbound setting that only applies to groups (the groups must be the recipient); or if you’re configuring an Outbound setting, the account type selected must match with the sender.
To save the Content compliance setting, you must check at least one of these boxes. By default, only Users is checked, since it's the traditional use case.
If you’re configuring the top-level org on the Gmail advanced settings page, all three of these options are available. If you’re configuring any of the sub-level organizational units, only the Users option is available.
By default, all recipients and senders in your top-level organization or organizational unit are affected by the Content compliance setting. However, you can choose to have this setting affect only specific envelope senders and recipients. You can specify single recipients by typing an email address for that user, and you also have the option to specify groups.
To set up an Envelope filter, check the Only affect specific envelope senders box and/or the Only affect specific envelope recipients box, and choose one of the following options from the drop-down list:
- Single recipient—Specify a single user by typing an email address; for example, firstname.lastname@example.org.
- Pattern match—With this option, type a regular expression to specify a set of senders or recipients in your domain. Click Test expression to make sure your syntax is correct. For example, you can ensure this setting applies only to three specific users by typing the list of users using the following regular expression syntax:
For more information about using regular expressions, see Guidelines for using regular expressions.
- Group membership—Select one or more groups in the list (if you haven’t done so already, you’ll need to create groups).
When you're finished, click Add Setting to confirm your changes, and then click Save changes at the bottom of the advanced settings page.