
Set up rules for content compliance

As a G Suite administrator, you can set up rules to handle messages that contain content that matches one or more expressions.

For example, you can:

  • Reject outbound messages that might contain sensitive company information, such as when your outbound filter detects the word “confidential.”

  • Set up a metadata match on a range of IP addresses, and quarantine messages from IP addresses that are outside of the range.
  • Route messages with content that matches specific text strings or patterns to your legal department.

Compliance rules

Content compliance rules are based on predefined sets of words, phrases, text patterns, or numerical patterns. You can set up a simple match, advanced, and metadata matches.

You can also set up a predefined content match. This feature is available with G Suite Business and Enterprise editions.

Content compliance supports scanning text attachments and common attachment types, such as .doc, .xls, and .pdf, as well as non-ASCII characters. Both simple content and advanced content matches that apply to the message body text also apply to the text extracted from attachments.

Gmail attempts to convert binary attachments, such as Microsoft Word documents, to text. Any rule that applies to the message body text also applies to the converted text.

Compliance actions

When a message matches a content compliance rule, you can:

  • Reject it
  • Quarantine it
  • Deliver it with modifications

How settings are applied

Unless modified in the Options section, the setting applies to all users in an organizational unit. Users in child organizations inherit the settings you create for the parent organization. Inherited settings can be disabled in child organizations, which prevents the disabled setting from applying to the child organization and to its grandchild organizations. You can also add multiple settings to each organization.

Enhance message security with hosted S/MIME

You can enhance message security using advanced features for Secure/Multipurpose Internet Mail Extensions (S/MIME). For example, you can set up a rule that requires the use of S/MIME encryption for outgoing messages. You set this up with the Encryption option, described in Step 3.

You can also use S/MIME-related metadata attributes in expressions. You set this up by defining a metadata match, described in step 2.

For an overview, see Enhance message security with hosted S/MIME.

This feature is only available with G Suite Enterprise.

Set up a content compliance rule

Initial step: Go to Gmail advanced settings in the Google Admin console

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. From the Admin console dashboard, go to Apps > G Suite > Gmail > Advanced settings.

    Tip: To see Advanced settings, scroll to the bottom of the Gmail page.

  3. (Optional) On the left, select the organization.

  4. Scroll to the Content compliance setting in the Compliance section, hover over the setting, and click Configure. If the setting is already configured, hover over the setting and click Edit or Add another.

  5. For each new setting, enter a unique description.

  6. Go to the next step to configure the setting.

Step 1: Enter email messages to affect

You can set up the rule for inbound, outbound, or internal messages. Internal messages are sent and received within the domains and subdomains associated with your organization.

  1. Check the boxes next to the messages you want the rule to apply to.

  2. Go to the next step to continue.

Step 2: Add one or more expressions to specify what's searched

You can add up to 10 expressions, but each one must be added and saved individually.

  1. From the list, specify whether any or all conditions must match to trigger what happens to the message. For example, if you select If ANY of the following match the message, any matching condition can trigger the consequence to the message.

  2. Click Add.

  3. From the list, choose the type of match you want to use for the expression:

    • Simple content match—Enter the content to match. Simple content matching works like the search function in Gmail. For example, if you search for “a word,” any string with “a” and “word” is returned, such as “a new and different word.”

    • Predefined content match—Select one of the predefined content detectors, such as Credit Card Number or Social Security Number (for US). Optionally, you can set the number of times the detector must appear in a message to trigger the action you define. You can also trigger the action if the detector in the message meets a confidence threshold. For details, see Scan your email traffic using data loss prevention. This feature is available with G Suite Business and Enterprise editions.

    • Advanced content match—Select the Location of the text within the message and the Match type, and enter the content to search. Unlike simple content match, the string must be an exact match. See the tables below for a description of each location within the message and the match types.

    • Metadata match—Select the attribute to match and the Match type. If needed, enter the Match value. See the table below for a description of metadata attributes and match types.

  4. Click Save. You might need to scroll to see the new expression.

  5. Go to the next step to continue.

Advanced content match location

Location Description

Headers and body

The full headers plus the body. Includes attachments (MIME parts decoded).

Full headers

All header fields. Doesn't include the message body or attachments.

Body

The main text portion of the email message. Includes attachments (MIME parts encoded).

Subject

The subject of the message as present in the email header.

Sender header

The sender's email address as reported in the From: header. It can be different than the sender reported in the Envelope sender.

The sender header consists of the email address, located within the angle brackets, and does not include the account name.

For example, consider:

From: Jane Doe <jdoe@example.com>

The sender header is jdoe@example.com.

Note: The left side of @gmail.com and @googlemail.com addresses is converted to the canonical representation. For example, jane.doe@gmail.com is converted to janedoe@gmail.com.

Recipients header

The recipient or recipients as reported in the email headers, To:, Cc:, and Bcc:. This can be different from the recipients reported in Any envelope recipient.

This compares only one recipient at a time. If there are 2 or more recipients, the advanced content rule does not match against all of the recipients in one string. To set up a rule for messages sent to multiple users, use Full headers.

The recipient header consists of the email address, located within the angle brackets, and does not include the account name.

For example, consider:

To: Jane Doe <jdoe@example.com>
Cc: John Doe <johndoe@example.com>
Bcc: John Smith <jsmith@example.com>

The recipient headers are jdoe@example.com, johndoe@example.com, and jsmith@example.com.

Envelope sender

The original sender that was reported during the SMTP communication request. It can be different from the sender reported in the Sender header. It often, but not always, matches the address found in the “Return-path” header.

Any envelope recipient

The recipient or recipients that were reported during the SMTP communication request. These can be different from the recipients reported in the Recipient header. This can include individuals added as part of a group expansion.

This compares only one recipient at a time. If there are 2 or more recipients, the advanced content rule does not match against all of the recipients in one string.

Raw message

The full headers plus the body, including all attachments and other MIME parts of the message. MIME parts are not decoded. This is equivalent to RFC-2822 message bytes.

Advanced content match type

Match type Description

Starts with

Searches the selected location for content that starts with the specified character or string.

Ends with

Searches the selected location for content that ends with the specified character or string.

Contains text

Searches the selected location for content that contains the specified string.

Not contains text

Searches the selected location for content that does not contain the specified string.

Equals

Searches the selected location for content that exactly matches the specified string.

Is empty

Searches the selected location for content that is empty.

Matches regex

Searches the selected location for content that matches the specified regular expression. See About regex matching, below.

Not matches regex

Searches the selected location for content that does not match the specified regular expression. See About regex matching, below.

Matches any word

Searches the selected location for content that matches any word in the specified list of words.

Matches all words

Searches the selected location for content that matches all words in the specified list of words.

About regex matching

You use the Matches regex and Not matches regex advanced content match types to set up content compliance rules that use regular expressions.

What is regex?

A regular expression, also called a regex, is a method for matching text with patterns. For example, a regex can describe a pattern of email addresses, URLs, telephone numbers, employee identification numbers, social security numbers, or credit card numbers.

To learn more about regular expressions, see:

Note: Each regex expression in a content compliance rule is limited to 10,000 characters.

Why is the match location important?

It’s important to select the appropriate match location for your use case when formulating your regex. The match location (see table above) specifies which component of the message to scan for matches.

For certain match locations, the content to match is split into pieces before being scanned by the regex. For example:

  • Recipient header: The To:, Cc:, and Bcc: fields of a message header are split into individual email addresses that are compared one at a time against the regex pattern. So if you wanted to detect messages sent to 5 or more users, the Recipient header match location wouldn’t work. Instead, you could select Full headers and enter a regex pattern like this for the To: field: ^[^@]*(?:@[^@]*){5} (it matches a field containing at least five @ characters).
  • Full header: Scanning across multiple message header fields isn’t supported; instead, each header field is compared one at a time against the regex. For example, the To: field is examined as one string and the Cc: field is examined as another string. This means you can't create a single regex expression intended to span the To: and Cc: fields at the same time.

Note: If a single field, such as Authentication-Results, spans multiple lines, the regex can scan across those lines, but the whitespace at the beginning of each continuation line is stored as part of that field. You must therefore account for that whitespace in the expression, either explicitly or with a wildcard.
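To make the match location table and the regex notes above concrete, here is an added Python model (not Google's code) that splits a constructed message the way the tables describe and evaluates advanced content match types against each location one string at a time. It assumes Full headers presents each field as "Name: value" (so the five-recipient pattern gains a To:/Cc: prefix) and that the minimum match count totals regex occurrences across the location's strings.

```python
import re
from email.utils import getaddresses

# Constructed sample (not from the page): dotted gmail.com sender, five
# recipients split across To: and Cc:, and a folded multi-line header.
SAMPLE = """\
From: Jane Doe <jane.doe@gmail.com>
To: A One <a@example.com>, B Two <b@example.com>
Cc: C Three <c@example.com>, D Four <d@example.com>, E Five <e@example.com>
Authentication-Results: mx.example.net;
    spf=pass smtp.mailfrom=example.com;
    dkim=pass header.d=example.com
Subject: Q3 numbers

Ref 4111 1111 1111 1111 and 5500 0000 0000 0004, confidential.
"""


def parse_headers(raw):
    """Split the header block into (name, value) pairs. A folded continuation
    line stays inside its field, newline and leading whitespace included."""
    fields = []
    for line in raw.partition("\n\n")[0].split("\n"):
        if line[:1] in (" ", "\t") and fields:
            name, value = fields[-1]
            fields[-1] = (name, value + "\n" + line)
        else:
            name, _, value = line.partition(":")
            fields.append((name.strip(), value.strip()))
    return fields


def canonical(addr):
    """gmail.com / googlemail.com local parts are compared with dots removed."""
    local, _, domain = addr.rpartition("@")
    if domain.lower() in ("gmail.com", "googlemail.com"):
        local = local.replace(".", "")
    return f"{local}@{domain}"


def addresses(value):
    """'Jane Doe <jdoe@example.com>, ...' -> bare addresses, names dropped."""
    return [addr for _, addr in getaddresses([value]) if addr]


def location_strings(raw, location):
    """The strings a rule at `location` is compared against, one at a time.
    Assumed model of the page's table: Full headers yields one 'Name: value'
    string per field, Recipients header one bare address per recipient."""
    fields = parse_headers(raw)

    def values(*names):
        return [v for n, v in fields if n.lower() in names]

    if location == "Sender header":
        return [canonical(a) for v in values("from") for a in addresses(v)]
    if location == "Recipients header":
        return [a for v in values("to", "cc", "bcc") for a in addresses(v)]
    if location == "Full headers":
        return [f"{n}: {v}" for n, v in fields]
    if location == "Body":
        return [raw.partition("\n\n")[2]]
    raise ValueError(f"unsupported location: {location}")


def rule_matches(raw, location, match_type, value, min_count=1):
    """Evaluate one advanced content match type. For regex types, min_count is
    the page's minimum match count, totalled across the location's strings
    (assumption). '^' anchors each string's start only, so a regex over a
    folded field must account for its newline and indentation."""
    strings = location_strings(raw, location)
    negate = match_type.startswith("Not ")
    base = match_type[4:].lower() if negate else match_type.lower()
    if base == "matches regex":
        hits = sum(len(list(re.finditer(value, s))) for s in strings)
        found = hits >= min_count
    elif base == "contains text":
        found = any(value in s for s in strings)
    else:
        raise ValueError(f"unsupported match type: {match_type}")
    return not found if negate else found
```

A pattern spanning two recipients, such as `a@example\.com.*b@example\.com`, never matches the Recipients header (one bare address per comparison) but does match the To: field under Full headers; a count pattern with `{5}` fails on this sample because no single field carries five addresses.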

What's the minimum match count option?

When you set up a content compliance rule to match a regex, you enter the regex and two optional fields: a description of the regex and a minimum match count.

The minimum match count option specifies the number of times the regex must appear in the match location to trigger the rule’s action. For example, if you enter 2, the regex pattern must appear at least 2 times in the match location to trigger any action on the message.

Metadata attributes and match types

The attribute and available match type combinations include the following:

Attribute Match type Description

Message authentication

  • Message is authenticated
  • Message is not authenticated

Select this option to include messages that are or aren't authenticated in your compliance expression.

Conforms to the DMARC standard. A message is authenticated if 1) SPF passes and the envelope sender domain aligns with the header From: domain, or 2) the DKIM check passes for the header From: domain. Otherwise, the message is considered unauthenticated.

Note: Neutral is considered fail.

Source IP

  • Is within the following range

  • Is not within the following range

Select this option to include messages that do or don't fall within the specified IP range in your compliance expression. Enter the range in the field.

Secure transport (TLS)

  • Connection is TLS encrypted

  • Connection is not TLS encrypted

Select this option to include received messages that are or aren't TLS-encrypted in your compliance expression.

S/MIME encryption

  • Message is S/MIME encrypted

  • Message is not S/MIME encrypted

Select this option to include messages that are or aren’t S/MIME encrypted.

This feature is only available with G Suite Enterprise.

S/MIME signature

  • Message is S/MIME signed

  • Message is not S/MIME signed

Select this option to include messages that are or aren’t S/MIME signed.

This feature is only available with G Suite Enterprise.

Message size

  • Is greater than the following (MB)

  • Is less than the following (MB)

Select this option to include messages greater or less than the specified size in your compliance expression. Enter the message size in MB in the field.
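The Message authentication attribute above, written out as an added Python model (not Google's implementation): SPF pass with an aligned envelope-sender domain, or a DKIM pass for the From: domain, counts as authenticated; any other result, neutral included, does not. Alignment is assumed here to mean an equal domain or a subdomain of the From: domain.

```python
def aligned(domain, from_domain):
    """Assumed alignment rule: same domain as From:, or a subdomain of it."""
    domain, from_domain = domain.lower(), from_domain.lower()
    return domain == from_domain or domain.endswith("." + from_domain)


def is_authenticated(from_domain, spf_result, mailfrom_domain, dkim_results):
    """spf_result is the SPF verdict ('pass', 'fail', 'neutral', ...) for the
    envelope sender mailfrom_domain; dkim_results lists (verdict, signing
    domain) pairs, one per DKIM signature. Only an explicit 'pass' counts."""
    spf_ok = spf_result == "pass" and aligned(mailfrom_domain, from_domain)
    dkim_ok = any(v == "pass" and aligned(d, from_domain) for v, d in dkim_results)
    return spf_ok or dkim_ok
```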

Step 3: Specify what happens if expressions match

  1. Specify whether to modify, reject, or quarantine a message when conditions are met. (Details below.)

  2. Configure the options for the action you choose.

  3. (Optional) Click Show options to configure additional options to limit the application of this setting. See Configure additional parameters, below, for details.

  4. Go to Save the configuration.

Reject message

Rejects the message before it reaches the intended recipient. You can enter customized text for the rejection notice.

For matching messages, no other routing or compliance rules will be applied. The message will simply be rejected.

Note: Gmail automatically adds an SMTP rejection code, such as 550 5.7.1. This is required by the email SMTP standard, so you can’t delete it.

Quarantine message

Sends the message to an admin quarantine where you can review the message before deciding to send it or reject it. Available only for the Users account type. See Account types to affect below.

To notify your users when their sent messages are quarantined, check the Notify box. 

Modify message

You can modify messages by doing things like adding headers, removing attachments, changing the envelope recipient, adding more recipients (additional or secondary routes), and changing the route.
 
Note: We recommend that you use the routing settings for the specific use cases they are intended to support. For example, you can set up the same routing options by using a Content compliance setting or a Routing setting. Use a Content compliance setting for content-related use cases, and a Routing setting for general routing-related use cases, such as dual delivery. Learn about mail routing, including use cases and examples.

Controls

Add X-Gm-Original-To header

Check this box to add a header tag if the recipient is changed. That way, the downstream server will know the original envelope recipient. An example of the header tag format is X-Gm-Original-To: user@solarmora.com

Headers are useful if you're rerouting a copy of the message to another recipient. In this case, you're changing the recipient address, but the new recipient can still see the address of the original envelope recipient. They can see the original envelope recipient by checking the X-Gm-Original-To header in the message.

Add X-Gm-Spam and X-GM-Phishy headers

Gmail messages are automatically filtered for spam and phishing. Check the Add X-Gm-Spam and X-Gm-Phishy headers box to add these headers to indicate the spam and phishing status of the message. For example, an administrator at a downstream server can use this information to set up rules that handle spam and phishing differently from clean mail.

  • X-Gm-Spam: 0 indicates the message isn't spam.
  • X-Gm-Spam: 1 indicates the message is spam.
  • X-Gm-Phishy: 0 indicates the message is not phishing.
  • X-Gm-Phishy: 1 indicates the message is phishing.

Any message marked phishy is automatically marked spam as well.

If you add X-Gm-Spam and X-Gm-Phishy headers to your messages, consider where the message is being routed to next. A rerouted message is often no longer classified as spam when it reaches its destination because elements of the message, such as the sending IP address, have changed.

If your messages are rerouted to your downstream server, set up rules on that server to read these headers and prevent messages with X-Gm-Spam: 1 or X-Gm-Phishy: 1 tags from being delivered to users’ inboxes.

If your messages are rerouted back to Google, create an Inbound gateway setting to mark tagged messages as spam, or a Content compliance setting to send them to the Admin Quarantine for review.

Note: If the Account types to affect is set to Groups, the X-Gm-Spam and X-Gm-Phishy header tag values are always set to 0. See Account types to affect, below, for information on the account types.

Add custom headers

You can add one or more custom headers to messages that are affected by this setting. For example, you can add a header that matches the description that you entered for the setting. Doing this can help you analyze why a message was routed in a certain way or why a rule was triggered.

Prepend custom subject

You can enter a string to prepend to the subject of applicable messages. The string will appear in brackets at the beginning of the subject. For example, you could enter Confidential in this field for sensitive emails. If a message triggers the rule and its subject is Monthly report, recipients will see the following subject: [Confidential] Monthly report.

Change route and Also reroute spam

  • Change route—Changes the destination of the message. By default, the Gmail server is the primary delivery location. However, you can change it to route messages to a different mail server, such as Microsoft® Exchange.

    Note: Before you can change the route, you need to add the route using the Hosts tab. After it's added, it'll appear in the Change route list.

  • Also reroute spam—Appears if you select Change route. Also reroute spam lets you route all email that matches the criteria of the setting, including messages marked as spam. 

    If you don't check the Also reroute spam box, then normal messages are rerouted, but spam messages aren't.

Notes:

  • Whether or not you select Also reroute spam, blatant spam is not rerouted because it’s dropped instantly at delivery time.

  • If a message is classified as spam but one of the G Suite email settings overrides it (for example, due to a sender whitelist), then the message isn't considered to be spam for this purpose and it's routed as a normal message.

Change envelope recipient

You can change the envelope recipient in one of the following ways:

  • To replace the recipient’s entire email address, after Replace recipient, enter the full email address, such as user@solarmora.com.

  • To replace just the username of the recipient's email address and keep the domain the same, before @existing-domain, enter the username, such as user.

  • To replace just the domain of the recipient's email address and keep the username the same, after existing-username@, enter the domain, such as solarmora.com.

Changing the envelope recipient for a message on the primary address is equivalent to forwarding a message to a different recipient. The message bypasses the original recipient’s mailbox and is routed back to the internet for delivery to the new recipient. The To: address remains the original recipient address, even though the envelope recipient is replaced.

The destination server is determined by an MX lookup on the new recipient's domain. Or, if you’re using the Change route control, the destination server is determined by the specified route.

If you'd rather Bcc an additional recipient, use the Add more recipients option, described below.

Bypass spam filter for this message

Check this box to deliver incoming messages to recipients even if the spam filter identifies them as spam. This option applies to incoming messages only—you can’t bypass spam filters for outgoing messages.

Note: This option applies to the Users and Unrecognized / Catch-all account types, and not the Groups account type. See Account types to affect, below, for information on the account types.

Remove attachments from message

Check this box to remove any attachments from messages. Optionally, you can append text to notify recipients that attachments were removed.

Add more recipients

  1. Check the Add more recipients box and then click Add to set up dual delivery or multiple delivery.

  2. Select Basic from the list to add individual email addresses and then click Save. Click Add to add more addresses.

  3. Select Advanced from the list to choose advanced options for your secondary delivery. Similar to the settings for primary delivery, you can change the envelope recipient, add headers, prepend a custom subject, and remove attachments for secondary deliveries.

Notes:

  • Any settings that you configure for the primary delivery also affect the secondary deliveries. For example, if you change the envelope recipient, prepend a custom subject, and add custom headers to the primary delivery, the same configuration is applied to the secondary deliveries. If you change the envelope recipient, the To: address still remains the original recipient address.

  • For secondary deliveries, the Do not deliver spam to this recipient and Suppress bounces from this recipient boxes are checked by default. If the message is spam, Do not deliver spam to this recipient discards the copy of the message being sent to the additional recipient. Suppress bounces from this recipient prevents bounces from going back to the original sender.

Encryption (onward delivery only)

By default, Gmail always attempts to deliver messages using secure transport (TLS). If secure transport isn’t available, the message is delivered over a nonsecure connection.

Check the Require secure transport (TLS) box to include secure delivery as part of content compliance for outbound messages. This requires all messages meeting the conditions in the setting (such as match expressions, account types, and envelope filters) to be transmitted via a secure connection. If TLS isn't available on the sending or receiving side, the message won't be sent.

Check the Encrypt message if not encrypted (S/MIME) box to make sure that certain messages can’t be sent unless they are S/MIME encrypted. See note below.

Also check the Bounce message if unable to encrypt box to bounce messages that aren’t S/MIME encrypted.

Learn more about enhancing message security with hosted S/MIME.

Note: This feature is only available with G Suite Enterprise.  


Configure additional parameters

Click Show options to configure additional options for this setting.

Address lists

You can specify address lists as criteria for whether to bypass or apply a given content compliance rule. Address lists can contain email addresses, domains, or both.

To determine if there's an address list match, G Suite considers the "from" field for received mail and the recipients for sent mail. For senders, the authentication requirement is also checked. (Details below.) If there are multiple lists, the address must match at least one of the lists.

The options for whether to bypass or apply a given content compliance rule are:

  • Bypass this setting for specific addresses / domains—Skips the setting entirely if the address list matches, regardless of any other criteria specified in the setting.
  • Only apply this setting for specific addresses / domains—The address list match becomes a condition for whether the setting is applied. If there are other criteria in the setting, such as match expressions, account types, or envelope filters, those conditions must also match for the setting to be applied.

To create an address list:

  1. In the Options section, check the Use address lists to bypass or control application of this setting box.

  2. Select one of the options:

    • Bypass this setting for specific addresses / domains

    • Only apply this setting for specific addresses / domains

  3. Click Use existing or create a new one.

  4. Select the name of an existing list, or enter a custom name for a new list in the Create new list field, and then click Create.

  5. Hover over the list name, and click Edit.

  6. To add email addresses or domains to the list, click Add.

  7. Enter a full email address or domain name, such as solarmora.com. Or, to add a list in bulk, click Add and then enter a comma- or space-delimited list of addresses.

    Note: Check the Do not require sender authentication box to bypass the Content compliance setting for approved senders that do not have authentication, such as SPF or DKIM, enabled. Use this option with caution as it can potentially lead to spoofing.

  8. Click Save.

  9. To include additional email addresses or domains in the list, repeat steps 5 to 7.

  10. When you're done, go to Account types to affect.

Account types to affect (Required)

Select one or more account types that the setting applies to. The account types are Users, Groups, and Unrecognized / Catch-all. You can't save the setting if you haven't selected an account type.

If you’re configuring the setting for the top-level organization and you select the Modify message or Reject message action, all 3 account types are available. If the action is Quarantine message, just the Users account type is available.

If you’re configuring a sub-level organization, the only available account type is Users, regardless of the action.

The Groups account type doesn't apply to the Add X-Gm-Spam and X-Gm-Phishy headers control. If the account type is Groups, the headers are always X-Gm-Spam: 0 and X-Gm-Phishy: 0. The Groups account type also doesn't apply to the Bypass spam filter for this message control.

By default, Users is selected, because it's the most common use case. You can select more than one. For example, you can configure an inbound setting that only applies to the Groups account type, and the group must be the recipient. If you’re configuring an outbound setting, the account type must match the sender.

When you're done:

  1. (Optional) Specify an envelope filter.

  2. Go to Save the configuration.

Envelope filter

You can choose to affect only specific envelope senders and recipients. You can specify a single recipient, a set of users matched by a regular expression, or email groups.

To set up an envelope filter, check the Only affect specific envelope senders box, the Only affect specific envelope recipients box, or both. Then, from the list, select an option:

  • Single email address—Specify a single user by entering one email address. It needs to be the complete email address and include @ and the domain name. The match is case insensitive.

  • Pattern match—Enter a regular expression to specify a set of senders or recipients in your domain. Click Test expression to make sure your syntax is correct. For example, you can ensure this setting applies only to 3 specific users by entering the list of users using the following regular expression syntax:

    ^(?i)(user1@solarmora.com|user2@solarmora.com|user3@solarmora.com)$

    In the expression:

    • ^ matches the start of a new line.
    • (?i) makes the expression case insensitive.
    • $ matches the end of a line.

    Learn about using regular expressions.

  • Group membership—Select one or more groups in the list. For envelope senders, this option only applies to sent mail. For envelope recipients, it only applies to received mail. If the group doesn't exist yet, you need to create it first.

When you're finished, go to Save the configuration.

Save the configuration

Final step: Add and save the setting

  1. Click Add setting or Save. Any new settings are added to the Gmail Advanced settings page.

  2. At the bottom, click Save.
