As an administrator, you can set up rules to determine whether messages containing certain words, such as obscenities, are rejected, quarantined, or delivered with modifications.
For example, you can:
- Reject outbound messages that might contain sensitive company information, such as when your outbound filter detects the word "confidential."
Quarantine a message that has an objectionable word.
Notify others when a message has an objectionable word.
You use the Objectionable content setting to create word lists for filtering for objectionable content, and to specify what action to perform for messages with this content.
Note: If you use objectionable content rules and dynamic email for your organization, learn how compliance rules are applied to dynamic messages.
How word matching works
Consider the following when you create a custom word list:
- Capitalization is ignored. For example, "BAD" matches "bad", "Bad", and "BAD".
- Only complete words are matched. For example, if you add "bad" to the custom word list, "badminton" is not matched.
- Word searches are performed on subject, body, and text attachments.
- Entering objectionable content inside square brackets, for example, [BAD], causes the rule to fail, even if the text in the message, including the brackets, matches the content.
Note: If you need a rule to trigger for text enclosed in square brackets, create a content compliance rule to trigger on the regular expression
When a message matches an objectionable content rule, you can:
- Reject it
- Quarantine it
- Deliver it with modifications
How settings are applied
Unless you change the options, the rules apply to all users in an organizational unit. You can disable in a child organization any rules they inherit from a parent organization. You can also add multiple rules to each organization.
When you set up multiple rules, what happens to a message depends on the conditions you set and which rule has precedence. For details, read How multiple settings affect message behavior.
Note: Objectionable content filtering does not currently support localized text with non-ASCII characters.
Enhance message security with hosted S/MIME
Depending on your edition, you can improve message security with S/MIME. For example, set up a rule that requires S/MIME encryption for outgoing messages. Set this rule up with the Encryption option, described in Step 4 above.
For an overview, see Enhance message security with hosted S/MIME.
Set up an objectionable content rule
Initial step: Go to Gmail Compliance settings in the Google Admin console
In the Admin console, go to Menu AppsGoogle WorkspaceGmailCompliance.
- Scroll to the Objectionable content setting in the Compliance section, hover over the setting, and click Configure. If the setting is already configured, hover over the setting and click Edit or Add another.
- For each new setting, enter a unique description.
Go to the next step to configure the setting.ad
Step 1: Enter email messages to affect
You can set up the rule for inbound, outbound, or internal messages. Internal messages are sent and received within the domains and subdomains associated with your organization.
Check the boxes next to the messages you want the rule to apply to.
Go to the next step to continue.
Step 2: Add words you want to search for in each message
You can use the Custom objectionable words list to create your own list of objectionable words.
To create a list of objectionable words:
- Click Edit Add.
- Enter the words, separated by spaces or commas.
- Click Save. You might need to scroll to see it.
- Go to the next step to continue.
Step 3: Specify what happens if the message contains objectionable words
Specify whether to modify, reject, or quarantine a message when conditions are met. (Details below.)
Configure the options for the action you choose.
(Optional) Click Show options to configure additional options to limit the application of this setting. See Configure additional parameters, below, for details.
Go to Save the configuration.
Note: A limit of 100 additional recipients applies for each rule. For this reason, consider using groups for large lists.
Rejects the message before reaching the recipient. You can enter a message to notify the sender about why the message was rejected. For matching messages, no other routing or compliance rules are applied.
Note: Gmail automatically adds an SMTP rejection code, such as 550 5.7.1. This is a requirement of the SMTP standard and can't be deleted.
Sends the message to an admin quarantine where you can review the message before you send or reject it. This option is only available for the Users account type. For details, see Account types to affect.
To notify your users when their sent messages are quarantined, check the Notify sender when mail is quarantined (onward delivery only) box.
Add headers, remove attachments, change the envelope recipient, add more recipients, and change the route. For details, read Options for modifying messages.
Note: We recommend that you use the routing settings for the specific use cases they are intended to support. For example, you can set up the same routing options by using an Objectionable content setting or a Routing setting. Use an Objectionable content setting for objectionable content, and a Routing setting for general routing-related use cases, such as dual delivery. Learn about mail routing, including use cases and examples.
Add X-Gm-Original-To header
Add a header tag if the recipient is changed. When you do, the downstream server will know the original envelope recipient. An example of the header tag format is X-Gm-Original-To: firstname.lastname@example.org.
Add X-Gm-Spam and X-GM-Phishy headers
Add headers to indicate message spam and phishing status. Administrators for a receiving servers can use this information to set up special rules for managing spam and phishing messages. For details, go to Add spam headers setting to all default routing rules.
Add custom headers
Add custom headers to messages affected by this setting. For example, you can add a header that matches the description you entered for the setting. This can help you determine why a message was routed in a certain way, or why a rule was triggered.
Prepend custom subject
You can add custom text to the beginning of the subject line for select messages. For example, you can enter Confidential for sensitive emails. If a message with the subject Monthly report triggers the rule, recipients see the following subject: [Confidential] Monthly report.
Change route and Also reroute spam
Change the route—You can change the destination of the message from the default Gmail server to a different mail server, such as Microsoft Exchange.
Note: Before you can change the route, you need to add the new route in the Admin console. For details, go to Add mail routes for advanced Gmail delivery.
Also reroute spam—This option is available if you select Change the route. Blatant spam is dropped instantly at delivery time. However, check the Also reroute spam box to route any additional email you mark as spam. Leave the box unchecked to route normal messages, but not spam. Admin console email settings (for example, a list of preauthorized senders) overrides spam settings.
- Suppress bounces from this recipient—Check this box to prevent bounced messages from being rerouted to the configured mail route. For example, you might want to prevent bounced messages from being rerouted to an automated system. Leave this box unchecked if you want the receiving mail system to get bounced messages, for example so senders know when their message isn't delivered.
Change envelope recipient
The message bypasses the original recipient’s mailbox and goes to the new recipient.
You can change the envelope recipient in one of the following ways:
- Replace the recipient’s entire email address—After Replace recipient, enter the full email address, such as email@example.com.
- Replace username—To change just the username of the recipient's email address and keep the domain the same, before @existing-domain, enter the username, such as user.
- Replace domain—To change just the domain of the recipient's email address and keep the username the same, after existing-username@, enter the domain, such as solarmora.com.
An MX lookup on the new recipient's domain determines the destination server. Or, if you’re using the Change the route control, the specified route determines the destination server.
If you'd rather Bcc an additional recipient, use the Add more recipients option, described below.
Bypass spam filter for this message
Deliver incoming messages to recipients even if the spam filter identifies them as spam. This option applies only to incoming messages. You can’t bypass spam filters for outgoing messages. Note: This option is not available for the Groups account type. For details, go to Account types to affect.
Remove attachments from message
You can remove any attachments from messages. You can also append text to notify recipients that attachments were removed.
Add more recipients
- To set up dual or multiple delivery, check the Add more recipients boxclick Add .
- To add individual email addresses, select Basic from the listclick Save.
- (Optional) To add more addresses, click Add .
- (Optional) To choose advanced options for your secondary delivery, select Advanced from the list.
You can change the envelope recipient, add headers, prepend a custom subject, and remove attachments for secondary deliveries. Note: The Do not deliver spam to this recipient advanced option isn't supported for the Groups account type.
When you add recipients, consider that:
- Each rule has a limit of 100 additional recipients.
- Settings for the primary delivery also apply to the secondary deliveries.
- For secondary deliveries, the Do not deliver spam to this recipient and Suppress bounces from this recipient boxes are checked by default.
- Adding additional recipients creates a message for each added recipient. Advanced Gmail settings apply to each message.
Encryption (onward delivery only)
By default, Gmail tries to deliver messages using Transport Layer Security (TLS). If secure transport isn’t available, the message is delivered over a nonsecure connection.
To require all messages meeting the conditions in the setting to be transmitted through a secure connection, check the Require secure transport (TLS) box. If TLS isn't available on the sending or receiving side, the message won't be sent.
If you have an Enterprise or Enterprise for Education account, you can also bounce messages or require that messages can only be sent if they are S/MIME encrypted. For details, go to Enhance message security with hosted S/MIME.
Tip: We recommend that you test new rules to make sure they work correctly for your organization. For more information, see Best practices for faster rules testing.
To set up additional options for a routing policy, such as creating address lists or choosing the account types it will affect, at the bottom, click Show options.
An address list is a list of email addresses and domains that you create. Use address lists to apply or bypass settings for the email addresses and domains in the list. Read detailed information about address lists, and how they're used with Gmail settings.
For address list matching, Gmail checks:
- Incoming messages—The sender domain or email address against the address list
- Outgoing messages—The recipient domain or email address against the address list
To use address lists in this setting:
- Click Show options.
- Check the Use address lists to bypass or control application of this setting box.
- (Routing settings only) Select an Apply address list to correspondents option for address list matching:
- Apply address lists to correspondents—Check the "from" field for received mail, and the recipients for sent mail. For senders, the Authentication required option is also checked (see details in Step 8).
- Apply address list to recipients—Check that recipients are in the address lists.
Note: This option isn't available in Gmail content compliance settings.
- Select an option for bypassing or applying this setting:
- Bypass this setting for specific addresses/domains—Bypass the setting entirely if there's an address list match. All other criteria in the setting is ignored.
- Only apply this setting for specific addresses/domains—Use an address list match as a condition for applying the setting. If there are other criteria in the setting, those conditions must also match for the setting to be applied. Examples of other criteria are match expressions, account types, and envelope filters.
- Click an address list option:
- Use existing list—Select the name of an existing address list, then go directly to Step 9.
- Create or edit list—The Add address list box or Manage address list tab opens. Complete Steps 6–9.
- In the Add address list box, enter the name of the new address list.
To enter email addresses or domains to the list one at a time, click Add Address. To enter a comma-separated list of addresses or domains, click Bulk Add Addresses.
To bypass the setting for approved senders that don't use authentication, turn off the Authentication required option. Be aware that turning off authentication requirements can increase the possibility of getting spam or spoofed messages. Learn more about sender authentication.
When you're done, continue to Account types to affect.
Account types to affect (Required)
Depending on the message action you chose and the type of organizational unit you’re configuring, some account types might not be available.
Select one or more account types that the setting applies to:
- Users (default)—The setting applies to provisioned users. For sending and outbound mail, the setting is triggered when your users send email. For receiving and inbound mail, the setting is triggered when your users receive email.
- Groups—The setting applies to groups set up in your organization. For sending and outbound mail, the setting is triggered when your groups forward email or summaries to members. For receiving and inbound mail, the setting is triggered when your groups receive email.
- Unrecognized/Catch-all—The setting is triggered when your organization receives email that doesn’t match one of your provisioned users. This selection only applies to received and inbound email.
Note: The Groups and Unrecognized/Catch-all account types don’t apply to these controls:
- Add X-Gm-Spam and X-Gm-Phishy headers
- Bypass spam filter for this message
- Also reroute spam
When you're finished, go to Add and save the setting.
To affect only specific envelope senders and recipients, set up an envelope filter:
- At the bottom of the Add setting window, click Show options.
- Check one or both of these options:
- Only affect specific envelope senders
- Only affect specific envelope recipients
- From the list, choose an option:
- Single email address—Enter the complete email address for a user.
- Pattern match—Enter a regular expression to specify a set of senders or recipients in your domain. For example:
Learn more about Guidelines for using regular expressions.
- Group membership—Select one or more groups in the list. For envelope senders, this option only applies to sent mail. For envelope recipients, it only applies to received mail. If you haven't, first create the group.
Note: This option affects group members, and members of child groups. For example, if Group B is a member of Group A, this option affects members of Group A and Group B.
When you're finished, go to Save the configuration.
Save the configuration
Final step: Add and save the setting
- Click Add setting or Save.
New settings appear on the Gmail Compliance settings page.
- At the bottom, click Save.
Google, Google Workspace, and related marks and logos are trademarks of Google LLC. All other company and product names are trademarks of the companies with which they are associated.