Control sensitive data shared in Gmail (beta)

Supported editions for this feature: Frontline Standard; Enterprise Standard and Enterprise Plus; Education Fundamentals, Education Standard, Teaching and Learning Upgrade, and Education Plus.

DLP for Gmail is also available to Cloud Identity Premium users who are also licensed for Google Workspace editions that include Gmail.

You can create data loss prevention (DLP) rules in the Google Admin console to control sensitive content shared in Gmail by your users. Rules apply to messages sent to users inside and outside of your organization. Use rules to flag sensitive information and keep it from leaving your organization.

DLP for Gmail features

You can:

  • Create data protection rules for Gmail alone, or for several Google Workspace apps at once, such as Gmail, Google Chat, and Drive.
  • Apply different actions when a rule is violated. For example, you can stop delivery and notify the sender (Block message), hold the message for an admin to review before it is released or returned (Quarantine message), or deliver the message but log the event so you can assess the impact of a new rule before enforcing it (Audit only).
  • Define conditions using text strings and predefined or custom detectors, such as keywords and regular expressions.
  • Enforce data protection rules for a specific organizational unit or group, or for your entire organization.
  • Alert admins about rule violations in the alert center so they can investigate.
  • Scan the text in images in all message attachments using optical character recognition (OCR), when OCR is turned on.

How does DLP for Gmail work?

When a user sends a Gmail message, DLP scans the message for sensitive content. If a message or attachment violates a rule, the action defined in the rule applies to the message.

Summary of flow:

  1. You create DLP rules that define content that’s sensitive and should be protected.
  2. A user sends a Gmail message, and DLP scans the content for rule violations. 
  3. If a rule is violated, DLP executes the action defined in a rule.
  4. All events are logged in Rule log events for review.

Recommendations on beta configuration

  • Asynchronous and synchronous scanning—With DLP for Gmail, messages are scanned against data protection rules asynchronously: a message is blocked or quarantined after it has left the sender's mailbox but before it is dispatched to the recipient, so the sender is not warned at the moment they click Send.
    Coming soon: Synchronous scanning on the Send button, which notifies users about sensitive content in a message before it leaves their mailbox.
  • Use the Audit only option—We recommend selecting Audit only when you set up a rule during the beta. With this option, messages that match the rule's conditions are delivered normally and the detection is logged. This lets you test new rules and monitor how often and on what they fire, or passively monitor the environment, without interrupting email flow for your users.

What is scanned?

Only outgoing messages are scanned. What’s scanned depends on what you select for the rule:

  • All content—The message's header, subject, body, and attachments are scanned. 
  • Body—The body and attachments are scanned. 
  • Email headers—The header and subject are scanned. 
  • Subject—The subject is scanned.

Attachments include files and images. The attachment filename itself is also scanned (for supported file types).

Supported attachment file types

The following attachment file types are scanned:

  • Document file types—TXT, DOC, DOCX, RTF, HTML, XHTML, XML, PDF, PPT, PPTX, ODP, ODS, ODT, XLS, XLSX, PS, CSS, CSV, JSON, SH
  • Image file types (if OCR is turned on)—EPS, BMP, GIF, JPEG, PNG, and images within PDF files. 
  • Compressed file types—ZIP
  • Custom file types—HWP, KML, KMZ, SDC, SDD, SDW, SXC, SXI, SXW, WML, XPS

How does DLP for Gmail coexist with other rules?

Data protection rules are evaluated before content compliance rules and routing rules. If a message is not flagged by a data protection rule, it is then scanned against any content compliance and routing rules. If a message is rejected by a data protection rule, no other rules are evaluated for it. If a content compliance or routing rule produces a new instance of a message (for example, by adding a new recipient), the new message goes through the entire scanning cycle from the start. For details on content compliance rules, go to Set up rules for advanced email content filtering.
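The flow summarized above (scope selects the message parts, detectors fire, the action and recipient filter decide the outcome, every outcome is logged) and the precedence rule in this section are easier to reason about in code. The following is an added model written for this page, not Google's implementation or any Google API: the domain, the rules, the detectors (a keyword and a Luhn-checked card-number regex) and the four sample messages are all constructed, and the "content_compliance" rule stands in for a content compliance rule only to show that it is skipped once a data protection rule rejects the message.

```python
import re
from dataclasses import dataclass, field
from typing import Callable, Optional

ORG_DOMAIN = "example.com"  # assumed organization domain (constructed)

# Scan scope -> message parts examined, per "What is scanned?" above
SCOPE_PARTS = {
    "All content": ("headers", "subject", "body", "attachments"),
    "Body": ("body", "attachments"),
    "Email headers": ("headers", "subject"),
    "Subject": ("subject",),
}


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, used as a post-match check so a random 16-digit string is not a hit."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        n = int(ch)
        if i % 2 == 1:
            n = n * 2 - 9 if n > 4 else n * 2
        total += n
    return total % 10 == 0


@dataclass
class Detector:
    name: str
    pattern: str  # regex; a keyword detector is just a literal pattern
    validate: Optional[Callable[[str], bool]] = None  # optional check on the digits of a match

    def matches(self, text: str) -> bool:
        for m in re.finditer(self.pattern, text):
            if self.validate is None or self.validate(re.sub(r"\D", "", m.group(0))):
                return True
        return False


@dataclass
class Rule:
    name: str
    scope: str                # key of SCOPE_PARTS
    detectors: list
    action: str               # "Block message" | "Quarantine message" | "Audit only"
    applies_to: str = "both"  # "external" | "internal" | "both" recipients
    kind: str = "DLP"         # "DLP" (data protection) or "content_compliance" (stand-in)


@dataclass
class Message:
    sender: str
    recipients: list
    subject: str
    body: str
    headers: str = ""
    attachments: list = field(default_factory=list)  # (filename, extracted text) pairs

    def text_for(self, part: str) -> str:
        if part == "attachments":  # the filename is scanned too
            return "\n".join(f"{name}\n{text}" for name, text in self.attachments)
        return getattr(self, part)


def recipient_classes(msg: Message) -> set:
    return {"internal" if r.lower().endswith("@" + ORG_DOMAIN) else "external"
            for r in msg.recipients}


def rule_hits(rule: Rule, msg: Message) -> list:
    scanned = "\n".join(msg.text_for(p) for p in SCOPE_PARTS[rule.scope])
    return [d.name for d in rule.detectors if d.matches(scanned)]


def evaluate(msg: Message, rules: list):
    """Data protection rules run first; a rejection stops all further scanning."""
    verdict, log = "delivered", []
    ordered = [r for r in rules if r.kind == "DLP"] + [r for r in rules if r.kind != "DLP"]
    for rule in ordered:
        if rule.applies_to != "both" and rule.applies_to not in recipient_classes(msg):
            continue  # "Select when this action should apply" filter
        hits = rule_hits(rule, msg)
        if not hits:
            continue
        log.append({"rule": rule.name, "detectors": hits, "action": rule.action})  # Rule log event
        if rule.action == "Block message":
            verdict = "blocked"
        elif rule.action == "Quarantine message":
            verdict = "quarantined"
        if verdict != "delivered":
            break  # rejected: no other rule sees this message
        # Audit only: logged, scanning continues, message is still delivered
    return verdict, log


# Constructed detectors, rules and messages for the demonstration
CARD = Detector("Credit card number", r"\b(?:\d[ -]?){13,16}\b", luhn_ok)
FALCON = Detector("Project Falcon keyword", r"(?i)\bproject falcon\b")
LEGACY = Detector("Legacy routing marker", r"\bLEGACY-ONLY\b")

RULES = [
    Rule("Block card numbers leaving the org", "All content", [CARD], "Block message", applies_to="external"),
    Rule("Audit Project Falcon subjects", "Subject", [FALCON], "Audit only"),
    Rule("Quarantine legacy-marked mail", "Body", [LEGACY], "Quarantine message", kind="content_compliance"),
]

SAMPLES = {
    "card_to_partner": Message("ann@example.com", ["bob@partner.test"], "Invoice", "See attached. LEGACY-ONLY",
                               attachments=[("cards.csv", "name,pan\nAnn,4111 1111 1111 1111")]),
    "card_internal_falcon": Message("ann@example.com", ["cfo@example.com"], "Project Falcon budget",
                                    "PAN 4111-1111-1111-1111 stays in house. LEGACY-ONLY"),
    "bad_luhn_external": Message("ann@example.com", ["bob@partner.test"], "Order", "Ref 4111 1111 1111 1112"),
    "falcon_in_body_only": Message("ann@example.com", ["bob@partner.test"], "Lunch",
                                   "Project Falcon slides attached", attachments=[("deck.pptx", "agenda")]),
}

if __name__ == "__main__":
    for label, msg in SAMPLES.items():
        print(label, evaluate(msg, RULES))
```

Running it shows the four behaviours the page describes: the card number in the CSV attachment blocks the external message and the content compliance rule never runs on it; the internal message is not covered by the external-only block rule, gets an Audit only event for its subject and is then quarantined by the later rule; a number that fails the Luhn check is not a hit; and a keyword that appears only in the body is invisible to a rule scoped to Subject.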

Known limitations

For message scanning limits, go to DLP for Gmail content limits.

Create a data protection rule for Gmail

  1. Sign in to your Google Admin console.

    Sign in using an account with super administrator privileges (does not end in @gmail.com).

  2. In the Admin console, go to Menu and then Rules.
  3. For Classify and protect your sensitive content, click Create rule.
  4. Click Name and enter a name for the rule and, optionally, a description.
  5. For Scope, choose an option:
    • To apply the rule to your whole organization, select All in domain.name.
    • To apply the rule to specific organizational units or groups, select Organizational units and/or groups and include or exclude the organizational units and groups.
  6. Click Continue.
  7. (Optional) To confirm that OCR is turned on, click Check, and if needed check the Gmail box to turn OCR on for Gmail.
  8. For Gmail, check the Message sent box.
  9. Click Continue.
  10. (Optional) To add a condition:
    1. Click Add Condition. For Gmail, you can choose to scan:
      • All content (header, subject, body, and attachments)
      • Body (body and attachments)
      • Email headers (header and subject)
      • Subject (subject)
      If the message is sent with Google Workspace Client-side encryption, only the content of the email headers (including subject) can be scanned.
    2. Click What to scan for and complete the needed attributes for the type of scan.
    If you create a rule with no condition, the rule applies the specified action to every Gmail message and all content.
  11. Click Continue.
  12. Click Action and choose an option:
    • To stop delivery and have the sender receive a notification, select Block message.
    • To hold messages for admin review, select Quarantine message, and for Select a quarantine, choose the quarantine to apply to the messages.
    • To assess a new rule by delivering messages but logging each match for later review, select Audit only.
    All actions are logged in Rule log events.
  13. For Select when this action should apply, choose whether the action applies to messages sent to external recipients, internal recipients, or both.
  14. (Optional) To create a customized message that helps users understand why their message was blocked, for Block message, check the Customize message box and enter your message. Messages can be up to 300 characters long (including the length of any URL) and can contain links. If you don't create a custom message, the user sees the default message.
  15. (Optional) To choose a severity level for events triggered by this rule in the Admin console, for Alerting, select Low, Medium, or High. The severity level is recorded in the Rule log events and can be used when investigating incidents.
  16. (Optional) To also send an alert to the alert center when this rule triggers an event, check the Send to alert center box. To notify all super admins about the alert, check the All super administrators box. You can also enter other email recipients for notifications.
  17. Click Continue and review the rule details.
  18. Choose a status for the rule:
    • Active—Your rule runs immediately.
    • Inactive—Your rule exists but does not run yet. This gives you time to review the rule and share it with team members before enforcing it. To activate the rule later, in the Admin console, go to Security and then Access and data control and then Data protection and then Manage Rules, change the status to Active, and click Confirm.
  19. Click Create.

Changes can take up to 24 hours but typically happen more quickly.

Investigate DLP rule violations using the security investigation tool

Run a search for Rule log events

The following example runs a search to investigate Gmail messages that violated a DLP rule. You can use other conditions in your search or no conditions at all.

  1. In the Admin console, go to Menu and then Security and then Security center and then Investigation tool.
  2. Click Data source and select Rule log events.
  3. Click Add Condition and then Attribute and then Rule type.
  4. Choose DLP.
  5. Click Search.
    From the search results at the bottom of the page, you can view a list of events, with details about each event.

    Note: Sensitive content snippets are not supported for Gmail DLP (beta). As a result, the Has sensitive content column will show False even if a message contains sensitive content that has triggered a DLP rule.

  6. Scroll to the Resource ID column and click Menu and then Gmail log events and then Message ID to pivot on that message.
  7. Click Search to open a new search page where Gmail log events is the data source.
  8. To drill down and view additional details, click Message ID for any line in the search results. In the side panel, you can review any additional details about your investigation.
  9. If prompted, enter text to justify the business need for viewing Gmail content and click Confirm.

Share your feedback

In the Admin console on any data protection pages, click Send Feedback.
