Prevent data leaks in email & attachments (beta)

Supported editions for this feature: Frontline Standard; Enterprise Standard and Enterprise Plus; Education Fundamentals, Education Standard, Teaching and Learning Upgrade, and Education Plus.

DLP for Gmail is also available to Cloud Identity Premium users who are also licensed for Google Workspace editions that include Gmail.

You can create data loss prevention (DLP) rules in your Google Admin console to manage sensitive content that your users share in email messages. With DLP for Gmail, rules apply to messages sent to recipients both inside and outside your organization. Use rules to identify sensitive information and help prevent it from being shared where it shouldn't be.


DLP for Gmail features

With DLP for Gmail, admins can:

  • Create data protection rules for Gmail alone, or rules that also cover other Google Workspace apps that use DLP, such as Google Chat and Drive.
  • Implement different actions for rule violations. For example, you can block delivery and notify the user (Block message), warn the user about sensitive content but let them send anyway (Warn users), hold the message for admin review before it's sent or returned to the sender (Quarantine message), or send the message and only log the DLP event, which is useful for assessing the impact of a new rule before enforcing it (Audit only).
  • Define conditions using text strings and predefined and custom detectors, such as keywords and regular expressions.
  • Add rules that automatically add classification labels to new messages based on conditions you specify. For example, apply a classification label Confidential when messages contain sensitive, financial, or personally identifiable information.  
  • Detect whether confidential mode is enabled for a message, and use confidential mode status as a rule condition, for example to allow sensitive content only in messages that use confidential mode.
  • Enforce rules for specific organizational units or groups, or for your entire organization.
  • Alert admins about rule violations in the Alert Center so they can investigate.
  • Scan image text in all message attachments with optical character recognition (OCR).

How does DLP for Gmail work?

When a user sends an email message, DLP scans the message for sensitive content. If a message or attachment violates a rule, the action defined in the rule applies to the message.

Summary of flow:

  1. Create DLP rules that define what content is sensitive and should be protected.
  2. When a user sends an email message, DLP scans the content for rule matching. 
  3. If a rule is matched, DLP applies the action defined in the rule.
  4. All events are logged in Rule log events for review. Learn more about rule log events

About synchronous & asynchronous scanning

With DLP for Gmail, data protection rules can be scanned synchronously or asynchronously: 

  • Synchronous scanning–Data protection rules are scanned when the user clicks the Send button. Users are notified of sensitive content before the email message leaves their mailbox, when using Gmail on the web or with a mobile app.
  • Asynchronous scanning–Data protection rules are scanned after the email message leaves the sender’s mailbox. Users get a message that the message is blocked or quarantined before it is dispatched to the recipient. Asynchronous scanning occurs when a user sends a message using a third-party email app, and when synchronous scanning is unsuccessful.

Outcomes of synchronous & asynchronous scanning

Synchronous scanning: Gmail on the web or mobile

When a rule with the Block message action is triggered: 

  • A dialog box opens, alerting the user that the message can’t be sent in its current state. You can add a custom message in the rule for this alert.
  • The box has a Back to editing option, so the user can return to editing the message.
  • When the user resends the message after editing, the message is scanned again against all applicable rules.

When a rule with the Warn users action is triggered:

  • A dialog box opens, alerting the user about possible sensitive content in the message. You can add a custom message in the rule for this alert.
  • The box has a Back to editing option, so the user can optionally return to editing the message.
  • The box has a Send anyway option, so the user can send the message in its current state.

When a rule with the Quarantine message action is triggered:

  • A dialog box opens alerting the user about possible sensitive content in the message. You can add a custom message in the rule for this alert.
  • The box has a Back to editing option, so the user can optionally return to editing the message.
  • The box has a Submit for review button, so the user can send the message for review by an admin or other authorized user. After reviewing the message, the admin can approve the message for delivery to the recipient, or decline the message and block it from being sent.

When a rule with the Audit only action is triggered:

  • The user doesn’t see a dialog box and the message is delivered normally to recipients.
  • The message event is recorded in audit logs. Learn more about rule log events

Note: Messages that are scanned synchronously might be scanned one more time asynchronously, as an added security measure. This can result in the message being blocked, even when no dialog box was presented during the synchronous scanning.

Asynchronous scanning: Gmail with SMTP and third-party email apps

When a rule with the Block message action is triggered: 

  • The sender sees the message in their Sent mailbox.
  • The sender gets a message soon after, indicating the message was blocked. You can add a custom message in the rule for this alert.

When a rule with the Warn users action is triggered: 

  • The sender sees the message in their Sent mailbox.
  • The sender gets a message soon after sending, indicating the message was blocked. You can add a custom message in the rule for this alert.
  • For messages sent using third-party email apps connected to Gmail with SMTP,  rules with a Warn users action behave as rules with a Block message action.

When a rule with the Quarantine message action is triggered: 

  • The sender sees the message in their Sent mailbox.
  • If the reviewer declines the message, the sender might get an alert indicating the message was quarantined and not delivered. You can add a custom message in the rule for this alert.

When a rule with the Audit only action is triggered:  

  • The sender doesn’t get a notification and the message is delivered normally to the recipient.

Asynchronous scanning: Gmail on the web or mobile

When you use Gmail on the web or in a mobile app, messages that passed synchronous scanning are scanned asynchronously one more time as an extra security measure.

When a rule with the Block message action is triggered: 

  • The sender sees the message in their Sent mailbox.
  • The sender gets a message soon after, indicating the message was blocked. You can add a custom message in the rule for this alert.

When a rule with the Warn users action is triggered, the message is sent:

  • The sender can see the message in their Sent mailbox.
  • The message event is recorded in Rule Log Events.

When a rule with the Quarantine message action is triggered: 

  • The sender can see the message in their Sent mailbox.
  • They might get a notification later if message sending was prevented by the reviewer.

When a rule with the Audit only action is triggered:  

  • The sender doesn’t get any notification and the message is delivered to the recipient.

Messages created automatically by other Google products

Gmail sends automated notifications and messages created by other Google and Google Workspace services, including Calendar, Docs, and Drive. For example, when someone creates an event in Google Calendar and invites guests, a Gmail message with the event details is created and sent to event participants. These messages are scanned on the server side. If the message content meets the conditions of any rule, the rule action is applied.

When a rule with the Block message action is triggered:

  • The sender sees the message in their Sent mailbox.
  • The sender gets a message soon after, indicating the message was blocked. You can add a custom message in the rule for this notification.

When a rule with the Warn users action is triggered, the message is sent:

  • The message is sent normally.
  • The sender can see the message in their Sent mailbox.
  • The message event is recorded in Rule Log Events.

When a rule with the Quarantine message action is triggered: 

  • The sender might get a notification later if message sending was prevented by the reviewer.

When a rule with the Audit only action is triggered:  

  • The message is sent normally.
  • The sender doesn't get any notifications.

What's scanned?

Only outgoing messages are scanned. The Content type to scan selected in the rule determines which part of the message is scanned:

  • All content—Message subject, To, From, Bcc, Cc, and body are scanned synchronously. Attachments are scanned asynchronously. Attachments include files and images. Attachment filenames are also scanned. Go to supported file types on this page.
    Important: Only 5 header fields (subject, to, from, bcc, cc) are scanned for the All content condition, because they're immediately available for synchronous scanning. Other headers (for example Reply-To or custom X- headers) are not covered by All content. To scan all message headers, use one of these options:
    • Add a condition with the OR operator to scan Email headers
    • Create a separate rule specifically to scan Email headers
  • Email headers—All email header content (in addition to subject, to, from, bcc, cc). All message headers are scanned asynchronously because some headers aren't available at the time of synchronous scanning.
  • Body—Message body is scanned synchronously and attachments are scanned asynchronously.
  • Subject—Subject is scanned synchronously.
  • Classification label—Classification labels that have been manually applied by a user or automatically applied with a DLP rule. A rule can't have both Classification label as a condition and Apply classification labels as an action.
  • Confidential mode status—Whether the message has confidential mode enabled. We recommend combining this condition with other rule conditions. For example, if the message body contains a tax ID and the message doesn't use confidential mode, the message is blocked from being sent. Learn more about confidential mode
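The header caveat above is easy to get wrong when writing a rule: a regex detector that is supposed to catch a tax ID in "all content" silently misses it in a custom header. The following is an added example (not code from the page or from Google) that dry-runs a regex detector against a constructed message the way the content types above describe, reporting where each match would be found and whether that part is scanned synchronously or asynchronously. The Message type, the content-type names, and the tax ID pattern are illustrative assumptions; Workspace custom detectors use RE2 syntax, which Python's re module handles identically for a pattern this simple.

```python
import re
from dataclasses import dataclass, field, replace

# Header fields that "All content" scans synchronously (from the list above).
SYNC_HEADERS = ("subject", "to", "from", "cc", "bcc")

# Illustrative tax ID detector (US SSN-shaped); assumed, not Google's predefined one.
TAX_ID = r"\b\d{3}-\d{2}-\d{4}\b"


@dataclass
class Message:
    headers: dict                      # lowercase header name -> value
    body: str
    attachments: dict = field(default_factory=dict)  # filename -> extracted text
    confidential_mode: bool = False


def _targets(msg, content_type):
    """Yield (location, text, scan_mode) for the parts a content type covers."""
    if content_type == "ALL_CONTENT":
        for h in SYNC_HEADERS:
            if h in msg.headers:
                yield (f"header:{h}", msg.headers[h], "synchronous")
        yield ("body", msg.body, "synchronous")
        for name, text in msg.attachments.items():
            # Filenames are scanned too, so the name is prepended to the content.
            yield (f"attachment:{name}", name + "\n" + text, "asynchronous")
    elif content_type == "EMAIL_HEADERS":
        for h, v in msg.headers.items():
            yield (f"header:{h}", v, "asynchronous")
    elif content_type == "BODY":
        yield ("body", msg.body, "synchronous")
        for name, text in msg.attachments.items():
            yield (f"attachment:{name}", name + "\n" + text, "asynchronous")
    elif content_type == "SUBJECT":
        yield ("header:subject", msg.headers.get("subject", ""), "synchronous")
    else:
        raise ValueError(f"unknown content type {content_type!r}")


def dry_run(msg, content_type, pattern, exempt_if_confidential=False):
    """Return [(location, matched_text, scan_mode)] the rule would report.

    exempt_if_confidential models the recommended pairing with the
    Confidential mode status condition: sensitive content is allowed
    when confidential mode is on, so no hits are reported in that case.
    """
    if exempt_if_confidential and msg.confidential_mode:
        return []
    rx = re.compile(pattern)
    hits = []
    for location, text, mode in _targets(msg, content_type):
        for m in rx.finditer(text):
            hits.append((location, m.group(0), mode))
    return hits


# Constructed sample message: one tax ID in a custom header, one in the body,
# one inside a CSV attachment.
SAMPLE = Message(
    headers={
        "from": "alice@example.com",
        "to": "bob@partner.example",
        "subject": "Q3 payroll recon",
        "x-ticket-note": "customer TIN 123-45-6789 attached",
    },
    body="Hi Bob, payroll summary attached. Taxpayer ID: 987-65-4321.",
    attachments={"payroll.csv": "name,tin\nCarol,555-12-3456\n"},
)
CONFIDENTIAL = replace(SAMPLE, confidential_mode=True)

if __name__ == "__main__":
    for ct in ("ALL_CONTENT", "EMAIL_HEADERS", "BODY", "SUBJECT"):
        print(ct, dry_run(SAMPLE, ct, TAX_ID))
```

Running it shows that ALL_CONTENT reports the body hit (synchronous) and the attachment hit (asynchronous) but never sees the X-Ticket-Note header; only EMAIL_HEADERS finds that one, and only asynchronously, so the sender would not get the in-editor dialog for it. That is the practical reason for the OR-condition or second-rule recommendation above.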

Supported attachment file types

Data protection rules scan these attachment types:

  • Document file types—TXT, DOC, DOCX, RTF, HTML, XHTML, XML, PDF, PPT, PPTX, ODP, ODS, ODT, XLS, XLSX, PS, CSS, CSV, JSON, SH
  • Image file types (when OCR is turned on)—EPS, BMP, GIF, JPEG, PNG, and images inside PDF files
  • Compressed file types—BZIP, RAR, TAR, ZIP
  • Custom file types—HWP, KML, KMZ, SDC, SDD, SDW, SXC, SXI, SXW, WML, XPS

How does DLP interact with other email rules?

Data protection rules are evaluated before content compliance rules and routing rules.

If no data protection rule takes a block or quarantine action on a message, the message is then evaluated by content compliance and routing rules. If a content compliance or routing rule applies an action that creates another copy of the message (for example, adds a new recipient), DLP scans the new copies before they're sent.
For details on content compliance rules, visit Set up rules for advanced email content filtering.

Known limitations

  • During beta, data protection rules with an Apply classification label action are applied asynchronously only.
    • Don't use the Warn users action in these rules. During beta, it's ignored.
    • The sender isn't notified about classification labels applied to a message, and doesn't see the label on the message in their Sent mailbox.
  • Group alias email addresses are treated as internal recipients. If the group has external members, rules intended for external messages aren't applied to mail sent to the group.
  • Rules don't apply to Groups. If a message is sent on behalf of a Group, rules aren't applied.

For message scanning limits, go to DLP for Gmail content limits.

Create a data protection rule for Gmail

  1. Sign in to your Google Admin console.

    Sign in using an account with super administrator privileges (does not end in @gmail.com).

  2. In the Admin console, go to Menu and then Rules.
  3. On the Classify and protect your sensitive content page, click Create rule.
  4. Click Name and enter a name for the rule and, optionally, a description.
  5. For Scope, choose an option:
    • To apply the rule to your whole organization, select All in domain.name.
    • To apply the rule to specific organizational units or groups, select Organizational units and/or groups and include or exclude organizational units and groups.
  6. Click Continue.
  7. (Optional) To turn on OCR for Gmail, or verify it's already on, click Check and check the Gmail box.
  8. Under Gmail, check the Message sent box.
  9. Click Continue.
  10. To add a condition, click Add Condition and select the part of the message that is scanned:

    If you create a rule with no condition, the rule applies the specified action to every Gmail message and all parts of the message.

    • All content—Scans message header, subject, body, and attachments.
    • Body—Scans message body and attachments.
    • Email headers—Scans message header and subject. If the message is sent with Google Workspace Client-side encryption (CSE), only the content of the email headers (including subject) can be scanned.
    • Subject—Scans message subject only.
    • Classification labels (beta)—Scans classification labels applied to messages. During beta, rules with this condition are applied asynchronously. Don't pair this condition with the Warn users action; that action is intended only for synchronous scanning.
    • Confidential mode status (beta)—Scans whether confidential mode is turned on for messages.
  11. Click Continue
  12. Click Action and choose an option:

    All actions are logged in Rule log events.

    • Block message—Don’t send the message right away, and display an alert to the sender about potentially sensitive information in the message. The sender has the option to edit the message and try sending again.
    • Warn users (not supported in beta)—Don't send the message right away, and display an alert to the sender. The sender has the option to send the message as is, or edit the message and try sending again.
    • Quarantine message—Don't send the message right away, and display an alert to the sender. The sender has the option to edit the message, or to submit it for review by an admin or other authorized person. You must select an option from the Quarantine condition menu.
    • Audit only—The message is sent normally. No alert is displayed. The message is scanned against rules, and logged as the event that an admin can review later.
    • Apply classification label—Apply a classification label to messages that match the conditions. You must select an option from the Label field and Field options menus. During beta, rules with this action are applied asynchronously only.
  13. For Select when this action should apply, choose whether the action applies to internal messages, external messages, or both.
  14. (Optional) To create a custom alert, check the Customize message box and enter your alert text. Alerts can be up to 300 characters long (including characters in URLs) and can include URLs. If you don't create a custom message, the box displays the default message.
  15. (Optional) In the Alerting menu, choose a severity level for reported message events: Low, Medium, or High. The severity level is logged in Rule log events and can be used to triage and investigate incidents.
  16. (Optional) To send an alert when a message triggers this rule, check the Send to alert center box. To also notify super admins, select All super administrators. To notify other people, enter their email addresses as additional recipients.
  17. Click Continue and review the rule details. 
  18. Choose a status for the rule:
    • Active—The rule runs immediately.
    • Inactive—The rule is added but doesn't run immediately. This gives you time to review the rule and share it with others before implementing. To activate the rule later, in the Admin console, go to Security and then Access and data control and then Data protection and then Manage Rules, change the status to Active, and click Confirm.
  19. Click Create.

Changes can take up to 24 hours but typically happen more quickly. Learn more

Investigate DLP rule events with the security investigation tool

Run a search for Rule log events

The following example runs a search to investigate Gmail messages that triggered a DLP rule. You can use other conditions in your search or no conditions at all.

  1. In the Admin console, go to Menu and then Security and then Security center and then Investigation tool.
  2. Click Data source and select Rule log events.
  3. Click Add Condition and then Attribute and then Rule type.
  4. Choose DLP.
  5. Click Search.
    From the search results at the bottom of the page, you can view a list of events, with details about each event.

    Note: Sensitive content snippets aren't supported for Gmail DLP (beta). As a result, the Has sensitive content column shows False even if a message contains sensitive content that has triggered a DLP rule.

  6. Scroll to the Resource ID column and click Menu to pivot from Gmail log events > Message ID.
  7. Click Search to open a new search page where Gmail log events is the data source.
  8. To view additional details, click Message ID for any line in the search results. A side panel displays additional details about your investigation.
  9. If prompted, enter the business need for viewing Gmail content and click Confirm.
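The same Rule log events can be pulled with the Admin SDK Reports API (applicationName "rules") and triaged outside the console, which is handy for daily review of Audit-only rules before you switch them to Block. The following is an added example, not code from the page or from Google: it parses a constructed response in the Reports API activities.list shape, keeps only Gmail DLP events, counts them by severity, action and sender, and collects the message IDs to carry into a Gmail log events search (the pivot in step 6). The parameter names (rule_type, data_source, rule_name, severity, triggered_actions, resource_id, has_content_match) and their values are assumptions for illustration; compare them with a real response from your own domain before building on them.

```python
import json
from collections import Counter


def _item(time, actor, **params):
    """Build one activity item in Reports API shape (constructed sample data)."""
    plist = []
    for name, v in params.items():
        if isinstance(v, bool):
            plist.append({"name": name, "boolValue": v})
        elif isinstance(v, list):
            plist.append({"name": name, "multiValue": v})
        else:
            plist.append({"name": name, "value": v})
    return {
        "id": {"time": time, "applicationName": "rules"},
        "actor": {"email": actor},
        "events": [{"type": "rule_match", "name": "rule_match", "parameters": plist}],
    }


# Constructed sample response. Parameter names and values are assumptions.
# For real data: build("admin", "reports_v1", ...).activities().list(
#     userKey="all", applicationName="rules", startTime="...").execute()
SAMPLE_RESPONSE = json.dumps({"kind": "admin#reports#activities", "items": [
    _item("2024-05-01T09:15:02.000Z", "alice@example.com", rule_type="DLP",
          data_source="GMAIL", rule_name="Block tax IDs to external",
          severity="HIGH", triggered_actions=["BLOCK_EMAIL"],
          resource_id="18f2c4a7b3d0e9f1", has_content_match=False),
    _item("2024-05-01T09:40:11.000Z", "alice@example.com", rule_type="DLP",
          data_source="GMAIL", rule_name="Audit payroll keywords",
          severity="LOW", triggered_actions=["AUDIT_ONLY"],
          resource_id="18f2c4b1c0e4a2d3", has_content_match=False),
    _item("2024-05-01T10:02:45.000Z", "bob@example.com", rule_type="DLP",
          data_source="DRIVE", rule_name="External share of tax IDs",
          severity="HIGH", triggered_actions=["BLOCK_SHARING"],
          resource_id="1AbCdEfGhIjKlMnOpQrStUvWxYz"),
    _item("2024-05-01T11:27:30.000Z", "carol@example.com", rule_type="DLP",
          data_source="GMAIL", rule_name="Quarantine contracts",
          severity="MEDIUM", triggered_actions=["QUARANTINE_EMAIL"],
          resource_id="18f2c50a9e1b7c44", has_content_match=False),
]})


def _params(event):
    """Flatten a Reports API parameter list into a plain dict."""
    out = {}
    for p in event.get("parameters", []):
        if "multiValue" in p:
            out[p["name"]] = p["multiValue"]
        elif "boolValue" in p:
            out[p["name"]] = p["boolValue"]
        elif "intValue" in p:
            out[p["name"]] = int(p["intValue"])
        else:
            out[p["name"]] = p.get("value")
    return out


def gmail_dlp_events(response_json):
    """Keep only DLP rule events whose data source is Gmail."""
    rows = []
    for item in json.loads(response_json).get("items", []):
        for ev in item.get("events", []):
            p = _params(ev)
            if str(p.get("rule_type", "")).upper() != "DLP":
                continue
            if str(p.get("data_source", "")).upper() != "GMAIL":
                continue
            rows.append({
                "time": item["id"]["time"],
                "sender": item.get("actor", {}).get("email"),
                "rule": p.get("rule_name"),
                "severity": p.get("severity"),
                "actions": p.get("triggered_actions", []),
                "message_id": p.get("resource_id"),
                # Expected to be False for Gmail during beta (no content snippets).
                "has_content_match": p.get("has_content_match"),
            })
    return rows


def summarize(rows):
    """The counts a triager wants first: severity, action taken, repeat senders."""
    return {
        "by_severity": dict(Counter(r["severity"] for r in rows)),
        "by_action": dict(Counter(a for r in rows for a in r["actions"])),
        "by_sender": dict(Counter(r["sender"] for r in rows)),
    }


def pivot_message_ids(rows, min_severity="HIGH"):
    """Message IDs at or above a severity, for a Gmail log events search."""
    order = {"LOW": 0, "MEDIUM": 1, "HIGH": 2}
    floor = order[min_severity]
    return sorted({r["message_id"] for r in rows
                   if order.get(r["severity"], -1) >= floor})


if __name__ == "__main__":
    rows = gmail_dlp_events(SAMPLE_RESPONSE)
    print(json.dumps(summarize(rows), indent=2))
    print("pivot on:", pivot_message_ids(rows))
```

The Drive event is dropped by the data_source filter, so the summary covers only the three Gmail hits, and the HIGH-severity pivot list contains just the blocked message. Because has_content_match is expected to be False for Gmail during beta, the example does not use it to decide anything; the triggered action and severity are what drive the triage.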

Export DLP violations using BigQuery

You can export DLP violations logged in Rule log events to custom tables for further investigation. For details, go to Set up service log exports to BigQuery.

Share your feedback

In the Admin console on any data protection pages, click Send Feedback.
