Set up rules for attachment compliance
As a G Suite administrator, you can set up compliance rules for message attachments, such as documents, video and sound files, images, and compressed files and archives. Rules specify conditions based on file type, file name, and message size. They also specify how to handle messages that meet the conditions.
For example, you can create rules to:
- Reject messages whose attachments cause them to exceed 20 MB.
- Detect whether the attachment is a video file, and if so, quarantine it for further inspection.
- Modify a message by stripping its attachments and adding an advisory notice to the message.
You can also set up a rule to detect whether an attached document is encrypted. This distinction can be useful if you need to send unencrypted copies of message attachments to an archive server for regulatory purposes.
How attachments are scanned
Gmail uses binary file-type detection to scan and identify the file type of non-executable attachments. In turn, any settings and rules you set up don't rely solely on the file extension when identifying matches. This helps prevent people from circumventing attachment rules by renaming extensions.
Gmail scans the file names of files inside archives, including encrypted archives and nested non-encrypted archives. However, the inner archives of an encrypted archive cannot be scanned.
When a message matches an attachment rule, you can:
- Reject it
- Quarantine it
- Deliver it with modifications
How settings are applied
Unless modified in the Options section, the setting applies to all users in an organizational unit. Users in child organizations inherit the settings you create for the parent organization. You can also add multiple attachment compliance settings to each organization.
Enhance message security with hosted S/MIME
You can enhance message security using advanced features for Secure/Multipurpose Internet Mail Extensions (S/MIME). For example, you can set up an attachment compliance policy that requires the use of S/MIME encryption for outgoing messages. You set this up with the Encryption option, described in step 3.For details, see Enhance message security with hosted S/MIME.
This feature is only available with G Suite Enterprise.
Set up an attachment compliance rule
Initial step: Go to Gmail advanced settings in the Google Admin console
Sign in to your Google Admin console.
Sign in using your administrator account (does not end in @gmail.com).
From the Admin console dashboard, go to AppsG SuiteGmailAdvanced settings.
Tip: To see Advanced settings, scroll to the bottom of the Gmail page.
Scroll to the Attachment compliance setting in the Compliance section, hover over the setting, and click Configure. If the setting is already configured, hover over the setting and click Edit or Add another.
For each new setting, enter a unique description.
Go to the next step to configure the setting.
Step 1: Enter email messages to affect
Check the boxes next to the messages you want the rule to apply to.
Go to the next step to continue.
You can add up to 10 expressions, but you need to individually add and save them.
From the list, specify whether any or all conditions must match to trigger what happens to the message. For example, if you select If ANY of the following match the message, any matching condition can trigger the consequence to the message.
From the list, choose what you want to specify for the expression:
File type—Select the attachment types to include. You can also enter a custom file type to look for matches based on specific file types, such as .exe, .bat, and .cmd.
Note: For your protection, file types that are considered to be executables are automatically rejected. To see a complete list of extensions, see File types and extensions supported in expressions.
File name—Enter an attachment name that you want to include. Any part of an attachment file name is returned as a match, whether it's upper or lowercase.
Message size—Enter, in megabytes, the size limit for messages. The size includes the message body and all attachments.
Click Save. You might need to scroll to see it.
Go to the next step to continue.
Step 3: Specify what happens if expressions match
Specify whether to modify, reject, or quarantine a message when conditions are met. (Details below.)
Configure the options for the actions you choose.
(Optional) Click Show options to configure additional options to limit the application of this setting. See Configure additional parameters, below, for details.
Go to Save the configuration.
This option rejects the message before it reaches the intended recipient. You can enter customized text for the rejection notice.
For matching messages, no other routing or compliance rules will be applied. The message will simply be rejected.
Note: Gmail automatically adds an SMTP rejection code, such as 550 5.7.1. This is required by the email SMTP standard, so you can’t delete it.
This option sends the message to an admin quarantine, where you can review the message before deciding whether to send it to its intended recipient or reject it. Available for the Users account type only. See Account types to affect, below, for information on the account types.
You can modify messages by adding headers, removing attachments, changing the envelope recipient, adding more recipients (additional or secondary routes), and changing the route.
Note: We recommend that you use the routing settings for the specific use cases they are intended to support. For example, you can set up the same routing options by using an Attachment compliance setting or a Routing setting. Use an Attachment compliance setting for attachment-related use cases, and a Routing setting for general routing-related use cases, such as dual delivery. Learn about mail routing, including use cases and examples.
Add X-Gm-Original-To header
Check this box to add a header tag if the recipient is changed. That way, the downstream server will know the original envelope recipient. An example of the header tag format is
Headers are useful if you're rerouting a copy of the message to another recipient. In this case, you're changing the recipient address, but the new recipient can still see the address of the original envelope recipient. They can see the original envelope recipient by checking the
X-Gm-Original-To header in the message.
Add X-Gm-Spam and X-GM-Phishy headers
Gmail messages are automatically filtered for spam and phishing. Check the Add X-Gm-Spam and X-Gm-Phishy headers box to add these headers to indicate the spam and phishing status of the message. For example, an administrator at a downstream server can use this information to set up rules that handle spam and phishing differently from clean mail.
X-Gm-Spam: 0indicates the message isn't spam.
X-Gm-Spam: 1indicates the message is spam.
X-Gm-Phishy: 0indicates the message is not phishing.
X-Gm-Phishy: 1indicates the message is phishing.
Any message marked phishy is automatically marked spam as well.
If you add X-Gm-Spam and X-Gm-Phishy headers to your messages, consider where the message is being routed to next. A rerouted message is often no longer classified as spam when it reaches its destination because elements of the message, such as the sending IP address, have changed.
If your messages are:
- Rerouted to your downstream server, set up rules on that server to read these headers and prevent messages with
X-Gm-Phishy: 1tags from being delivered to users’ inboxes.
- Rerouted back to Google, create an Inbound gateway setting to mark tagged messages as spam, or an Attachment compliance setting to send them to the Admin Quarantine for review.
Add custom headers
You can add one or more custom headers to messages that are affected by an Attachment compliance setting. For example, you can add a header that matches the description that you entered for the setting. Doing this can help you analyze why a message was routed in a certain way or a filter was triggered.
Prepend custom subject
You can enter a string to prepend to the subject of applicable messages. The word you enter will appear in brackets at the beginning of the subject. For example, you could enter Confidential in this field for sensitive emails, such as
[Confidential] Monthly report.
Change route and Also reroute spam
Change route—Changes the destination of the message. By default, the Gmail server is the primary delivery location. However, you can change it to route messages to a different mail server, such as Microsoft® Exchange.
Note: Before you can change the route, you need to add the route using the Hosts tab. After it's added, it'll appear in the Change route list.
Also reroute spam—Appears if you select Change route. Also reroute spam lets you route all email that matches the criteria of the setting, including messages marked as spam.
If you don't check the Also reroute spam box, then normal messages are rerouted, but spam messages aren't.
Whether or not you select Also reroute spam, blatant spam is not rerouted because it’s dropped instantly at delivery time.
If a message is classified as spam but one of the G Suite email settings overrides it (for example, due to a sender whitelist), then the message isn't considered to be spam for this purpose and it's routed as a normal message.
Change envelope recipient
You can change the envelope recipient in one of the following ways:
To replace the recipient’s entire email address, after Replace recipient, enter the full email address, such as email@example.com.
To replace just the username of the recipient's email address and keep the domain the same, before @existing-domain, enter the username, such as user.
To replace just the domain of the recipient's email address and keep the username the same, after existing-username@, enter the domain, such as solarmora.com.
Changing the envelope recipient for a message on the primary address is equivalent to forwarding a message to a different recipient. The message bypasses the original recipient’s mailbox and is routed back to the internet for delivery to the new recipient. The “To” address remains the original recipient address, even though the envelope recipient is replaced.
The destination server is determined by an MX lookup on the new recipient's domain. Or, if you’re using the Change route control, the destination server determined by the specified route.
If you'd rather Bcc an additional recipient, use the Add more recipients option, described below.
Bypass spam filter for this message
Check this box to deliver incoming messages to recipients even if the spam filter identifies them as spam. This option applies to incoming messages only—you can’t bypass spam filters for outgoing messages
Note: This option applies to the Users and Unrecognized / Catch-all account types, and not the Groups account type. See Account types to affect, below, for information on the account types.
Remove attachments from message
Check this box to remove any attachments from messages. Optionally, you can append text to notify recipients that attachments were removed.
Add more recipients
- Check the Add more recipients box and then click Add to set up dual delivery or multiple delivery.
- Select Basic from the list to add individual email addresses and then click Save. Click Add to add more addresses.
- Select Advanced from the list to choose advanced options for your secondary delivery. Similar to the settings for primary delivery, you can change the envelope recipient, add headers, prepend a custom subject, and remove attachments for secondary deliveries.
Any settings that you configure for the primary delivery also affect the secondary deliveries. For example, if you change the envelope recipient, prepend a custom subject, and add custom headers to the primary delivery, the same configuration is applied to the secondary deliveries. If you change the envelope recipient, the “To” address still remains the original recipient address.
For secondary deliveries, the Do not deliver spam to this recipient and Suppress bounces from this recipient boxes are checked by default. If the message is spam, this option discards the copy of the message being sent to the additional recipient. Suppress bounces from this recipient prevents bounces from going back to the original sender.
Encryption (onward delivery only)
By default, Gmail always attempts to deliver messages using secure transport (TLS). If secure transport isn’t available, the message is delivered over a nonsecure connection.
Check the Require secure transport (TLS) box to include secure delivery as part of content compliance for outbound messages. This requires all messages meeting the conditions in the setting (such as match expressions, account types, and envelope filters) to be transmitted via a secure connection. If TLS isn't available on the sending or receiving side, the message won't be sent.
Check the Encrypt message if not encrypted (S/MIME) box to make sure that certain messages can’t be sent or unless they are S/MIME encrypted. This feature is only available with G Suite Enterprise.
Also check the Bounce message if unable to encrypt box to bounce messages that aren’t S/MIME encrypted.
Learn more about enhancing message security with hosted S/MIME.
Configure additional parameters (Optional)
Click Show options to configure additional options for the setting.
You can specify address lists as a criteria for whether to bypass or apply a given attachment compliance rule. These lists can contain email addresses, domains, or both.
To determine if the address list is matched, G Suite considers the "from" sender for received mail and the recipients for sent mail. For senders, the authentication requirement is also checked. (Details below.) If multiple lists are specified, the address must match at least one of the lists.
The options for whether to bypass or apply a given attachment compliance rule are:
- Bypass this setting for specific addresses / domains—Skips the setting entirely if the address list matches, regardless of any other criteria specified in the setting.
- Only apply this setting for specific addresses / domains—The address list match becomes a condition for whether the setting is applied. If there are other criteria in the setting, such as match expressions, account types, or envelope filters, those conditions must also match for the setting to be applied.
To create an address list:
In the Options section, check the Use address lists to bypass or control application of this setting box.
Select one of the options:
Bypass this setting for specific addresses / domains
Only apply this setting for specific addresses / domains
Click Use existing or create a new one.
Select the name of an existing list, or enter a custom name for a new list in the Create new list field, and then click Create.
Hover over the list name, and click Edit.
To add email addresses or domains to the list, click Add.
Enter a full email address or domain name, such as solarmora.com. Or, to add a list in bulk, enter a comma or space delimited list of addresses after clicking add.
Note: Check the Do not require sender authentication box to bypass the Content compliance setting for approved senders that do not have authentication, such as SPF or DKIM, enabled. Use this option with caution as it can potentially lead to spoofing.
To include additional email addresses or domains in the list, repeat steps 5 to 7.
When you're done, go to Account types to affect.
Account types to affect (Required)
To save the Attachment compliance setting, you must select at least one account type option, Users, Groups, or Unrecognized / Catch-all. The option specifies the account type that the setting applies to.
If you’re configuring the top-level organization, all 3 of these options are available. If you’re configuring any of the sub-level organizations, Users is the only option available.
If the action for this setting is to quarantine the message, only the Users account type is available.
The Groups account type is not applicable to the Add X-Gm-Spam header and X-Gm-Phishy header control. If the account type is Groups,
X-Gm-Spam: 0 and
X-Gm-Phishy: 0 are always applied. The Groups account type is also not applicable to the Bypass spam filter for this message control.
By default, Users is selected, because it's the most common use case. You can select more than one. For example, you can configure an inbound setting that only applies to the Groups account type, and the group must be the recipient. If you’re configuring an outbound setting, the account type must match the sender.
When you're done:
(Optional) Specify an envelope filter.
Go to Save the configuration.
You can choose to affect only specific envelope senders and recipients. You can specify single recipients by entering an email address for that user. You can also specify groups.
To set up an envelope filter, check the Only affect specific envelope senders box, the Only affect specific envelope recipients box, or both. Then, from the list, select one of the following options:
Single email address—Specify a single user by entering an email address, such as firstname.lastname@example.org. The match is case insensitive.
Pattern match—Enter a regular expression to specify a set of senders or recipients in your domain. Click Test expression to make sure your syntax is correct. For example, you can ensure this setting applies only to 3 specific users by entering the list of users using the following regular expression syntax:
- ^ matches the start of a new line
- (?i) makes the expression case insensitive
- $ matches the end of a line
Learn about using regular expressions.
Group membership—Select one or more groups in the list. For envelope senders, this option only applies to sent mail. For envelope recipients, it only applies to received mail. If you haven't, you'll need to create groups first.
When you're finished, go to Save the configuration.
Save the configuration
Final step: Add and save the setting
Click Add setting or Save. Any new settings are added to the Gmail Advanced settings page.
At the bottom, click Save.
This section lists the common file extensions, organized by file type, that you can use in an attachment compliance expression. If you don’t see the file type that you’re looking for, you can enter a custom file extension in the expression.
For your protection, file types that are considered to be executables are automatically rejected. Learn more about file types that are blocked.
.cpr, .cwk, .cws, .dcx, .doc, .docm, .docx, .dot, .dotm, .dotx, .fax, .fp, .fp3, .frm, .gim, .gix, .gna, .gnx, .gra, .mcw, .mdb, .mdn, .met, .mpp, .obd, .odg, .odp, .ods, .odt, .pdf, .potm, .potx, .ppam, .pps, .ppsm, .ppsx, .ppt, .pptm, .pptx, .pre, .prs, .rtf, .shb, .shw, .sldx, .sldm, .wb1, .wb2, .wdb, .wk1, .wk3, .wk4, .wks, .wp, .wpw, .wp4, .wp5, .wp6, .wpd, .wps, .wpt, .wq1, .wq2, .wri, .ws1, .ws2, .ws3, .ws4, .ws5, .ws6, .ws7, .wsd, .xlam, .xlm, .xls, .xlsb, .xlsm, .xlsx, .xlt, .xltm, .xltx
Video and multimedia
.avi, .cfb, .cmv, .dir, .gal, .m3d, .mmm, .mov, .mpe, .mpeg, .mvb, .qt, .qtm, .xtp, .xy3, .xy4, .xyp, .xyw, .mpg, .wmv
Music and sound
.aif, .aiff, .ams, .cda, .dcr, .dsm, .idd, .it, .mdl, .med, .mid, .mp3, .mtm, .mod, .mus, .nsa, .ra, .ram, .rm, .rmi, .rtm, .snd, .stm, .svx, .s3m, .ult, .voc, .wav, .wow, .asf
.ai, .art, .att, .bmp, .cal, .cdr, .cdt, .cdx, .cmf, .cmp, .dib, .drw, .emf, .eps, .fh3, .fif, .fpx, .gem, .icb, .iff, .ima, .img, .jbf, .jff, .jif, .jtf, .kdc, .kfx, .lbm, .mac, .mic, .pbm, .pcd, .pcs, .pct, .pcx, .pgm, .pic, .pif, .pnt, .ppm, .ps, .psd, .ras, .raw, .sct, .sdr, .sdt, .sep, .shg, .tga, .tif, .tiff, .vda, .vst, .wil, .wmf, .wpg, .wvl, .html, .jpeg, .jpg, .gif, .png
Compressed and archive file formats
.7z, .ace, .bz, .bz2, .cab, .gz, .hex, .hqx, .lzh, .pages, .rar, .sea, .sit, .tar, .tgz, .uue, .zip, .zoo