As an administrator, you can set up compliance rules for message attachments. You can apply rules to attachments such as documents, video and sound files, images, and compressed files and archives.
Create rules that specify how to handle messages that meet defined conditions. Conditions can be based on file type, file name, and message size.
The following actions can be taken on messages with attachments:
- Reject the message
- Quarantine the message and attachment for review
- Modify the delivery of the message and the attachment
You can also set up a rule to detect encrypted attachments. Detecting encrypted attachments is useful if you send unencrypted copies of message attachments to an archive server.
How attachments are scanned
Gmail can detect the file type for standard and custom file types. So, even if malicious senders rename the file extension, Gmail can still detect the file type.
Gmail scans the names of files inside archives, including encrypted and nested, non-encrypted archives.
Important: Gmail can't:
- Scan the inner archives of an encrypted archive.
- Open or inspect attachments that are password-protected files or archives.
- Open or inspect ZIP files that are password protected. Gmail can inspect ZIP file attachments that aren't password protected.
How settings are applied
Unless you change the options, the rules apply to all users in an organizational unit. You can disable in a child organization any rules they inherit from a parent organization. You can also add multiple rules to each organization.
When you set up multiple rules, what happens to a message depends on the conditions you set and which rule has precedence. For details, read How multiple settings affect message behavior.
Enhance message security with hosted S/MIME
You can increase message security with S/MIME. For example, set up a rule that requires S/MIME encryption for outgoing messages. For an overview, go to Enhance message security with hosted S/MIME.
Set up an attachment compliance rule
Initial step: Go to Gmail Compliance settings in the Admin console
From the Admin console Home page, go to AppsGoogle WorkspaceGmailCompliance.
Note: You might find this setting at AppsGoogle WorkspaceGmailAdvanced Settings.
Scroll to the Attachment compliance setting, point at the setting, and click Configure. If the setting is already configured, click Edit or Add another.
For each new setting, enter a unique description.
Go to the next step to configure the setting.
Step 1: Enter email messages to affect
Check the boxes next to the messages you want the rule to apply to.
Go to the next step to continue.
You can add up to 10 expressions. Each expression must be individually added and saved.
From the list, specify whether any or all conditions must match to trigger what happens to the message. For example, if you select If ANY of the following match the message, any matching condition can trigger the consequence to the message.
From the list, choose what you want to specify for the expression:
File type—Select the attachment types to include. You can also enter a custom file type to find matches based on that file type.
Note: For your protection, file types that are detected to be executables are automatically rejected. For a complete list of extensions, go to File types and extensions supported in expressions.
File name—Enter an attachment name that you want to include. Any part of an attachment file name is returned as a match, whether it's upper or lowercase.
Message size—Enter the size limit for messages. The size is in megabytes. The size includes the message body and all attachments. This size limit applies to the raw size of the entire message. Because of the encoding overhead, the raw message size can be up to 33% larger than the base size of the message and attachments
Click Save. You might need to scroll to see it.
Go to the next step to continue.
Step 3: Specify what happens if expressions match
Specify whether to modify, reject, or quarantine a message when conditions are met. Read details below.
Configure the options for the actions you choose.
(Optional) Click Show options to configure additional options to limit the application of this setting. Go to Configure additional parameters below, for details.
Go to Save the configuration.
Rejects the message before reaching the recipient. You can enter a message to notify the sender about why the message was rejected. For matching messages, no other routing or compliance rules are applied.
Note: Gmail automatically adds an SMTP rejection code, such as 550 5.7.1. This is a requirement of the SMTP standard and can't be deleted.
Sends the message to an admin quarantine where you can review the message before you send or reject it. This option is only available for the Users account type. For details, see Account types to affect.
To notify your users when their sent messages are quarantined, check the Notify sender when mail is quarantined (onward delivery only) box.
Add headers, remove attachments, change the envelope recipient, add more recipients, and change the route. For details, read Options for modifying messages.
Note: We recommend you use the routing settings for the use cases they're intended to support. Use an attachment compliance setting for attachment-related use cases. Use a Routing setting for general routing-related use cases, such as dual delivery. Learn about mail routing use cases and examples.
Add X-Gm-Original-To header
Add a header tag if the recipient is changed. When you do, the downstream server will know the original envelope recipient. An example of the header tag format is X-Gm-Original-To: email@example.com.
Add X-Gm-Spam and X-GM-Phishy headers
Add headers to indicate the spam and phishing status of the message. For example, an administrator at a downstream server can use this information to set up rules that handle spam and phishing differently from clean mail. For details, see Add spam headers setting to all default routing rules.
Add custom headers
You can add custom headers to messages that are affected by this setting. For example, you can add a header that matches the description that you entered for the setting. This can help you analyze why a message was routed in a certain way or why a rule was triggered.
Add custom text to subject
You can enter a string to add to the beginning of the subject of applicable messages. For example, you could enter Confidential in this field for sensitive emails. If a message triggers the rule and its subject is Monthly report, recipients will see the following subject: [Confidential] Monthly report.
Change route and Also reroute spam
Change the route—You can change the destination of the message from the default Gmail server to a different mail server, such as Microsoft Exchange.
Note: Before you can change the route, you need to add the new route in the Admin console. For details, see Add mail routes for advanced Gmail delivery.
Also reroute spam—This option is available if you select Change the route. Blatant spam is dropped instantly at delivery time. However, check the Also reroute spam box to route any additional email you mark as spam.
Leaving the box unchecked has normal messages rerouted, but not spam. Admin console email settings (for example, a list of preauthorized senders) overrides spam settings.
- Suppress bounces from this recipient—Check this box to prevent bounced messages from being rerouted to the configured mail route. For example, you might want to prevent bounced messages from being rerouted to an automated system.
Leave this box unchecked if you want the receiving mail system to get bounced messages (for example, to let senders know when their message isn't delivered).
Change envelope recipient
The message bypasses the original recipient’s mailbox and goes to the new recipient.
You can change the envelope recipient in one of the following ways:
- Replace the recipient’s entire email address—After Replace recipient, enter the full email address, such as firstname.lastname@example.org.
- Replace username—To change just the username of the recipient's email address and keep the domain the same, before @existing-domain, enter the username, such as user.
- Replace domain—To change just the domain of the recipient's email address and keep the username the same, after existing-username@, enter the domain, such as solarmora.com.
An MX lookup on the new recipient's domain determines the destination server. Or, if you’re using the Change the route control, the specified route determines the destination server.
If you'd rather Bcc an additional recipient, use the Add more recipients option, described below.
Bypass spam filter for this message
Deliver incoming messages to recipients even if the spam filter identifies them as spam. This option applies only to incoming messages. You can’t bypass spam filters for outgoing messages.
Note: This option is not available for the Groups account type. For details, see Account types to affect.
Remove attachments from message
You can remove any attachments from messages. You can also append text to notify recipients that attachments were removed.
Add more recipients
- To set up dual or multiple delivery, check the Add more recipients boxclick Add .
- To add individual email addresses, select Basic from the listclick Save.
- (Optional) To add more addresses, click Add .
- (Optional) To choose advanced options for your secondary delivery, select Advanced from the list.
You can change the envelope recipient, add headers, prepend a custom subject, and remove attachments for secondary deliveries. Note: The Do not deliver spam to this recipient advanced option isn't supported for the Groups account type.
When you add recipients, consider that:
- Each rule has a limit of 100 additional recipients.
- Settings for the primary delivery also apply to the secondary deliveries.
- For secondary deliveries, the Do not deliver spam to this recipient and Suppress bounces from this recipient boxes are checked by default.
- Adding additional recipients creates a message for each added recipient. Advanced Gmail settings apply to each message.
Encryption (onward delivery only)
By default, Gmail tries to deliver messages using Transport Layer Security (TLS). If secure transport isn’t available, the message is delivered over a nonsecure connection.
To require all messages meeting the conditions in the setting to be transmitted through a secure connection, check the Require secure transport (TLS) box. If TLS isn't available on the sending or receiving side, the message won't be sent.
If you have an Enterprise or Enterprise for Education account, you can also bounce messages or require that messages can only be sent if they are S/MIME encrypted. For details, go to Enhance message security with hosted S/MIME.
Tip: We recommend that you test new rules to make sure they work correctly for your organization. For more information, see Best practices for faster rules testing.
Configure additional parameters (Optional)
To set up additional options for a routing policy, such as creating address lists or choosing the account types it will affect, at the bottom, click Show options.
You can specify address lists as a criteria for whether to bypass or apply a given setting. Address lists can contain email addresses, domains, or both. For address list matching:
- Incoming mail—Gmail checks the sender domain or email address against the address list.
- Outgoing mail—Gmail checks the recipient domain or email address against the address list.
There are two methods used to determine if the address list is matched. If multiple lists are specified, the address must match at least one of the lists:
- Correspondent (default): Google Workspace considers the "from" field for received mail and the recipients for sent mail. For senders, the authentication requirement is also checked. (Details below.).
- Recipient: Google Workspace always checks to see if the recipients are present in address lists.
The options for whether to bypass or apply a given setting are:
- Bypass this setting for specific addresses / domains—Skips the setting entirely if the address list matches, regardless of any other criteria specified in the setting.
- Only apply this setting for specific addresses / domains—The address list match becomes a condition for whether the setting is applied. If there are other criteria in the setting, such as match expressions, account types, or envelope filters, those conditions must also match for the setting to be applied.
To use address lists to control application of this setting:
- In the Options section, check the Use address lists to bypass or control application of this setting box.
Select one of the options:
- Bypass this setting for specific addresses / domains
- Only apply this setting for specific addresses / domains
- Click Use existing or create a new one.
- Select the name of an existing list, or, to create a new one, enter a custom name for a new list in the Create new list field, and then click Create.
Move the pointer over the list name, and click Edit.
To add email addresses or domains to the list, click Add .
Enter a full email address or domain name, such as solarmora.com. Or, to add a list in bulk, enter a comma or space delimited list of addresses after clicking Add .
Note: If you want to bypass this setting for approved senders that don't have authentication, uncheck the Require sender authentication box. Use this option with caution as it can potentially lead to spoofing. Learn more about sender authentication.
To include additional email addresses or domains in the list, repeat steps 5 to 7.
When you're done, go to Account types to affect.
Learn more about address lists, including how to search, or view all entries in the list, and how addresses are matched against the address lists.
Account types to affect (Required)
Depending on the message action you chose and the type of organizational unit you’re configuring, some account types might not be available.
Select one or more account types that the setting applies to:
- Users (default)—The setting applies to provisioned users. For sending and outbound mail, the setting is triggered when your users send email. For receiving and inbound mail, the setting is triggered when your users receive email.
- Groups—The setting applies to groups set up in your organization. For sending and outbound mail, the setting is triggered when your groups forward email or summaries to members. For receiving and inbound mail, the setting is triggered when your groups receive email.
- Unrecognized/Catch-all—The setting is triggered when your organization receives email that doesn’t match one of your provisioned users. This selection only applies to received and inbound email.
Note: The Groups and Unrecognized/Catch-all account types don’t apply to these controls:
- Add X-Gm-Spam and X-Gm-Phishy headers
- Bypass spam filter for this message
- Also reroute spam
When you're finished, go to Add and save the setting.
You can choose to affect only specific envelope senders and recipients. You can specify a single recipient, a number of users using a regular expression, or email groups.
To set up an envelope filter:
- Check one or both of these options:
- Only affect specific envelope senders
- Only affect specific envelope recipients
- From the list, choose an option:
- Single email address—Enter the complete email address for a user.
- Pattern match—Enter a regular expression to specify a set of senders or recipients in your domain. For example:
For details, go to Guidelines for using regular expressions.
- Group membership—Select one or more groups in the list. For envelope senders, this option only applies to sent mail. For envelope recipients, it only applies to received mail. If you haven't, first create the group.
Note: This option affects both direct and indirect group members. For example, if Group B is a member of Group A, users in Group B are indirect members of Group A.
When you're finished, go to Save the configuration.
Save the configuration
Final step: Add and save the setting
- Click Add setting or Save.
New settings open on the Compliance settings page.
- At the bottom, click Save.
The table below defines common and custom file types you can use in an attachment compliance expression. For your protection, file types that are considered executables are automatically rejected. Learn more about blocked file types.
- Common file types. By default, all common file types are matched by file format and filename to identify the type of content and the attachment's extension. Examples include image/photo.jpg or document/letter.doc.
- Custom file types. By default, custom file types are matched only by filename, for example, photo.jpg or letter.doc. To match custom file types to file, format as well, check the Also match files based on file format box.
Note: Generally speaking, most formats get converted into text or html (including unknown formats). Content matches are then made against the resultant normalized data.
Google, Google Workspace, and related marks and logos are trademarks of Google LLC. All other company and product names are trademarks of the companies with which they are associated.