Allow emails only with authorized addresses or domains

By default, your users can exchange email messages with any email address. However, in some cases, you might want to restrict the addresses or domains your users can exchange messages with. For example, a school might want to allow students to exchange messages with faculty members and other students, but not with people outside of the school.

Tip: To turn on bounce messages (messages that inform your users that they've sent email to a restricted address), add to your list of allowed senders. Bounce messages are sent from this address. 

When you restrict addresses or domains

  • Receiving—Users can receive messages only from authorized addresses or domains. Messages sent from unauthorized domains, or messages from domains that can't be verified using DKIM or SPF, are returned to the sender with a message about the restriction policy.
  • Sending—Users who send messages to an unauthorized domain get a bounce message explaining why their message was not sent.


  • To allow internal messages between users within your organization (the set of domains associated with your company or school), check the Bypass this setting for internal messages box. The set of domains for your organization includes parent domains and subdomains.
  • Email delivery restrictions apply to all users in the organizational unit. You can set up different restriction policies for different organizations.

Posting messages as a group

If you let users to post as a group, you should be aware that they could use this to bypass messaging restrictions applied to individuals.

Restricting chat messages

You can also restrict chat messages to users within your own domain. Learn more about external chat options.

Set up message restrictions

Initial step: Go to Gmail Compliance settings in the Admin console
  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in

  2. In the Admin console, go to Menu ""and then"" Appsand thenGoogle Workspaceand thenGmailand thenCompliance.
  3. On the left, select an organization.
  4. Scroll to the Restrict delivery setting, hover over the setting, and click Configure. If the setting is already configured, hover over the setting and click Edit or Add another.

    Important: This setting blocks notifications messages from Google services, for example Gmail messages about Google Docs comments. To prevent this, set up Gmail to bypass this setting for internal messages. 

  5. For each new setting, enter a unique name.

Go to the next step to configure the setting.

Step 1: Add addresses or domains that you want to allow

When you enter addresses or domain names, Gmail checks them against the "From:" part of the message header, not the envelope sender (or Return-Path section of the message header). Therefore, the "From:" sender must exactly match an address or domain you enter.

  1. Click Use existing or create a new one.
  2. Enter a new list name, and click Create.
    Tip: To use an existing list as your approved sender list, click the list name.
  3. Move your pointer over the name of the list, and then click Edit.
  4. Click Add "".
  5. Enter email addresses or domain names, using a space or a comma to separate multiple entries.

    • To bypass this setting for approved senders that don't have authentication, uncheck the Require sender authentication box. Use this option with caution because it can potentially lead to spoofing. Learn more about sender authentication.
    • To see a sender’s authentication configuration, use the Check MX tool, available at
  6. Click Save.

Learn more about address lists, including how to search, or view all entries in the list, and how addresses are matched against the address lists.

Step 2: (Optional) Create a customized rejection notice

You can enter a customized rejection notice, such as "Your email has been rejected because it violates organization policy."

Step 3: (Optional) Bypass this setting for internal messages

Check this box to bypass restrictions for email sent within your organization. The internal message must be authenticated (SPF/DKIM) for it to bypass the setting. Internal messages that aren't authenticated are rejected by this feature.

Final Step: Save changes
  1. Click Add setting or Save.

    New settings appear on the Gmail Compliance settings page.

  2. At the bottom, click Save.

Changes can take up to 24 hours but typically happen more quickly. Learn more

You can track changes in the Admin console audit log.

Was this helpful?
How can we improve it?

Need more help?

Sign in for additional support options to quickly solve your issue

Clear search
Close search
Google apps
Main menu
Search Help Center