By default, your users can exchange email messages with any email address. However, in some cases, you might want to restrict the addresses or domains your users can exchange messages with. For example, a school might want to allow students to exchange messages with faculty members and other students, but not with people outside of the school.
Tip: To turn on bounce messages (messages that inform your users that they've sent email to a restricted address), add email@example.com to your list of allowed senders. Bounce messages are sent from this address.
When you restrict addresses or domains
- Receiving—Users can receive messages only from authorized addresses or domains. Messages sent from unauthorized domains, or messages from domains that can't be verified using DKIM or SPF, are returned to the sender with a message about the restriction policy.
- Sending—Users who send messages to an unauthorized domain get a bounce message explaining why their message was not sent.
- To allow internal messages between users within your organization (the set of domains associated with your company or school), check the Bypass this setting for internal messages box. The set of domains for your organization includes parent domains and subdomains.
- Email delivery restrictions apply to all users in the organizational unit. You can set up different restriction policies for different organizations.
Posting messages as a group
If you let users post as a group, be aware that they could use this to bypass messaging restrictions applied to individuals.
Restricting chat messages
You can also restrict chat messages to users within your own domain. Learn more about external chat options.
Set up message restrictions
Initial step: Go to Gmail Compliance settings in the Admin console
In the Admin console, go to Menu > Apps > Google Workspace > Gmail > Compliance.
- On the left, select an organization.
Scroll to the Restrict delivery setting, hover over the setting, and click Configure. If the setting is already configured, hover over the setting and click Edit or Add another.
Important: This setting blocks notification messages from Google services, for example Gmail messages about Google Docs comments. To prevent this, set up Gmail to bypass this setting for internal messages.
For each new setting, enter a unique name.
Go to the next step to configure the setting.
When you enter addresses or domain names, Gmail checks them against the "From:" part of the message header, not the envelope sender (or Return-Path section of the message header). Therefore, the "From:" sender must exactly match an address or domain you enter.
- Click Use existing or create a new one.
- Enter a new list name, and click Create.
Tip: To use an existing list as your approved sender list, click the list name.
- Move your pointer over the name of the list, and then click Edit.
- Click Add.
- Enter email addresses or domain names, using a space or a comma to separate multiple entries.
- To bypass this setting for approved senders that don't have authentication, uncheck the Require sender authentication box. Use this option with caution because it can potentially lead to spoofing. Learn more about sender authentication.
- To see a sender’s authentication configuration, use the Check MX tool, available at https://toolbox.googleapps.com/apps/main/.
- Click Save.
Learn more about address lists, including how to search, or view all entries in the list, and how addresses are matched against the address lists.
You can enter a customized rejection notice, such as "Your email has been rejected because it violates organization policy."
Check this box to bypass restrictions for email sent within your organization. The internal message must be authenticated (SPF/DKIM) for it to bypass the setting. Internal messages that aren't authenticated are rejected by this feature.
- Click Add setting or Save.
New settings appear on the Gmail Compliance settings page.
- At the bottom, click Save.
It can take up to 24 hours for changes to take effect. You can track changes in the Admin console audit log.
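The receive-side rules described on this page (matching on the "From:" header rather than the envelope sender, the Require sender authentication box, and the internal bypass) can be modelled in a few lines. This is an added example, not Google's implementation: the `Policy` and `decide` names, the sample messages, and the treatment of the organization's domains as a flat set are assumptions, and SPF/DKIM evaluation is reduced to a boolean computed elsewhere.

```python
from dataclasses import dataclass, field
from email import message_from_string
from email.utils import parseaddr


@dataclass
class Policy:
    allowed: set                      # addresses and domains from the address list, lowercase
    internal: set = field(default_factory=set)  # the organization's own domains (assumed flat set)
    require_auth: bool = True         # "Require sender authentication" box
    bypass_internal: bool = False     # "Bypass this setting for internal messages" box


def decide(raw: str, envelope_sender: str, authenticated: bool, policy: Policy) -> str:
    """Return 'deliver' or 'reject' for one inbound message.

    envelope_sender is accepted only to show that it plays no part in matching.
    authenticated means the message passed SPF or DKIM (evaluated elsewhere).
    """
    _, addr = parseaddr(message_from_string(raw).get("From", ""))
    addr = addr.lower()
    if "@" not in addr:
        return "reject"               # no usable "From:" address to match
    domain = addr.rpartition("@")[2]
    if policy.bypass_internal and domain in policy.internal:
        # The internal bypass applies only to authenticated messages.
        return "deliver" if authenticated else "reject"
    if addr not in policy.allowed and domain not in policy.allowed:
        return "reject"               # exact match on address or domain only
    if policy.require_auth and not authenticated:
        return "reject"
    return "deliver"


# Constructed sample messages (the example.* names are placeholders).
LISTED = "From: Faculty <teacher@school.example>\nSubject: hi\n\nbody\n"
UNLISTED = "From: someone@other.example\nSubject: hi\n\nbody\n"

if __name__ == "__main__":
    strict = Policy(allowed={"school.example"})
    loose = Policy(allowed={"school.example"}, require_auth=False)
    print(decide(LISTED, "bounce@mailer.example", True, strict))
    print(decide(LISTED, "bounce@mailer.example", False, strict))
    print(decide(LISTED, "bounce@mailer.example", False, loose))
    print(decide(UNLISTED, "teacher@school.example", True, strict))
```

The third call shows why unchecking Require sender authentication needs caution: an unauthenticated message is delivered purely because its "From:" header names a listed domain.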