As an admin, you can configure advanced Gmail settings for your organization. For example, you can:
- Set up sophisticated filters and allowlist IP addresses where you expect to receive legitimate mail.
- Specify where inbound messages are delivered.
- Route messages to a catch-all address or another server, or for archiving, filtering, and monitoring.
- Allow users to send outbound messages with a different from address.
You can create conditional settings as well. For example, you can reject messages or attachments that exceed 20 MB. Or reroute messages that contain certain words, or that are sent from a certain address.
Who settings apply to
Some settings always apply to everyone, for example changing the address where your users access Gmail. Other settings can be applied to specific groups of users. Apply a setting to a group of users by adding the users to an organizational unit.
Learn more about the organization structure and how to tailor settings for groups of users.
Best practices for faster rules testing
When creating advanced settings and rules, you usually have to change and test them several times to make sure they work as expected. To minimize the time needed to test settings and rules, follow our recommendations in Best practices for faster rules testing.
How to do it
Sign in to your Google Admin console.
Sign in using your administrator account (does not end in @gmail.com).
From the Admin console home page, go to one of these pages:
AppsGoogle WorkspaceGmailSpam, phishing and malware
(Optional) On the left, select an organization.
Configure any settings.
At the bottom, click Save.
Changes can take up to 24 hours but typically happen more quickly. Learn more
These controls are available for settings:
- Configure—Use this control if you haven't configured the setting yet.
- View—Use this control to check the configuration of an inherited setting. To change an inherited setting’s configuration, click Add Another.
- Edit—Use this control to change to the setting’s configuration. Available for locally applied settings only.
- Disable or Enable—Use this control to turn a setting on or off. Turning off a setting doesn't impact the options you configured. For example, you can temporarily turn off a setting if the results aren't as expected. You can then change the setting and turn it back on. You can also make a copy of a setting, turn it off it, change it, and then compare the different results. Available for inherited and locally applied settings.
- Delete—Use this control to turn off the setting and delete its configuration. To turn it back on, click Configure. For example, you might want to clear your blocked senders list and start over. Available for locally applied settings only.
- Add Another—Use this control to add more options for a setting. For example, you could add a rule to trigger an action when a certain condition is met. Available for inherited and locally applied settings.
Some settings let you configure conditional actions. These settings include:
- Add more recipients—The message is also delivered to these recipients.
- Add X-Gm-Original-To header, Add X-Gm-Spam header and X-Gm-Phishy header, and Add custom headers—Add custom message headers, which can be helpful. For example, if your mail is routed to a downstream server, you can configure that server to process messages based on the headers. This is typically used to route spam-tagged messages to spam.
- Bypass spam filter for this message—Messages that match the conditions of the setting and are identified as spam are delivered to the intended recipient.
- Change envelope recipient—Change where the message is delivered. When used with Add more recipients, it implements the Bcc feature. If not, it forwards the message.
- Change route—Change where the message is routed. For example, users with third-party email accounts can have their messages routed to an on-premise mail server.
- Prepend custom subject—Change the subject header to include prefix text.
- Reject message—The message isn't delivered.
- Remove attachments from message—Attachments are removed before the message is delivered to the intended recipient.
- Require secure transport for onward delivery—Outbound messages require secure delivery.
Learn about each setting
These settings apply to all organizations and can only be configured and edited at the top-level organization.
- Web address—Change the URL for your users' Gmail sign-in page.
- MX records—View your MX records and use the Gmail setup wizard.
- User email uploads—Allow users to import mail and contacts from other webmail or POP3 accounts.
- Uninstall service—Turn off Gmail for your organization. For more information, go to Turn Gmail on and off for your users.
These settings are located at AppsGoogle WorkspaceGmailEnd User Access.
- POP and IMAP access—Turn POP and IMAP access on or off for users.
- Google Workspace Sync—Turn on Google Workspace Sync for Microsoft Outlook.
- Automatic forwarding—Prevent users from automatically forwarding incoming messages to another address.
- Image URL proxy whitelist—Create and maintain an allowlist of internal URLs that bypasses proxy protection. Can only be configured at the top-level organization and applies to all organizations.
- Gmail Offline Chrome plugin —Turn on Gmail Offline for users.
- Allow per-user outbound gateways—Allow your users to send mail through an external SMTP server.
- Unintended external reply warning—Warn users when they reply to a message with external recipients not in their contacts.
- Email whitelist—Create a list of IP addresses that send legitimate mail. Mail sent from these IP addresses should not be marked as spam. Can only be configured at the top-level organization and applies to all organizations.
- Inbound gateway—Specify the IP addresses of your mail servers that are forwarding email to Gmail. Can only be configured at the top-level organization and applies to all organizations.
- Spam—Create a list of approved email addresses or domains that send legitimate mail. You can also route spam messages to an administrative quarantine.
- Blocked senders—Block senders based on email address or domain.
- Email and chat auto-deletion—Manage the amount of email that's stored for each user. Applies only to the top-level organization.
- Append footer—Use footer text on messages for legal compliance or other requirements.
- Content compliance—Specify how messages are managed based on predefined words, phrases, text patterns, or numerical patterns.
- Comprehensive mail storage—Ensure that all messages are stored in users' Gmail mailboxes. This includes messages sent or received by non-Gmail mailboxes and SMTP relay. Configure this setting when you're using Vault with a non-Gmail mailbox. You can also use this setting to capture all sent messages, including calendar invites and sharing notifications.
- Restrict delivery—Restrict the email addresses or domains that users can exchange mail with.
- Objectionable content—Specify how messages are managed based on word lists that you create.
- Attachment compliance—Specify how messages with attachments are managed.
- Secure transport (TLS) compliance—Require mail to be transmitted via a secure connection for specific domains and email addresses.
Before you configure any controls, read our guidelines and best practices for email routing and delivery. Learn more about your routing options below.
- Outbound gateway—Set a server that all messages from your domain go through. Can only be configured at the top-level organization and applies to all organizations.
- Routing—Specify mail routing and delivery controls for your domain.
- Email forwarding using recipient address map—Apply one-to-one mapping (aliases) to recipient addresses on messages received by your domain. Can only be configured at the top-level organization and applies to all organizations.
- Receiving routing—Set up inbound and internal-receiving delivery options, such as dual delivery and split delivery.
- Sending routing—Set up outbound and internal-sending delivery options.
- Inbound email journal acceptance in Vault—Specify an email address in your domain that receives your Microsoft Exchange journal messages. Can only be configured at the top-level organization and applies to all organizations.
- Non-Gmail mailbox—If you use a non-Gmail mail server, you can reroute messages to your users’ non-Gmail account.
- SMTP relay service—If have non-Gmail servers that send mail, use this setting to route messages through Gmail for storage or more filtering. Can only be configured at the top-level organization and applies to all organizations.
- Alternate secure route—Set an alternate secure route when Transport Layer Security (TLS) is required. Can only be configured at the top-level organization and applies to all organizations.
How multiple settings affect message behavior
You can create configurations with multiple settings. This can impact message behavior and how the settings are applied.
Settings can sometimes cause a conflict with delivery. For example, should a message be rejected or delivered twice? What happens depends on the conditions you set and which setting has precedence.
When you create multiple configurations or settings, there's usually no impact on how a message behaves. Gmail simply applies all settings to the message. One setting usually doesn’t take precedence over another.
For example, there's no conflict if:
You create an Append footer setting and a Content compliance setting. Gmail applies both actions to the message.
You set up two configurations with the Add more recipients consequence. Gmail adds all recipients.
However, there are exceptions to how messages behave when different settings have multiple consequences. This can cause settings to conflict.
When two consequences conflict, Gmail applies only one of the consequences. Non-conflicting consequences are always applied.
- A content compliance setting applies a change route consequence that reroutes messages to host1.com and adds a X-gm-spam header.
- An objectionable content setting applies a change route consequence that reroutes messages to host2.com and also prepends a custom subject.
In this example, the change route consequences are conflicting because Gmail can only select one route. So only one change route is selected, and the other non-conflicting consequences are applied: X-gm-spam header and custom subject.
In general, all settings are evaluated independently of each other. The settings consequences are compiled, and then any conflicts are resolved. The consequence of one setting can’t be used to trigger another setting.
Multiple reroutes or change in recipient
A conflict occurs when two settings attempt to change the primary route, or change the primary envelope recipient. When there's a conflict, Gmail determines which action to apply using this criteria:
- Specificity—The more specific settings takes precedence. For example, locally applied settings take precedence over inherited ones. All organization-specific settings take precedence over default routing.
- Creation date—For settings of the same specificity, older settings take precedence over newer ones. Visually, any setting that’s higher on the Advanced settings page in the Admin console has a higher priority when there's a conflict.
If any triggered rule causes a rejection, the message is rejected and no other rules are applied. When multiple settings trigger rejections with different rejection responses, then only one response is used.
Any setting can specify a list of approved senders to bypass the actions if there’s a match. Senders lists can be shared between settings. For example, the Spam setting lets you create an approved sender list to bypass the spam folder. This same approved sender list can be used to bypass a Content compliance setting.
The SMTP relay setting specifies which email and IP addresses can use the Google SMTP Relay service. It also specifies if SMTP authentication is required. If multiple SMTP relay settings are configured, the SMTP relay service:
- Accepts the message if any of the settings permit it.
- Refuses the message if none of the settings permit it.
There are a few cases where Gmail gives precedence to one setting over another. In this case, Gmail applies both settings, but one is applied first.
The ordering precedence depends on where the setting is in the organizational unit structure. Actions in a child organization take precedence over parent organization actions.
If two settings have different add footer actions, both footers are added. The ordering of the footers depends on the location of the setting in the organization structure. Settings in a child organization take precedence over parent organization settings.
If two settings result in different prepend custom subject actions, both prefixes are added. The ordering of the prepended subjects depends on the location of the setting in the organization structure. Settings in a child organization take precedence over parent organization settings.
Order of evaluation and consequence
Gmail evaluates messages and determines consequences in the following order:
Gmail evaluates the message against all policies independently and compiles any matching consequences into a consequence list.
Gmail evaluates the consequence list. If there are any reject consequences, Gmail rejects the message and ignores the other consequences.
If the message isn't rejected, Gmail checks the consequence list for any conflicts. Matching conflicts are compiled in a conflicts list. Conflicts only arise if:
Multiple consequences would change the primary route. There's a change route consequence that’s not a subconsequence of an Add more recipients setting.
Multiple consequences would change the primary envelope recipient. There's a change envelope recipient consequence that’s not a subconsequence of an Add more recipients setting.
Gmail evaluates the conflicts list to determine which of the conflicting consequences to apply. Settings are applied using this criteria:
Specificity—Locally applied settings take precedence over inherited ones. Organization-specific settings take precedence over the default route.
- Creation date—Older settings take precedence over newer ones. Any setting that appears higher on the settings page has a higher priority when there's a conflict. This ordering only applies to rules within a settings section, for example within Routing. There's no strictly defined ordering of conflicting rules between different sections.
Note: We don't recommend relying on rule creation date as the way to resolve conflicts between rules. Ideally, rules should be created to stand on their own without relying on a specific ordering.
Gmail applies the consequences to the message, and applies any non-conflicting consequences from all settings.
Google, Google Workspace, and related marks and logos are trademarks of Google LLC. All other company and product names are trademarks of the companies with which they are associated.