Using address lists in Gmail settings

You can control the scope of a Gmail setting by using it in conjunction with an address list of specific email addresses or domains. Use an address list when you want to exempt certain addresses or domains from a setting, or to apply the setting only to messages from (or to) those addresses or domains.

Gmail settings that can use address lists include Spam, Blocked senders, Restrict delivery, Content compliance, Objectionable contentAttachment compliance, Secure transport (TLS) compliance, and Routing.

Once you’ve set up an address list, it’s available for use in all these settings (except for blocked senders lists, which are only available in the Blocked senders setting). You can also create different lists for different settings.

Address lists can include email addresses (user@company.com) and entire domains (company.com).

Create and manage address lists

Create or use an existing address list
  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. From the Admin console Home page, go to Appsand thenG Suiteand thenGmailand thenAdvanced settings.

    Tip: To see Advanced settings, scroll to the bottom of the Gmail page.

  3. (Optional) On the left, select an organization.
  4. On the Gmail and then Advanced settings page, point to a setting and click Edit.
  5. Click Use existing or create a new one.
  6. Under Create new list, enter a name for the list, then click Create.

    The new list is added, with ‘0’ next to it showing it’s currently empty.

  7. To use an existing list, click the list name.

  8. Point to the new list, then click Edit.
  9. Proceed to add, edit or delete addresses.
  10. Click Save.
Add, edit, or delete addresses
  1. Navigate to the address list you want to edit:
    1. On the Gmail and then Advanced settings page, point to a setting and click Edit.
    2. In the Edit setting dialog, locate the address list you want to edit.
      Note: For some Gmail settings, you need to click Show options to display the address list.

    3. Point to the address list, then click Edit.
  2. Do one of the following:
    • To add an address, click Add Add, enter one or more addresses or domain names, separated by a comma or space. Click Save.

      Note:To determine if the address list is matched, G Suite considers the "from" sender (not the "Return-Path") for received mail and the recipients for sent mail. For senders, the authentication requirement is also checked (details below). If multiple lists are specified, the address must match at least one of the lists.
       
    • To edit or delete an address, point to the address, then click Edit or Delete.
  3. (Optional) Change the Require sender authentication setting if necessary. This option is turned on by default for each address or domain. This is recommended because turning authentication off can lead to spoofing. For more information, see How authentication protects your domain below.
  4. Click Save to save changes to the address list.

Notes:

  • After you save changes, any new or modified addresses are inserted into the list and sorted in alphabetical order, with domains before users. 
  • Addresses are de-duped (identical addresses with different authentication requirements are considered unique).
Change the address list in use, or use multiple lists

You can switch between address lists, or use multiple lists at the same time. Approved address lists can be reused across settings.

  1. On the Gmail and then Advanced settings page, point to a setting and click Edit.
  2. In the Edit setting dialog, locate the address list you want to change.

    Note: For some Gmail settings, you need to click Show options to display the address list.

  3. Do one of the following:
    • To stop using a list, point to the list name and click Don’t use.
    • To use another list, click Use existing or create a new one, then locate the list you want under Available lists and click Use.

Important: If you reuse a list across multiple settings, keep in mind that any edit you make to the list in one setting affects all the other settings where the list is used.

Search an address list

Use the Search feature to locate one or more addresses in a lengthy address list.

  1. Point to the Gmail setting whose address list you want to search, then click Edit.
  2. In the Edit setting dialog box, hover over the address list and click Edit.
  3. Click Search Searchat the top of the address list to open the search field.
  4. Enter all or part of an email address or domain. The address/domain list is filtered to show only results that match your search query.
  5. (Optional) To clear your search query, click the "X" icon.

  6. (Optional) To close the search box, click anywhere on the page outside the box after clearing your search query.

You can still add, edit, or delete entries when you have a search query in the search box. But any changes that don't match the search term won't appear until the search term is cleared.

Note: Search looks for addresses and domain names that contain your search text. For example, searching for 'bert' returns results for 'Bert,' 'Bertrand,' and 'Roberta.'  Differences in capitalization are ignored.

View all addresses in a list

In edit mode, the address list shows 10 addresses/domains at a time, and you scroll through additional pages to view the next set of addresses or domains. Use View all mode to see the entire contents of an address list in one table.

You can’t edit the address list in View all mode, but you can copy and paste the contents to another program, such as a spreadsheet or text editor.

  1. Point to the Gmail setting whose address list you want to search, then click Edit.
  2. In the Edit setting dialog box, point to the address list and click Edit.
  3. Click View all at lower right of the address list.
    All list contents are shown, with domains listed first, then email addresses.

    Tips:
    • You can use the scroll bar to see all the entries if the list is large.
    • You can click the Address and Authentication columns (where relevant) to change the sort order in the view.
  4. To return the address list to edit mode, click Edit at the top of the address list.

How address list matching works

There are several things to keep in mind about how Gmail determines whether a given sender or recipient matches a configured address list. The following are some commonly asked questions.

Does address list matching apply to the sender or recipients?

  • For received mail (when your domain is the recipient), Gmail checks the sender against the address list.
  • For sent mail (when your domain is the sender), Gmail checks the recipients.

Some settings only apply address list matching to received mail (Spam, Blocked senders). Others apply address lists to both received and sent mail (Restrict delivery). Still others provide a choice whether to apply them to received mail, sent mail or both (such as compliance and routing rules).

How does Gmail check senders?

For mail received by your domain, Gmail checks if the “From:” sender address (not the “Return-Path:”) matches any addresses or domains in the address list(s). In addition, if the authentication requirement is turned on, Gmail checks if the sender is authenticated. Learn more about sender authentication.

Notes:

  • The “From:” sender typically appears as the sender address in your email inbox; the “Return path:” sender is only visible in the message header.
  • If you are tracking message delivery using Email Log Search, keep in mind that the tool displays the “Return-path:” sender, while address list matching is based on the “From:” sender (these two senders may not always be the same).

How does Gmail check recipients?

For mail sent by your domain, Gmail checks if the recipient of the message (in the “To:”, “Cc:” or “Bcc:”) matches any addresses or domains in the address list(s).

Gmail checks each recipient independently; if a given recipient matches, the rule applies to the copy of the message destined for that recipient. For example, if a “Secure transport” setting includes “foo@baz.com” in the address list but not “bar@baz.com", only the copy destined for “foo@baz.com” will require TLS.

Note: The sender authentication requirement is ignored when checking recipients.

What happens if I add my own domain to the address list?

Address lists only apply to communication with external domains—in other words, “Inbound” and “Outbound,” but not “Internal - Sending” or “Internal - Receiving.”

Why was an unlisted address considered a match?

Sometimes, Gmail considers an address a match even if it’s not in an address list. This is because Gmail standardizes addresses prior to comparison. During this process:

  • Dots and plus addressing in usernames are removed.
  • Subdomains are stripped from address names.
  • Addresses are converted to lowercase.

For example, this means that foo@baz.com, f.o.o.@baz.com, foo+bar@baz.com, foo@bar.baz.com, and FoO@bAZ.cOm are all considered matches of each other.

Furthermore, as long as there’s a match within any list configured in the setting, the address is considered a match. For example, if foo@bar.com sends an unauthenticated message, and the address list contains “bar.com” requiring authentication (which is not a match) and “foo@bar.com” not requiring authentication (which is a match), the address is considered a match. If there are multiple lists used in the setting, the address is considered a match if there’s a match in any of the lists.

How sender authentication protects your domain

By default, sender authentication is turned on for any new entries on an address list. Sender authentication protects you from spoofed email; that is, email that appears to be from a valid sender but really isn’t. 

Without sender authentication, Gmail has no way of knowing if the message was really sent by the person it claims to have come from. Because of this, a sender is only considered to match your address list if their mail is authenticated.

The sender authentication requirement only applies to mail received by your domain, and is ignored when mail sent by your domain is checked. You can remove this requirement by turning off sender authentication for an address or domain.

Caution: We strongly recommend that you not turn off sender authentication.

Turn sender authentication on or off for an address or domain

Sender authentication is turned on by default for any new entries on an address list.

To update the authentication requirement for a sender:

  1. Navigate to the address list you want to edit:
    1. On the Gmail Advanced settings page, point to a setting and click Edit.
    2. In the Edit setting dialog, locate the address list you want to edit.
      Note: For some Gmail settings, you need to click Show options to display the address list.
    3. Point to the address list, then click Edit.
  2. Point to an address, than click Edit
  3. Check or uncheck Sender authentication.

    Caution: We strongly recommend that you not turn off sender authentication.
How sender authentication is determined

To determine if a sender’s message is authenticated, Gmail checks if at least one of the following conditions is met:

  • The message passes SPF and the “From:” sender matches the “Return-path:” sender.
  • The message has a valid DKIM signature, and the domain in that signature matches the “From:” sender.

In other words, the message must conform to requirements similar to the DMARC standard.

Notes:

  • The “From:” sender typically appears as the sender address in your email inbox; the “Return path:” sender is only visible in the message header.
  • Subdomains are considered matches to parent domains. For example, foo@bar.baz.com is considered a match of foo@baz.com.
What if I really need to turn off sender authentication?

Sometimes, mail from a trusted sender isn’t sent with proper authentication. If messages from that sender occasionally land in your spam folder, you might be tempted to add the sender to your approved senders list in the Spam setting and turn off the authentication requirement. Here are some safer alternatives:

  • Contact the sender to see if they can address their authentication issues.
  • If only a small subset of messages are sent without authentication, consider creating a Content compliance rule to match those specific messages. In a Content compliance rule, you can select to “Bypass spam filter for this message” and “Only apply this setting for specific addresses or domains.”

Caution: To protect your domain, we strongly discourage turning off the sender authentication requirement under any circumstances.

Was this article helpful?
How can we improve it?