Overview: Choose Gmail content filtering and data protection options

If you're looking for instructions and guidelines related to legal, security, and compliance concerns, go to Google Workspace legal and compliance.

Google Workspace offers many options to meet your organization's compliance and regulatory requirements, and to protect your sensitive data.

Start here to find the policies that work best for your organization.

Footer and confidential mode 

Add a standard footer to users' outbound messages

Add a standard footer to all your users' outgoing messages.

Examples: For legal compliance, branding, informational requirements, or promotions.

Learn how
Protect Gmail messages with confidential mode

Enable or disable your users' ability to send or receive messages in confidential mode. When this mode is enabled, users can prevent recipients from sharing (forwarding, printing, and so on) a message containing sensitive information.

Learn how

Message storage policies

Control email and chat storage

Control the amount of email and chat messages stored for users in your organization.

Also specify how to archive or delete messages when their storage periods expire.

Learn how
Set up comprehensive mail storage

Ensure that copies of all messages your users send or receive are stored in users’ Gmail mailboxes.

Useful for:

  • Organizations that use Vault
  • If you reroute messages to non-Gmail email servers
  • If you use an SMTP relay service with a non-Gmail system
Learn how

Recipient policies and controls

Set up external recipient notifications

Remind users when they email recipients outside your organization who they don't email regularly, or who aren't listed in their Contacts. 

Example: To protect your users from unintentionally sharing information externally.

Learn how
Allow emails only with authorized addresses or domains

Allow users to exchange messages only with specific addresses or domains that you authorize.

Example: A school might want to allow students to exchange messages with faculty members and other students, but not with people outside of the school.

Learn how
Block emails between specific users or groups

Prevent emails between users in specific organizational units. 

Example: A school district might want to prevent elementary school students from receiving email from high school students. 

Learn how
Enforce an "IP lock" in Google Workspace

Allow users to receive mail only from an IP address or range of addresses that you specify. By manually defining allowed IP ranges, you simultaneously allow all incoming traffic from a particular domain, and prevent spoofing from other domains.

Example: An IP lock is particularly useful with domains that don't have a Sender Policy Framework (SPF) record, or that use third party applications to send mail on behalf of the domain.

Learn how

Content filtering with rules

Set up rules for advanced email content filtering

Set up rules for how to handle messages containing specific content or expressions.      


  • Reject outbound messages that contains the word “confidential.”
  • Quarantine messages from IP addresses outside of a specified range.
  • Route messages containing specific text strings or patterns to your legal department.
Learn how
Set up rules for objectionable content

Set up rules to determine whether messages containing certain words are rejected, quarantined, or delivered with modifications.


  • Reject outbound messages that contains the word “confidential.”
  • Quarantine a message that has an objectionable word.
  • Notify others when a message has an objectionable word.
Learn how
Set up rules for basic email content filtering

Set up rules for how to handle message attachments such as documents, video and sound files, images, and compressed files and archives.


  • Reject messages containing harmful file types.
  • Quarantine a message with a potentially harmful attachment, for review.
  • Detect encrypted attachments, which is useful if you need to send unencrypted copies of message attachments to an archive server for regulatory purposes.
Learn how
Set up rules to detect harmful attachments

Have Gmail scan or run attachments in a virtual environment called the Security Sandbox. Attachments identified as threats can then be placed in users' Spam folders or quarantined.

Use case: Protects against malicious software that might be missed by antivirus programs

Learn how
Use optical character recognition (OCR) to read images

Extract text from image attachments to then apply rules for content compliance or objectionable content. Extracts text from GIF, JPG, PNG, and TIFF images.

Example: Set up a content compliance rule to quarantine messages containing credit card numbers. Then turn on OCR to detect and quarantine a PNG image attachment of an invoice containing a credit card number. 

Learn how
Scan your email traffic using DLP rules

Scan inbound or outbound emails for sensitive data using predefined content detectors. Then automatically quarantine, reject, or modify a message, based on its content.

Examples: Predefined content detectors exist for a range of numerical data types, including Social Security numbers, country-specific drivers license or passport numbers, credit card numbers, and many more.  

Learn how

Message transmission and encryption

Require mail to be transmitted via a secure TLS connection

Require email to and from specific domains or email addresses to be transmitted using Transport Layer Security (TLS). TLS is a security protocol that encrypts email to protect its privacy.

Learn how
Set up rules to require S/MIME signature and encryption

Set up compliance and routing rules that require that outgoing messages be signed and encrypted using S/MIME.

Examples: Users can intentionally turn encryption off, but you can set up a rule that overrides this action. You can also set up rules that ensure messages are encrypted when certain patterns are detected, such as credit card numbers.

Learn how
Use Google Workspace certificates for secure transport (TLS)
Use Transport Layer Security (TLS) certificates to encrypt your users' mail for secure inbound and outbound delivery. Learn how
Increase email security wit MTA-STS and TLS reporting

Turn on MTA Strict Transport Security (MTA-STS) to require authentication checks and encryption for email sent to your domain.

Use Transport Layer Security (TLS) reporting to get information about external server connections.

Learn how
Was this helpful?
How can we improve it?
Clear search
Close search
Google apps
Main menu
Search Help Center