Add classification notes to outgoing messages

Add custom banners and footers to messages containing sensitive content

Supported editions for this feature: Frontline Standard and Frontline Plus; Enterprise Standard and Enterprise Plus; Education Fundamentals, Education Standard, and Education Plus. Compare your edition

DLP for Gmail is also available to Cloud Identity Premium users who are also licensed for Google Workspace editions that include Gmail.

As a Google Workspace admin, you can create Data Loss Protection (DLP) rules to automatically add custom classification notes to outgoing Gmail messages. Classification notes are added to messages sent to external recipients or to recipients using non-Gmail email apps. The note can appear as a banner at the top of the message or as a footer beneath the message body and Gmail signature.

Classification notes include information about sensitive message content and guidance about how the recipient should handle messages based on your organization's data sharing and privacy policies. As an admin, you customize the text that appears in the note when you create the DLP rule.

For DLP security for internal Gmail users, we recommend using DLP rules with Gmail classification labels. Learn more at Prevent data leaks in email & attachments.

How classification notes are added to messages

DLP rules scan outgoing messages when they're sent. When message content activates a DLP rule with an Add custom note action, the classification note is added to the message when the message is sent.

You can create multiple DLP rules that add different classification notes to outgoing messages based on message content or other message attributes, for example the message subject or headers. If an email message activates more than one classification note rule, classification notes for all activated DLP rules are added to the message. For best performance, we recommend you follow DLP content and rule size limits.

Gmail DLP and content compliance footers

When a message activates both a DLP rule with an Add custom note action and an append footer content compliance setting, the DLP rule takes precedence and the classification note is added first. Then the content compliance rule footer is added. Recipients see all footers in the message. Learn more about the Append footer setting

Known limitations

Classification notes are added asynchronously, and the sender doesn't get a notification when a note is added. Synchronous application of classification notes isn't supported. Learn more about synchronous and asynchronous scanning

Add classification notes with a DLP rule

Take these steps to create a DLP rule that adds a custom classification note to outgoing messages that meet the rule conditions.

  1. In the Google Admin console, go to Menu and then Rulesand thenCreate ruleand thenData protection.

    Requires having the View and Manage DLP rule privileges.

  2. Enter the name and (optionally) a description for the rule.
  3. In the Apps section, select Gmail and then Message sent.
  4. Click Continue.
  5. In the Actions section, select Add custom note, then enter custom text:
    • Title—Optional. Header text for the footer that appears in bold above the main footer content. Can have up to 50 characters.
    • Body content—Text for the main header or footer content. Can have up to 300 characters, including any URL you add with Insert link.
    • Insert link—Optional. The link text as you want it to appear in the header or footer and the destination URL for the link.
    • Specify custom note location in emails—Select where you want the classification note to appear in messages: Top (header) or Bottom (footer). The default is footer.
    • Display as banner—Optional. Select this to add a color background to the footer.
  6. (Optional) To specify how incidents are plotted in the DLP Incident dashboard, in the Alerting section, choose a severity level (Low, Medium, High).
  7. (Optional) To trigger notifications in the Alert center, check the Alert center box. To send a notification to administrators, check the All super admins box or add the email addresses of recipients.
  8. Click Continue.
  9. For Scope, choose an option:
    • To apply the rule to your whole organization, select All in domain.name.
    • To apply the rule to specific organizational units or groups, select Organizational units and/or groups and include or exclude organizational units and groups.

    If there's a conflict between organizational units and groups in terms of inclusion or exclusion, the group takes precedence.

  10. To add a condition, click Add Condition and select the part of the message that is scanned:

    Important: If you create a DLP rule with no condition, the rule scans all parts of the message and applies the specified action to every Gmail message.

    • All content—Scans message header, subject, body, and attachments.
    • Body—Scans message body and attachments.
    • Email headers—Scans message header and subject. If the message is sent with Google Workspace Client-side encryption (CSE), only the content of the email headers (including subject) can be scanned.
    • Subject—Scans message subject only.
    • Classification labels—Scans classification labels applied to messages.
    • Confidential mode status—Scans whether confidential mode is turned on for messages.

  11. Choose What to scan for and select the options and attributes for your scan. For details about this field, visit About What to scan for options & attributes on the Prevent data leaks in email & attachments page.

  12. Click Continue and review the rule details.

  13. For Rule status, choose an option:
    • Active—Your rule runs immediately.
    • Inactive—Your rule exists, but is not in effect. This gives you time to review the rule and share it with team members before implementing. Activate the rule later by going to Securityand thenAccess and data controland thenData Protectionand thenManage Rules. Click the Inactive status for the rule and select Active. The rule runs after you activate it, and DLP scans for sensitive content.

  14. Click Create.

Changes can take up to 24 hours but typically happen more quickly. Learn more

Use the security investigation tool to view log events for auto-applied custom notes. Use Rule log events as the data source. For detailed steps, visit the Investigate DLP rule events using the security investigation tool section on the Prevent data leaks in email & attachments page.

Share your feedback

In the Admin console on any data protection pages, click Send Feedback.