About DLP for Gmail

Supported editions for this feature: Frontline Standard and Frontline Plus; Enterprise Standard and Enterprise Plus; Education Fundamentals, Education Standard, and Education Plus.

Using data loss prevention (DLP) for Gmail, you can create data protection rules to manage sensitive content that your users share in email messages. With DLP for Gmail, rules are applied to messages sent to or received from people inside and outside of your organization.

How does DLP for Gmail work?

When a user sends or receives an email message, DLP scans the message for sensitive content. If a message or attachment violates a rule, the action defined in the rule is applied to the message.

DLP for Gmail flow

  1. Add data protection rules that define sensitive content and the action to take on messages with sensitive content.
  2. When a user sends or receives an email message, DLP scans the content for rule matching.
  3. If a rule is matched, DLP applies the action defined in the rule.
  4. All events are logged in Rule log events for review.

Supported attachment file types

Data protection rules scan the following attachment types:

  • Document file types—TXT, DOC, DOCX, RTF, HTML, XHTML, XML, PDF, PPT, PPTX, ODP, ODS, ODT, XLS, XLSX, PS, CSS, CSV, JSON, SH
  • Image file types (when OCR is turned on)—EPS, BMP, GIF, JPEG, PNG, and images inside PDF files
  • Compressed file types—BZIP, RAR, TAR, ZIP
  • Custom file types—HWP, KML, KMZ, SDC, SDD, SDW, SXC, SXI, SXW, WML, XPS

Multiple attachments

If a message has more than one attachment, the rule is triggered if any of the attachments matches the rule condition. This can sometimes lead to rules that include the NOT condition having unexpected results. For example, if the condition NOT(content contains SSN) is used and one of the attachments contains an SSN, the inner condition (content contains SSN) is true for the message as a whole, so the NOT condition is false and the rule won't be triggered.

Understand triggers

Before defining what content your rule should look for, you specify the trigger that initiates the scanning process. With DLP for Gmail, the triggers are:

  • Message sent—Outgoing messages and attachments are scanned.
  • Message received—Incoming messages and attachments are scanned.

Understand DLP actions

When sensitive content is found, your rule can enforce the actions listed in the following table.

If you have similar rules with different response actions, the stricter action prevails. For example, if one rule warns users when a Social Security number (SSN) is found and another rule blocks the user from using SSNs, the block rule is triggered, and the user can't send or receive the email.

If you select Message received as the trigger, the only actions available are Audit only and Apply classification labels.

Action Description
Block message

Outgoing messages only. Blocks the delivery of email messages and sends the user a notification. Optionally, you can add a custom message for users. The event is logged.

Warn users

Outgoing messages only. Allows the user to proceed after a warning message. Optionally, you can add a custom warning message for users. The user's choice to proceed is recorded in the log events.

Quarantine message

Outgoing messages only. Places messages in quarantine for an admin to review before they are sent or returned. Optionally, you can apply quarantine conditions or add a custom message for users.

For details, go to Set up email quarantine.

Audit only

Allows the user to proceed without interruption and logs the event. You can choose to audit messages from external senders, internal senders, or both.

Apply classification labels

Applies an existing classification label to matching email messages. Only badged labels and standard labels with Options list field type are supported. You can choose to apply classification labels on messages from external senders, internal senders, or both.

A data protection rule can't have a classification label as both a condition and an action.

For details, go to Gmail DLP & automatic classification labels.

Add custom note

Outgoing messages only. Adds a custom header or footer to matching email messages.

For details, go to Add classification notes to outgoing messages.

Understand DLP conditions

When you create a data protection rule, you can specify conditions that define what content or activity to scan for. You can use predefined data types or create your own custom content detectors. You can also combine multiple conditions using AND, OR, or NOT operators.

For details, go to How to use predefined content detectors, Create a custom detector, and Examples of rules with nested condition operators.
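To make the multiple-attachment behaviour (a positive condition is satisfied when any attachment matches, so a NOT condition negates the message-wide result) and the stricter-action-prevails rule from the actions section concrete, here is an added Python model of the evaluation. It is illustrative code written for this page, not Google's implementation; the SSN regular expression, the constructed sample message, and the strictness ranking of the actions are assumptions.

```python
import re

# Hypothetical model of how a DLP rule is evaluated over a message with several
# attachments (simplified illustration, not Google's implementation).
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")  # assumed detector pattern

# Constructed sample: clean body, one attachment holds an SSN, the other does not.
SAMPLE = {"body": "Quarterly numbers attached.",
          "attachments": {"report.csv": "id,ssn\n1,123-45-6789\n",
                          "notes.txt": "Nothing sensitive here."}}

def detector_hits(text, pattern, min_count=1, min_unique=1):
    """Predefined-detector style match honouring minimum match count/unique thresholds."""
    hits = pattern.findall(text)
    return len(hits) >= min_count and len(set(hits)) >= min_unique

def evaluate(cond, message):
    """Conditions are nested tuples: ("match", regex[, min_count[, min_unique]]),
    ("not", c), ("and", c1, c2, ...), ("or", c1, c2, ...).
    A positive match is true if the body or ANY attachment matches; NOT then negates
    that aggregate result, which is the multiple-attachment pitfall described above."""
    kind = cond[0]
    if kind == "match":
        parts = [message["body"], *message["attachments"].values()]
        return any(detector_hits(p, *cond[1:]) for p in parts)
    if kind == "not":
        return not evaluate(cond[1], message)
    if kind == "and":
        return all(evaluate(c, message) for c in cond[1:])
    if kind == "or":
        return any(evaluate(c, message) for c in cond[1:])
    raise ValueError(f"unknown operator {kind!r}")

# Assumed strictness order: Block prevails over Warn, which prevails over Audit only.
STRICTNESS = {"Audit only": 0, "Warn users": 1, "Block message": 2}

def resolve_action(rules, message):
    """Return the strictest action among all rules whose condition matches,
    or None when no rule is triggered."""
    triggered = [action for cond, action in rules if evaluate(cond, message)]
    return max(triggered, key=STRICTNESS.__getitem__, default=None)

if __name__ == "__main__":
    rules = [(("match", SSN_RE), "Warn users"), (("match", SSN_RE), "Block message")]
    print(evaluate(("not", ("match", SSN_RE)), SAMPLE))  # False: one attachment has an SSN
    print(resolve_action(rules, SAMPLE))                  # Block message
```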

Content type to scan: All content
What to scan for: Matches predefined data type; Contains text string; Contains word; Matches regular expression; Matches words from word list
Details & use: Scans all content for sensitive information.

The All content option scans only 5 header types: Subject, To, From, Bcc, and Cc. These headers are immediately available for synchronous scanning. To scan all message headers, we recommend using one of these options:

  • Add multiple conditions with the OR operator to scan email headers.
  • Create a separate rule specifically to scan email headers.

Content type to scan: Body
What to scan for: Matches predefined data type; Contains text string; Contains word; Matches regular expression; Matches words from word list
Details & use: Scans message body and attachments for sensitive information. Message body is scanned synchronously and attachments are scanned asynchronously.

Content type to scan: Classification label
What to scan for: Is
Details & use: Whether a classification label has been applied to the message. For details, go to Gmail DLP & automatic classification labels. A data protection rule can't have a classification label as both a condition and an action.

Content type to scan: Confidential mode status
What to scan for: Is enabled; Is disabled
Details & use: Whether the message has confidential mode enabled. For details, go to Protect Gmail messages with confidential mode.

Content type to scan: Email headers
What to scan for: Matches predefined data type; Contains text string; Contains word; Matches regular expression; Matches words from word list
Details & use: Scans email headers for sensitive information. While most headers are scanned asynchronously, the Subject, To, From, Bcc, and Cc headers are scanned both asynchronously and synchronously. To prevent disrupting your users, avoid setting a negative match condition (a NOT condition) on unavailable email headers.

Content type to scan: Subject
What to scan for: Matches predefined data type; Contains text string; Contains word; Matches regular expression; Matches words from word list
Details & use: Scans email subjects synchronously for sensitive information.

Create a rule

After you determine what you want your rule to do, you create the rule. For details, go to Create data protection rules.

Common use cases

The following table provides examples of how to combine a trigger (what the user does), conditions (what is checked), and a specific action (the enforcement) to define your DLP policy. To use this table, you must:

  1. Select a trigger.
  2. Map condition values to the corresponding options.
  3. Select an action.

Changes can take up to 24 hours but typically happen more quickly.

Use case: Warn users when Gmail messages or attachments contain a credit card number
Trigger: Google Gmail and then Message sent
Condition:
  Content type: All content
  Match: Matches predefined data type
  Data type: Global — Credit Card Number
  Likelihood threshold: High
  Minimum unique matches: 1
  Minimum match count: 1
Action: Warn users

Use case: Block Gmail messages when the message body contains a US individual tax ID and the message doesn't use confidential mode
Trigger: Google Gmail and then Message sent
Condition:
  Condition 1:
    Content type: Body
    Match: Matches predefined data type
    Data type: United States — Individual Taxpayer Identification Number
  AND
  Condition 2:
    Content type: Confidential mode status
    Value: Disabled
Action: Block message

Use case: Audit inbound emails
Trigger: Google Gmail and then Message received
Condition:
  Content type: Email headers
  Match: Matches regular expression
  Value: Internal — Tool
  Minimum times the pattern repeats: 1
Action: Audit only

About synchronous & asynchronous scanning

When Gmail messages are sent, rules can be scanned synchronously or asynchronously:

  • Synchronous scanning—Data protection rules are scanned when the user clicks Send. The user is notified of sensitive content before the message leaves their mailbox. Gmail on the web and the Gmail mobile app perform synchronous scanning.

    Note: Emails that a user saves as a draft are also scanned, and the user is notified about any sensitive content.

  • Asynchronous scanning—Data protection rules are scanned after the message leaves the sender's mailbox. Users get a message that the message is blocked or quarantined before it's delivered to the recipient. Asynchronous scanning occurs when a user sends a message with a third-party email app, and when synchronous scanning is unsuccessful.

When Gmail messages are received, the rules are scanned before the message is delivered to the recipient’s mailbox.

Outcomes of synchronous & asynchronous scanning for sent messages

Synchronous scanning: Gmail on the web or mobile

When a rule with the Block message action is triggered:

  • An alert appears, indicating that the message can't be sent in its current state. You can add a custom message in the rule for this alert.
  • The alert has a Back to editing option, so the user can return to editing the message and update or remove the sensitive content.
  • When the user resends the message after editing, the message is scanned again and checked against all applicable rules.

When a rule with the Warn users action is triggered:

  • An alert appears, indicating that the message may contain sensitive content. You can add a custom alert message in the rule setting options.
  • The alert has a Back to editing option so the user can return to editing the message and update or remove the sensitive content.
  • The alert has a Send anyway option that lets the user send the message in its current state.

When a rule with the Quarantine message action is triggered:

  • An alert appears, indicating that the message may contain sensitive content. You can add a custom alert message in the rule setting options.
  • The box has a Back to editing option, so the user can optionally return to editing the message and update or remove the sensitive content.
  • The box has a Submit for review button, so the user can send the message for review by an admin or other authorized user. After reviewing the message, the admin can approve the message for delivery to the recipient, or block it from being sent.

When a rule with the Audit only action is triggered:

  • The user doesn't see an alert and the message is delivered to recipients.
  • The message event is recorded in audit logs.

Note: Messages that are scanned synchronously might be scanned again asynchronously as an added security measure. This can result in the message being blocked, even when no dialog box was presented during the synchronous scanning.

Asynchronous scanning: Gmail with SMTP and third-party email app

When a rule with the Block message action is triggered:

  • The sender sees the message in their Sent mailbox.
  • The sender gets a message indicating that the message was blocked. You can add a custom message in the rule for this alert.

When a rule with the Warn users action is triggered:

  • The sender sees the message in their Sent mailbox.
  • The sender gets a message indicating that the message was blocked. You can add a custom message in the rule for this alert.
  • For messages sent using third-party email apps connected to Gmail with SMTP, rules with the Warn users action behave in the same way as rules with a Block message action.

When a rule with the Quarantine message action is triggered: 

  • The sender sees the message in their Sent mailbox.
  • If the message wasn't sent, the sender gets an alert indicating that the message was quarantined. You can add a custom message in the rule for this alert.

When a rule with the Audit only action is triggered:

  • The sender doesn't get a notification and the message is delivered to the recipient.

Asynchronous scanning: Gmail on the web or mobile

When you use Gmail on the web or in a mobile app, messages are scanned asynchronously one more time as an extra security measure.

When a rule with the Block message action is triggered:

  • The sender sees the message in their Sent mailbox.
  • The sender gets a message indicating that the message was blocked. You can add a custom message in the rule for this alert.

When a rule with the Warn users action is triggered, the message is sent:

  • The sender can see the message in their Sent mailbox.
  • The message event is recorded in Rule log events.

When a rule with the Quarantine message action is triggered:

  • The sender can see the message in their Sent mailbox.
  • They might get a notification later if message sending was prevented by the reviewer.

When a rule with the Audit only action is triggered:

  • The sender doesn't get any notification and the message is delivered to the recipient.

Messages created automatically by other Google products

Gmail sends automated notifications and messages created by other Google and Google Workspace services, including Google Calendar, Docs, and Drive. For example, when someone creates an event in Calendar and invites guests, a Gmail message with the event details is created and sent to event participants. The message is scanned on the server side. If the message content meets the conditions of any rule, the rule action is applied.

When a rule with the Block message action is triggered:

  • The sender sees the message in their Sent mailbox.
  • The sender gets a message indicating that the message was blocked. You can add a custom message in the rule for this notification.

When a rule with the Warn users action is triggered:

  • The message is sent.
  • The sender can see the message in their Sent mailbox.
  • The message event is recorded in Rule log events.

When a rule with the Quarantine message action is triggered:

  • The sender might get a notification later if message sending was prevented by the reviewer.

When a rule with the Audit only action is triggered:

  • The message is sent.
  • The sender doesn't get any notification.

DLP for Gmail interactions

How does DLP interact with other email rules?

Data protection rules are evaluated before content compliance rules and routing rules.

If no data protection rule blocks or quarantines a message, the message is then evaluated by content compliance and routing rules. If a content compliance or routing rule applies an action that creates another copy of the message (for example, adds a new recipient), DLP scans the new copies of the message before sending them.

For details, go to Set up rules for advanced email content filtering.

How does DLP for Gmail interact with groups?

Data protection rules apply to groups only when the rule is set for the entire organization. For messages sent, data protection rules support only the Block message action for groups. The Warn users and Quarantine message actions aren't supported for groups.

For messages received, data protection rules apply to the original copy received by the group. If classification labels are applied to the message, all group members’ copies of the received message will have the same classification.

Investigate data protection rule events using the security investigation tool

Run a search for Rule log events

The following example runs a search to investigate Gmail messages that triggered a data protection rule. You can use other conditions in your search, or no conditions at all.

  1. In the Google Admin console, go to Menu and then Security and then Security center and then Investigation tool.

    Requires having the Security center administrator privilege.

  2. Click Data source and then Rule log events.
  3. Click Condition builder and then Add Condition and then Attribute and then Rule type.
  4. Select DLP.
  5. Click Search.
    From the search results at the bottom of the page, you can view a list of events with details about each event.

    Note: Sensitive content snippets aren't supported for Gmail DLP. As a result, the Has sensitive content column shows False even if a message contains sensitive content that triggered a data protection rule.

  6. Scroll to the Resource ID column and click Menu to display Gmail log events and Message ID.
  7. Click Search to open a new search page where Gmail log events is the data source.
  8. To view additional details, click Message ID for any line in the search results. A side panel displays additional details about your investigation.
  9. If prompted, enter the business need for viewing Gmail content, and then click Confirm.

Export DLP violations using BigQuery

You can export DLP violations logged in Rule log events to custom tables for further investigation. For details, go to Set up service log exports to BigQuery.

Share your feedback

In the Admin console on any data protection pages, click Send Feedback.