Supported editions for this feature: Frontline Standard and Frontline Plus; Enterprise Standard and Enterprise Plus; Education Fundamentals, Education Standard, and Education Plus.
Using data loss prevention (DLP) for Gmail, you can create data protection rules to manage sensitive content that your users share in email messages. With DLP for Gmail, rules are applied to messages sent to or received from people inside and outside of your organization.
How does DLP for Gmail work?
When a user sends or receives an email message, DLP scans the message for sensitive content. If a message or attachment violates a rule, the action defined in the rule is applied to the message.
DLP for Gmail flow
- Add data protection rules that define sensitive content and the action to take on messages with sensitive content.
- When a user sends or receives an email message, DLP scans the content for rule matching.
- If a rule is matched, DLP applies the action defined in the rule.
- All events are logged in Rule log events for review.
Supported attachment file types
Data protection rules scan the following attachment types:
- Document file types—TXT, DOC, DOCX, RTF, HTML, XHTML, XML, PDF, PPT, PPTX, ODP, ODS, ODT, XLS, XLSX, PS, CSS, CSV, JSON, SH
- Image file types (when OCR is turned on)—EPS, BMP, GIF, JPEG, PNG, and images inside PDF files
- Compressed file types—BZIP, RAR, TAR, ZIP
- Custom file types—HWP, KML, KMZ, SDC, SDD, SDW, SXC, SXI, SXW, WML, XPS
Multiple attachments
If a message has more than one attachment, the rule is triggered if any of the attachments matches the rule condition. This can sometimes lead to rules that include the NOT condition having unexpected results. For example, if the condition NOT(content contains SSN) is used and one of the attachments contains SSN, the condition is true, and the rule won't be triggered.
Understand triggers
Before defining what content your rule should look for, you specify the trigger that initiates the scanning process. With DLP for Gmail, the triggers are:
- Message sent—Outgoing messages and attachments are scanned.
- Message received—Incoming messages and attachments are scanned.
Understand DLP actions
When sensitive content is found, your rule can enforce the actions listed in the following table.
If you have similar rules with different response actions, the stricter action prevails. For example, if one rule warns users when a Social Security number (SSN) is found and another rule blocks the user from using SSNs, the block rule is triggered, and the user can't send or receive the email.
If you select Message received as the trigger, the only actions available are Audit only and Apply classification labels.
| Action | Description |
|---|---|
| Block message | Outgoing messages only. Blocks the delivery of email messages and sends the user a notification. Optionally, you can add a custom message for users. The event is logged. |
| Warn users | Outgoing messages only. Allows the user to proceed after a warning message. Optionally, you can add a custom warning message for users. The user's choice to proceed is recorded in the log events. |
| Quarantine message | Outgoing messages only. Places messages in quarantine for an admin to review before they are sent or returned. Optionally, you can apply quarantine conditions or add a custom message for users. For details, go to Set up email quarantine. |
| Audit only | Allows the user to proceed without interruption and logs the event. You can choose to audit messages from external senders, internal senders, or both. |
| Apply classification labels | Applies an existing classification label to matching email messages. Only badged labels and standard labels with Options list field type are supported. You can choose to apply classification labels on messages from external senders, internal senders, or both. A data protection rule can't have a classification label as both a condition and an action. For details, go to Gmail DLP & automatic classification labels. |
| Add custom note | Outgoing messages only. Adds a custom header or footer to matching email messages. For details, go to Add classification notes to outgoing messages. |
Understand DLP conditions
When you create a data protection rule, you can specify conditions that define what content or activity to scan for.
You can use predefined data types or create your own custom content detectors.
You can also combine multiple conditions using AND, OR, or NOT operators.
For details, go to How to use predefined content detectors, Create a custom detector, and Examples of rules with nested condition operators.
| Content type to scan | What to scan for | Details & use |
|---|---|---|
| All content | Matches predefined data type; Contains text string; Contains word; Matches regular expression; Matches words from word list | Scans all content for sensitive information. The All content option scans only 5 header types: Subject, To, From, Bcc, and Cc. These headers are immediately available for synchronous scanning. To scan all message headers, we recommend using one of these options: |
| Body | Matches predefined data type; Contains text string; Contains word; Matches regular expression; Matches words from word list | Scans message body and attachments for sensitive information. Message body is scanned synchronously and attachments are scanned asynchronously. |
| Classification label | Is | Whether a classification label has been applied to the message. For details, go to Gmail DLP & automatic classification labels. A data protection rule can't have a classification label as both a condition and an action. |
| Confidential mode status | Is enabled; Is disabled | Whether the message has confidential mode enabled. For details, go to Protect Gmail messages with confidential mode. |
| Email headers | Matches predefined data type; Contains text string; Contains word; Matches regular expression; Matches words from word list | Scans email headers for sensitive information. While most headers are scanned asynchronously, the Subject, To, From, Bcc, and Cc headers are scanned both asynchronously and synchronously. To prevent disrupting your users, avoid setting a negative match condition (a |
| Subject | Matches predefined data type; Contains text string; Contains word; Matches regular expression; Matches words from word list | Scans email subjects synchronously for sensitive information. |
Create a rule
After you determine what you want your rule to do, you create the rule. For details, go to Create data protection rules.
Common use cases
The following table provides examples of how to combine a trigger (what the user does), conditions (what is checked), and a specific action (the enforcement) to define your DLP policy. To use this table, you must:
- Select a trigger.
- Map condition values to the corresponding options.
- Select an action.
| Use case | Trigger | Condition | Action |
|---|---|---|---|
| Warn users when Gmail messages or attachments contain a credit card number | Google Gmail | Content type: All content; Match: Matches predefined data type; Data type: Global — Credit Card Number; Likelihood threshold: High; Minimum unique matches: 1; Minimum match count: 1 | Warn users |
| Block Gmail messages when the message body contains a US individual tax ID and the message doesn't use confidential mode | Google Gmail | Condition 1: Content type: Body; Match: Matches predefined data type; Data type: United States — Individual Taxpayer Identification Number. Condition 2: Content type: Confidential mode status; Value: Disabled | Block message |
| Audit inbound emails | Google Gmail | Content type: Email headers; Match: Matches regular expression; Value: Internal — Tool; Minimum times the pattern repeats: 1 | Audit only |
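A small model of how a Body condition like the ones in this table is evaluated across the parts of a message, added here as an example (not Google's code): the rule fires if the body or any one attachment satisfies the regular expression together with its Minimum match count and Minimum unique matches thresholds, matching the "Multiple attachments" behaviour described above. The message text, the card-number pattern, and the assumption that the thresholds are counted per scanned part are constructed for this illustration.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed message: attachments are given as already-extracted text
# (real Gmail DLP extracts text from the attachment types listed above).
MESSAGE = {
    "subject": "Invoices for March",
    "body": "Hi, please find the invoices attached.",
    "attachments": {
        "invoice1.txt": "Card on file: 4111 1111 1111 1111",
        "notes.csv": "id,card\n1,4111111111111111\n2,5500 0000 0000 0004\n",
    },
}

# Constructed stand-in for a custom "Matches regular expression" detector:
# four groups of four digits, optionally separated by spaces or dashes.
CARD_RE = r"\b(?:\d{4}[ -]?){3}\d{4}\b"


@dataclass
class RegexCondition:
    pattern: str
    content_type: str = "Body"     # "Subject", "Body" or "All content" (from the table)
    min_match_count: int = 1       # total matches required (assumed: per scanned part)
    min_unique_matches: int = 1    # distinct values required (assumed: per scanned part)

    def matches_text(self, text: str) -> bool:
        found = re.findall(self.pattern, text)
        return (len(found) >= self.min_match_count
                and len(set(found)) >= self.min_unique_matches)


def scanned_parts(content_type: str, message: dict) -> Dict[str, str]:
    """Which parts a content type covers, following the conditions table."""
    if content_type == "Subject":
        return {"subject": message["subject"]}
    if content_type == "Body":          # body plus every attachment
        return {"body": message["body"], **message["attachments"]}
    # "All content": subject, body and attachments (the limited header set
    # the page describes for this option is left out of the model).
    return {"subject": message["subject"], "body": message["body"],
            **message["attachments"]}


def evaluate(cond: RegexCondition, message: dict) -> Tuple[bool, List[str]]:
    """Return (triggered, names of parts that matched). The rule is triggered
    if ANY scanned part satisfies the condition, as the page states."""
    parts = scanned_parts(cond.content_type, message)
    hits = [name for name, text in parts.items() if cond.matches_text(text)]
    return bool(hits), hits
```

Raising Minimum match count to 2 drops the single-card attachment and leaves only the CSV as a match, which is the knob to turn when a rule is too noisy on isolated numbers.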
Understand DLP rule priorities & conflicts
When an email triggers one or more Data Loss Prevention (DLP) rules, Gmail takes actions to protect data in email messages. If a single message triggers multiple rules, Gmail follows a set of prioritization steps to ensure the most important or protective action happens first.
For example, if multiple rules apply to a message, Gmail blocks instead of quarantines, and quarantines instead of warns. This ensures that sensitive data is always handled by the strictest rule that applies to a message.
DLP action types
Actions are categorized based on how they impact the message or the user. Here are some terms used in the table below:
- Client-side—Actions that happen in the Gmail Compose view, while the user is writing the message, for example a warning dialog.
- Server-side—Actions that happen after the user clicks Send in a new message, while Gmail's delivery system is processing the message.
- Conflict—When two different rules apply to the same email message. For example, one rule says warn the user and another says block the message from being sent.
| Action category | Description | When it happens | Examples |
|---|---|---|---|
| Delivery controls | Changes whether the email is actually sent. These are the most important. | While composing and after sending | Block, quarantine, warn user |
| Reporting and logs | Keeps a record of the event for you to review later without interfering with the message | While composing and after sending | Audit only |
| Message metadata changes | Updates hidden info or labels on the email (like sensitivity labels) | While composing and after sending. These actions are always performed on messages, independently of any other actions that are activated. Tags are added while a user is composing a message but typically can't be changed after a message is already stored in the system. | Apply labels |
| Email changes | Adds or changes text in the actual email | After sending only | Add a footer |
| Alerts | Sends a notification to the administrator or to a specific person | While composing and after sending | Alert center notification |
How Gmail manages DLP rule priorities & conflicts
If a message activates multiple rules, Gmail uses the following logic to decide how to apply rules to the message:
Delivery priority - Most to least strict
If multiple rules apply to a message, Gmail applies only the most restrictive one. This is how message actions are prioritized:
- Block message (highest priority)—The message is immediately blocked from sending and the user gets an alert that the message wasn't sent.
- Quarantine message—The email is held for an administrator to approve or reject sending and the user gets an alert.
- Warn user—The user gets an alert warning them about message content. They can choose to send the message anyway.
When a message activates multiple DLP rules with the same action (such as blocking the message), Gmail applies only one of them. Gmail applies the first rule in alphabetical order of the rule resource name. For example, if a message activates 2 block rules, one with the rule resource name policies/abb7a1e4c9f2d8a and one with the rule resource name policies/bb7aa1e4c9f2d8a, Gmail applies only the policies/abb7a1e4c9f2d8a rule. Gmail ignores the other rule.
How to find a rule's resource name
To find the rule resource names for a DLP rule, use the Security Investigation Tool (SIT). On the left side of the Rules details page, click Investigate rule to open the SIT page for the rule. The rule resource name appears in the Rule ID field, in this format: policies/resource-name
Resolving label conflicts - System & user
If rules attempt to apply labels, for example Public or Confidential:
- DLP and DLP—If a new DLP rule applies a different label than an old DLP rule, the newer label takes precedence and replaces the old label.
- User and DLP—If a user manually selects a label and the activated DLP rule allows user overrides, then Gmail won't replace the user-selected label with an automated DLP label.
Changes to message content
Message content changes made with DLP rules have a lower priority than DLP delivery action rules (warn, quarantine, block). Examples of message content changes are adding a footer to a message and adding a prefix to a message subject.
If a message activates multiple rules to add a footer, Gmail applies the rules in alphabetical order, based on each rule's resource name, and adds all footers. For details, go to How to find a rule's resource name.
Records & alerts
- Reports: Gmail keeps a record of every rule that’s activated, even if the action was skipped because another rule took precedence.
- Alerts: Users get an alert only when the specific action actually happens. For example, if a quarantine action is set up, but the message was blocked instead, users don't get a quarantine alert.
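The prioritization steps above (most restrictive delivery action wins, alphabetical resource-name tie-break, all footers added in order, newest label wins, every rule logged, one alert) written out as a runnable model. This is an added example, not Google's implementation; the `created` field used to decide which label rule is newer, and the rule names other than the two resource names quoted on the page, are assumptions.

```python
from dataclasses import dataclass, field
from typing import List, Optional

# Delivery actions, strictest first, as the page states: block > quarantine > warn.
DELIVERY_RANK = {"block": 0, "quarantine": 1, "warn": 2}


@dataclass
class Rule:
    resource_name: str              # e.g. "policies/abb7a1e4c9f2d8a" (the page's example)
    action: str                     # block | quarantine | warn | audit | footer | label
    footer: str = ""                # text to add when action == "footer"
    label: str = ""                 # label to apply when action == "label"
    created: int = 0                # creation order, higher = newer (assumed field)
    allow_user_override: bool = False


@dataclass
class Outcome:
    delivery: Optional[str] = None      # effective delivery action, if any
    winning_rule: Optional[str] = None  # rule whose delivery action was applied
    user_alert: Optional[str] = None    # the only alert the user actually sees
    footers: List[str] = field(default_factory=list)
    label: Optional[str] = None
    logged: List[str] = field(default_factory=list)


def resolve(triggered: List[Rule], user_label: Optional[str] = None) -> Outcome:
    out = Outcome()
    # Records: every activated rule is recorded, even when its action is skipped.
    out.logged = sorted(r.resource_name for r in triggered)

    # Delivery controls: the most restrictive action wins; among rules with the
    # same action, the first resource name in alphabetical order is applied.
    delivery = [r for r in triggered if r.action in DELIVERY_RANK]
    if delivery:
        win = min(delivery, key=lambda r: (DELIVERY_RANK[r.action], r.resource_name))
        out.delivery, out.winning_rule = win.action, win.resource_name
        # Alerts: the user is notified only about the action that actually happens.
        out.user_alert = win.action

    # Content changes rank below delivery actions; every footer rule is applied,
    # in alphabetical order of resource name.
    footer_rules = sorted((r for r in triggered if r.action == "footer"),
                          key=lambda r: r.resource_name)
    out.footers = [r.footer for r in footer_rules]

    # Metadata changes are always performed. DLP vs DLP: the newer rule's label
    # replaces the older one. User vs DLP: a manually chosen label is kept when
    # the label rule allows user overrides.
    label_rules = sorted((r for r in triggered if r.action == "label"),
                         key=lambda r: r.created)
    if label_rules:
        newest = label_rules[-1]
        keep_user = bool(user_label) and newest.allow_user_override
        out.label = user_label if keep_user else newest.label
    else:
        out.label = user_label
    return out


def page_example() -> Outcome:
    """The two block rules named on the page: only the alphabetically first applies."""
    return resolve([Rule("policies/bb7aa1e4c9f2d8a", "block"),
                    Rule("policies/abb7a1e4c9f2d8a", "block")])
```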
About synchronous & asynchronous scanning
When Gmail messages are sent, rules can be scanned synchronously or asynchronously:
Synchronous scanning—Data protection rules are scanned when the user clicks Send. The user is notified of sensitive content before the message leaves their mailbox. Gmail on the web and the Gmail mobile app perform synchronous scanning.
Note: Emails that a user saves as a draft are also scanned, and the user is notified about any sensitive content.
Asynchronous scanning—Data protection rules are scanned after the message leaves the sender's mailbox. Users get a message that the message is blocked or quarantined before it's delivered to the recipient. Asynchronous scanning occurs when a user sends a message with a third-party email app, and when synchronous scanning is unsuccessful.
When Gmail messages are received, the rules are scanned before the message is delivered to the recipient’s mailbox.
Outcomes of synchronous & asynchronous scanning for sent messages
Synchronous scanning: Gmail on the web or mobile
When a rule with the Block message action is triggered:
- An alert appears, indicating that the message can't be sent in its current state. You can add a custom message in the rule for this alert.
- The alert has a Back to editing option, so the user can return to editing the message and update or remove the sensitive content.
- When the user resends the message after editing, the message is scanned again and checked against all applicable rules.
When a rule with the Warn users action is triggered:
- An alert appears, indicating that the message may contain sensitive content. You can add a custom alert message in the rule setting options.
- The alert has a Back to editing option so the user can return to editing the message and update or remove the sensitive content.
- The alert has a Send anyway option that lets the user send the message in its current state.
When a rule with the Quarantine message action is triggered:
- An alert appears, indicating that the message may contain sensitive content. You can add a custom alert message in the rule setting options.
- The box has a Back to editing option, so the user can optionally return to editing the message and update or remove the sensitive content.
- The box has a Submit for review button, so the user can send the message for review by an admin or other authorized user. After reviewing the message, the admin can approve the message for delivery to the recipient, or block it from being sent.
When a rule with the Audit only action is triggered:
- The user doesn't see an alert and the message is delivered to recipients.
- The message event is recorded in audit logs.
Note: Messages that are scanned synchronously might be scanned again asynchronously as an added security measure. This can result in the message being blocked, even when no dialog box was presented during the synchronous scanning.
Asynchronous scanning: Gmail with SMTP and third-party email app
When a rule with the Block message action is triggered:
- The sender sees the message in their Sent mailbox.
- The sender gets a message indicating that the message was blocked. You can add a custom message in the rule for this alert.
When a rule with the Warn users action is triggered:
- The sender sees the message in their Sent mailbox.
- The sender gets a message indicating that the message was blocked. You can add a custom message in the rule for this alert.
- For messages sent using third-party email apps connected to Gmail with SMTP, rules with the Warn users action behave in the same way as rules with a Block message action.
When a rule with the Quarantine message action is triggered:
- The sender sees the message in their Sent mailbox.
- If the message wasn't sent, the sender gets an alert indicating that the message was quarantined. You can add a custom message in the rule for this alert.
When a rule with the Audit only action is triggered:
- The sender doesn't get a notification and the message is delivered to the recipient.
Asynchronous scanning: Gmail on the web or mobile
When you use Gmail on the web or in a mobile app, messages are scanned asynchronously one more time as an extra security measure.
When a rule with the Block message action is triggered:
- The sender sees the message in their Sent mailbox.
- The sender gets a message indicating that the message was blocked. You can add a custom message in the rule for this alert.
When a rule with the Warn users action is triggered, the message is sent:
- The sender can see the message in their Sent mailbox.
- The message event is recorded in Rule log events.
When a rule with the Quarantine message action is triggered:
- The sender can see the message in their Sent mailbox.
- They might get a notification later if message sending was prevented by the reviewer.
When a rule with the Audit only action is triggered:
- The sender doesn't get any notification and the message is delivered to the recipient.
Messages created automatically by other Google products
Gmail sends automated notifications and messages created by other Google and Google Workspace services, including Google Calendar, Docs, and Drive. For example, when someone creates an event in Calendar and invites guests, a Gmail message with the event details is created and sent to event participants. The message is scanned on the server side. If the message content meets the conditions of any rule, the rule action is applied.
When a rule with the Block message action is triggered:
- The sender sees the message in their Sent mailbox.
- The sender gets a message indicating that the message was blocked. You can add a custom message in the rule for this notification.
When a rule with the Warn users action is triggered:
- The message is sent.
- The sender can see the message in their Sent mailbox.
- The message event is recorded in Rule log events.
When a rule with the Quarantine message action is triggered:
- The sender might get a notification later if message sending was prevented by the reviewer.
When a rule with the Audit only action is triggered:
- The message is sent.
- The sender doesn't get any notification.
DLP for Gmail interactions
How does DLP interact with other email rules?
Data protection rules are evaluated before content compliance rules and routing rules.
If no data protection rule blocks or quarantines the message, the message is then evaluated by content compliance and routing rules. If a content compliance or routing rule applies an action that creates another copy of the message (for example, adds a new recipient), DLP scans the new copies of the message before sending them.
For details, go to Set up rules for advanced email content filtering.
How does DLP for Gmail interact with groups?
Data protection rules apply to groups only when the rule is set for the entire organization. For messages sent, data protection rules support only the Block message action for groups. The Warn users and Quarantine message actions aren't supported for groups.
For messages received, data protection rules apply to the original copy received by the group. If classification labels are applied to the message, all group members’ copies of the received message will have the same classification.
Investigate data protection rule events using the security investigation tool
Run a search for Rule log events
The following example runs a search to investigate Gmail messages that triggered a data protection rule. You can use other conditions in your search, or no conditions at all.
- In the Google Admin console, go to Menu > Security > Security center > Investigation tool. Requires having the Security center administrator privilege.
- Click Data source > Rule log events.
- Click Condition builder > Add Condition > Attribute > Rule type.
- Select DLP.
- Click Search. From the search results at the bottom of the page, you can view a list of events with details about each event. Note: Sensitive content snippets aren't supported for Gmail DLP. As a result, the Has sensitive content column shows False even if a message contains sensitive content that triggered a data protection rule.
- Scroll to the Resource ID column and click Menu to display Gmail log events and Message ID.
- Click Search to open a new search page where Gmail log events is the data source.
- To view additional details, click Message ID for any line in the search results. A side panel displays additional details about your investigation.
- If prompted, enter the business need for viewing Gmail content, and then click Confirm.
Export DLP violations using BigQuery
You can export DLP violations logged in Rule log events to custom tables for further investigation. For details, go to Set up service log exports to BigQuery.
Share your feedback
In the Admin console on any data protection pages, click Send Feedback.