Gmail DLP & automatic classification labels (beta)

Use DLP rule to automatically apply classification labels to Gmail messages

Supported editions for this feature: Frontline Standard; Enterprise Standard and Enterprise Plus; Education Fundamentals, Education Standard, Teaching and Learning Upgrade, and Education Plus. Compare your edition

DLP for Gmail is also available to Cloud Identity Premium users who are also licensed for Google Workspace editions that include Gmail.

After you create classification labels that let your users classify their messages, you can add data loss prevention (DLP) rules that automatically apply classification labels to messages, or that take action on messages based on their labels. Data protection with DLP rules helps you prevent data breaches in your organization.

DLP rules let you apply classification labels to messages automatically, based on message content and sensitivity. Labels help people in your organization understand message sensitivity and handle messages accordingly. Labels also help people in your organization understand the different types of information they work with, for example sensitive or confidential content, or content specific to certain projects or roles.

Automatic classification labels help prevent sensitive information from being shared in Gmail and third-party (non-Gmail) email apps, both inside your organization and externally.

This page is an overview of data protection rules and automatic classification labels, and describes how people in your organization interact with email messages that have rules and labels.

For detailed steps to set up rules that automatically apply classification labels to email messages, visit Prevent data leaks in email & attachments.

How automatic classification labels help protect your data

When someone in your organization tries to send an email message that contains personally identifiable information (PII) or other sensitive information, a data protection rule can automatically apply a classification label called Confidential to the message. The label indicates to recipients the level of sensitivity associated with the message. Organization policies can then be applied to the message based on the label. When recipients get the message, the label lets them know the message contents are sensitive and should be handled appropriately.

By adding more rules, you can manage what happens to outgoing messages based on their classification labels. For example, you can block messages with the Sensitive label from being sent. Create a rule with a block action that’s applied when someone tries to send a message with the Sensitive label. The sender gets an alert about the sensitive content, with the option to edit the message before trying to send it again.

Data protection rules can also quarantine sensitive messages for review before sending them. The sender gets an alert with the option to quarantine, or edit the message and try sending again. You can also add rules that audit messages only. This is useful for testing rules behavior and impact to users before you start quarantining or blocking messages. 

During beta, rules that use Classification label as a condition or an action are scanned asynchronously: 

  • If a message is blocked based on its classification label, the sender is notified with a bounce message.
  • If a message is quarantined based on its classification label, the sender might be notified when an admin blocks message delivery.
  • When a classification label is automatically applied by a rule, the sender isn’t notified and can’t see the label applied to the message in their sent mailbox.

Learn more about synchronous and asynchronous scanning

Automatic classification labels features and behavior

Rules that automatically apply classification labels to email messages are DLP rules. DLP rule features, behaviors, and limitations are described in Prevent data leaks in email & attachments.

  • Rules let you choose from multiple conditions to specify when to automatically apply classification labels to  outgoing messages. 
  • Rules can apply labels to messages from a specific organizational unit or group, or to your entire organization.
  • Rules apply labels when message content matches conditions you specify in the rule. For example, match a single word, a string, or a predefined data type, such as a taxpayer ID or passport number. You can specify where in the message the matching content appears. For example, content can appear anywhere in the message (including attachments), or only in the message headers or subject line. 
  • Rules that apply classification labels have the option to prevent users from changing labels, even if they have labels edit permissions. With this rule option, when a user tries to change a label that’s been automatically applied to a message, DLP immediately scans the message and reverts to the labels that were applied by the rule.
  • A message can have up to 20 labels, in any combination of user-visible, user-applied labels and automatically applied labels. To view labels, users must have View permission for the label. If a user tries to apply visible labels to a message, they get an error when the number of visible labels exceeds 20. When the number of manually applied and automatically applied messages exceeds 20, only the 20 top ranked labels are applied to the message.
  • You can apply multiple labels with a single rule.
  • You can use AND, OR, or NOT operators with conditions. For details, go to DLP for Drive rule nested condition operator examples.
  • Senders can’t see labels applied to their messages but they can see labels in replies to their labeled messages. And if they have View permissions for the labels, recipients can see the classification labels that have been automatically applied to messages they get. For details, on this page go to How users interact with classification labels.

Get started with automatic classification labels

Before you start using classification labels and data protection rules with email, you should:

How rules automatically apply classification labels 

Data protection rules scan messages and apply labels to, and enforce actions on, messages that meet the conditions in the rules.

Note: During beta, automated classification occurs asynchronously. Data protection rules with Classification label as a condition are also applied asynchronously. Labels are applied after the message leaves the sender's mailbox. To learn more, go to the section About synchronous & asynchronous scanning in Prevent data leaks in email & attachments.

  1. Sender composes message.
  2. Sender clicks Send and the message leaves the sender’s mailbox.
  3. The message is scanned. If the message has content that meets conditions in a rule with an Apply classification label action, the classification label is applied to the message.
    • After a classification label is applied, the message may trigger a rule that has a Classification label condition. If you haven’t created any additional data protection rules, this step is skipped.
    • The action defined in the rule determines what happens when the user tries to send the message. For details, go to How users interact with automatic classification labels, on this page.

When a user tries to send a message with sensitive content, they may get a bounce message. When this happens, they must compose the message again.

How users work with classification labels

People in your organization may already use one type of Gmail labels to organize their email. Classification labels have a different purpose and your users interact with them differently. What your users see depends on whether you’ve added data protection rules to manage outdoing messages that have classification labels applied.

When a user sends a new email message, DLP scans the message. If the message triggers a data protection rule that applies classification labels, one or more labels are applied to the message after the message is sent and leaves the sender’s mailbox. The sender can’t see classification labels while composing a message or in the copy of sent messages stored in their Sent mailbox. After a label is automatically applied to a message, and visible to recipients, the user interacts with the message in the same way as with messages with manually applied labels.

People who get new messages or message replies that have classification labels can see the labels that are applied to the message. Senders who get replies to their outgoing messages with labels may see some or all of the original labels in message replies.

For detailed information about working with classification labels, visit the Gmail help center.

Share your feedback

In the Admin console on any data protection pages, click Send Feedback.

Related topics

Was this helpful?

How can we improve it?
Search
Clear search
Close search
Main menu
2635334815901589754
true
Search Help Center
true
true
true
true
true
73010
false
false