When you load data into a table or create an empty table in BigQuery, you must specify a schema. The schema in this article defines and describes the fields associated with Gmail logs in BigQuery.
We occasionally update the schema in this article. When new fields are added to the template table, the next daily table generated from the template has the new fields. If you want to query new fields, query daily tables generated after the template was updated.
Learn how to specify and modify schemas in BigQuery.
Field name | event_info | ||
---|---|---|---|
Type | RECORD | ||
Mode | REQUIRED | ||
Description | General information about the event |
Field name | |||
---|---|---|---|
Type | STRING | ||
Mode | NULLABLE | ||
Description | The type of client or device where the action occurred, including WEB, IOS, ANDROID, IMAP, POP3, and API |
Field name | event_info.client_context.session_context.delegate_user_email | ||
---|---|---|---|
Type | STRING | ||
Mode | NULLABLE | ||
Description | Email address of the delegated user who performed the action on the account owner's behalf |
Field name | event_info.client_context.session_context.dusi | ||
Type | STRING | ||
Mode | NULLABLE | ||
Description | Identifier for a user's session on a specific device |
Field name | event_info.elapsed_time_usec | ||
---|---|---|---|
Type | INTEGER | ||
Mode | NULLABLE | ||
Description | Total time duration of the event, in microseconds |
Field name | event_info.mail_event_type | ||
---|---|---|---|
Type | INTEGER | ||
Mode | NULLABLE | ||
Description |
Logged event type. The event type corresponds to the Event attribute in Gmail log events in Security Investigation Tool. Possible values are: 0: Unknown mail event type 1: Message sent 2: Message received 3: A Gmail user manually applied a spam classification to the message. For example, the user marked the message as spam, phishing, or not spam. 4: Gmail flagged the message as spam after delivery. Several factors can cause this, including poor sender reputation or new virus hashes. 5: Message quarantined 6: Message released from quarantine 7: Message opened for the first time 8: Message marked as unread 9: Message replied to for the first time 10: Message forwarded for the first time 11: Message autoforwarded with a Gmail account forwarding setting 12: Message moved to Inbox 13: Message moved to Trash 14: Message removed from Trash 15: Link in message body was clicked 16: Link in message attachment link was clicked during attachment preview 17: One or more message attachments were downloaded 18: One or more message attachments saved to Google Drive 19: One or more Google Drive items in the message were saved to the recipient's Google Drive 20: Classification label applied to message 21: Message classification label change 22: Classification label removed from message 23: Classification label applied to all message attachments 24: Classification label changed on all message attachments 25: Classification label removed from all message attachments 26: Message archived 27: Message permanently deleted 28: One or more message attachments previewed 29: Message saved as draft 30: Message couldn't be delivered, and bounced 31: Message viewed, including first and following readings. For details on a known iOS issue, go to Google Workspace known issues. 32: Message downloaded Note: BiqQuery exports enabled between April 2024 and July 2024 don’t include historical View events between April 2024 and the date you enabled the export. BigQuery exports enabled in August 2024 and later include historical View events 6 months prior to the date you enabled the export. |
Field name | event_info.success | ||
Type | BOOLEAN | ||
Mode | REQUIRED | ||
Description |
True if the event was successful, otherwise false. For example, the value is false if the message was rejected by a policy. |
Field name | event_info.timestamp_usec | ||
Type | INTEGER | ||
Mode | REQUIRED | ||
Description | Time when this event started, in the form of a UNIX timestamp, in microseconds |
Field name | message_info | ||
Type | RECORD | ||
Mode | NULLABLE | ||
Description | General information about the message |
Field name | message_info.action_type | ||
Type | INTEGER | ||
Mode | NULLABLE | ||
Description |
The message delivery action that the event represents. Possible values: 1: Message received by inbound SMTP server 2: Message accepted by Gmail and prepared for delivery. This step usually follows 1, or is the first step if you send from Gmail. For incoming messages, policies with reject dispositions are typically evaluated here. For example, an attachment compliance policy that rejects incoming messages. 3: Gmail acted on the message. For example, delivered to a Gmail mailbox or sent to another server. This step usually follows 2. Policies with dispositions other than reject are evaluated here. For example, an attachment compliance policy that strips attachments based on file type or other criteria. 10: Message sent out by outbound SMTP server 14: A temporary error occurred when Gmail tried to deliver the message, and the message has been scheduled for retry. Typically, this is caused by external or internal servers that are temporarily unavailable. Retry later. For example, Gmail tried to deliver the message to an external SMTP server, but received temporary error. 18: Message could not be delivered and bounced. Sometimes you can find out what happened by reading message_info.description. Common reasons include:
19: Message was dropped by Gmail. Common reasons include:
45: Message was accepted for delivery by the Google Groups subsystem 46: Message's recipient address was a Google Group, and the recipient was expanded to each member of the Google Group that has message delivery enabled 48: Message received by inbound SMTP server for relay 49: Message sent through relay by outbound SMTP server 51: Message was written to Google Groups storage 54: Message was rejected by the Google Groups storage system 55: Message was re-inserted into Gmail by policies that modify the primary delivery route or envelope recipient 68: Message accepted by Gmail and prepared for delivery. This is similar to 2, but the message was sent through a Gmail server. 69: A user changed the message’s spam classification in Gmail. For example, a user marked it as spam, phishing, or not spam. 70: The message was reclassified as spam or phishing after it was delivered to Gmail. 71: A user took an action in the inbox after receiving the message. Post-delivery actions include opening a message, clicking a link in a message, and downloading an attachment. BigQuery export includes details about the action |
Field name | message_info.attachment | ||
Type | RECORD | ||
Mode | REPEATED | ||
Description |
Information about the message’s attachments. This record is repeated for every attachment. |
Field name | message_info.attachment.file_extension_type | ||
Type | STRING | ||
Mode | NULLABLE | ||
Description | File extension (not mime part type), not including the period |
Field name | message_info.attachment.file_name | ||
Type | STRING | ||
Mode | NULLABLE | ||
Description | File attachment name |
Field name | message_info.attachment.malware_family | ||
Type | INTEGER | ||
Mode | NULLABLE | ||
Description |
Malware category, if detected when the message is handled. This field is unset if no malware is detected. Possible values:
|
Field name | message_info.attachment.sha256 | ||
Type | STRING | ||
Mode | NULLABLE | ||
Description | SHA256 hash of the attachment |
Field name | message_info.connection_info | ||
Type | RECORD | ||
Mode | NULLABLE | ||
Description | Information about the connection the message was sent over |
Field name | message_info.connection_info.authenticated_domain | ||
Type | RECORD | ||
Mode | REPEATED | ||
Description | List of authenticated domain names and authentication mechanisms |
Field name | message_info.connection_info.authenticated_domain.name | ||
Type | STRING | ||
Mode | NULLABLE | ||
Description | Authenticated domain name |
Field name | message_info.connection_info.authenticated_domain.type | ||
Type | INTEGER | ||
Mode | NULLABLE | ||
Description |
Message authentication type (for example, SPF, DKIM). Possible values:
|
Field name | message_info.connection_info.client_host_zone | ||
Type | STRING | ||
Mode | NULLABLE | ||
Description | Client host zone of the mail sender |
Field name | message_info.connection_info.client_ip | ||
Type | STRING | ||
Mode | NULLABLE | ||
Description | IP address of the mail client that started the message |
Field name | message_info.connection_info.dkim_pass | ||
Type | BOOLEAN | ||
Mode | NULLABLE | ||
Description | Indicates if the message was authenticated using at least one DKIM signature |
Field name | message_info.connection_info.dmarc_pass | ||
Type | BOOLEAN | ||
Mode | NULLABLE | ||
Description | Indicates if the message passed DMARC policy evaluation |
Field name | message_info.connection_info.dmarc_pass | ||
Type | STRING | ||
Mode | NULLABLE | ||
Description | Domain name used to evaluate the DMARC policy |
Field name | message_info.connection_info.failed_smtp_out_connect_ip | ||
Type | STRING | ||
Mode | REPEATED | ||
Description | List of all IPs in the remote MX record that Gmail attempted to connect to but failed |
Field name | message_info.connection_info.ip_geo_city | ||
Type | STRING | ||
Mode | NULLABLE | ||
Description | Nearest city computed based on the relay IP |
Field name | message_info.connection_info.ip_geo_country | ||
Type | STRING | ||
Mode | NULLABLE | ||
Description | ISO country code based on the relay IP |
Field name | message_info.connection_info.is_internal | ||
Type | BOOLEAN | ||
Mode | NULLABLE | ||
Description | Indicates if the message was sent within domains owned by the customer |
Field name | message_info.connection_info.is_intra_domain | |
Type | BOOLEAN | |
Mode | NULLABLE | |
Description | Indicates if the message was sent within the same domain |
Field name | message_info.connection_info.smtp_in_connect_ip | ||
Type | STRING | ||
Mode | NULLABLE | ||
Description | Remote IP address for MTA client connections (inbound SMTP to Gmail) |
Field name | message_info.connection_info.smtp_out_connect_ip | ||
Type | STRING | ||
Mode | NULLABLE | ||
Description | Remote IP address for SMTP connections from Gmail |
Field name | message_info.connection_info.smtp_out_remote_host | ||
Type | STRING | ||
Mode | NULLABLE | ||
Description | For outgoing SMTP connections, the domain the message started from; the destination domain or the smarthost |
Field name | message_info.connection_info.smtp_reply_code | ||
Type | INTEGER | ||
Mode | NULLABLE | ||
Description |
SMTP reply code for inbound and outbound SMTP connections. Usually 2xx, 4xx, or 5xx. |
Field name | message_info.connection_info.smtp_tls_cipher | ||
Type | STRING | ||
Mode | NULLABLE | ||
Description | Name of the TLS cipher being used for secure connections to the SMTP server. Examples: AES128-SHA, ECDHE-ECDSA-AES256-GCM-SHA384, and DES-CBC3-SHA. |
Field name | message_info.connection_info.smtp_tls_state | ||
Type | INTEGER | ||
Mode | NULLABLE | ||
Description |
Type of connection made to the SMTP server. Only set for logs of events that explicitly handle SMTP connections. Values:
|
Field name | message_info.connection_info.smtp_tls_version |
Type | STRING |
Mode | NULLABLE |
Description | TLS version used for secure connections to the SMTP server. For example, TLSv1.2. |
Field name |
message_connection_info.smtp_user_agent_ip |
Type | STRING |
Mode | NULLABLE |
Description | IP address of the mail user agent for inbound SMTP connections |
Field name | message_info.connection_info.spf_pass |
Type | BOOLEAN |
Mode | NULLABLE |
Description | Indicates if the message was authenticated with SP |
Field name | message_info.connection_info.tls_required_but_unavailable |
Type | BOOLEAN |
Mode | NULLABLE |
Description | TLS is required for an outbound SMTP connection, but no valid certificate was present |
Field name | message_info.description |
Type | STRING |
Mode | NULLABLE |
Description | Human-readable description of what happened to the message |
Field name | message_info.destination |
Type | RECORD |
Mode | REPEATED |
Description | Information about message recipients. This record is repeated for every recipient. |
Field name | message_info.destination.address |
Type | STRING |
Mode | NULLABLE |
Description | Recipient email address |
Field name |
message_info.destination.rcpt_response |
Type | INTEGER |
Mode | NULLABLE |
Description | Response of the SMTP RCPT command. Go to message_info.connection_info.smtp_response_reason for value definitions. |
Field name | message_info.destination.selector | ||
Type | STRING | ||
Mode | NULLABLE | ||
Description |
Subcategory for each service. Go to message_info.destination.service for value definitions. |
Field name | message_info.destination.smime_decryption_success | ||
Type | BOOLEAN | ||
Mode | NULLABLE | ||
Description |
For inbound messages only. When set, indicates that S/MIME decryption was attempted for this recipient.The value indicates the completion status. Not set if skipped. |
Field name | message_info.destination.smime_extraction_success | ||
Type | BOOLEAN | ||
Mode | NULLABLE | ||
Description |
For inbound messages only. When set, indicates that S/MIME extraction was attempted for this recipient. The value indicates the completion status. Not set if skipped. |
Field name | message_info.destination.smime_parsing_success | ||
Type | BOOLEAN | ||
Mode | NULLABLE | ||
Description |
For inbound messages only. When set, indicates that S/MIME parsing was attempted for this recipient. The value indicates the completion status. Not set if skipped. |
Field name | message_info.destination.smime_signature_verification_success | ||
Type | BOOLEAN | ||
Mode | NULLABLE | ||
Description |
For inbound messages only. When set, indicates that S/MIME signature verification was attempted for this recipient. The value indicates the completion status. Not set if skipped. |
Field name | message_info.flattened_destinations | ||
Type | STRING | ||
Mode | NULLABLE | ||
Description |
String that has information of all recipient information flattened, in this format: |
Field name | message_info.flattened_triggered_rule_info | ||
Type | STRING | ||
Mode | NULLABLE | ||
Description | String that has information of all triggered rules, in JSON format |
Field name | message_info.is_policy_check_for_sender | ||
Type | BOOLEAN | ||
Mode | NULLABLE | ||
Description |
True if the policy rules were evaluated for the sender (the message was processed for outbound delivery). False if the policy rules were evaluated for the recipient (the message was processed for inbound delivery). |
Field value | message_info.is_spam | ||
Type | BOOLEAN | ||
Mode | NULLABLE | ||
Description | True if the message was classified as spam |
Field name | message_info.link_domain | ||
Type | STRING | ||
Mode | REPEATED | ||
Description | Domains extracted from link URLs in the message body |
Field name | message_info.message_set | ||
Type | RECORD | ||
Mode | REPEATED | ||
Description |
Message set type that the message belongs to. Go to message_info.message_set.type for more information. |
Field name | message_info.message_set.type | ||
Type | INTEGER | ||
Mode | NULLABLE | ||
Description |
Message set types are attributes that describe the message. For example, if the message was inbound, outbound, or internal. Possible values: 1: Message is inbound (received from outside your domains). This message set doesn’t appear with message set 10. 2: Message is outbound (sent to a recipient outside your domains). This message set doesn’t appear with message set 10. 4: Message contains objectionable content, as defined by one of your policies 6: Message triggered the walled garden rule you configured that restricts messages to authorized addresses or domains 7: Gmail classified the message as spam 8: Message being sent (outgoing message) 9: Message being received (incoming message) 10: Message that is internal to your domains 11: Message has a sender or recipients outside your domains. For received messages: If message set 27 is missing, the sender couldn't be authenticated. The message is treated as having a sender outside your domain. 12: Message has some recipients inside your domain and some recipients outside your domain. This message set might appear when:
13: The type of the message set is unknown 15: The policy being checked against is tied to a Gmail user 18: Message doesn’t have a default route 19: The address list you configured for domain default routing matches the correspondent of the message 20: Message is from an address in your blocked senders list 21: Message was sent over TLS and the SSL certificate is valid. 22: Message was sent over TLS 24: The recipient of this message is unknown 25: Message is a non-delivery report responding to a message that was not delivered 26: Message triggered a rerouting rule, which you configured in domain default routing 27: Sender successfully passed SPF/DKIM/DMARC authentication. If the sender isn’t authenticated, the sender domain is untrusted and the message is not considered internal. 28: Exchange journal is archiving the message to Google Vault 29: Message was routed through SMTP relay 30: A recipient of the message matched one of the enumerated recipients (instead of a regular expression pattern) you configured for domain routing, or domain default routing 31: Message matched a domain default routing condition you configured 32: Message was created from an Exchange journal message for archiving to Google Vault. 33: Message has to be transmitted through a secure connection, such as TLS 34: The policy being checked against is tied to a group instead of an individual Gmail user 35: Message could not be authenticated in SMTP relay because it has an empty SMTP envelope-from address or is possibly an Exchange Journal message. It will be checked later at SMTP RCPT command time. 36: Message has aggressive spam filtering enabled 37: Message is authenticated for SMTP relay 39: Sender is from an authenticated domain for relay 40: Message is from a Google Workspace user in the domain being authenticated for relay 41: Sender has successfully authenticated with SMTP AUTH, and Gmail is trying to authenticate SMTP relay for the sender's domain 42: Message was sent from an address that isn’t authenticated 43: Message was rerouted through an alias table 44: Message triggered a rule that changes the route of the mail flow 45: Message is to a catch-all account and is being relayed to an on-premise server. System-of-record policies won't be applied to it. 46: Message bypassed the spam filter 47: Message was detected to be spam by tag-and-deliver information in the inbound gateway settings 48: Message was not checked for spam (by SMTP) due to a spam-override policy 49: Always override spam rejection for the message 50: Message matches a domain routing condition you configured 51: Message triggered a rerouting rule that you configured for domain routing 55: Message was created by the Exchange Journal generation setting 57: Message was received from an inbound gateway rule that you configured 60: Message is protected with Gmail confidential mode 61: Message was received by Security sandbox 62: The address list you configured for domain default routing matches the SMTP envelope recipient instead of the correspondent of the message 63: Message triggered a domain-level rerouting rule, which you configured for domain routing, or domain default routing |
Field name | message_info.num_message_attachments | ||
Type | INTEGER | ||
Mode | NULLABLE | ||
Description | Number of message attachments |
Field name | message_info.payload_size | ||
Type | INTEGER | ||
Mode | NULLABLE | ||
Description | Size of the message payload, in bytes |
Field name | message_info.post_delivery_info | ||
Type | RECORD | ||
Mode | NULLABLE | ||
Description | Information about the post-delivery event. It is set only when the message_info.action_type value is 71. |
Field name | message_info.post_delivery_info.action_type | ||
Type | INTEGER | ||
Mode | NULLABLE | ||
Description |
Post-delivery action type. Possible values: 1: Message opened for the first time 2: Message marked as unread 3: Message replied 4: Message forwarded 5: Message auto-forwarded by a Gmail setting 6: Message moved to inbox 7: Message moved to trash 8: Message moved out of trash 9: A link in the message body was clicked 10: One or more message attachments were downloaded 11: A link in an attachment was clicked when the attachment was previewed 12: One or more message attachments were saved to Google Drive 13: A link in the add-on was clicked 14: One or more Google Drive items in the message were downloaded 15: One or more Google Drive items in the message were saved to the recipient's Google Drive 16: A classification label was applied to or changed for the message 17: A classification label was applied to or changed for message attachments 18: Message archived 19: Message permanently deleted 20: One or more message attachments were previewed 21: Eecipient blocked the message sender 22: Message saved as draft 23: Message viewed, including first and following readings 24: Message downloaded |
Field name | message_info.post_delivery_info.interaction | ||
Type | RECORD | ||
Mode | NULLABLE | ||
Description | Information about the user's interaction with message links, Drive items, or attachments. The type of interaction is indicated by the message_info.post_delivery_info.action_type. |
Field name | message_info.post_delivery_info.interaction.link_url | ||
Type | STRING | ||
Mode | NULLABLE | ||
Description | The URL associated with the interaction, which is set set only for link click interactions |
Field name | message_info.post_delivery_info.interaction.drive_id | ||
Type | STRING | ||
Mode | NULLABLE | ||
Description | The unique ID of the Google Drive item associated with the interaction. This ID is used to access the item in Drive. This field is set only for Drive attachment interactions. |
Field name | message_info.post_delivery_info.interaction.attachment | ||
Type | RECORD | ||
Mode | NULLABLE | ||
Description | The target attachments of the interaction, which are set only for attachment interactions. For example, if the user selects only one attachment to download, this field contains information for the selected attachment only. If the user selects Download all attachments, this field contains information for all attachments. |
Field name | message_info.post_delivery_info.interaction.attachment.file_extension_type |
Type | STRING |
Mode | NULLABLE |
Description | File extension (not MIME part type), not including the period |
Field name | message_info.post_delivery_info.interaction.attachment.file_name |
Type | STRING |
Mode | NULLABLE |
Description | Attachment file name |
Field name | message_info.post_delivery_info.interaction.attachment.malware_family | ||
Type | INTEGER | ||
Mode | NULLABLE | ||
Description |
Malware type, if malware is detected during message handling. If no malware is detected, this field is not set. Possible values: 1: Known malicious program type of malware 2: Virus or worm type of malware 3: Possible harmful message content 4: Possible unwanted message content 5: Other type of malware |
Field name | message_info.post_delivery_info.interaction.attachment.sha256 | ||
Type | RECORD | ||
Mode | NULLABLE | ||
Description | SHA256 hash of the attachment |
Field name | message_info.post_delivery_info.data_classification |
Type | RECORD |
Mode | NULLABLE |
Description | Information of the email classification. It is set if message_info.post_delivery_info.action_type value is 16 or 17. |
Field name | message_info.post_delivery_info.data_classification.classified_entity |
Type | INTEGER |
Mode | NULLABLE |
Description |
Entity type that was classified. Possible values: 1: Message body 2: Attachment |
Field name | message_info.post_delivery_info.data_classification.event_type |
Type | INTEGER |
Mode | NULLABLE |
Description |
Classification event type. Possible values: 1: Label changed 2: Label newly applied 3: Label removed |
Field name | message_info.post_delivery_info.data_classification.labels |
Type | RECORD |
Mode | NULLABLE |
Description | Classification labels on the entity after the classification event happened |
Field name | message_info.post_delivery_info.data_classification.labels.field_value_display_name |
Type | STRING |
Mode | NULLABLE |
Description | Label display name |
Field name | message_info.post_delivery_info.data_classification.previous_labels |
Type | RECORD |
Mode | NULLABLE |
Description | Classification labels on the entity before the classification event happened |
Field name | message_info.post_delivery_info.data_classification.previous_labels.field_value_display_name |
Type | RECORD |
Mode | NULLABLE |
Description | Previous label's display name |
Field name | message_info.rfc2822_message_id |
Type | STRING |
Mode | NULLABLE |
Description | RFC 2822 message ID for the message. To see this, select Show Original for the Gmail message. |
Field name | message_info.smime_content_type | ||
Type | INTEGER | ||
Mode | NULLABLE | ||
Description |
The top-level S/MIME type of a message, indicated by the Content-Type: header. Possible values: 0: Message does not have a recognized S/MIME Content-Type 1: An S/MIME message with a detached signature, indicated by content type multipart/signed with parameter protocol=application/pkcs7-signature 2: An S/MIME message with an opaque signature, indicated by content type application/pkcs7-mime or application/x-pkcs7-mime with parameter smime-type=signed-data 3: An S/MIME message that is encrypted, indicated by content type application/pkcs7-mime or application/x-pkcs7-mime with parameter smime-type=enveloped-data 4: An S/MIME message that is compressed, indicated by content type application/pkcs7-mime or application/x-pkcs7-mime with parameter smime-type=compressed-data |
Field name | message_info.smime_encrypt_message |
Type | BOOLEAN |
Mode | NULLABLE |
Description |
For outbound messages only. When set and true, indicates the message should be encrypted. |
Field name | message_info.smime_extraction_success |
Type | BOOLEAN |
Mode | NULLABLE |
Description |
When set, indicates that inbound S/MIME processing occurred. Not set if skipped. The value indicates the completion status. Note: Currently not set. |
Field name | message_info.smime_packaging_success |
Type | BOOLEAN |
Mode | NULLABLE |
Description |
For outbound messages only. When set, indicates that S/MIME packaging was attempted. Not set if skipped. The value indicates the completion status. |
Field name | message_info.smime_sign_message |
Type | BOOLEAN |
Mode | NULLABLE |
Description | For outbound messages only. When set and true, indicates message should be signed. |
Field name | message_info.smtp_relay_error | ||
Type | INTEGER | ||
Mode | NULLABLE | ||
Description |
If Gmail rejects an SMTP relay request, this error code provides information about the cause of the rejection. Possible values: 1: Authentication error 2: Daily rate limit exceeded 3: Peak rate limit exceeded 4: Abuse of SMTP relay 5: Per-user rate limit exceeded |
Field name | message_info.source |
Type | RECORD |
Mode | NULLABLE |
Description | Information about the sender |
Field name | message_info.source.address |
Type | STRING |
Mode | NULLABLE |
Description | Email address of the sender |
Field name | message_info.source.from_header_address |
Type | STRING |
Mode | NULLABLE |
Description | From: header address as it appears in the message headers, for example, [email protected] |
Field name | message_info.source.from_header_displayname |
Type | STRING |
Mode | NULLABLE |
Description |
From: header display name as it appears in the message headers, for example, John Doe. This field might be truncated if the log is too long or if there are too many triggered rules (triggered_rule_info) in the log. |
Field name | message_info.source.selector |
Type | STRING |
Mode | NULLABLE |
Description |
A subcategory of the source server. For value descriptions, go to message_info.source.service. |
Field name | message_info.source.service | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Type | STRING | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Mode | NULLABLE | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description |
The source service for the message. Use these two fields to determine which service sent the message and why the message was generated.
|
Field name | message_info.spam_info |
Type | RECORD |
Mode | NULLABLE |
Description | Spam classification information |
message_info.spam_info.classification_reason
Type | INTEGER | Mode | NULLABLE |
---|---|---|---|
Description |
Reason the message was classified as spam, phishing, or other classification. Possible values: 1: Default spam classification reason 2: Message classified because of sender's past actions 3: Suspicious content 4: Suspicious link 5: Suspicious attachment 6: Custom policy defined in Google Workspace Gmail settings 7: DMARC 8: Domain in public RBLs 9: RFC standards violation 10: Gmail policy violation 11: Machine learning verdict 12: Sender reputation 13: Blatant spam 14: Advanced phishing and malware protection |
Field name | message_info.spam_info.classification_timestamp_usec |
Type | INTEGER |
Mode | NULLABLE |
Description | Message spam classification timestamp |
Field name | message_info.spam_info.disposition |
Type | INTEGER |
Mode | NULLABLE |
Description |
The outcome of the Gmail spam classification. Possible values: 1: Not spam or malware 2: Spam 3: Phishing 4: Suspicious 5: Malware |
Field name | message_info.spam_info.ip_whitelist_entry |
Type | STRING |
Mode | NULLABLE |
Description | The IP whitelist entry that informed the classification, when the message is classified by a custom rule in Gmail settings |
Field name | message_info.structured_policy_log_info |
Type | RECORD |
Mode | NULLABLE |
Description | Structured information about policies that were evaluated for the message, including information about journaling and detected file types |
Field name | message_info.structured_policy_log_info.detected_file_types |
Type | RECORD |
Mode | REPEATED |
Description | Information about file types |
Field name | message_info.structured_policy_log_info.detected_file_types.category | ||
Type | INTEGER | ||
Mode | NULLABLE | ||
Description |
MIME type category. Possible values: 1: Unrecognized file type 2: Microsoft Office documents, including word processing, spreadsheet, presentation, and database documents. Includes PDF files. The file might or might not be encrypted. 3: Video and multimedia, for example, MPEG, Quicktime, or WMV 4: Music and audio, for example, MP3, AAC, and WAV 5: Images, for example, JPEG, BMP, or GIF 6: Archives, for example, ZIP, TAR, or TGZ 7: Executables, for example EXE, COM, or JS 8: Encryped Office documents 9: Office documents that aren't encrypted |
Field name | message_info.structured_policy_log_info.detected_file_types.mime_type |
Type | STRING |
Mode | NULLABLE |
Description | File MIME type |
Field name | message_info.structured_policy_log_info.exchange_journal_info |
Type | RECORD |
Mode | NULLABLE |
Description | Information about Exchange journaling of the message |
Field name | message_info.structured_policy_log_info.exchange_journal_info.recipients |
Type | STRING |
Mode | REPEATED |
Description | Domain recipients for the journaled message known to Google |
Field name | message_info.structured_policy_log_info.exchange_journal_info.rfc822_message_id |
Type | STRING |
Mode | NULLABLE |
Description | RFC 822 message ID of the journaled message |
Field name | message_info.structured_policy_log_info.exchange_journal_info.timestamp |
Type | INTEGER |
Mode | NULLABLE |
Description | The timestamp of the journaled message, in seconds |
Field name | message_info.structured_policy_log_info.exchange_journal_info.unknown_recipients |
Type | STRING |
Mode | REPEATED |
Description | Domain recipients unknown to Google for the journaled message |
Field name | message_info.subject | ||
Type | STRING | ||
Mode | NULLABLE | ||
Description | Message subject.This field may be truncated if the log is too long, or the number of triggered rules (triggered_rule_info) in the log is too big. |
Field name | message_info.triggered_rule_info | ||
Mode | RECORD | ||
Type | REPEATED | ||
Description | Information about policy rules triggered for the message |
Field name | message_info.triggered_rule_info.consequence | ||
Type | RECORD | ||
Mode | REPEATED | ||
Description | Information about a consequence applied to the message due to the triggered rule |
Field name | message_info.triggered_rule_info.consequence.action | ||
Type | INTEGER | ||
Mode | NULLABLE | ||
Description |
Action taken for the consequence. Possible values: 0: Consequence is a no-op 3: Put message in Admin Quarantine 4: Modify the primary delivery target 5: Add a delivery target 6: Added a message header 7: Overwrite the envelope recipient 9: Add message to specified message set 10: Modify the message labels 11: Prefix text to message subject 12: Add a footer to the message 13: Strip the message body 14: Store a copy of the message in the user’s mailbox, according to comprehensive mail storage setting 15: Replace attachment with canned text 16: Require secure message delivery 17: Message can’t be delivered and bounced 18: Archive to Google Vault for recipients 20: Encrypt outbound message using S/MIME 21: Change the recipient user when message is received at SMTP |
Field name | message_info.triggered_rule_info.consequence.reason |
Type | STRING |
Mode | NULLABLE |
Description | Reason the consequence was applied. Usually contains the unique description of a rule that triggered the consequence. |
Field name | message_info.triggered_rule_info.consequence.subconsequence |
Type | RECORD |
Mode | REPEATED |
Description | Information about a sub-consequence of the primary consequence |
Field name | message_info.triggered_rule_info.consequence.subconsequence.action |
Type | INTEGER |
Mode | NULLABLE |
Description | Action taken for the sub-consequence. Go to consequence action for a description of possible values. |
Field name | message_info.triggered_rule_info.consequence.subconsequence.reason | ||
Type | STRING | ||
Mode | NULLABLE | ||
Description | Reason the sub-consequence was applied. Usually contains the unique description of a rule that triggered the consequence. |
Field name | message_info.triggered_rule_info.policy_holder_address |
Type | STRING |
Mode | NULLABLE |
Description | Email address of the policyholder whose policy triggered the rules |
Field name | message_info.triggered_rule_info.rule_name |
Type | STRING |
Mode | NULLABLE |
Description | Custom rule description entered in the Admin console |
Field name | message_info.triggered_rule_info.rule_type | ||
Type | INTEGER | ||
Mode | NULLABLE | ||
Description |
Custom rule type. Possible values: 0: Walled garden 7: Objectionable content 8: Content compliance 10: Received mail routing 11: Sent mail routing 12: Spam override 14: Blocked senders 15: Append footer 16: Attachment compliance 17: TLS compliance 18: Domain default routing 19: Inbound email journal acceptance in Vault 20: Outbound relay 21: Quarantine summary 22: Alternate secure route 23: Alias table 24: Comprehensive mail storage 25: Routing rule 26: Inbound gateway 27: S/MIME 28: Third-party email archiving |
Field name | message_info.triggered_rule_info.spam_label_modifier | ||
Type | INTEGER | ||
Mode | NULLABLE | ||
Description |
Describes the custom rule spam classification results. Possible values: 0: No action—The rule honored the Gmail spam classification outcome 1: Spam—The rule classified the message as spam 2: Not spam—the rule classified the message as not spam |
Field name | message_info.triggered_rule_info.string_match |
Type | RECORD |
Mode | REPEATED |
Description | The rule was triggered because of a string match. For example, a content compliance rule that contains the information about the string matches. |
Field name | message_info.triggered_rule_info.string_match.attachment_name |
Type | STRING |
Mode | NULLABLE |
Description |
Name of the attachment where a matching string was found in the text extracted from a binary file. Note: This field is currently not populated. |
Field name | message_info.triggered_rule_info.string_match.match_expression | ||
Type | STRING | ||
Mode | NULLABLE | ||
Description |
Match expression set in the Admin console. This field may be truncated if the log is too long, or the number of triggered rules (triggered_rule_info) in the log is too big. |
Field name | message_info.triggered_rule_info.string_match.matched_string |
Type | STRING |
Mode | NULLABLE |
Description |
String that triggered the rule. Sensitive information is hidden by * or . This field might be truncated if the log is too long, or the number of triggered rules (triggered_rule_info) in the log is too large. |
Field name | message_info.triggered_rule_info.string_match.predefined_detector_name |
Type | STRING |
Mode | NULLABLE |
Description | If this was a match of predefined detectors, indicates the name of the predefined detector |
Field name | message_info.triggered_rule_info.string_match.source |
Type | INTEGER |
Mode | NULLABLE |
Description |
Location of the string matched in the message. Possible values: 0: Unknown 1: Message body, including text format attachments 2: Binary format attachments 3: Message headers 4: Subject 5: Sender header 6: Recipient header 7: Raw message |
Field name | message_info.triggered_rule_info.string_match.type | ||
Type | INTEGER | ||
Mode | NULLABLE | ||
Description |
Type of match. Possible values:
|
Field name | message_info.upload_error_category | ||
Type | INTEGER | ||
Mode | NULLABLE | ||
Description |
Error encountered while uploading the message to the destination. Possible values:
|
Field name | resource_details |
Field type | REPEATED |
Description | Empty, or exactly 1 element describing a message and the labels associated with the message |
Field name | resource_details.id |
Field type | STRING |
Description | RFC 2822 message ID of the message. Set only when the message has labels. |
Field name | resource_details.title |
Field type | STRING |
Description | Message subject. Set only set when the message has labels. |
Field name | resource_details.type |
Field type | STRING |
Description | Always EMAIL for Gmail events |
Field name | resource_details.applied_labels |
Field type | REPEATED |
Description | Describes labels associated with the message |
Field name | resource_details.applied_labels.id |
Field type | STRING |
Description | Label ID |
Field name | resource_details.applied_labels.title |
Field type | STRING |
Description | Label title |
Field name | resource_details.applied_labels.field_values |
Field type | REPEATED |
Description | Label fields description |
Field name | resource_details.applied_labels.field_values.id |
Field type | STRING |
Description | Field ID |
Field name | resource_details.applied_labels.field_values.display_name |
Field type | STRING |
Description | Field display name |
Field name | resource_details.applied_labels.field_values.type |
Field type | STRING |
Description | Always SELECTION because Gmail currently supports only a selection field |
Field name | resource_details.applied_labels.field_values.selection_value |
Field type | RECORD |
Description | Selection field choice |
Field name | resource_details.applied_labels.field_values.selection_value.id |
Field type | STRING |
Description | Choice ID |
Field name | resource_details.applied_labels.field_values.selection_value.display_name |
Field type | STRING |
Description | Choice display name |
Field name | resource_details.applied_labels.field_values.selection_value.badged |
Field type | BOOLEAN |
Description | Indicates whether the choice is badged |