Restrict email messages to authorized addresses or domains only

By default, people in your Google Workspace organization can exchange email messages with any email address. However there may be times when you want to restrict the addresses or domains your users can exchange messages with. For example, a school might want to allow students to exchange messages with faculty, staff, and other students, but not with people outside of the school.

To limit messages to authorized addresses and domains, use the Restrict delivery setting on the Compliance settings page.

Keep in mind for restricted delivery

When you use the Restrict delivery settings to restrict message delivery, keep in mind:

  • Incoming messages: Users can receive messages only from addresses or domains you authorize with this setting. Messages sent from other domains or addresses are returned to the sender with a bounce message that describes the policy. Messages from domains that can't be verified with DKIM or SPF are also rejected.
  • Outgoing messages: People in your organization who try to send messages to an unauthorized domain get a bounce message stating why their message was not sent. You can provide custom text for the bounce message.
  • Internal email: To allow internal messages between users within your organization, use the Bypass this setting for internal messages option. Internal messages between your organization domains, including parent domains and subdomains, bypass this setting.
  • Google Chat: You can manage how people chat with people outside your organization, visit Set external chat options.
  • Google Docs Editors: The Restrict delivery setting blocks notifications messages from Google services, for example Gmail messages about Google Docs comments. To prevent this, set up Gmail to bypass this setting for internal messages. 
  • Google Groups: If you let people in your organization post to Groups, they might be able to bypass your Restrict delivery settings.

Set up message restrictions

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. In the Admin console, go to Menu and then Appsand thenGoogle Workspaceand thenGmailand thenCompliance.
  3. On the left, select an organizational unit. The new setting applies to everyone in the organizational unit, and you can set up different restrictions for different units.

  4. Scroll to the Restrict delivery setting and click Configure or Add another rule.

  5. In the Add setting box, take these steps:
     
    Setting options What to do
    Restrict delivery Enter a descriptive name for the setting. You must enter a name to save your setting.
    Add addresses or domains that you want to allow

    Select one or more existing address lists, or create one or more new address lists.

    Select one or more address lists that contains the addresses or domains that you allow for email messages. Address lists let you apply Gmail settings to specific email addresses or domains. The address list you select for this setting should include the allowed email addresses and domains.

    Important: Gmail checks against the "From:" part of the message header, not the envelope sender (or Return-path: section of the message header). So, the From: sender must exactly match an address or domain in the address list.

    Edit the default rejection notice for these messages.

    Enter a custom rejection notice. People in your organization who try to send messages to an unauthorized domain or address get a bounce email with this notice.

    To allow bounce messages, add [email protected] to your list of allowed senders. Bounce messages are sent from this address.

    Options

    To let internal messages bypass this setting, check the Bypass this setting for internal messages box.

    SPF or DKIM must authenticate internal messages to bypass this setting. Internal messages that aren't authenticated are rejected.

  6. At the bottom of the Add setting box, click Save. Changes can take up to 24 hours but typically happen more quickly. Learn more
    You can track changes in the Admin console audit log.

Related topics

Restrict S/MIME messages to authorized addresses or domains

Was this helpful?

How can we improve it?
Search
Clear search
Close search
Google apps
Main menu
2455195453830165220
true
Search Help Center
true
true
true
true
true
73010
false
false