Schema for Gmail logs in BigQuery

When you load data into a table or create an empty table in BigQuery, you must specify a schema. The schema in this article defines and describes the fields associated with Gmail logs in BigQuery.

Learn how to specify and modify schemas in BigQuery.

To streamline your BigQuery tasks and let you manage all your BigQuery data in one place, we’re merging Gmail logs in BigQuery with Workspace logs and reports in BigQuery, starting in February 2023. You’ll manage BigQuery logs and reports for all your Workspace services in the same place in your Google Admin console. We recommend that you migrate your Gmail BigQuery views, queries, and scripts to Workspace logs and reports in BigQuery as soon as possible. For detailed steps, go to Migrate Gmail logs in BigQuery to Workspace logs in BigQuery.

Schema updates

We occasionally update the schema in this article. When new fields are added to the template table, the next daily table generated from the template has the new fields. If you want to query new fields, query daily tables generated after the template was updated.

Gmail Schema

event_info

Type RECORD Mode REQUIRED
Description General information of the event

event_info.elapsed_time_usec

Type INTEGER Mode NULLABLE
Description Total time duration of the event, in microseconds

event_info.success

Type BOOLEAN Mode REQUIRED
Description

True if the event was successful, otherwise false

For example, the value is false if the message was rejected by a policy.

event_info.timestamp_usec

Type INTEGER Mode REQUIRED
Description Time when this event started, in the form of a UNIX timestamp, in microseconds

message_info

Type RECORD Mode NULLABLE
Description General information about the message

message_info.action_type

Type INTEGER Mode NULLABLE
Description

The action this event represents.

Value

Description

1

Message received by inbound SMTP server.

2

Message accepted by Gmail and prepared for delivery. This step usually follows 1, or is the first step if you send from Gmail. For incoming messages, policies with reject dispositions are usually evaluated here. For example, an attachment compliance policy that rejects incoming messages. See also 68.

3

Message was handled by Gmail. For example, delivered to a Gmail mailbox or sent to another server. This step usually follows 2. Policies with dispositions other than reject are evaluated here. For example, an attachment compliance policy that strips attachments based on file type or other criteria.

10

Message sent out by outbound SMTP server.

14

A temporary error occurred when Gmail tried to deliver the message, and the message has been scheduled for retry. This is usually caused by external or internal servers that are temporarily unavailable. Retry later. For example, Gmail tried to deliver the message to an external SMTP server, but received temporary error.

18

Message could not be delivered and bounced. Sometimes you can find out what happened by reading message_info.description. Common reasons include:

  • The recipient server didn’t accept the request.

  • The message could not be delivered due to too many temporary errors (see 14).

  • The message was rejected due to a deferred policy evaluation.

  • The recipient is unrecognized and there’s no policy triggered to change the primary delivery route.

19

Message was dropped by Gmail. Common reasons include:

  • If a sent message triggers admin quarantine consequences, the original message is dropped and a copy of the message is added to the Admin Quarantine.

  • For a journaling message, the wrapped inner message is delivered but the original message is dropped.

  • For inbound messages, Gmail can block and drop messages if, for example:

    • The message is not compliant with RFC 5322.

    • The sender violates bulk senders guidelines.

  • If a policy removed the primary delivery route and added other routes, the original message is dropped and copies are delivered to the added routes.

  • If the recipient is an unrecognized address and there’s a policy that adds additional routes, the original message is dropped and copies are delivered to the added routes.
45 Message was accepted for delivery by the Google Groups subsystem.
46 Message's recipient address was a Google Group, and the recipient was expanded to each member of the Google Group that has message delivery enabled.

48

Message received by inbound SMTP server for relay.

49

Message sent through relay by outbound SMTP server.
51 Message was written to Google Groups storage.
54 Message was rejected by the Google Groups storage system.

55

Message was re-inserted into Gmail by policies that modify the primary delivery route or envelope recipient.

68

Message accepted by Gmail and prepared for delivery.

This is similar to 2, but the message was sent through a Gmail server.

69

A user changed the message’s spam classification in Gmail.

For example, a user marked it as spam, phishing, or not spam.

70

The message was reclassified as spam or phishing after it was delivered to Gmail.
71 A user took an action in the inbox after receiving the message. Post-delivery actions include opening a message, clicking a link in a message, and downloading an attachment. BigQuery export doesn't provide details about the action.

message_info.attachment

Type RECORD Mode REPEATED
Description

Information about the message’s attachments

This record is repeated for every attachment.

message_info.attachment.file_extension_type

Type STRING Mode NULLABLE
Description File extension (not mime part type), not including the period.

message_info.attachment.malware_family

Type INTEGER Mode NULLABLE
Description

Malware category, if detected when the message is handled. This field is unset if no malware is detected.

 

Value

Description

1

A known malicious program type of malware

2

A virus or worm type of malware

3

Possible harmful email content

4

Possible unwanted email content

5

Other type of malware

message_info.attachment.sha256

Type STRING Mode NULLABLE
Description SHA256 hash of the attachment

message_info.connection_info

Type RECORD Mode NULLABLE
Description Information about the connection the message was sent over

message_info.connection_info.authenticated_domain

Type RECORD Mode REPEATED
Description List of authenticated domain names and authentication mechanisms

message_info.connection_info.authenticated_domain.name

Type STRING Mode NULLABLE
Description Authenticated domain name

message_info.connection_info.authenticated_domain.type

Type INTEGER Mode NULLABLE
Description

Message authentication type (for example, SPF, DKIM).

Value

Description

1

SPF

2

DKIM

3

DKIM_PROXY

4

XOAR_SPF

5

XOAR_DKIM
6

ARC_SPF
7

ARC_DKIM

message_info.connection_info.client_host_zone

Type STRING Mode NULLABLE
Description Client host zone of the mail sender

message_info.connection_info.client_ip

Type STRING Mode NULLABLE
Description IP address of the mail client that started the message

message_info.connection_info.dkim_pass

Type BOOLEAN Mode NULLABLE
Description Indicates if the message was authenticated using at least one DKIM signature

message_info.connection_info.dmarc_pass

Type BOOLEAN Mode NULLABLE
Description Indicates if the message passed DMARC policy evaluation

message_info.connection_info.dmarc_published_domain

Type STRING Mode NULLABLE
Description Domain name used to evaluate the DMARC policy

message_info.connection_info.failed_smtp_out_connect_ip

Type STRING Mode REPEATED
Description List of all IPs in the remote MX record that Gmail attempted to connect to but failed

message_info.connection_info.ip_geo_city

Type STRING Mode NULLABLE
Description Nearest city computed based on the relay IP

message_info.connection_info.ip_geo_country

Type STRING Mode NULLABLE
Description ISO country code based on the relay IP

message_info.connection_info.is_internal

Type BOOLEAN Mode NULLABLE
Description Indicates if the message was sent within domains owned by the customer

message_info.connection_info.is_intra_domain

Type BOOLEAN Mode NULLABLE
Description Indicates if the message was sent within the same domain

message_info.connection_info.smtp_in_connect_ip

Type STRING Mode NULLABLE
Description Remote IP address for MTA client connections (inbound SMTP to Gmail)

message_info.connection_info.smtp_out_connect_ip

Type STRING Mode NULLABLE
Description Remote IP address for SMTP connections from Gmail

message_info.connection_info.smtp_out_remote_host

Type STRING Mode NULLABLE
Description For outgoing SMTP connections, the domain the message started from; the destination domain or the smarthost

message_info.connection_info.smtp_reply_code

Type INTEGER Mode NULLABLE
Description

SMTP reply code for inbound and outbound SMTP connections

Usually 2xx, 4xx, or 5xx.

message_info.connection_info.smtp_response_reason

Type INTEGER Mode NULLABLE
Description

Detailed reason for the SMTP reply code for inbound connections

Value

Description

1

Default reason messages are rejected or accepted

3

Malware

4

DMARC policy

5

Unsupported attachment (by Gmail)

6

Receive limit exceeded

7

Account over quota

8

Bad PTR record

9

Recipient doesn’t exist

10

Customer policy

12

RFC violation

13

Blatant spam

14

Denial of service

15

Malicious or spammy links

16

Low IP reputation

17

Low domain reputation

18

IP listed in public Real-time Blackhole List (RBL)
19 Temporarily rejected due to DoS limits
20 Permanently rejected due to DoS limits

 

message_info.connection_info.smtp_tls_cipher

Type STRING Mode NULLABLE
Description Name of the TLS cipher being used for secure connections to the SMTP server. Examples: AES128-SHA, ECDHE-ECDSA-AES256-GCM-SHA384, and DES-CBC3-SHA.

message_info.connection_info.smtp_tls_state

Type INTEGER Mode NULLABLE
Description

Type of connection made to the SMTP server. Only set for logs of events that explicitly handle SMTP connections.

Value

Description

0

Not TLS

1

TLS

message_info.connection_info.smtp_tls_version

Type STRING Mode NULLABLE
Description

Version of TLS being used for secure connections to the SMTP server (for example, TLSv1.2).

message_connection_info.smtp_user_agent_ip

Type STRING Mode NULLABLE
Description IP address of the mail user agent for inbound SMTP connections

message_info.connection_info.spf_pass

Type BOOLEAN Mode NULLABLE
Description Indicates if the message was authenticated with SPF

message_info.connection_info.tls_required_but_unavailable

Type BOOLEAN Mode NULLABLE
Description TLS is required for an outbound SMTP connection, but no valid certificate was present

message_info.description

Type STRING Mode NULLABLE
Description Human-readable description of what happened to the message

message_info.destination

Type RECORD Mode REPEATED
Description

Information about message recipients

This record is repeated for every recipient.

message_info.destination.address

Type STRING Mode NULLABLE
Description Email address of the recipient

message_info.destination.rcpt_response

Type INTEGER Mode NULLABLE
Description

Response of the SMTP RCPT command.

See message_info.connection_info.smtp_response_reason for an explanation of the values.

message_info.destination.selector

Type STRING Mode NULLABLE
Description

Subcategory for each service

See message_info.destination.service for an explanation of the values.

message_info.destination.service

Type STRING Mode NULLABLE
Description

The service at the message destination. There are many service and selector pairs for destinations. You can use these two fields to determine which service the message was sent to.

Service

Selector

Description

gmail-ui

sent-on-behalf-of-user

Message was sent to Gmail and a copy was kept in the user's Gmail Sent box.

gmail-ui

null

Message was sent to Gmail.

mailing-list-server

spam-check

Message was sent to Google Groups and was checked for spam.

mailing-list-server

null

Message was sent to Google Groups.

mailing-list-server

moderation

Message was sent to Google Groups and is pending administrator's moderation.

mailing-list-server

archive

Message was sent to Google Groups and is archived.

gmail-for-work-catchall

  

Message had unrecognized recipients and was delivered according to a catch-all rule.

smtp-outbound

gmail-delivery-server

Message was sent to outbound SMTP server and handled by Gmail delivery servers.

smtp-outbound

google-apps-for-work

Message was sent to outbound SMTP server and handled by Google Workspace Basic.

smtp-outbound

google-apps-for-work-starter

Message was sent to outbound SMTP server and handled by Google WorkspaceBasic.

smtp-outbound

gmail-notification

Message was sent to outbound SMTP server and handled by Gmail notification.

smtp-outbound

relay

Message was sent to outbound SMTP server and handled by Gmail relay servers.

smtp-outbound

gmail

Message was sent to outbound SMTP server.

smtp-outbound

gmail-for-work

Message was sent to outbound SMTP server and added by Gmail for business policies.

smtp-outbound

null

Message was sent to outbound SMTP server.
smtp-outbound-to-gmail gmail-delivery-server Message was sent to an outbound SMTP server, to a Gmail or Google Workspace  recipient.

message_info.destination.smime_decryption_success

Type BOOLEAN Mode NULLABLE
Description

For inbound messages only

When set, indicates that S/MIME decryption was attempted for this recipient.The value indicates the completion status. 

Not set if skipped

message_info.destination.smime_extraction_success

Type BOOLEAN Mode NULLABLE
Description

For inbound messages only

When set, indicates that S/MIME extraction was attempted for this recipient. The value indicates the completion status.

Not set if skipped

message_info.destination.smime_parsing_success

Type BOOLEAN Mode NULLABLE
Description

For inbound messages only

When set, indicates that S/MIME parsing was attempted for this recipient. The value indicates the completion status.

Not set if skipped

message_info.destination.smime_signature_verification_success

Type BOOLEAN Mode NULLABLE
Description

For inbound messages only

When set, indicates that S/MIME signature verification was attempted for this recipient. The value indicates the completion status.

Not set if skipped

message_info.flattened_destinations

Type STRING Mode NULLABLE
Description

String that has information of all recipient information flattened, in this format:
“service_for_recipient1:selector_for_recipient1:address_for_recipient1,
service_for_recipient2:selector_for_recipient2:address_for_recipient2”.

message_info.flattened_triggered_rule_info

Type STRING Mode NULLABLE
Description String that has information of all triggered rules, in JSON format

message_info.is_policy_check_for_sender

Type BOOLEAN Mode NULLABLE
Description

True if the policy rules were evaluated for the sender (the message was processed for outbound delivery)

False if the policy rules were evaluated for the recipient (the message was processed for inbound delivery)

message_info.is_spam

Type BOOLEAN Mode NULLABLE
Description True if the message was classified as spam

message_info.link_domain

Type STRING Mode REPEATED
Description Domains extracted from link URLs in the message body

message_info.message_set

Type RECORD Mode REPEATED
Description

Message set type that the message belongs to. See message_info.message_set.type.

message_info.message_set.type

Type INTEGER Mode NULLABLE
Description

Message set types are attributes that describe the message. For example, if the message was inbound, outbound, or internal.

Value

Description

1

Message is inbound (received from outside your domains). This message set doesn’t appear with message set 10.

2

Message is outbound (sent to a recipient outside your domains). This message set doesn’t appear with message set 10.
4 Message contains objectionable content, as defined by one of your policies.
6 Message triggered the walled garden rule you configured that restricts messages to authorized addresses or domains.

7

Gmail classified the message as spam.

8

Message being sent (outgoing message)

9

Message being received (incoming message)

10

Message that is internal to your domains

11

Message has a sender or recipients outside your domains.

For received messages: If message set 27 is missing, the sender couldn't be authenticated. The message is treated as having a sender outside your domain.

12

Message has some recipients inside your domain and some recipients outside your domain. This message set might appear when:

  • There are multiple recipients.

  • A message is being sent. For messages being received, recipients must all belong to the same domain.

  • Action type for the message is 2. Multi-recipient messages are split out into single-recipient messages.
13 The type of the message set is unknown.
15 The policy being checked against is tied to a Gmail user.
18 Message doesn’t have a default route.
19 The address list you configured for domain default routing matches the correspondent of the message.
20 Message is from an address in your blocked senders list.
21 Message was sent over TLS and the SSL certificate is valid.
22 Message was sent over TLS.
24 The recipient of this message is unknown.
25 Message is a non-delivery report responding to a message that was not delivered.
26 Message triggered a rerouting rule, which you configured in domain default routing.

27

Sender successfully passed SPF/DKIM/DMARC authentication. If the sender isn’t authenticated, the sender domain is untrusted and the message is not considered internal.
28 Exchange journal is archiving the message to Google Vault.
29 Message was routed through SMTP relay.
30 A recipient of the message matched one of the enumerated recipients (instead of a regular expression pattern) you configured for domain routing, or domain default routing.
31 Message matched a domain default routing condition you configured.
32

Message was created from an Exchange journal message for archiving to Google Vault.
33 Message has to be transmitted through a secure connection, such as TLS.
34 The policy being checked against is tied to a group instead of an individual Gmail user.
35 Message could not be authenticated in SMTP relay because it has an empty SMTP envelope-from address or is possibly an Exchange Journal message. It will be checked later at SMTP RCPT command time.
36 Message has aggressive spam filtering enabled.
37 Message is authenticated for SMTP relay.
39 Sender is from an authenticated domain for relay.
40 Message is from a Google Workspace user in the domain being authenticated for relay.
41

Sender has successfully authenticated with SMTP AUTH, and Gmail is trying to authenticate SMTP relay for the sender's domain.
42 Message was sent from an address that isn’t authenticated.
43 Message was rerouted through an alias table.
44 Message triggered a rule that changes the route of the mail flow.
45 Message is to a catch-all account and is being relayed to an on-premise server. System-of-record policies won't be applied to it.
46 Message bypassed the spam filter.

47

Message was detected to be spam by tag-and-deliver information in the inbound gateway settings.
48 Message was not checked for spam (by SMTP) due to a spam-override policy.
49 Always override spam rejection for the message.
50 Message matches a domain routing condition you configured.
51 Message triggered a rerouting rule that you configured for domain routing.
55 Message was created by the Exchange Journal generation setting.

57

Message was received from an inbound gateway rule that you configured.
60 Message is protected with Gmail confidential mode.
61 Message was caught by Security sandbox.
62 The address list you configured for domain default routing matches the SMTP envelope recipient instead of the correspondent of the message.
63 Message triggered a domain-level rerouting rule, which you configured for domain routing, or domain default routing

message_info.num_message_attachments

Type INTEGER Mode NULLABLE
Description Number of message attachments

message_info.payload_size

Type INTEGER Mode NULLABLE
Description Size of the message payload, in bytes

message_info.rfc2822_message_id

Type STRING Mode NULLABLE
Description RFC 2822 message ID for the message. To see this, select Show Original for the Gmail message.

message_info.smime_content_type

Type INTEGER Mode NULLABLE
Description

The top-level S/MIME type of a message, indicated by the Content-Type header.

Value

Description

0

Message does not have a recognized S/MIME Content-Type.

1

An S/MIME message with a detached signature

Indicated by content type multipart/signed with parameter protocol=application/pkcs7-signature.

2

An S/MIME message with an opaque signature

Indicated by content type application/pkcs7-mime or application/x-pkcs7-mime with parameter smime-type=signed-data.

3

An S/MIME message that is encrypted

Indicated by content type application/pkcs7-mime or application/x-pkcs7-mime with parameter smime-type=enveloped-data.

4

An S/MIME message that is compressed

Indicated by content type application/pkcs7-mime or application/x-pkcs7-mime with parameter smime-type=compressed-data.

message_info.smime_encrypt_message

Type BOOLEAN Mode NULLABLE
Description

For outbound messages only

When set and true, indicates the message should be encrypted.

message_info.smime_extraction_success

Type BOOLEAN Mode NULLABLE
Description

When set, indicates that inbound S/MIME processing occurred. Not set if skipped. The value indicates the completion status.

Note: Currently not set.

message_info.smime_packaging_success

Type BOOLEAN Mode NULLABLE
Description

For outbound messages only

When set, indicates that S/MIME packaging was attempted. Not set if skipped. The value indicates the completion status.

message_info.smime_sign_message

Type BOOLEAN Mode NULLABLE
Description

For outbound messages only

When set and true, indicates message should be signed.

message_info.smtp_relay_error

Type INTEGER Mode NULLABLE
Description

If Gmail rejects an SMTP relay request, this error code provides information about the cause of the rejection.

Value

Description

1

Authentication error

2

Daily rate limit was exceeded.

3

Peak rate limit was exceeded.

4

SMTP relay was abused.

5

Per-user rate limit was exceeded.

message_info.source

Type RECORD Mode NULLABLE
Description Information about the sender

message_info.source.address

Type STRING Mode NULLABLE
Description Email address of the sender

message_info.source.from_header_address

Type STRING Mode NULLABLE
Description From header address as it appears in the message headers, for example, [email protected]

message_info.source.from_header_displayname

Type STRING Mode NULLABLE
Description

From header display name as it appears in the message headers, for example, John Doe

Note: This field may be truncated if the log is too long, or the number of triggered rules (triggered_rule_info) in the log is too big.

message_info.source.selector

Type STRING Mode NULLABLE
Description

A subcategory of the source server

See message_info.source.service for value descriptions.

message_info.source.service

Type STRING Mode NULLABLE
Description

The source service for the message. Use these two fields to determine which service sent the message and why the message was generated.

Service

Selector

Description

calendar

send

Notifications from Google Calendar

gmail-ui

read-receipt

Gmail read-receipt feature

gmail-ui

autoforward

Gmail auto-forward feature

gmail-ui

unsubscribe

Gmail unsubscribe feature

gmail-ui

canned-response

Message sent by Gmail Canned Response feature

gmail-ui

vacation-response

Gmail vacation response feature

gmail-ui

send

Message sent from Gmail web UI.

docs

share

Sharing notification from Google Drive

groups

groups-ui

Message sent from Google Groups

keep

invites

Invitation email sent by Google Keep

mailing-list-server

custom-replies

Auto-replies from Google Groups

mailing-list-server

null

Sent from Google Groups

mailing-list-server

moderation

Sent from Google Groups moderation

mailing-list-server

to-archive

Sent from Google Groups archive

google-apps-script

user

Sent from Google Apps Script

mail-fetcher

null

Message pulled by Gmail Mail Fetcher

gmail-for-work

quarantine-delivery

Message released from the Quarantine Manager.

gmail-for-work

quarantine-notification

Non-delivery response sent to the original sender of a denied quarantined message.

gmail-for-work

policy

Message triggered a setting configured by the domain administrator.

gmail-for-work

comprehensive-mail-storage

Sent to Gmail servers due to a Comprehensive Mail Storage setting.

smtp-inbound

null

Message inserted from Google's SMTP servers to Gmail delivery pipeline.

smtp-msa

null

Message inserted from Google's SMTP servers (in authenticated mode) to the Gmail delivery pipeline.
smtp-relay relay Messages routed through the SMTP Relay setting.

smtp-relay

gmail-for-work

Messages routed through the SMTP Relay setting.

google-spreadsheets

google-forms-receipt

Notifications from Google Sheets

google-spreadsheets

google-forms-invite

Sharing invites from Google Sheets

unified-notifications

google-apps

Notification from Google Workspace

unified-notifications

null

Notification from a Google system

message_info.spam_info

Type RECORD Mode NULLABLE
Description Spam classification information

message_info.spam_info.classification_reason

Type INTEGER Mode NULLABLE
Description

Reason the message was classified as spam, phishing, or other classification.

Value

Description

1

Default spam classification reason

2

Message classified because of sender's past actions 

3

Suspicious content

4

Suspicious link

5

Suspicious attachment

6

Custom policy defined in Google Workspace Admin Console > Gmail settings

7

DMARC

8

Domain in public RBLs

9

RFC standards violation

10

Gmail policy violation

11

Machine learning verdict

12

Sender reputation

13

Blatant spam
14 Advanced phishing and malware protection

message_info.spam_info.classification_timestamp_usec

Type INTEGER Mode NULLABLE
Description Message spam classification timestamp

message_info.spam_info.disposition

Type INTEGER Mode NULLABLE
Description

The outcome of the Gmail spam classification

Value

Description

1

Message considered clean (not spam or malware)

2

Spam

3

Phishing

4

Suspicious

5

Malware

message_info.spam_info.ip_whitelist_entry

Type STRING Mode NULLABLE
Description

The IP whitelist entry that informed the classification, when the message is classified by a custom rule in Gmail settings.

message_info.structured_policy_log_info

Type RECORD Mode NULLABLE
Description Structured information about policies that were evaluated for the message. This includes information about journaling and detected file types.

message_info.structured_policy_log_info.detected_file_types

Type RECORD Mode REPEATED
Description Information about file types

message_info.structured_policy_log_info.detected_file_types.category

Type INTEGER Mode NULLABLE
Description

MIME type category

Value

Description

1

Unrecognized file type

2

Microsoft Office documents, including word processing, spreadsheet, presentation, and database documents. Includes PDF files. The file might or might not be encrypted.

3

Video and multimedia, for example, MPEG, Quicktime, WMV

4

Music and audio, for example,  MP3, AAC, WAV

5

Images, for example, JPEG, BMP, GIF

6

Archives, for example, ZIP, TAR, TGZ

7

Executables, for example EXE, COM, JS

8

Office documents that are encrypted.

9

Office documents that are not encrypted.

message_info.structured_policy_log_info.detected_file_types.mime_type

Type STRING Mode NULLABLE
Description MIME type of the file

message_info.structured_policy_log_info.exchange_journal_info

Type RECORD Mode NULLABLE
Description Information about Exchange journaling of the message

message_info.structured_policy_log_info.exchange_journal_info.recipients

Type STRING Mode REPEATED
Description Domain recipients for the journaled message known to Google

message_info.structured_policy_log_info.exchange_journal_info.rfc822_message_id

Type STRING Mode NULLABLE
Description RFC 822 message ID of the journaled message

message_info.structured_policy_log_info.exchange_journal_info.timestamp

Type INTEGER Mode NULLABLE
Description The timestamp of the journaled message, in seconds

message_info.structured_policy_log_info.exchange_journal_info.unknown_recipients

Type STRING Mode REPEATED
Description Domain recipients unknown to Google for the journaled message

message_info.subject

Type STRING Mode NULLABLE
Description Message subject. 

Note: This field may be truncated if the log is too long, or the number of triggered rules (triggered_rule_info) in the log is too big.

message_info.triggered_rule_info

Type RECORD Mode REPEATED
Description Information about policy rules triggered for the message

message_info.triggered_rule_info.consequence

Type RECORD Mode REPEATED
Description Information about a consequence applied to the message due to the triggered rule

message_info.triggered_rule_info.consequence.action

Type INTEGER Mode NULLABLE
Description

Action taken for the consequence

Value

Description

0

Consequence is a no-op

3

Put message in Admin Quarantine

4

Modify the primary delivery target

5

Add a delivery target

6

Added a message header

7

Overwrite the envelope recipient

9

Add message to specified message set

10

Modify the message labels

11

Prefix text to message subject

12

Add a footer to the message

13

Strip the message body

14

Store a copy of the message in the user’s mailbox, according to comprehensive mail storage setting.

15

Replace attachment with canned text

16

Require secure message delivery

17

Message can’t be delivered and bounced

18

Archive to Google Vault for recipients
20 Encrypt outbound message using S/MIME
21 Change the recipient user when message is received at SMTP.

message_info.triggered_rule_info.consequence.reason

Type STRING Mode NULLABLE
Description Reason the consequence was applied. Usually contains the unique description of a rule that triggered the consequence.

message_info.triggered_rule_info.consequence.subconsequence

Type RECORD Mode REPEATED
Description Information about a sub-consequence of the primary consequence

message_info.triggered_rule_info.consequence.subconsequence.action

Type INTEGER Mode NULLABLE
Description

Action taken for the sub-consequence

See consequence action for an description of possible values.

message_info.triggered_rule_info.consequence.subconsequence.reason

Type STRING Mode NULLABLE
Description Reason the sub-consequence was applied. Usually contains the unique description of a rule that triggered the consequence.

message_info.triggered_rule_info.policy_holder_address

Type STRING Mode NULLABLE
Description Email address of the policyholder whose policy triggered the rules

message_info.triggered_rule_info.rule_name

Type STRING Mode NULLABLE
Description Custom rule description provided by an administrator in the Admin Console

message_info.triggered_rule_info.rule_type

Type INTEGER Mode NULLABLE
Description

Custom rule type

Value

Description

0

Walled garden

7

Objectionable content

8

Content compliance

10

Received mail routing

11

Sent mail routing

12

Spam override

14

Blocked senders

15

Append footer

16

Attachment compliance

17

TLS compliance

18

Domain default routing

19

Inbound email journal acceptance in Vault

20

Outbound relay

21

Quarantine summary

22

Alternate secure route

23

Alias table

24

Comprehensive mail storage

25

Routing rule

26

Inbound gateway

27

S/MIME

28

Third-party email archiving
31 S/MIME restrict delivery

message_info.triggered_rule_info.spam_label_modifier

Type INTEGER Mode NULLABLE
Description

Describes the custom rule spam classification results

Value

Description

0

No action—the rule honored the Gmail spam classification verdict.

1

Spam—the rule classified the message as spam.

2

Not spam—the rule classified the message as not spam.

message_info.triggered_rule_info.string_match

Type RECORD Mode REPEATED
Description The rule was triggered because of a string match. For example, a content compliance rule that contains the information about the string matches.

message_info.triggered_rule_info.string_match.attachment_name

Type STRING Mode NULLABLE
Description

Name of the attachment where a matching string was found in the text extracted from a binary file.

Note: This field is currently not populated.

message_info.triggered_rule_info.string_match.match_expression

Type STRING Mode NULLABLE
Description

Match expression that an administrator set in the Admin Console.

Note: This field may be truncated if the log is too long, or the number of triggered rules (triggered_rule_info) in the log is too big.

 

message_info.triggered_rule_info.string_match.matched_string

Type STRING Mode NULLABLE
Description

String that triggered the rule. Sensitive information is hidden by * or .

Note: This field may be truncated if the log is too long, or the number of triggered rules (triggered_rule_info) in the log is too big.

message_info.triggered_rule_info.string_match.predefined_detector_name

Type STRING Mode NULLABLE
Description If this was a match of predefined detectors, shows the name of the predefined detector

message_info.triggered_rule_info.string_match.source

Type INTEGER Mode NULLABLE
Description

Location of the string matched in the message

Value

Description

0

Unknown

1

Message body, including text format attachments

2

Binary format attachments

3

Message headers

4

Subject

5

Sender header

6

Recipient header
7 Raw message

message_info.triggered_rule_info.string_match.type

Type INTEGER Mode NULLABLE
Description

Type of match

Value

Description

0

Undefined

1

Regular expression match

2

Predefined detector match

3

Simple content match

4

Non-ASCII match

message_info.upload_error_category

Type INTEGER Mode NULLABLE
Description

Error encountered while uploading the message to the destination

Value

Description

0

Uncategorized transient error

1

Recipient account is too busy

2

DNS error resolving recipient domain

3

Recipient’s server refused connection

4

Recipient is out of storage

Was this helpful?

How can we improve it?

Need more help?

Try these next steps:

Post to the help community Get answers from community members
Contact us Tell us more and we’ll help you get there
true
Start your free 14-day trial today

Professional email, online storage, shared calendars, video meetings and more. Start your free Google Workspace trial today.

Search
Clear search
Close search
Google apps
Main menu
902480131666867072
true
Search Help Center
true
true
true
true
true
73010
false
false