When I was recently working on a Google Workspace deployment project, customer asked me if its possible to watch users emails, So I did some research and testing to find if its really possible.
Author – Goldy Arora – Google Workspace Certified Consultant
Google allows Google Workspace administrators to monitor and audit users emails. An Administrator may use Google Vault, Content Compliance rules, Audit API or Email delegation to view and audit users emails. It is recommend for Google Workspace Administrators to consider their local laws before performing email auditing on their users mailboxes.
In this video (or article below), i’ll show you how you can get bcc copy of your users/employees emails without knowing their Google Workspace password.
You should be a Google Workspace Administrator, and must be using Google Workspace Basic, Business, Government, Education or Enterprise edition as it does not work for Google Workspace Free.
Article Overview-:
Scenario -:
Solution Explanation-:
System Requirements-:
To achieve this, we need to login to our Google Workspace admin console, watch the video to see 3 possible ways to access admin console.
I assume you have administration permission to perform this task, if not, then you can watch this tutorial to see how to become Google Workspace Administrator or delegated administrator.
Note -: If you haven’t signed up for Google Workspace yet, you may consider using Google Workspace Promo Code to save 20%.
Once you are logged into Google Workspace Control Panel, click on APPS icon from the Dashboard.
As we will be applying a server side to our Gmail application, which will get us bcc copy of all sent and received emails of our users
Click on the GMAIL icon as shown in the screenshot
The rule we want to apply is a part of Gmail advance settings, go ahead and click on it
If you want to receive bcc copy of all the users in your domain, you can select the parent organization unit.
If you want to apply it on a specific function such as sales or accounting OR even only on a few users, you may create a new organizational unit and put required users in it, here are instructions by Google for it.
After selecting right orgnaizational unit, scroll down to find “Content Compliance” and click on “Configure” as shown in the screenshot below
Adding a description for your rule is recommended to ensure other administrators in your domain can refer to it and understand this rule’s objective in your absence
Select which emails you want to get as bcc for users, you can select any or all including inbound, outbound, internal sending or recieving, for the sake of this example, am only considering inbound and outbound, and not the intradoamin ones.
Lets define our condition, think of it like IF/Else statement-:
Explanation -: In this step, we have created a condition (IF statement) stating if “@yourdomain.com” is found in the message header, then match the condition, now if your users either send or receive message through their corporate id, @yourdomain.com will surely be there in the headers, as its not possible to send/receive without it from/to their corporate id, however if your requirement is a bit complex, you may also use regex expressions to define your criteria.
In this step, we’ll define a way to separate these bcc emails from your regular ones, so you can easily identify them and filter/label them if required.
Congratulations, you will now get a bcc copy of your users in the mailbox you put in your condition as shown in above example)
feel free to put comments if you have any questions or feedback.
Google Workspace Admin can not directly access users emails, however, Yes, he has following options to look at any users emails-:
Google Workspace has different plans, and one of them is called “Google Workspace for Business” which comes an application called “Google Vault“, which saves a copy of all users emails, on the record chat, group messages, files in Google Drive and Team Drive.
So even if a user deletes his/her email or a file in Google Drive, you can login to Google Vault as an Admin and search for users emails.
Please note -: above vault based solution to access your users email will not work with Google Workspace basic plan as Google does not vault with it, however it can be purchased additionally as shown in Google Vault Pricing guide here.
Google Workspace offers an email delegation feature where you a user can delegate his or her gmail mailbox to someone (e.g a CXO delegating to executive assistant), this is usually done by a user, however Google Workspace Admin can also do it via Gmail API without even users noticing it.
Note-: Though Google Workspace Admins can setup email delegation behind the scenes, if you are a user you can go to your delegation settings (Gmail –> Settings –> Accounts –> Grant Access to your account) and check if their account is delegated to someone and can delete the delegation too.
Google Workspace Admin can also setup a rule in admin console to trigger a bcc copy of all (or required) users email as shown in the video tutorial above, and this solution works with all Google Workspace paid plans.
In case if your requirement is not fulfilled by above solutions, you may consider putting a custom solution based on your needs with Google Workspace Email Audit API. You also don’t need to start from scratch here, if you know a bit of Google Apps Script, you can use this OAuth 2 library to easily use Audit API within Apps Script.
NO, You can NOT login to any of your Google Workspace users account even if you have super administrator rights.
Only way to do that is to first reset user’s password and then use that password to login to user account, but user can easily figure that out as he / she won’t be able to login with the old password.
So if you are a Google Workspace Admin and really want to monitor your users emails, consider the solutions mentioned above.
I have been working with Google Workspace partners and all my employers use Google Workspace (formerly Google Apps) for email and collaboration.
I have this same question, and after asking a few of my employers and doing a bit of googling, I honestly don’t have a clear answer on it.
Some people say that when you work for a business, its assumed that you are using business assets and they retain the rights to look into anything if required.
Also, because am not a legal expert, I won’t really comment on this, but if you are a user, don’t hesitate to read your employment contract, look at your state and/or country laws, or even reach out to your employer (I did this) to ask it.
I have seen cases where due to legal investigation Google Workspace Admins put a legal hold on concerned user’s email box (in Google Vault), so regardless of all, if you are a Google Workspace user, my recommendation would be to use your Gmail assuming that your employer can access your emails.
© 2022 All rights reserved
Made with love for Google Workspace:)
