Can G Suite Admin Read My Email?

When I was recently working on a G Suite deployment project, customer asked me if its possible to watch users emails, So I did some research and testing to find if its really possible.

Author – Goldy Arora – G Suite Certified Consultant

So Can G Suite Admin Read My Email?

Google allows G Suite administrators to monitor and audit users emails. An Administrator may use Google Vault, Content Compliance rules, Audit API or Email delegation to view and audit users emails. It is recommend for G Suite Administrators to consider their local laws before performing email auditing on their users mailboxes.

Learn how google apps admin can login as another user

Monitor Your Users Emails in G Suite via Content compliance Rule

In this video (or article below), i’ll show you how you can get bcc copy of your users/employees emails without knowing their G Suite password.

You should be a G Suite Administrator, and must be using G Suite Basic, Business, Government, Education or Enterprise edition as it does not work for G Suite Free.

Article Overview-:

  • In this article you will see how being a G Suite Administrator you can get a copy of your users sent and received emails without knowing their passwords or putting forwarding in their mailboxes
  • Note-: This option is primarily meant for auditing, you need to keep your country law and organizational policy in mind before attempting this method of getting access to your users emails.
  • For any feedback or query, feel free to write me

Scenario -:

  • For auditing purpose you would like to track incoming and/or outgoing (including intra-domain) emails of one or all of your Google Apps users, without asking or changing their password or putting a forwarding rule in their mailboxes

Solution Explanation-:

  • To achieve this, you will create a server side rule in G Suite (formerly Google Apps) which you can apply on either one user, or an OU or even at all users
  • This rule will state, that any message which contain in the message header, then send its copy to the id which you define

System Requirements-:

  • This solution will only work with Basic, Business, Education and Government edition of G Suite (Google Apps), and not with free edition

Step 1 - Login to G Suite Control Panel

To achieve this, we need to login to our G Suite admin console, watch the video to see 3 possible ways to access admin console.

I assume you have administration permission to perform this task, if not, then you can watch this tutorial to see how to become G Suite Administrator or delegated administrator.

Note -: If you haven’t signed up for G Suite yet, you may consider using G Suite Promo Code to save 20%.

Step 2 - Navigate to APPS

Once you are logged into G Suite Control Panel, click on APPS icon from the Dashboard.

Click on Apps in G suite control panel
Navigate and click on Gmail

Step 3 - Go to Gmail

As we will be applying a server side to our Gmail application, which will get us bcc copy of all sent and received emails of our users

Click on the GMAIL icon as shown in the screenshot

Step 4 - Click on Advance Settings

The rule we want to apply is a part of Gmail advance settings, go ahead and click on it

Click on Advanced settings in g suite admin console

Step 5 - Select Organization Unit

If you want to receive bcc copy of all the users in your domain, you can select the parent organization unit.

If you want to apply it on a specific function such as sales or accounting OR even only on a few users, you may create a new organizational unit and put required users in it, here are instructions by Google for it.

After selecting right orgnaizational unit, scroll down to find “Content Compliance” and click on “Configure” as shown in the screenshot below

Step 6 - Define Rule's Scope

Adding a description for your rule is recommended to ensure other administrators in your domain can refer to it and understand this rule’s objective in your absence

Select which emails you want to get as bcc for users, you can select any or all including inbound, outbound, internal sending or recieving, for the sake of this example, am only considering inbound and outbound, and not the intradoamin ones.

Step 7 - Define the expression

Lets define our condition, think of it like IF/Else statement-:

  1. Select “If any of the following match the message”
  2. Click on “Add” to add a condition statement
  3. Click on “Advance Content Match”
  4. Location should be “Full Headers”
  5. Match Type should be “Contain Text”
  6. Content should be “” (you need to change to your actual domain name)
  7. Save your condition

Explanation -: In this step, we have created a condition (IF statement) stating if “” is found in the message header, then match the condition, now if your users either send or receive message through their corporate id, will surely be there in the headers, as its not possible to send/receive without it from/to their corporate id, however if your requirement is a bit complex, you may also use regex expressions to define your criteria.

Step 8 - Who should get bcc?

  1. Scroll down and click on “Add more recipients”
  2. Click on Advance
  3. Checkbox “Change Envelope Recipient”
  4. Select “replace envelope recipient”
  5. Enter the email id on which you would like to get bcc copy
  6. Scroll below and follow the next step in this article

Step 9 - Prepend subject (recommended)

  1. In this step, we’ll define a way to separate these bcc emails from your regular ones, so you can easily identify them and filter/label them if required.

    1. Click on “Prepend subject”
    2. Add any thing you would like to prepend in the subject of these bcc emails, for example {{BCC}}
    3. Now all theses bcc copies that you’ll get will have {{BCC}} in front of the subject line, which will help you make filter in Gmail and put them under a label/folder.
    4. Save your changes

Step 10 - Done!

Congratulations, you will now get a bcc copy of your users in the mailbox you put in your condition as shown in above example)

feel free to put comments if you have any questions or feedback.

G Suite user email auditing FAQ

Here are details about some additional ways by which a G Suite admin can monitor and audit users emails. if you don’t find the answer, feel free to ask in the comments below.

G Suite Admin can not directly access users emails, however, Yes, he has following options to look at any users emails-:

(i) Google Vault -: 

G Suite has different plans, and one of them is called “G Suite for Business” which comes an application called “Google Vault“, which saves a copy of all users emails, on the record chat, group messages, files in Google Drive and Team Drive.

So even if a user deletes his/her email or a file in Google Drive, you can login to Google Vault as an Admin and search for users emails.

Please note -: above vault based solution to access your users email will not work with G Suite basic plan as Google does not vault with it.

(ii) Email Delegation -: 

G Suite offers an email delegation feature where you a user can delegate his or her gmail mailbox to someone (e.g a CXO delegating to executive assistant), this is usually done by a user, however G Suite Admin can also do it via Google’s Email Settings API without even users noticing it.

Note-: Though G Suite Admins can setup email delegation behind the scenes, if you are a user you can go to your delegation settings (Gmail –> Settings –> Accounts –> Grant Access to your account) and check if their account is delegated to someone and can delete the delegation too.

(iii) G Suite Content Compliance Rule -: 

G Suite Admin can also setup a rule in admin console to trigger a bcc copy of all (or required) users email as shown in the video tutorial above, and this solution works with all G Suite paid plans.

(iv) G Suite Admin Audit API -: 

In case if your requirement is not fulfilled by above solutions, you may consider putting a custom solution based on your needs with G Suite Email Audit API. You also don’t need to start from scratch here, if you know a bit of Google Apps Script, you can use this OAuth 2 library to easily use Audit API within Apps Script.

NO, You can NOT login to any of your G Suite users account even if you have super administrator rights.

Only way to do that is to first reset user’s password and then use that password to login to user account, but user can easily figure that out as he / she won’t be able to login with the old password.

So if you are a G Suite Admin and really want to monitor your users emails, consider the solutions mentioned above.

I have been working with G Suite partners and all my employers use G Suite (formerly Google Apps) for email and collaboration.

I have this same question, and after asking a few of my employers and doing a bit of googling, I honestly don’t have a clear answer on it.

Some people say that when you work for a business, its assumed that you are using business assets and they retain the rights to look into anything if required.

Also, because am not a legal expert, I won’t really comment on this, but if you are a user, don’t hesitate to read your employment contract, look at your state and/or country laws, or even reach out to your employer (I did this) to ask it.

I have seen cases where due to legal investigation G Suite Admins put a legal hold on concerned user’s email box (in Google Vault), so regardless of all, if you are a G Suite user, my recommendation would be to use your Gmail assuming that your employer can access your emails.

20 thoughts on “How your employer can access your emails without password”

  1. Hi, thanks for the great tutorial. Sadly it didn’t work for me. I tried using paid GSuite basic.
    I just don’t get any email to the inbox I’ve specified. Any ideas?
    thanks again.

  2. Hi Goldy,

    what happens if your vacation responder is on. haha just did a test a noticed it popped up onto senders email lol

  3. Hi

    After setting this up, it seems that delivery of emails stopped happening or was taking longer than usual.

    Any reason this would happen

    1. It shouldn’t slow down the delivery (at least not at all to the noticeable level).

      can’t say why email delivery is stopped unless have more information, but if follow this guide as shown, it should not impact email delivery other than sending bcc copy to concerned one/s.

      if you get stuck, send me an email at help with the screencapture of your settings, and i’ll try to look at it.

  4. Hi this did not seem to work…I have the GSuite basic plan. Any thoughts as to why it wouldn’t have worked? Thank you!

  5. Isn’t it illegal to read your employees/coworkers emails? Did you write a step-by-step blog about how to break the law?

  6. Hi Goldy, thank you for the wonderful guide. I have a question, If I checked the encryption (onward delivery only) Require secure transport (TLS). I cant seem to receive the mail forward to my email. I’m testing it by sending from my yahoo email to my user gmail. Oh perhaps, i have to uncheck for the TLS?

    Best Regards,

    1. Your welcome Victor.
      Be default Gmail attempts to deliver via TLS, but in absence of TLS (at recipient server), it delivers via smtp.
      So Yes, if you choose TLS option, then Google will “enforce” TLS only delivery, if TLS is not available, then it’ll not deliver the message.

  7. Hi Goldy. Does the ability to read emails only apply to those sent after you set this up? If so, is there a way to see past emails?

    1. Hi Sandra, thats correct, you can see the emails after applying this rule, to see past emails you have following options-:
      1. If you are on G Suite Business edition and have enabled Google Vault (Archiving and compliance solution which comes with G Suite business), you can then login to and search for any user’s emails.

      2. (Programmatically) If you are the administrator, you can create a script which would use domain wide delegation, so you can impersonate any user and and get their emails based on a few methods available in GmailApp class as mentioned here –>

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Scroll to Top