Can Google Workspace Admin Read My Email?

While I was recently working on a Google Workspace deployment project, a customer asked me if it’s possible to watch users’ emails, so I did some research and testing to find out whether it’s really possible.

Author – Goldy Arora – Google Workspace Certified Consultant

So Can Google Workspace Admin Read My Email?

Google allows Google Workspace administrators to monitor and audit users’ emails. An Administrator may use Google Vault, Content Compliance rules, Audit API or Email delegation to view and audit users’ emails. It is recommended that Google Workspace Administrators consider their local laws before performing email auditing on their users’ mailboxes.



Monitor Your Users Emails in Google Workspace via Content compliance Rule

In this video (or article below), I’ll show you how you can get a bcc copy of your users’/employees’ emails without knowing their Google Workspace password.

You should be a Google Workspace Administrator, and must be using Google Workspace Basic, Business, Government, Education or Enterprise edition, as this does not work for Google Workspace Free.

Article Overview-:

  • In this article you will see how, as a Google Workspace Administrator, you can get a copy of your users’ sent and received emails without knowing their passwords or putting forwarding in their mailboxes
  • Note-: This option is primarily meant for auditing; you need to keep your country’s law and organizational policy in mind before attempting this method of getting access to your users’ emails.
  • For any feedback or query, feel free to write to me

Scenario -:

  • For auditing purposes you would like to track incoming and/or outgoing (including intra-domain) emails of one or all of your Google Apps users, without asking for or changing their password or putting a forwarding rule in their mailboxes

Solution Explanation-:

  • To achieve this, you will create a server-side rule in Google Workspace (formerly Google Apps), which you can apply to one user, an OU, or even all users
  • This rule will state that if a message contains @yourdomain.com in the message header, a copy of it is sent to the id which you define

System Requirements-:

  • This solution will only work with the Basic, Business, Education and Government editions of Google Workspace (Google Apps), and not with the free edition

Step 1 - Login to Google Workspace Control Panel

To achieve this, we need to log in to our Google Workspace admin console. Watch the video to see 3 possible ways to access the admin console.

I assume you have administration permission to perform this task, if not, then you can watch this tutorial to see how to become Google Workspace Administrator or delegated administrator.

Note -: If you haven’t signed up for Google Workspace yet, you may consider using Google Workspace Promo Code to save 20%.

Step 2 - Navigate to APPS

Once you are logged into Google Workspace Control Panel, click on APPS icon from the Dashboard.


Step 3 - Go to Gmail

We will be applying a server-side rule to our Gmail application, which will get us a bcc copy of all sent and received emails of our users.

Click on the GMAIL icon as shown in the screenshot

Step 4 - Click on Advanced Settings

The rule we want to apply is a part of Gmail’s advanced settings, so go ahead and click on it.


Step 5 - Select Organization Unit

If you want to receive a bcc copy for all the users in your domain, you can select the parent organizational unit.

If you want to apply it on a specific function such as sales or accounting OR even only on a few users, you may create a new organizational unit and put required users in it, here are instructions by Google for it.

After selecting the right organizational unit, scroll down to find “Content Compliance” and click on “Configure” as shown in the screenshot below

Step 6 - Define Rule's Scope

Adding a description for your rule is recommended to ensure other administrators in your domain can refer to it and understand this rule’s objective in your absence

Select which emails you want to get as bcc for users. You can select any or all of inbound, outbound, internal sending or internal receiving. For the sake of this example, I am only considering inbound and outbound, and not the intra-domain ones.


Step 7 - Define the expression

Let’s define our condition; think of it like an IF/Else statement-:

  1. Select “If any of the following match the message”
  2. Click on “Add” to add a condition statement
  3. Click on “Advanced Content Match”
  4. Location should be “Full Headers”
  5. Match Type should be “Contains Text”
  6. Content should be “yourdomainname.com” (you need to change yourdomainname.com to your actual domain name)
  7. Save your condition

Explanation -: In this step, we created a condition (an IF statement) stating that if “@yourdomain.com” is found in the message headers, the condition matches. If your users send or receive a message through their corporate id, @yourdomain.com will surely be in the headers, as it’s not possible to send or receive from/to their corporate id without it. If your requirement is more complex, you may also use regular expressions to define your criteria.
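To see which header lines such a condition would match before the rule is applied, the following added example (not from the original article, and not Google’s matcher) models the Step 7 “contains text” check in Python next to a stricter address-only regular expression. The domain placeholder, the sample messages and the function names are constructed for illustration.

```python
import re
from email import message_from_string

DOMAIN = "yourdomain.com"  # placeholder used in the article; replace with your own
ADDRESS_HEADERS = {"from", "sender", "reply-to", "to", "cc"}

# Stricter pattern: a complete address whose domain part is exactly DOMAIN.
# Written without lookarounds; this is Python's `re`, not Google's matcher.
ADDR_RE = re.compile(
    r"(?:^|[\s<,:;\"'(])[A-Za-z0-9._%+-]+@" + re.escape(DOMAIN)
    + r"(?:[\s>,;\"')]|$)",
    re.IGNORECASE,
)

# Constructed sample messages; only the header block matters here.
SAMPLES = {
    "display_name": (
        "From: Bob User <bob@yourdomain.com>\n"
        "To: carol@example.org\n"
        "Subject: Re: Quote\n\nbody\n"
    ),
    "lookalike": (
        "From: billing@notyourdomain.com\n"
        "To: erin@yourdomain.com.example.net\n"
        "Subject: Invoice\n\nbody\n"
    ),
    "mention_only": (
        "From: news@example.net\n"
        "To: list@example.net\n"
        "List-Unsubscribe: <https://example.net/u?d=yourdomain.com>\n"
        "Subject: Newsletter\n\nbody\n"
    ),
    "undisclosed": (
        "From: frank@example.net\n"
        "To: undisclosed-recipients:;\n"
        "Subject: Hello\n\nbody\n"
    ),
}


def headers(raw):
    """Parse a raw message and return its headers as (name, value) pairs."""
    return message_from_string(raw).items()


def substring_hits(raw, needle=DOMAIN):
    """Step 7 as written: header lines that contain the text anywhere."""
    return [name for name, value in headers(raw)
            if needle.lower() in f"{name}: {value}".lower()]


def address_hits(raw):
    """Stricter check: only address headers holding a real user@DOMAIN address."""
    return [name for name, value in headers(raw)
            if name.lower() in ADDRESS_HEADERS and ADDR_RE.search(value)]


def compare(samples=SAMPLES):
    """Return {label: (contains-text hits, address-only hits)} per sample."""
    return {label: (substring_hits(raw), address_hits(raw))
            for label, raw in samples.items()}


if __name__ == "__main__":
    for label, (loose, strict) in compare().items():
        print(f"{label:14} contains-text={loose or '-'} address-only={strict or '-'}")
```

In these constructed samples the display-name form `Bob User <bob@yourdomain.com>` matches under both checks, while the lookalike domains and the unsubscribe link match only the plain “contains text” check, and a message whose headers never mention the domain matches neither.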

Step 8 - Who should get bcc?

  1. Scroll down and click on “Add more recipients”
  2. Click on Advanced
  3. Check the “Change Envelope Recipient” checkbox
  4. Select “replace envelope recipient”
  5. Enter the email id on which you would like to get bcc copy
  6. Scroll below and follow the next step in this article

Step 9 - Prepend subject (recommended)

  1. In this step, we’ll define a way to separate these bcc emails from your regular ones, so you can easily identify them and filter/label them if required.

    1. Click on “Prepend subject”
    2. Add anything you would like to prepend to the subject of these bcc emails, for example {{BCC}}
    3. Now all the bcc copies that you get will have {{BCC}} in front of the subject line, which will help you create a filter in Gmail and put them under a label/folder.
    4. Save your changes

Step 10 - Done!

Congratulations, you will now get a bcc copy of your users’ emails in the mailbox you put in your condition (as shown in the above example).

Feel free to leave a comment if you have any questions or feedback.

Google Workspace user email auditing FAQ

Here are details about some additional ways by which a Google Workspace admin can monitor and audit users’ emails. If you don’t find the answer, feel free to ask in the comments below.

A Google Workspace Admin cannot directly access users’ emails; however, yes, he has the following options to look at any user’s emails-:

(i) Google Vault (Read My Complete Google Vault Guide here) -: 

Google Workspace has different plans, and one of them is called “Google Workspace for Business”, which comes with an application called “Google Vault“ that saves a copy of all users’ emails, on-the-record chats, group messages, and files in Google Drive and Team Drive.

So even if a user deletes his/her email or a file in Google Drive, you can login to Google Vault as an Admin and search for users emails.

Please note -: the above Vault-based solution to access your users’ email will not work with the Google Workspace Basic plan, as Google does not include Vault with it; however, it can be purchased additionally as shown in the Google Vault Pricing guide here.

(ii) Email Delegation -: 

Google Workspace offers an email delegation feature where a user can delegate his or her Gmail mailbox to someone (e.g. a CXO delegating to an executive assistant). This is usually done by the user; however, a Google Workspace Admin can also do it via the Gmail API without users even noticing it.

Note-: Though Google Workspace Admins can set up email delegation behind the scenes, if you are a user you can go to your delegation settings (Gmail –> Settings –> Accounts –> Grant Access to your account), check whether your account is delegated to someone, and delete the delegation too.

(iii) Google Workspace Content Compliance Rule -: 

Google Workspace Admin can also setup a rule in admin console to trigger a bcc copy of all (or required) users email as shown in the video tutorial above, and this solution works with all Google Workspace paid plans.

(iv) Google Workspace Admin Audit API -: 

If your requirement is not fulfilled by the above solutions, you may consider building a custom solution based on your needs with the Google Workspace Email Audit API. You also don’t need to start from scratch here: if you know a bit of Google Apps Script, you can use this OAuth 2 library to easily use the Audit API within Apps Script.

NO, you can NOT log in to any of your Google Workspace users’ accounts even if you have super administrator rights.

The only way to do that is to first reset the user’s password and then use that password to log in to the user’s account, but the user can easily figure that out as he / she won’t be able to log in with the old password.

So if you are a Google Workspace Admin and really want to monitor your users emails, consider the solutions mentioned above.

I have been working with Google Workspace partners and all my employers use Google Workspace (formerly Google Apps) for email and collaboration.

I have this same question, and after asking a few of my employers and doing a bit of googling, I honestly don’t have a clear answer on it.

Some people say that when you work for a business, it’s assumed that you are using business assets and they retain the rights to look into anything if required.

Also, because I am not a legal expert, I won’t really comment on this, but if you are a user, don’t hesitate to read your employment contract, look at your state and/or country laws, or even reach out to your employer (I did this) to ask.

I have seen cases where due to legal investigation Google Workspace Admins put a legal hold on concerned user’s email box (in Google Vault), so regardless of all, if you are a Google Workspace user, my recommendation would be to use your Gmail assuming that your employer can access your emails.


78 thoughts on “How your employer can access your emails without password”

  1. Hi goldy,
    I need to add my company logo in append footer feature in Google Workspace but it is not happening as it is expecting me to insert image as link – http://, can you provide me any workaround for this issue.

  2. Hi Goldy, I couldn’t find the content compliance anymore. Looks like the menu has been removed. Could you advise how can I access the menu? Thank you.

  3. Hi Goldy,

    I submitted a comment but screwed it up. Re-submitting…

    First off, thanks for your instructional, it is great and I have checked out some of your others through the links at the bottom of your page.

    Need some help – I followed the instructions to a “T” but it is only partially working.

    It worked in this scenario: I accepted a calendar invite that someone sent to me and I received a {{BCC}} email. Note, the sender information on that email looks like this: “name@domain.com”.

    However, it did not work in this scenario: when an email was sent to a user in my organization, I did not receive a {{BCC}} email. Note, the sender information on that email looks like this: “First Name Last Name “. The rule we set up seems to not be picking up the “@domain.com” because it is inside “”. Theoretically it should be working because the rule we set up said if the Full Header contained text = “@domain.com” then bcc. But it is not working.

    Any idea on what I need to do here?

    Also, how do I exclude myself from this setup. In other words, I do not want to get a {{BCC}} email for every email that I send/receive. I just want to get it for all other users in my organization.

    Thank you!

  4. Hi Goldy,

    Great article, I wish there was something like this for every Google feature!

    I have a quick question. I followed your instructions and it is working – partially.

    It works in this instance: I accepted a calendar invite so I received a {{BCC}} email so it worked great. NOTE: the sender is “name@domain.com”.

    BUT, it does not work in this instance: when a user in my organization sends or receives an email from their account, the sender is listed as “First Name Last Name “. I am not getting a {{BCC}} email. It seems that it should still work because “@domain.com” is text contained in the full header. But no cigar.

    Not sure what to change, any help is appreciated.

    1. Goldy – PLEASE REFER TO THIS POST NOT THE PREVIOUS ONE

      Hi Goldy,

      Great article, I wish there was something like this for every Google feature!

      I have a quick question. I followed your instructions and it is working – partially.

      It works in this instance: I accepted a calendar invite so I received a {{BCC}} email so it worked great. NOTE: the sender is “name@domain.com”.

      BUT, it does not work in this instance: when a user in my organization sends or receives an email from their account, the sender is listed as “First Name Last Name “. It seems that it should still work because “@domain.com” is text contained in the full header. But no cigar, I am not getting a {{BCC}} email.

      Not sure what to change, any help is appreciated.

  5. I’m sorry. I’m still confused. So, I really need to see the interactions between one of my former employees and the clients he reached out to. Can I see, download, backup, or import his mail archive?

    1. I guess what I’m saying is that it’s clear from your blog post that this can be done for incoming and outgoing email. Can it be done for the email that already exists though (email already sent and received in the past)?

  6. Ignatz Ratzkiwatzki

    This was working well until I had to remove a user from the relevant organization unit. Now it’s stopped working for all users in that unit. Do you have suggestions for trouble shooting?

  7. Hi there

    Thanks for great article, we want to intercept all emails and check the content for malicious links, how can we do that?
    My initial thought was bcc all emails to a new email account like audit@mydomain.com, then by Audit Api, auditing that account, but I am afraid it works, because we should keep getting a new auth token every 24 hours.

    Do you have any suggestion?

    1. Google does a pretty good job of detecting and handling malicious links, I would rather suggest you to leverage controls provided by Google than trying to build something custom.

      Try the safety settings in Google workspace admin console –> Apps –> Gmail, more info here https://support.google.com/a/answer/9157861?hl=en

      You can then also look at the reports provided under admin console –> security –> dashboard –> spam filter malware.

  8. Hi Goldy, thank you for the wonderful guide.
    Is there any way to deliver my employee’s original emails to my inbox if I was cc’ed already?
    Following your instruction, all emails including myself is already copied in the loop have been delivering {BCC} folder.

  9. Hello! I loved your article. Is it possible for me as an admin to download my employee’s emails to reference back for data and other legal purposes?

    1. I would recommend you to go for Google Vault as it is meant for such e-discovery use cases, more information here
      https://www.goldyarora.com/google-vault-guide/
      Also, it works retroactively, so if you enable it today, it will also cover your employees old emails which exist today in their mailboxes.

      However, for some reason, if you don’t want to go with Google Vault, then consider the Audit API option as explained in this article.

  10. I think I am being monitored. I don’t even know what addition of Gmail I have. I did notice the library 2 in apps. If I find out someone’s been monitoring my personal phone can I bring charges on them and who do you go to do so, the police? Is there a company I can hire to check my email out instead of all this research. I’d just like to say after all this technology I think it’s best to talk to the person face to face. With all this capability who could trust anything sent in an email. As stated above you can get fake emails. So an article on how to protect myself would be better.

  11. Hi Goldy!

    Great article! I stumbled across this while trying to find a solution to auditing usage of the smtp relay service.

    We have some 3rd parties whose IPs have been added to the whitelist and I want to audit what email address they are sending mail on behalf of. Really wish Google Workspace had better options to lock this function down. I’m nervous about having a rogue user at the 3rd party sending mail on behalf of our executives etc.

    I know it’s off topic but would love your thoughts.

    Thanks!
    Brad

  12. Reading through your delegation section, there’s a link that references Google’s API (it’s under your “(ii)” section). That link’s page says “Email Settings API (deprecated)”. Do you find this to be true? Is Delegation not possible anymore?
    Secondly, I’m assuming that an API is the only way to setup Delegation — or has that changed and I (and admin) can delegate one user’s box to another–think Administrative Assistant to a VP?
    Thanks for the help.

  13. Is there a way to just see what the user’s email password is? It seems a lot easier and I would like to be able to monitor one of my employee’s emails.

    Thanks!

  14. Hi,

    Thanks for the great article. I think it’s similar with catchall setting with additional recipients. However, is there any ways to make sure that another administrator doesn’t realize it when he/she looks into the Audit > email log search and check the delivery/recipient list?

  15. Hi Goldy
    Could you please advise if I, being a G Suite admin, can send an email from the user’s id, that is, using the user’s ID

    Please reply
    Thanks

    1. My assumption is that you want to do this without letting the user know?
      if yes, It is possible, but not within the user interface, it’ll need you to impersonate that user using service account with domain wide delegation and using Gmail API.

    2. Great article Goldy!

      Is there any way to see if a gsuite admin has employed any of these tactics? (e.g., an audit trail or report)

      Thanks!

  16. Hi Goldy, Thanks for your great article! We are 2 administrators in G-Suite and I would like to see past emails of one admin. There is no super admin. Will he be notified if I change the configurations like in your video to see emails?
    My second question is: If I change the password to the main domain (I own it and he has no access), will G-Suite still work? When we first installed G-Suite, I punched in my password to the main domain for setup. I don‘t know if G-Suite is somehow linked with the main domain and if I change my password of the main domain do you know if G-Suite will still work? Or will it inform the other admin that a new password has been set? Thank you so much for your help! 🙂

    1. on your first question
      I don’t think Google Workspace has this covered under system or custom alerts, so the other admin won’t be notified; he can see in the admin console, if he has permission, that you have this rule in place.

      Also, this would only give you bcc for the “now onwards” emails, not the past ones, for past ones, you have following options-:
      1. Run Investigation from security center if you are on the Google Workspace enterprise plan.
      2. Run Google Vault investigation if you are on the business plan.
      3. Run Email Audit via Audit API if you are on G suite basic plan.

      on your second question
      I didn’t understand this question, but with main domain password, if you meant the first account that you created when signing up for Google Workspace (which automatically becomes Google Workspace super admin), then no, it won’t impact your Google Workspace as it is just like another Google Workspace account.
      and that other person.

      Your other delegated admin would be notified of this only if he has a password changed alert in there.

  17. Hi Goldy, Thanks for your great article! We are 3 administrators in G-Suite and I would like to see past emails of one admin. Will he be notified if I change the configurations like in your video to see emails?
    My second question is: If I change the password to the main domain (I own it on domain.com and he has no access), will G-Suite still work? When we first installed G-Suite, I punched in my password to the main domain for setup. I don‘t know if G-Suite somehow goes through the main domain and if I change my password, G-Suite might not work anymore.

  18. After trying this, my Sent folders on the accounts are now showing two copies of every email – I assume the original version and the BBC version. Did I miss something?

  19. I have one doubt: can an admin access my hangout without my password?
    Access means send message, delete or creating group like that, not audit.

  20. I recently discovered that GSuite also allows Administrators to take a backup of the entire GSuite dataset for your organisation, including mailboxes for each user (referred to as data export). The mailboxes are in .mbox format and may be opened by an email client such as outlook or Thunderbird. At the time (Dec) it was not possible to exclude user mailboxes from the data export.

    1. You are right Kevin, though it was possible in the past via Audit API where you run exports on mailboxes, and let it loop for the required users, however now, it is available within the Google Workspace admin console user interface.

      Also, couple of notes-:
      1. It is only available in the console if you have less than 1000 users, otherwise you would need to contact Google support to enable it.
      2. This data export can be run after 30 days of your last export.

  21. Jeffrey W. Baker

    How could this be unclear? A Google Workspace admin can route all of their domain’s mail through any mail relay service. They don’t need to do any of the stuff in this yard-long article. They just need the relay, they will receive all emails for all accounts.

    1. 1. This article is yard long because it shows the “how to” part of it; those who only need a summarized version of it do not need to keep scrolling, the answer is in the first para.

      2. Setting up relay server is not “just”, it also means more efforts and money than what is shown in this article-:
      — more efforts –> you would need to setup your relay server which accepts messages sent from Google Workspace.
      — more money –> to make it work, you would need to ensure your relay server is up and running 24*7, which means a lot of cost

      So, I will not recommend going for a relay server, especially when you are using Google Workspace and all you need is to get a bcc copy of your user/s emails.

      3. Communication is two way, simply looking at the answer does not make it right or wrong unless you have context of the question along with understanding of its audience.

      1. Such an intelligent retort Goldy! Done with more professionalism than Mr. Baker deserved. The great majority on here appreciate the time you spend on our behalf…all free I might add. Jeffrey needs to go back to the circus. I hear they’re looking for Clowns! 🤡

  22. Hi, Goldy. Thanks for the great article.
    I am wondering if an admin can use API to get the employee mail. For example by using service.users().messages().list API.

  23. Hi, I followed the steps and it worked for one account but not the other. Is there a reason why it only worked for one user’s email account?

    1. It indicates that your trigger has a condition which is applicable for only one email id, make sure it should be applied on (i) whole domain by putting @yourdomain.com in checking the headers and (ii) it should be applied on the tenant not on a dedicated Org unit.

  24. Thanks for this Goldy.
    If a user receives a confidential email accidentally sent to his inbox, can an admin delete the email from the user’s inbox?

    1. You’re welcome Dennis.
      Yes, a Google Workspace admin can delete emails from users mailboxes in following ways-:
      1. If you are on Google Workspace Enterprise SKU, you can search for objectionable emails from Admin Console –> Security Investigation as I show in the video here
      https://youtu.be/dTDcwWo51ms

      2. If you are on other (e.g Google Workspace basic or business sku), you can use Gmail API and impersonate users to delete emails from their accounts.
      https://developers.google.com/gmail/api/v1/reference/users/messages/delete

      Hope it helps.

  25. Hi Goldy, I want to monitor my team’s inboxes. But I can’t find a way to do it. Can you please guide me through ?

  26. Hi, thanks for the great tutorial. Sadly it didn’t work for me. I tried using paid GSuite basic.
    I just don’t get any email to the inbox I’ve specified. Any ideas?
    thanks again.

  27. Hi Goldy,

    what happens if your vacation responder is on. haha just did a test a noticed it popped up onto senders email lol

  28. Hi

    After setting this up, it seems that delivery of emails stopped happening or was taking longer than usual.

    Any reason this would happen

    1. It shouldn’t slow down the delivery (at least not at all to the noticeable level).

      Can’t say why email delivery is stopped unless I have more information, but if you follow this guide as shown, it should not impact email delivery other than sending a bcc copy to the concerned one/s.

      If you get stuck, send me an email at help @goldyarora.com with the screencapture of your settings, and I’ll try to look at it.

  29. Hi this did not seem to work…I have the GSuite basic plan. Any thoughts as to why it wouldn’t have worked? Thank you!

  30. Isn’t it illegal to read your employees/coworkers emails? Did you write a step-by-step blog about how to break the law?

  31. Hi Goldy, thank you for the wonderful guide. I have a question, If I checked the encryption (onward delivery only) Require secure transport (TLS). I cant seem to receive the mail forward to my email. I’m testing it by sending from my yahoo email to my user gmail. Oh perhaps, i have to uncheck for the TLS?

    Best Regards,
    Victor

    1. You’re welcome Victor.
      By default Gmail attempts to deliver via TLS, but in absence of TLS (at recipient server), it delivers via smtp.
      So Yes, if you choose TLS option, then Google will “enforce” TLS only delivery, if TLS is not available, then it’ll not deliver the message.

  32. Hi Goldy. Does the ability to read emails only apply to those sent after you set this up? If so, is there a way to see past emails?

    1. Hi Sandra, thats correct, you can see the emails after applying this rule, to see past emails you have following options-:
      1. If you are on Google Workspace Business edition and have enabled Google Vault (Archiving and compliance solution which comes with Google Workspace business), you can then login to ediscovery.google.com and search for any user’s emails.

      2. (Programmatically) If you are the administrator, you can create a script which would use domain wide delegation, so you can impersonate any user and get their emails based on a few methods available in GmailApp class as mentioned here –> https://developers.google.com/apps-script/reference/gmail/
