Monitor Your Users Emails in G Suite
In this video (or article below), i’ll show you how you can get bcc copy of your users/employees emails without knowing their passwords in G Suite (Google Apps).
You should be a G Suite Administrator, and must be using G Suite Basic, Business, Government, Education or Enterprise edition as it does not work for G Suite Free.
Article Overview-:
- In this article you will see how being a G Suite Administrator you can get a copy of your users sent and received emails without knowing their passwords or putting forwarding in their mailboxes
- Note-: This option is primarily meant for auditing, you need to keep your country law and organizational policy in mind before attempting this method of getting access to your users emails.
- For any feedback or query, feel free to write me
Scenario -:
- For auditing purpose you would like to track incoming and/or outgoing (including intra-domain) emails of one or all of your Google Apps users, without asking or changing their password or putting a forwarding rule in their mailboxes
Solution Explanation-:
- To achieve this, you will create a server side rule in G Suite (formerly Google Apps) which you can apply on either one user, or an OU or even at all users
- This rule will state, that any message which contain @yourdomain.com in the message header, then send its copy to the id which you define
System Requirements-:
- This solution will only work with Basic, Business, Education and Government edition of G Suite (Google Apps), and not with free edition
Step 1 - Login to G Suite Control Panel
To achieve this, we need to login to our G Suite admin console, watch the video to see 3 possible ways to access admin console.
Note-: I assume you have administration permission to perform this task, if not, then you can watch this tutorial to see how to become G Suite Administrator or delegated administrator.
Step 2 - Navigate to APPS
Once you are logged into G Suite Control Panel, click on APPS icon from the Dashboard.
Step 3 - Go to Gmail
As we will be applying a server side to our Gmail application, which will get us bcc copy of all sent and received emails of our users
Click on the GMAIL icon as shown in the screenshot
Step 4 - Click on Advance Settings
The rule we want to apply is a part of Gmail advance settings, go ahead and click on it
Step 5 - Select Organization Unit
If you want to receive bcc copy of all the users in your domain, you can select the parent organization unit.
If you want to apply it on a specific function such as sales or accounting OR even only on a few users, you may create a new organizational unit and put required users in it, here are instructions by Google for it.
After selecting right orgnaizational unit, scroll down to find “Content Compliance” and click on “Configure” as shown in the screenshot below
Step 6 - Define Rule's Scope
Adding a description for your rule is recommended to ensure other administrators in your domain can refer to it and understand this rule’s objective in your absence
Select which emails you want to get as bcc for users, you can select any or all including inbound, outbound, internal sending or recieving, for the sake of this example, am only considering inbound and outbound, and not the intradoamin ones.
Step 7 - Define the expression
Lets define our condition, think of it like IF/Else statement-:
- Select “If any of the following match the message”
- Click on “Add” to add a condition statement
- Click on “Advance Content Match”
- Location should be “Full Headers”
- Match Type should be “Contain Text”
- Content should be “yourdomainanme.com” (you need to change yourdomainname.com to your actual domain name)
- Save your condition
Explanation -: In this step, we have created a condition (IF statement) stating if “@yourdomain.com” is found in the message header, then match the condition, now if your users either send or receive message through their corporate id, @yourdomain.com will surely be there in the headers, as its not possible to send/receive without it from/to their corporate id, however if your requirement is a bit complex, you may also use regex expressions to define your criteria.
Step 8 - Who should get bcc?
- Scroll down and click on “Add more recipients”
- Click on Advance
- Checkbox “Change Envelope Recipient”
- Select “replace envelope recipient”
- Enter the email id on which you would like to get bcc copy
- Scroll below and follow the next step in this article
Step 9 - Prepend subject (recommended)
In this step, we’ll define a way to separate these bcc emails from your regular ones, so you can easily identify them and filter/label them if required.
- Click on “Prepend subject”
- Add any thing you would like to prepend in the subject of these bcc emails, for example {{BCC}}
- Now all theses bcc copies that you’ll get will have {{BCC}} in front of the subject line, which will help you make filter in Gmail and put them under a label/folder.
- Save your changes
Step 10 - Done!
Congratulations, you will now get a bcc copy of your users in the mailbox you put in your condition as shown in above example)
feel free to put comments if you have any questions or feedback.
Hi Goldy. Does the ability to read emails only apply to those sent after you set this up? If so, is there a way to see past emails?
Hi Sandra, thats correct, you can see the emails after applying this rule, to see past emails you have following options-:
1. If you are on G Suite Business edition and have enabled Google Vault (Archiving and compliance solution which comes with G Suite business), you can then login to ediscovery.google.com and search for any user’s emails.
2. (Programmatically) If you are the administrator, you can create a script which would use domain wide delegation, so you can impersonate any user and and get their emails based on a few methods available in GmailApp class as mentioned here –> https://developers.google.com/apps-script/reference/gmail/