How does Front work with Google's DLP Compliance offering?

Edited

This is advanced material that requires a Google Workspace Admin and full understanding of how Google's advanced email routing can implement data loss prevention.


Overview

Gmail data loss prevention (DLP) lets you use predefined content detectors to scan email, locate sensitive data, and prevent leaking that data to unauthorized sources.  Google's support article on this topic is available here.


Impact

When Gmail detects sensitive content, admins will be able to configure one of three actions: reject, quarantine and modify.  This article will review how each of those actions impacts email in Front.  It's assumed that the address is connected to Front as a Gmail channel with 2-way sync enabled.

What happens if I utilize the “reject” option?

In Front, the experience will mirror Gmail's webmail.  If the message is inbound, Front won't receive a copy of the message.  If outbound, a bounceback email will be received in that Front inbox.  This would be similar to a non-delivery report (NDR) that Gmail creates for rejected message delivery in other circumstances.  Gmail automatically adds an SMTP rejection code, such as 550 5.7.1. This is a requirement of the SMTP standard and can't be changed.

What happens if I utilize the “quarantine” option?

For inbound, Front won't receive the message until a quarantine admin approves delivery. For outbound, Google won't deliver the message to the recipient until an admin approves it.  If the admin rejects the message in quarantine, the result matches the reject option above.

What happens if I utilize the “modify” option?

Google Workspace can modify a number of items in an email message (full list is here). These modifications occur before releasing the message to the account's inbox (i.e. at the point of entry to Google’s servers). This is similar to a secure email gateway and any message passed through to the account's inbox will reflect those changes in Front as well.


Other channel types

How do these options work for a Google Group?

Since Google Groups leverage forwarding for inbound and Front's Sendgrid servers for outbound, only inbound emails would be subject to the reject or modify policy you define for your Google Workspace.  The quarantine option is only available to User accounts.  If your organizations requires enforcement of these policies for both inbound and outbound email, you’ll want to consider migrating your Google Group to a fully licensed Gmail account.

How do these options work for a Gmail Alias?

Similar to a Google group, a Gmail alias uses Sendgrid for outbound delivery by default. Inbound messages are processed using the primary connected channel through two-way sync so they will already comply with any policies you define. For outbound delivery you’ll want to setup Custom SMTP to send through Gmail directly or consider converting the alias to a fully-licensed Gmail account as needed.