What Your Google Workspace Admin Can See Without Reading a Single Email
Gmail governance gives IT admins visibility into forwarding rules, delegates, and risky filters — without accessing inbox content. Here's what that looks like.
Can you tell — right now — if anyone in your organization is forwarding company email to a personal account?
For most IT teams, the honest answer is no. Gmail forwarding and delegation settings aren't visible in the Admin Console. Checking them across a domain requires API access that most teams haven't automated. So the review doesn't happen until something goes wrong.
That's the gap Gmail governance closes.
Settings, Not Content
There's an important distinction between email monitoring and email governance. Monitoring means reading inbox content — subjects, bodies, attachments. Governance means reviewing configuration: who has access, where mail routes, and what filters are doing behind the scenes.
MonitorWorkspace offers both. Full inbox monitoring for investigations that require it. And governance checks that use a lighter API scope (gmail.settings.basic) — configuration only, no message content.
For organizations that want a proportionate approach to email oversight, settings audits are the right starting point. Assess the security posture first. Escalate to inbox access only when the situation demands it.
Four Signals, One Tab
MonitorWorkspace surfaces four governance signals for any user in your domain:
Auto-Forwarding — Is it enabled? Where does it forward? Is the destination verified? This is the single most common data exfiltration vector in Google Workspace. During a quarterly sweep, one finance team member was found forwarding invoices to a personal account configured years earlier during a role transition. No malice — just a forgotten setting creating months of uncontrolled exposure.
Delegates — Who can read, send, and delete email on behalf of this user? Former assistants with lingering access, cross-department delegates on sensitive accounts, pending invitations that were never accepted — all visible at a glance.
Mail Filters — Users create filters that forward externally, silently archive (mark read + skip inbox), or route to Trash. Any one of these can create a blind spot. Suspicious patterns are flagged automatically — you don't have to review 30 filters manually.
Forwarding Addresses — Even when auto-forwarding is off, verified forwarding addresses mean it can be re-enabled instantly. For most users, the number of registered forwarding addresses should be zero.
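The four checks above can be sketched as a small offline classifier. This is an added example, not MonitorWorkspace's code: the field names follow the Gmail API settings resources (auto-forwarding, forwarding addresses, delegates, filters), while the internal domain, the finding labels and the sample data are assumptions constructed for illustration.

```python
# Added example: classify Gmail settings (API-shaped dicts) into governance findings.
INTERNAL_DOMAIN = "example.com"  # assumption: your primary Workspace domain

def is_external(address, domain=INTERNAL_DOMAIN):
    return not address.lower().endswith("@" + domain)

def audit_settings(auto_forwarding, forwarding_addresses, delegates, filters):
    """Return a sorted list of (signal, detail) findings for one user."""
    findings = []
    if auto_forwarding.get("enabled"):
        dest = auto_forwarding.get("emailAddress", "")
        kind = "external" if is_external(dest) else "internal"
        findings.append(("auto_forwarding", f"{kind}:{dest}"))
    for fa in forwarding_addresses:
        # A verified address means forwarding can be switched back on instantly.
        if fa.get("verificationStatus") == "accepted":
            findings.append(("forwarding_address", fa["forwardingEmail"]))
    for d in delegates:  # every delegate is listed, pending invitations included
        findings.append(("delegate", f'{d.get("verificationStatus")}:{d["delegateEmail"]}'))
    for f in filters:
        action = f.get("action", {})
        added = set(action.get("addLabelIds", []))
        removed = set(action.get("removeLabelIds", []))
        fwd = action.get("forward")
        if fwd and is_external(fwd):
            findings.append(("filter_external_forward", f'{f["id"]}:{fwd}'))
        if {"INBOX", "UNREAD"} <= removed:  # skip inbox + mark read
            findings.append(("filter_silent_archive", f["id"]))
        if "TRASH" in added:
            findings.append(("filter_to_trash", f["id"]))
    return sorted(findings)

# Constructed sample data for one user (not real accounts).
SAMPLE = {
    "auto_forwarding": {"enabled": True, "emailAddress": "jane.personal@gmail.test"},
    "forwarding_addresses": [
        {"forwardingEmail": "jane.personal@gmail.test", "verificationStatus": "accepted"},
        {"forwardingEmail": "old@partner.test", "verificationStatus": "pending"}],
    "delegates": [{"delegateEmail": "former.assistant@example.com",
                   "verificationStatus": "accepted"}],
    "filters": [
        {"id": "f1", "action": {"forward": "jane.personal@gmail.test"}},
        {"id": "f2", "action": {"removeLabelIds": ["INBOX", "UNREAD"]}},
        {"id": "f3", "action": {"addLabelIds": ["TRASH"]}},
        {"id": "f4", "action": {"addLabelIds": ["Label_1"]}}],
}

if __name__ == "__main__":
    for signal, detail in audit_settings(**SAMPLE):
        print(signal, detail)
```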
Why This Matters for Leadership
Three reasons this belongs on your radar:
Risk visibility without privacy concerns. Settings audits don't touch message content. Legal teams that are uncomfortable with inbox monitoring can usually approve configuration reviews under existing acceptable use policies.
Compliance evidence. Every governance check is audit-logged — who ran it, when, for which user. That's demonstrable oversight for SOX, HIPAA, or internal policy reviews.
Operational hygiene. Forwarding rules accumulate. Delegates linger. Filters get created and forgotten. Periodic review catches configuration drift before it becomes an incident.
The Difference Between a Script and a Practice
Most teams could script these API calls. Almost none maintain the script, schedule it, audit-log every run, and surface risk patterns automatically. That's the difference between a one-off investigation and an ongoing governance practice.
MonitorWorkspace makes it a tab click: open a user, check their Gmail compliance posture, move on. The check itself is logged. No inbox access required.
If you haven't audited forwarding rules recently, start there. Five minutes, and the results are usually surprising.