Gmail Governance Without Inbox Browsing — What IT Admins Can See Without Reading Email
Audit Gmail forwarding rules, delegates, and risky mail filters across your Google Workspace domain without accessing inbox content. A governance-first approach to email security.
Here's a question that comes up in almost every security review: can you tell if a user is forwarding company email to a personal account?
Most admins know they can check — in theory. But Gmail forwarding and delegation settings aren't visible in the standard Admin Console. Reviewing them across an entire domain requires API access, and most teams don't automate that review.
So the real question isn't whether you can check. It's whether you're checking regularly enough to catch something before it becomes a breach.
The Four Signals That Matter
Not every Gmail investigation requires reading email. In fact, most governance checks don't. What you actually need to know is whether a user's Gmail configuration creates risk — and you can answer that without opening a single message.
The four governance signals: Auto-Forwarding | Delegates | Mail Filters | Forwarding Addresses
Each one tells you something different about whether an account's Gmail setup creates risk for your organization.
1. Auto-Forwarding
The single most common data exfiltration vector in Google Workspace. A user enables auto-forwarding to their personal Gmail, and every message — including client contracts, financial data, HR communications — silently copies to an unmanaged account.
What to look for:
- Is auto-forwarding enabled? (The answer should almost always be "no" in a managed domain.)
- Where does it forward to? Is the destination a personal email, a competitor's domain, or an unknown address?
- What's the disposition? Does the original stay in the inbox, or does it vanish?
Some organizations disable auto-forwarding at the domain level via Admin Console. Good practice. But even with that policy, individual settings can drift — especially during migrations, mergers, or when a user had forwarding configured before the policy was enforced.
A real example: during a quarterly sweep, a finance team member was found forwarding invoices to a personal account that had been configured years earlier during a role transition. Auto-forwarding was enabled, the destination was verified, and it had been running silently ever since. No malice — just a forgotten setting that created months of uncontrolled data exposure.
2. Delegate Access
Gmail delegation lets another person read, send, and delete email on behalf of the account owner. Executive assistants use it legitimately. But it's also a blind spot: if a former assistant still has delegate access six months after changing roles, that's an access control failure.
Things that should make you look twice:
- Delegates who aren't in the same department or team
- Delegate invitations stuck in "pending" status (someone was added but never accepted — why?)
- Any delegation on sensitive accounts: finance, HR, executive leadership
Google Admin Console won't show you delegation status for individual users at a glance. You need API access. And you should be checking periodically, not just when something goes wrong.
3. Mail Filters and Routing Rules
This is where it gets subtle. A user can create a Gmail filter that:
- Forwards certain emails to an external address
- Automatically deletes messages matching a pattern
- Marks incoming mail as read and archives it — so it never appears in the inbox
That last one is the most dangerous. Silent archiving means the account owner never sees the email, and neither does anyone checking their inbox. It's a filter that creates a blind spot.
A governance-aware system flags three patterns automatically:
- External forwarding: any filter with a forwardTo action pointing outside the domain
- Delete-like rules: filters that route directly to Trash
- Silent archive: the combination of "mark as read" plus "skip inbox" — messages arrive, are immediately hidden, and nobody notices
If a user has 30 filters (not unusual for a long-tenured employee), checking each one manually is impractical. Automated suspicion detection makes this reviewable in seconds.
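As an added example (not MonitorWorkspace's code), the three-pattern check in Python over filter objects shaped like the Gmail API users.settings.filters.list response; the sample filters and the corp.example domain are constructed.

```python
"""Flag the three risky Gmail filter patterns described above (constructed data)."""
from __future__ import annotations

# Filter objects follow the shape returned by the Gmail API users.settings.filters.list:
# {"id", "criteria": {...}, "action": {"addLabelIds", "removeLabelIds", "forward"}}.
# The page's "forwardTo" action corresponds to the "forward" field here.
TRASH, INBOX, UNREAD = "TRASH", "INBOX", "UNREAD"  # Gmail system label ids


def is_external(address: str, domain: str) -> bool:
    """True when the address is outside the managed domain (subdomains count as internal)."""
    host = address.rsplit("@", 1)[-1].lower()
    return not (host == domain or host.endswith("." + domain))


def classify_filter(flt: dict, domain: str) -> list[str]:
    """Return the risky patterns this filter matches; an empty list means it looks benign."""
    action = flt.get("action", {})
    added = set(action.get("addLabelIds", []))
    removed = set(action.get("removeLabelIds", []))
    flags = []
    dest = action.get("forward")
    if dest and is_external(dest, domain):
        flags.append(f"external-forward:{dest}")
    if TRASH in added:  # matches go straight to Trash
        flags.append("delete-like")
    if INBOX in removed and UNREAD in removed:  # skip inbox + mark read: the owner never sees it
        flags.append("silent-archive")
    return flags


def audit_filters(filters: list[dict], domain: str) -> dict[str, list[str]]:
    """Map filter id -> flags for every filter that matched at least one pattern."""
    return {f["id"]: flags for f in filters if (flags := classify_filter(f, domain))}


# Constructed sample: one benign labelling rule, then one filter per risky pattern
SAMPLE_FILTERS = [
    {"id": "f1", "criteria": {"from": "news@vendor.example"}, "action": {"addLabelIds": ["Label_12"]}},
    {"id": "f2", "criteria": {"subject": "invoice"}, "action": {"forward": "me.home@example.net"}},
    {"id": "f3", "criteria": {"from": "alerts@corp.example"}, "action": {"addLabelIds": ["TRASH"]}},
    {"id": "f4", "criteria": {"from": "announce@corp.example"},
     "action": {"removeLabelIds": ["INBOX", "UNREAD"]}},
]

if __name__ == "__main__":
    for fid, flags in audit_filters(SAMPLE_FILTERS, "corp.example").items():
        print(fid, ", ".join(flags))
```

Note that "skip inbox" on its own is not flagged: archiving into a label is routine, and it is only the pairing with "mark as read" that hides mail from its owner.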
4. Forwarding Addresses
Separate from auto-forwarding settings, Gmail maintains a list of registered forwarding addresses for each account. These are destinations that Gmail has verified — meaning the user went through the confirmation flow at some point.
Even if auto-forwarding is currently disabled, a verified forwarding address means it can be re-enabled instantly. Think of it as a loaded gun in a locked cabinet: technically secured, but the capability is there.
What matters:
- How many forwarding addresses are registered? (For most users, the answer should be zero.)
- Which ones are verified vs. pending?
- Do any point outside the organization's domain?
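Covering signals 1, 2 and 4 together, an added Python example (not the product's code) that scores auto-forwarding, registered forwarding addresses and delegates from Gmail API settings responses; the sample data and the corp.example domain are constructed.

```python
"""Posture check over a user's Gmail forwarding and delegation settings (constructed data)."""
from __future__ import annotations

# Input shapes follow the Gmail API settings resources:
#   users.settings.getAutoForwarding        -> {enabled, emailAddress, disposition}
#   users.settings.forwardingAddresses.list -> [{forwardingEmail, verificationStatus}]
#   users.settings.delegates.list           -> [{delegateEmail, verificationStatus}]


def is_external(address: str, domain: str) -> bool:
    """True when the address is outside the managed domain (subdomains count as internal)."""
    host = address.rsplit("@", 1)[-1].lower()
    return not (host == domain or host.endswith("." + domain))


def assess_forwarding(auto_fwd: dict, fwd_addresses: list[dict], delegates: list[dict],
                      domain: str) -> list[tuple[str, str]]:
    """Return (severity, message) findings; an empty list means a clean posture."""
    findings = []
    if auto_fwd.get("enabled"):
        dest = auto_fwd.get("emailAddress", "")
        disp = auto_fwd.get("disposition", "dispositionUnspecified")
        # An external destination is the exfiltration case; the trash/archive dispositions
        # also hide the forwarded mail from the owner, so both rate high.
        sev = "high" if is_external(dest, domain) or disp in ("trash", "archive") else "medium"
        findings.append((sev, f"auto-forwarding enabled -> {dest} (disposition={disp})"))
    for fa in fwd_addresses:
        # Auto-forwarding may be off, but a verified external address can re-enable it instantly.
        if is_external(fa["forwardingEmail"], domain):
            status = fa.get("verificationStatus", "verificationStatusUnspecified")
            sev = "medium" if status == "accepted" else "low"
            findings.append((sev, f"external forwarding address {fa['forwardingEmail']} [{status}]"))
    for d in delegates:
        status = d.get("verificationStatus", "verificationStatusUnspecified")
        # Every delegate is reported so the reviewer sees who can act on the mailbox;
        # a non-accepted invitation (pending, expired, rejected) is the odd one to ask about.
        sev = "info" if status == "accepted" else "low"
        findings.append((sev, f"delegate {d['delegateEmail']} [{status}]"))
    return findings


# Constructed sample mirroring the forgotten-forwarding case described above
SAMPLE_AUTO_FWD = {"enabled": True, "emailAddress": "j.doe.home@example.net", "disposition": "leaveInInbox"}
SAMPLE_FWD_ADDRS = [{"forwardingEmail": "j.doe.home@example.net", "verificationStatus": "accepted"}]
SAMPLE_DELEGATES = [{"delegateEmail": "assistant@corp.example", "verificationStatus": "pending"}]

if __name__ == "__main__":
    for sev, msg in assess_forwarding(SAMPLE_AUTO_FWD, SAMPLE_FWD_ADDRS, SAMPLE_DELEGATES, "corp.example"):
        print(f"[{sev}] {msg}")
```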
Why This Isn't the Same as Reading Email
Some admins — and their legal teams — are uncomfortable with email monitoring tools. Fair enough. Reading someone's inbox is invasive, even when justified. It creates liability, requires policies, and should be the exception rather than the rule.
Gmail governance is different. You're reading settings, not content. The API scope for governance checks is gmail.settings.basic — configuration only. No subjects, no bodies, no attachments. You see: is forwarding on? Who has access? What do the filters do?
MonitorWorkspace also offers full inbox monitoring when investigations require it — read-only access, email transfer, search. But governance checks don't need that scope. Start with settings. Escalate to inbox access only when the situation demands it.
This distinction matters for policy. Organizations that restrict inbox monitoring can still justify settings audits — because you're checking the security posture of an account, not reading someone's mail.
When to Check
Running these checks once during onboarding isn't enough. Gmail configurations change. People add forwarding rules, accept delegate invitations, create new filters. The governance signals you checked three months ago may not reflect reality today.
Reasonable check cadence:
- On investigation: any time a security incident or HR concern involves a specific user
- During offboarding: before (and after) disabling the account — forwarding rules set up in the last week are worth scrutiny
- Periodic sweep: quarterly or monthly for high-risk accounts (executives, finance, anyone with access to sensitive data)
- On-demand: when policy changes (like disabling auto-forwarding at the domain level) need verification that individual accounts comply
What This Looks Like in Practice
MonitorWorkspace surfaces all four signals in a single "Gmail Compliance" tab on the user detail page. Open a user, click the tab, and you see:
- Auto-forwarding status with destination and verification
- All registered forwarding addresses
- Delegate list with acceptance status
- Every mail filter, with suspicious patterns flagged automatically
No inbox access. No message content. Just the configuration data that tells you whether this account's Gmail setup creates risk for your organization.
Most teams could script these checks. Almost none maintain the script, schedule it, audit-log every run, and surface risk patterns automatically. That's the difference between a one-off investigation and an ongoing governance practice.
Every compliance check is audit-logged — who ran it, when, for which user. The same transparency that applies to inbox monitoring applies here: governance checks are accountable, too.
If you're running a Google Workspace domain and you haven't audited forwarding rules recently, start there. It takes five minutes and the results are usually surprising.