You may need to access another user’s email for security reasons, to perform an email audit, or perhaps when collaborating with a colleague. There are several ways to do this as a google workspace admin, for example by creating a shared inbox or using security tools.
here we will guide you through each method step by step.
method 1: proxy account
A delegate account is a shared inbox that can be accessed by up to ten users (delegates). each delegate can send or receive emails from the account and you can keep the account organized using labels and filters.
You may want to use this type of account for customer service or a joint project, for example. a delegated account means that everyone has access to all relevant information and communications. In addition, each user can see which messages have already been sent, so there is no work or repetition of messages.
Here’s how to add delegates to a gmail account:
step 1: open gmail on your computer. (this process does not work in the gmail app).
step 2: click the settings button and then view all settings.
step 3: select the accounts and import or accounts tab.
step 4: go to the granting access to your account section and click on add another account.
Step 5: Enter the delegate’s email address.
step 6: click next step and then send email to grant access.
the recipient will receive an invitation within 24 hours. they have one week to confirm, after which the invite expires.
need to remove a delegate from the account? this is how it’s done:
step 1: open gmail on your computer.
step 2: go to settings > view all settings.
Step 3: Click the Accounts & Import tab.
Step 4: Find the user you want to remove in the Grant access to your account section. click delete next to that user.
method 2: collaborative inbox
A collaborative inbox is slightly different from a delegated account. it is a type of group that you can set up through google groups. has its own email address that users can use to send and receive messages.
It’s a good idea to set up a collaborative inbox for project management purposes. this is because users can also track conversations as tasks and assign conversations to each other.
you can create a new group within google groups to use as a collaborative inbox or turn an existing group into a collaborative inbox by activating the relevant features. If you’re setting up a new group, then as an administrator you’ll first need to make sure you turn on groups for business.
This is how you can use a group as a collaborative inbox:
step 1: go to google groups and select the name of the group.
step 2: click group settings.
Step 3: Find enable additional Google Groups features and select Collaborative Inbox.
Step 4: Assign permissions to group members so users can view, participate, and manage conversations.
method 3: research tool
The google workspace research tool allows super administrators to access a wide range of data and information related to the organization’s account. this includes access to data about gmail messages as well as email content.
The purpose of the tool is to investigate and fix any security or privacy issues. Here’s how to use it to view other users’ emails:
Step 1: Sign in to the admin console with your admin account.
Step 2: Go to Security > research tool.
Step 3: Select gmail messages from the list of data sources.
step 4: click on add condition.
Step 5: Find the emails you want to view. you can narrow your search using the menus. for example, you can add a search condition to get emails from users who click links.
Step 6: Click search and locate the message you want to view, then click the message ID or the message subject.
Step 7: Click message at the top of the message header.
Step 8: Enter the reason why you want to see the content of this message. this reason is recorded in the administrator audit log.
step 9: click confirm.
You will now be able to see the content of the message and take any additional actions you need. for example, you can mark the message as spam or quarantine it.
method 4: content compliance
As an administrator, you can use content compliance rules to flag essentially any email that might be of concern. messages that meet certain conditions can be sent to an administrator quarantine. from there you can view the email and modify it before sending it or choose to reject it.
You may want to do this sort of thing to prevent sensitive information from being shared outside the company, for example.
Here’s how to set up and use content compliance rules:
Step 1: Sign in to the admin console with your admin account.
step 2: go to applications > google workspace > gmail > compliance. Alternatively, you may need to go to applications > google workspace > gmail > advanced settings.
Step 3: Go to the compliance section and hover over content compliance and then click configure.
Step 4: Enter a description for the configuration.
step 5: check the boxes of the emails you want the rule to apply to: incoming, outgoing and/or internal messages.
Step 6: Add up to ten expressions that you want to be marked and select if some or all of the conditions must be met to trigger an action.
Step 7: Choose whether you need a simple content match, advanced content match, predefined content, or metadata match for the expression. then click save.
Here’s a brief explanation of what each of these content match types means:
- simple content match: Any expression containing the words you enter will be marked. for example, typing “confidential document” will also mark a message that says “this document is confidential.”
- advanced content matching: This marks expressions that exactly match the ones you entered. therefore, if you enter “sensitive document”, only messages with the phrase “sensitive document” will be flagged.
- predefined content match: This flags particular sets of sensitive information, for example, messages containing a credit card, passport, or social security number.
- metadata match: Certain metadata attributes can be flagged. for example, if the email size is too large, it has not been encrypted, or the source ip is not within the defined range.
Step 8: Choose whether the message will be modified, rejected, or quarantined if there is an expression match. set the options for the action and click save settings.
method 5: google vault
If you have a Business Plus, Enterprise, Enterprise Essentials, Education Fundamentals Plus, or G Suite Business account, you can use Google Vault. If you have another type of account, you can purchase an additional Google Vault license.
the vault allows you to save, search and export your users’ google workspace data. this includes gmail messages, google chat messages, google meeting recordings, google group messages, and classic hangout messages.
so essentially you can access any type of user message through google vault as well as user emails. though admins need to set vault retention rules for this to work.
You can make a copy of gmail messages remain in the vault even if the user deletes the message and empties their trash.
In addition, you can set a custom vault rule to only save certain messages or a default retention rule where all messages are retained.
Here’s how to set the default retention rule for gmail:
step 1: sign in to google vault.
step 2: click hold.
step 3: select gmail.
Step 4: Specify how long you want to retain messages by selecting indefinitely or retention period and then enter the number of days you want to keep messages. messages.
Step 5: If you specify a retention period, you’ll need to determine what to do with messages after the retention period. you have the option to purge all messages or just the ones that have been deleted.
Step 6: Click Save and you will be prompted to confirm that you understand the effects of the rule. check the appropriate boxes and then click accept.
common problems viewing other users’ emails as a g suite admin
These are solutions to some of the most common problems encountered when using the above methods:
problems with a proxy account
There are some common problems that administrators with a delegated account seem to run into.
First, if you find that there is a delegate in the account that you did not add, you must change the account password immediately. this is because it may be a hacker who accessed the account through phishing or malware.
did you try to add a delegate to the account and failed? Please note that you can only add members from your school, company, or other type of organization as delegates.
If they’re part of your organization and you can’t add them yet, you’ll need to set up mx records for your google workspace email. this involves verifying your domain and making gmail your professional email provider.
Another issue you may run into is that a delegate you added can’t access the account. This is probably because you chose the Require user to change password at next login option when you added the delegate. therefore, the user must change his password to access the delegated account. alternatively, you can disable the option that requires users to change their password.
an administrator cannot use the investigation tool
If a workspace admin finds that they can’t use the investigation tool, they may not have the appropriate privileges. this is what she should do:
Step 1: In the management console, go to Admin Roles.
step 2: point to administrator and click view privileges, then click open privileges.
step 3: go to the services section and click on security center privileges.
Step 4: Click This user has full administrative rights for the security center to expand the section.
Step 5: Check the privilege boxes for the investigation tool. here you can choose what type of data they can access when they use the investigation tool.
deleted users and google vault
An issue you may run into with google vault is missing messages or data. The thing is, when you delete a user from Google Workspace, all of their associated messages and data are also deleted from Google Vault.
You may be able to recover the deleted user’s data by restoring their account. but you cannot recover any data that has already been deleted.
If you don’t want this problem to occur in the future, don’t delete a user, even if they leave the organization.
You have a couple of alternative options. First, you can assign an Archived User (AU) license to the user, which means their data will be kept in the vault. or you can suspend the account, which means they won’t be able to use any google workspace services, but their data will be retained.
Is it legal to view other users’ emails?
another thing you might want to know is if reading employee emails breaks any laws.
according to nancy flynn, founder and executive director of the epolicy institute,
“The federal Electronic Communications Privacy Act makes it clear that workplace email [is] the property of the employer, and employees should have no expectation of privacy when sending, receiving, downloading, uploading, printing, or transmitting electronic messages”.
But just because you can legally read employee emails doesn’t necessarily mean you should do it left, right, and center. Make sure there is a valid reason to read user emails, such as protecting company data, employees, or company reputation.
It’s also a good idea to indicate that the company may and may need to check user emails in company policies. this is to ensure that employees are aware of the practice and the consequences they may face if they use email for inappropriate or malicious reasons.