Deleting accidental or dangerous emails in Google Workspace


As Google Workspace admins, we are sometimes asked to delete emails from other users' accounts when the messages were sent in error or contain malware, phishing, etc. This is not something we do lightly, and it should only be done in the most extreme cases.

If the message went outside your Google Workspace domain, there is almost nothing we can do beyond asking the recipient to delete the message.

For messages received inside of the Google Workspace, there are two things I’ve done:

  1. Change the recipient’s password, delete the message, empty the trash;
  2. Use the command line tool GAM

The remainder of this post focuses on the second approach since it is less disruptive to the user(s). However, it is more dangerous since mistakes can delete the wrong message(s). When this document refers to GAM, we are referring to the GAMADV-XTD3 version.

Finding the Message ID

To delete a message using GAM, you need to know its Message ID. There are several ways to find it: use the “Show original” feature of Gmail (the easiest, if you have access to an account the message was sent from or received in), look in the raw headers of the email, or use GAM to search for it.

“Show original” feature of Gmail to find a Message ID

In Gmail, select “Show original”, which will nicely decode the headers of the message and show you the Message ID in the first line.

Tip: You can ask the sender to do this in their sent message folder and copy/paste the Message ID in an email to you.

Looking at the raw headers / original email to find a Message ID

If you have access to the original unparsed email message (either from the sender or a recipient), you can look through the headers at the top of the message for a line that starts with “Message-ID:”.

Here is an example of the headers from an email that an email client hasn’t parsed:

Message-ID: <0101018d3c6c1777-3b5e6fe4-a6f7-4c0f-bxc1-75850bcb519e-000000@us-west-2.amazonses.com>

Using GAM to find a Message ID

GAM has a few ways to search for a Message ID. See the Print Messages Query section of the GAM manual.

Searching by subject and date range in a single user's account

The following command searches through the account “myemail” for messages with a subject of “Alert for MYNET - wireless” between 1/24/24 and 1/25/24. Note that you have to escape the quotes around the subject with a backslash and put the dates in YYYY-MM-DD format.

gam user myemail show messages query "subject:\"Alert for MYNET - wireless\" before:2024-01-25 after:2024-01-24"

Searching by subject and date range in all accounts and sending the results to a new Google Sheet

gam all users print messages query "subject:\"Alert for MYNET - wireless\" before:2024-01-25 after:2024-01-24" todrive

This is going to be slow (think 30-45 minutes) since it searches each account one at a time. You can also use “gam ou_and_children_ns <Path/To/OU>” instead of “all users” to just search a single OU. Since the message ID is going to be the same for all users, you can often just search one user.

Deleting an email using GAM

From a single user

The following command will delete from the user myemail the message that matches the Message ID specified after “rfc822msgid:” (in this case 0101018d3c6c1777-3b5e6fe4-a6f7-4c0f-bxc1-75850bcb519e-000000@us-west-2.amazonses.com).

gam user myemail delete messages query "rfc822msgid:0101018d3c6c1777-3b5e6fe4-a6f7-4c0f-bxc1-75850bcb519e-000000@us-west-2.amazonses.com" doit
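
As an added example (not part of the original post or of GAM), the following shell script pulls the Message ID out of raw headers as described under “Looking at the raw headers”, rejects IDs containing characters that could widen the Gmail query, and prints the read-only search ahead of the delete so the match can be checked before anything is removed. The function names and the sample message are constructed for illustration; the script never runs gam itself.

```shell
# Added example: nothing here calls gam; plan_delete only prints commands to review.

# Constructed sample: raw message with a folded, lower-case Message-ID header
# (using the ID from the page) and a decoy "Message-ID:" line in the body.
sample_message() {
  printf '%s\r\n' \
    'Received: from mail.example.net by mx.example.org; Wed, 24 Jan 2024 10:00:00 +0000' \
    'Subject: Alert for MYNET - wireless' \
    'message-id:' \
    ' <0101018d3c6c1777-3b5e6fe4-a6f7-4c0f-bxc1-75850bcb519e-000000@us-west-2.amazonses.com>' \
    '' \
    'Message-ID: <decoy-in-body@example.com>'
}

# Read a raw message on stdin and print its Message-ID without angle brackets.
# Only the header block is read; folded headers are unfolded first.
extract_msgid() {
  awk '
    { sub(/\r$/, "") }                             # tolerate CRLF line endings
    /^$/ { exit }                                  # blank line ends the headers
    /^[ \t]/ { if (n) hdr[n] = hdr[n] $0; next }   # continuation of previous header
    { hdr[++n] = $0 }
    END {
      for (i = 1; i <= n; i++)
        if (tolower(hdr[i]) ~ /^message-id:/) {
          v = hdr[i]; sub(/^[^:]*:/, "", v); gsub(/[ \t<>]/, "", v)
          print v; exit
        }
    }'
}

# Conservative allowlist: one "@", and no character (space, quote, colon,
# parenthesis, ...) that could add search terms to the Gmail query. Some valid
# IDs fall outside it and need manual handling.
valid_msgid() {
  case "$1" in
    *[!A-Za-z0-9._+=@-]*) return 1 ;;
    *@*@*) return 1 ;;
    ?*@?*) return 0 ;;
    *) return 1 ;;
  esac
}

# Print the read-only search, then the delete, for one mailbox ($1) and ID ($2).
plan_delete() {
  valid_msgid "$2" || { echo "refusing Message-ID: $2" >&2; return 1; }
  printf 'gam user %s show messages query "rfc822msgid:%s"\n' "$1" "$2"
  printf 'gam user %s delete messages query "rfc822msgid:%s" doit\n' "$1" "$2"
}

plan_delete myemail "$(sample_message | extract_msgid)"
```

Run the first printed command and confirm it returns only the intended message before running the second.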

From all users

gam all users delete messages query "rfc822msgid:0101018d3c6c1777-3b5e6fe4-a6f7-4c0f-bxc1-75850bcb519e-000000@us-west-2.amazonses.com" doit

Just like with searching all users, deleting from all users is very slow (30-45 minutes) since it iterates through all of our users. You can also target an OU (see documentation) if needed.

From a group of users

gam group mygroup@mygoogleworkspace.org delete messages query "rfc822msgid:0101018d3c6c1777-3b5e6fe4-a6f7-4c0f-bxc1-75850bcb519e-000000@us-west-2.amazonses.com" doit

Like all users, this will iterate through all members of the group and can take a while to run on large groups. The message specified in the query does not have to have been sent to the list. The command is only using the group for the list of accounts to search through and delete the message from.
