Set Up an Image URL Whitelist for Google Apps for Work

« Go Back


Full Story

To improve monitoring and measurement of your IC emails and to improve open rates, your IT administrators can set group policy to enable automatic picture downloading for your email communications. Automatic picture download allows us to track internal email opens more consistently, yielding more accurate email metrics reporting.

Set up an Image URL Whitelist:

When users open email messages, Gmail uses Google’s secure proxy servers to serve images that might be included in these messages. This protects a company's users and domains against image-based security vulnerabilities. Because of the image proxy, links to images that are dependent on internal IPs and sometimes cookies are broken.

The Image URL proxy whitelist setting lets you avoid broken links to images by creating and maintaining a whitelist of internal URLs that'll bypass proxy protection. When you configure the Image URL proxy whitelist, you can specify a set of domains and a path prefix that can be used to specify large groups of URLs.

Configure the Image URL proxy whitelist setting:

  1. Log in to your Google Admin Console.

  2. From the Admin console dashboard, go to Apps > G Suite > Gmail > Advanced settings.

  3. Tip: To see Advanced settings, scroll to the bottom of the Gmail page.

  4. On the left, select your top-level organization.

  5. Scroll to the Image URL proxy whitelist section.

  6. Enter image URL proxy whitelist patterns. Matching URLs will bypass image proxy protection.

  7. At the bottom, click Save.

It can take up to an hour for changes to propagate to user accounts. You can track prior changes under Admin console audit log.

Guidelines for Applying the Image URL Proxy Whitelist Setting:

Security considerations

Consult with your security team before configuring the Image URL proxy whitelist setting. The decision to bypass image proxy whitelist protection can expose your users and domain to security risks if not used with care.

In general, if you have a domain that needs authentication via cookie, and if that domain is controlled by an administrator within your organization and is completely trusted, then whitelisting that URL should not expose your domain to image-based attacks.

Important: Disabling the image proxy is not recommended. This option is available to provide flexibility for administrators, but disabling the image proxy can leave your users vulnerable to malicious attacks.

Entering Image URL patterns

To maintain a whitelist of internal URLs that'll bypass proxy protection, enter the image URL patterns in the Image URL proxy whitelist setting. Matching URLs will bypass the image proxy.

A pattern can contain the scheme, the domain, and a path. The pattern must always have a forward slash (/) present between the domain and path. If the URL pattern specifies a scheme, then the scheme and the domain must fully match. Otherwise, the domain can partially match the URL suffix. For example, the pattern matches, but not The URL pattern can specify a path that's matched against the path prefix.


  • Enter your actual domain name as you enter the image URL pattern.
  • Always include a trailing forward slash (/) after the domain name.

Note: The URL scheme (http://) is optional. If the scheme is omitted, the pattern can match any scheme, and allows partial matches on the domain suffix.

Previewing the image URL patterns

Click Preview to see if the URLs match the image URL patterns you've set. If the image URL matches a pattern, you'll see a confirmation message. If the image URL does not match, an error message appears.

Was this article helpful?



Please tell us how we can make this article more useful.

Characters Remaining: 255


Contact Support

Don't see what you're looking for?
Contact our support team who will be happy to answer your query.

Contact Us