Google Groups can be difficult to secure due to the dizzying array of configuration options, and Google’s sparse documentation doesn’t make it easy. For example, “Who can contact group owners” is the first permission in the admin console, but there’s no explanation of what that means. So what is it?
“Who can contact group owners” refers to a special option for emailing owners directly from the Groups web portal or via a special email tag. It has no relation to the normal method of posting messages to a Group.
Emails are sent directly to group owners from the group but don’t appear in the group’s conversation page.
Two ways to contact owners
There are two primary ways to contact owners. The most obvious one is the group’s page on groups.google.com. Depending on the permissions of the user and group, there will be slightly different affordances for emailing the group owners.
The about page
This is a group I don’t own – I don’t see the option to contact owners on the about page, but I do see it when trying to view group conversations:
In some cases, the user won’t see the conversations tab, only the about page, and the option may appear there (I’m the owner of this group):
If you have “Who can contact owners” set to a level the user doesn’t have, they won’t see the option on the about page at all:
Emailing owners directly
According to a wiki page from the University of Wisconsin-Madison people can also use thegroupemail+owner@domain.com to email the owners of a Group.
This sometimes works even when “Who can contact groups owners” is restricted! I tested this in August 2023 with a consumer Google group that had “Who can contact owners” set to “members only”. I had an external user email the groupemail+owner, and the group owner got the email in their inbox with the Groups footer but the message did not appear in the Google Group itself.
Oddly, I tested this with another group that had “Who can contact owners” set to “organization” and wasn’t able to replicate the issue. I think this is because the group was in a Workspace environment that had “Accessing groups from outside this organization” set to “Private” in the Admin Console, but I’m not 100% sure.
Takeaways
If you’re using consumer Google Groups, be careful – scammers or other abusive users will be able to email your group owners directly. If you’re in a Workspace domain, you should have the setting on that makes your Groups private by default.
In both cases, only allowing members of the group to contact owners is safest. Organizations don’t need to let anyone in the org email owners – they should have a helpdesk process for this if they don’t already (if you don’t have one, you can make a simple one with Google Forms & Sheets).
Leave a Reply