Security Resource

Email Size Limits and Large File Delivery Architecture: Practical Engineering Guide

Detailed engineering guidance for moving from attachment bottlenecks to controlled secure link workflows.

Context and problem framing

If your total attachment size is greater than the limit, Gmail automatically removes the attachment and adds it as a Google Drive link in the email. Typical operational metadata includes: File/transfer identifiers — IDs used to locate requested data Filename — what you see in the UI File size — for quotas and progress display Expiration & download limits Download counts — for UI and abuse detection We also maintain minimal security telemetry to prevent abuse (such as IP and user-agent in security logs). You can further harden access by: Password protection — require a password before download Zero-knowledge encryption — require the passphrase to decrypt after download Expiration / download caps — limit the window of exposure Rate limiting and abuse controls make large-scale link guessing and scraping noisy and costly.

For work and school accounts, your Google Workspace administrator sets the attachment sending limits and attachment receiving limits . Fix issues with attachments in Gmail Attachments might be unavailable Your network administrator or Internet provider probably blocked "mail-attachment.googleusercontent.com," the domain Google uses to host attachments. Security logging To defend the service and investigate abuse, we log security events such as rate limit blocks, authentication events, and suspicious activity.

Risk surface and exposure patterns

Blocked for security reasons To prevent viruses, Gmail doesn't let you attach executable files , like files ending in .exe. If a file or folder you're trying to upload to OneDrive contains any of the characters listed below, it may prevent files and folders from syncing. To prevent uploading .PST files from the OneDrive sync app, read Blocking syncing of specific file types .

Virus detection Applies to: If we detect a virus in a file, the OneDrive sync app immediately stops syncing to prevent the virus from spreading and ensure the safety of your devices. The main security goals are: Confidentiality: prevent unauthorized access to file contents. We rely on file-type enforcement, metadata analysis, and behavioral signals to detect and prevent abuse.

Transfer control model

Always send passwords through a separate communication channel from the file link itself — for example, share the link via email and the password via a messaging app. Encryption modes Zero-knowledge encryption (end-to-end) Your browser encrypts the file before upload . What metadata exists Even with zero-knowledge encryption, a file sharing service needs some metadata to operate.

Link security & access controls File access is controlled primarily by a high-entropy link token. Malware scanning & abuse prevention We use layered controls to reduce malicious sharing and infrastructure abuse: File-type checks and suspicious-extension enforcement Rate limiting on upload, auth, and high-risk endpoints Behavioral signals — download patterns, spikes, and anomaly detection All uploads use zero-knowledge encryption, meaning the server only receives ciphertext. The important privacy property is that the server doesn't need the password to deliver the file.

Implementation architecture

For security reasons, a number of file names and extensions can't be uploaded since they are executable, used by SharePoint Server, or used by Windows itself. OneDrive for Windows and Mac is also compatible with SharePoint Server Subscription Edition. This key encrypts the file and is then encoded as Base64URL and placed in the share link's URL fragment : https://fileshot.io/d/<fileID>#k=<base64url-encoded-key> Per RFC 3986 , the URL fragment (everything after # ) is never sent to the server in HTTP requests.

This article contains information about the restrictions and limitations that apply to files, file names and file types when syncing with OneDrive for home, OneDrive for work or school or SharePoint in Microsoft 365. For Office desktop win32 apps: If you're saving an Office file via the Backstage view to a OneDrive or SharePoint folder, you won't be able to save the file if the folder name contains ; (semicolon). Limitations File upload and download sizes Applies to: Maximum Upload Download Sync 250GB 250GB Individual files 250GB 250GB Files within a zip 250GB 250GB Note: These limits applies to files , not your total storage .

Operational governance and auditability

For a 1 GB file, peak memory usage is approximately the chunk size (512 KB) plus overhead &mdash; not 1 GB. Tip : If you've already turned on confidential mode for an email, go to the bottom of the email, then click Edit . Notes: If you're looking for restrictions and limitations that apply to the earlier version of OneDrive for Business (groove.exe), SharePoint 2013, and SharePoint 2016 read KB 2933738 .

If you're a global admin or SharePoint admin in Microsoft 365, see Enabling # and % Support on the SharePoint blog to learn how to allow these characters. Outlook .PST files are supported, however they are synced less frequently compared to other file types to reduce network traffic. To move .PST files out of OneDrive, read How to remove an Outlook PST data file from OneDrive .

Failure modes and mitigation strategy

If you are a OneDrive for work or school user, some file types may be blocked on your organization's SharePoint site. Learn how to resolve the ”Gmail’s adding files” error message If you upload files from another device, wait until the upload completes. Invalid or blocked file types Applies to: Temporary TMP files will not be synced to OneDrive.

Infected files will be marked with a red symbol beside the file name, indicating that the file has been flagged as malware. Send attachments with confidential mode Tip : If you're using Gmail with a work or school account, contact your admin to make sure you can use confidential mode. If you choose "No SMS passcode," recipients using the Gmail app will be able to open it directly.

Execution checklist and rollout controls

Characters that aren't allowed in file and folder names in OneDrive for home or OneDrive for work or school " * : < > ? Goals & threat model FileShot is designed to make sharing large files fast and simple without turning your files into a product. Previews & active content safety File previews are a common vector for web security issues &mdash; especially with HTML, SVG, and other "active" formats.

Data residency FileShot's primary infrastructure and file storage operate on servers located in the United States . Encrypted file content is not cached at the CDN layer &mdash; only static web assets are eligible for edge caching. If the file is time-sensitive, combine password protection with an expiration policy so the link doesn't remain a forever-capability.

Implementation FAQ

What changes first in a secure delivery rollout?

Start with recipient-scope policy, expiration defaults, and separate-channel credential delivery controls.

How do teams reduce accidental oversharing?

Use narrow recipient groups, short-lived links, and revocation checkpoints tied to completion confirmation.

What evidence should be logged for audits?

Capture sender, recipient scope, delivery timestamp, control settings, and closure actions with change history.

How should sensitive transfers be validated?

Require integrity checks and role confirmation before release, with policy-based exceptions documented.