You are seeing Response Rule actions performed on emails that are identical to those configured in your policy, but you cannot find any related incidents in the Enforce Server console*.
When reviewing test emails (prior to sending), you can see that they do not have the x-headers applied before they reach the DLP Detection Server, but when the messages reach your downstream cloud gateway (after DLP content inspection), they carry the x-header from the response rule for the policy.
Release: 16.0
Network Prevent for Email
Cloud Service for Email
In most cases, it's not possible for the DLP Email Prevent or Cloud Service for Email services to apply Response Rule actions without recording incidents.
In this case, a header modification rule in the upstream MTA was performing the same actions that DLP is configured to perform.
Finding and disabling that rule eliminated the header modifications.
Thus, for Gmail, check:
Google Workspace > Settings for Gmail > Compliance
In the "Content Compliance" section, look for a rule that performs the same actions.
In this case, the rule in Gmail was even using the same name as the Policy configured in DLP.
*To confirm there are no "bad" incidents in the Enforce Server, or the Detection Server itself, look in the "incidents" directories. For more details on why those occur, see What is a .bad file? (broadcom.com).