Tip: Google Workspace uses 3 email standards to help prevent spoofing and phishing of your organization’s Gmail. These standards also help ensure your outgoing messages aren’t marked as spam. We recommend Google Workspace administrators always set up these email standards for Gmail:
- Sender Policy Framework (SPF): Specifies the servers and domains that are authorized to send email on behalf of your organization.
- DomainKeys Identified Mail (DKIM): Adds a digital signature to every outgoing message, which lets receiving servers verify the message actually came from your organization.
- Domain-based Message Authentication, Reporting, and Conformance (DMARC): Lets you tell receiving servers what to do with outgoing messages from your organization that don’t pass SPF or DKIM.
DMARC is a standard email authentication method. DMARC helps mail administrators prevent hackers and other attackers from spoofing their organization and domain. Spoofing is a type of attack in which the From address of an email message is forged. A spoofed message appears to be from the impersonated organization or domain.
DMARC also lets you request reports from email servers that get messages from your organization or domain. These reports have information to help you identify possible authentication issues and malicious activity for messages sent from your domain.
Go directly to the steps for setting up DMARC, later in this article.
About DMARC
DMARC helps protect users from forged email messages, and lets you manage messages that don't pass SPF or DKIM.
DMARC provides extra protection of your email accounts from spam, spoofing, and phishing.
How DMARC prevents spoofing & phishing
Spammers can spoof your domain or organization to send fake messages that impersonate your organization. DMARC tells receiving mail servers what to do when they get a message that appears to be from your organization, but doesn't pass authentication checks, or doesn’t meet the authentication requirements in your DMARC policy record. Messages that aren't authenticated might be impersonating your organization, or might be sent from unauthorized servers.
DMARC is always used with these two email authentication methods or checks:
- Sender Policy Framework (SPF) lets the domain owner authorize IP addresses that are allowed to send email for the domain. Receiving servers can verify that messages appearing to come from a specific domain are sent from servers allowed by the domain owner.
- DomainKeys Identified Mail (DKIM) adds a digital signature to every sent message. Receiving servers use the signature to verify messages are authentic, and weren't forged or changed during transit.
Spoofed messages are often used for malicious purposes, for example to communicate false information or to send harmful software. Spoofed messages are also used for phishing, a scam that tricks people into entering sensitive information like usernames, passwords, or credit card data. Spoofing can have a lasting effect on your organization’s reputation, and impacts the trust of your users and customers.
Sometimes spammers forge messages so that they appear to come from well-known or legitimate organizations. If spammers use your organization’s name to send fake messages, people who get these messages might report them as spam. If many people report these messages as spam, legitimate messages from your organization might also be marked as spam.
DMARC passes or fails a message based on whether the domain in the message’s From: header matches the domain that SPF or DKIM authenticated. This is called alignment. So, before you set up DMARC for your domain, you should turn on SPF and DKIM.
Learn about DMARC alignment.
If a mail server gets a message from your domain that fails the SPF or DKIM check (or both), DMARC tells the server what to do with the message. There are three possible options, defined by your DMARC policy:
- Policy is set to none - Take no action on messages, and deliver them normally.
- Policy is set to quarantine - Mark messages as spam, and send them to recipients' spam folder, or to quarantine.
- Policy is set to reject - Reject the messages, and don’t deliver them to recipients.
Learn about DMARC enforcement options.
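The alignment check and the three policy options described above, as an added example that is not from this article: a small Python model of the decision a receiving server makes. It parses a DMARC TXT record, tests SPF and DKIM alignment in relaxed or strict mode, and returns the disposition. All inputs are constructed, and example.com is a placeholder domain.

```python
# Added example (not Google Workspace code): how a receiver applies a DMARC
# policy. Inputs are constructed; example.com is a placeholder domain.

def parse_dmarc_record(txt: str) -> dict:
    """Split 'v=DMARC1; p=quarantine; adkim=s' into a tag dictionary."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, _, value = part.strip().partition("=")
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a valid DMARC record: needs v=DMARC1 and p=")
    return tags

def org_domain(domain: str) -> str:
    """Crude organizational domain (last two labels). Real receivers consult
    the Public Suffix List; this shortcut is enough for the example."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """Strict ('s') alignment needs an exact match. Relaxed ('r', the
    default) accepts any subdomain of the same organizational domain."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)

def evaluate_dmarc(record: str, from_domain: str,
                   spf_result: str, spf_domain: str,
                   dkim_result: str, dkim_domain: str) -> dict:
    """Return DMARC pass/fail and the disposition the record requests.

    spf_domain is the domain SPF checked (MAIL FROM); dkim_domain is the
    d= value of a verified DKIM signature."""
    tags = parse_dmarc_record(record)
    # DMARC passes when at least one identifier passed AND is aligned.
    spf_ok = spf_result == "pass" and aligned(
        from_domain, spf_domain, tags.get("aspf", "r"))
    dkim_ok = dkim_result == "pass" and aligned(
        from_domain, dkim_domain, tags.get("adkim", "r"))
    passed = spf_ok or dkim_ok
    # none = deliver normally, quarantine = spam folder, reject = refuse.
    disposition = "none" if passed else tags["p"]
    return {"pass": passed, "spf_aligned": spf_ok,
            "dkim_aligned": dkim_ok, "disposition": disposition}

if __name__ == "__main__":
    # A forged From: example.com message relayed by an unrelated domain.
    print(evaluate_dmarc("v=DMARC1; p=reject", "example.com",
                         "pass", "bulk-mailer.invalid", "none", ""))
```

Note that a DKIM signature that passes for a subdomain such as mail.example.com aligns under the default relaxed mode but fails once adkim=s is set, which is why the article recommends rolling out gradually and reading reports before tightening.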
Set up your DMARC record to get regular reports from receiving servers that get email from your domain. DMARC reports contain information about all the sources that send email for your domain, including your own mail servers and any third-party servers.
DMARC reports help you:
- Learn about all the sources that send email for your organization.
- Identify unauthorized sources that send email appearing to come from your organization.
- Identify which messages sent from your organization pass or fail authentication checks (SPF or DKIM, or both).
DMARC reports are hard to read and interpret for most people. Learn more about using DMARC reports.
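Because the aggregate reports mentioned above are hard to read by hand, here is an added example (not from this article) that summarizes one. Aggregate (rua) reports are XML in the RFC 7489 format; the report below is constructed, with example.com and documentation-range IP addresses as placeholders.

```python
# Added example (not Google Workspace code): turn a DMARC aggregate report
# into a per-source summary. SAMPLE_REPORT is constructed test data.
import xml.etree.ElementTree as ET

SAMPLE_REPORT = """<feedback>
  <report_metadata>
    <org_name>receiver.example</org_name>
    <report_id>constructed-001</report_id>
  </report_metadata>
  <policy_published><domain>example.com</domain><p>quarantine</p></policy_published>
  <record>
    <row><source_ip>192.0.2.10</source_ip><count>120</count>
      <policy_evaluated><disposition>none</disposition>
        <dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
  </record>
  <record>
    <row><source_ip>203.0.113.7</source_ip><count>15</count>
      <policy_evaluated><disposition>quarantine</disposition>
        <dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
  </record>
</feedback>"""

def summarize_report(xml_text: str) -> dict:
    """Aggregate message counts per sending IP and flag sources that
    failed both aligned SPF and aligned DKIM (the candidates for
    unauthorized senders or misconfigured third parties)."""
    root = ET.fromstring(xml_text)
    summary = {"domain": root.findtext("policy_published/domain"),
               "policy": root.findtext("policy_published/p"),
               "sources": {}, "total": 0, "failing": 0}
    for rec in root.iter("record"):
        ip = rec.findtext("row/source_ip")
        count = int(rec.findtext("row/count"))
        dkim = rec.findtext("row/policy_evaluated/dkim")
        spf = rec.findtext("row/policy_evaluated/spf")
        passed = dkim == "pass" or spf == "pass"   # DMARC needs one aligned pass
        summary["sources"][ip] = {"count": count, "dkim": dkim, "spf": spf,
                                  "dmarc_pass": passed,
                                  "disposition": rec.findtext(
                                      "row/policy_evaluated/disposition")}
        summary["total"] += count
        if not passed:
            summary["failing"] += count
    return summary

if __name__ == "__main__":
    for ip, row in summarize_report(SAMPLE_REPORT)["sources"].items():
        print(ip, row)
```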
Before you set up DMARC
For details, go to Before you set up DMARC.
Define your DMARC policy record
For details, go to Define your DMARC policy.
Add your DMARC record
For details, go to Add your DMARC record.
Tutorial: Recommended DMARC rollout
For details, go to Tutorial: Recommended DMARC rollout.
DMARC reports
For details, go to DMARC reports.
Troubleshoot DMARC issues
For details, go to Troubleshoot DMARC.