Enhance security for forged spam (DMARC)
Manage suspicious emails with DMARC
Spammers can forge the "From" address on email messages to make messages appear to come from someone in your domain. If spammers use your domain to send spam or junk email, your domain quality is negatively affected. People who get the forged emails can mark them as spam or junk, which can impact authentic messages sent from your domain.
Gmail supports Domain-based Message Authentication, Reporting, and Conformance (DMARC) as a way to prevent this type of spam. Use DMARC to define the policy for how Gmail handles spam emails that appear to be sent from your domain.
Learn more about DMARC.
How DMARC works
DMARC helps email senders and receivers verify messages. DMARC also defines the action to take on suspicious incoming messages. When an incoming message does not pass the DomainKeys Identified Mail (DKIM) check, DMARC defines what happens to these messages. There are three options:
- Take no action on the message.
- Mark the message as spam and hold it for more processing (quarantine).
- Cancel the message so that it is not sent to the recipient.
Set up DMARC after SPF and DKIM
Before you set up DMARC, we recommend setting up Sender Policy Framework (SPF) and DKIM. DMARC uses SPF and DKIM to verify messages are authentic. A message that does not pass SPF or DKIM checks triggers the DMARC policy.
DMARC and third-party email providers
For DMARC to effectively manage suspicious messages, all messages should be sent from your own domain. Messages sent from third-party email providers for your organization can appear invalid and be rejected, depending on the DMARC policy.
To prevent messages from third-party email providers from being marked invalid:
- Share your DKIM key with the provider so the key is added to outgoing messages.
- Ask the provider to send messages through your network.
DMARC filtering examples
Tips for using DMARC
Here are some tips for using DMARC:
- You can set up DMARC to send you a daily report from all participating email providers. The report shows:
- How often messages are authenticated
- How often invalid messages are seen
- DMARC policy actions that occur
- You can update your DMARC policy based on what you learn from the daily reports. For example, you can change your policy from “monitor” to “quarantine” to “reject” if you see that valid messages are being authenticated.
- Your policy can be strict or relaxed. For example, eBay and PayPal policies require all messages from their domains be authenticated to appear in someone's inbox. To meet their policies, Google rejects all messages from eBay or PayPal that aren’t authenticated.
- Recipients don't have to do anything, because Gmail conducts the DMARC check for you.
For more tips, see the DMARC Overview.
Start using DMARC
To start using DMARC, go to Add a DMARC record.
See these related articles for more information about email security:
- Control unauthenticated mail from your domain
- Email authentication
- SPF records
- Authenticate email with a domain key