Understand DMARC

Overview

Spammers can sometimes forge the "From" address on mail messages so the spam appears to come from a user in your domain. To help prevent this sort of abuse, Google is participating in DMARC.org, which gives domain owners more control over what Gmail does with spam emails from their domain.

Google Apps follows the DMARC.org standard and allows you to decide how Gmail treats unauthenticated emails coming from your domain. Domain owners can publish a policy telling Gmail and other participating email providers how to handle unauthenticated messages sent from their domain. By defining a policy, you can help combat phishing to protect users and your reputation.

Prerequisites

Please note, you must send all mail through your own domain for DMARC to be effective. Mail sent on your behalf through third-party providers will appear unauthenticated and therefore may be rejected, depending upon your policy disposition. To authenticate mail sent from third-party providers, either share your DKIM key with them for inclusion on messages or have them relay mail through your network.

If you're a domain owner, you'll first need to configure SPF records and DKIM keys on all outbound mail streams. DMARC relies on these technologies to ensure signature integrity. A message fails DMARC only if it fails both the SPF and the DKIM check; passing either one is enough for the message to pass DMARC. See the corresponding SPF and DKIM sections of the DMARC specification for example messages filtered by these tools.
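To make the pass/fail rule above concrete, here is an added Python illustration (not Google's code and not part of this article) of how a receiving mail server combines SPF and DKIM results into a DMARC verdict and maps a failure onto the published policy. It also applies identifier alignment, which the article does not spell out: the domain a passing check authenticated must match the domain in the From: header (under relaxed mode, the same organizational domain). This is what makes mail from an unconfigured third-party provider fail, as the Prerequisites section warns. The domain names, the `AuthResult` structure and the two-label organizational-domain shortcut are assumptions for the demo.

```python
"""DMARC verdict from SPF and DKIM results.

Added illustration only; not Google's or DMARC.org's code. Domain names
and the organizational-domain shortcut below are assumptions for the demo.
"""
from dataclasses import dataclass


@dataclass
class AuthResult:
    # One authentication result as a receiver records it.
    method: str   # "spf" or "dkim"
    result: str   # "pass" or "fail"
    domain: str   # domain the check authenticated (SPF: MAIL FROM domain; DKIM: d= tag)


def organizational_domain(domain: str) -> str:
    # Simplification: keep the last two labels. Real receivers use the
    # Public Suffix List so names like example.co.uk are handled correctly.
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(header_from: str, auth_domain: str, mode: str) -> bool:
    # "s" (strict): exact match with the From: domain.
    # "r" (relaxed): same organizational domain is enough.
    if mode == "s":
        return header_from.lower() == auth_domain.lower()
    return organizational_domain(header_from) == organizational_domain(auth_domain)


def dmarc_verdict(header_from: str, results, spf_mode: str = "r", dkim_mode: str = "r") -> str:
    # DMARC passes when at least one check passed AND the domain that check
    # authenticated aligns with the From: header. A message that fails both
    # checks, or passes only with an unaligned domain, fails DMARC.
    for r in results:
        if r.result != "pass":
            continue
        mode = spf_mode if r.method == "spf" else dkim_mode
        if aligned(header_from, r.domain, mode):
            return "pass"
    return "fail"


def disposition(verdict: str, policy: str) -> str:
    # policy is the published p= value: "none" (monitor only), "quarantine", "reject".
    if verdict == "pass":
        return "deliver"
    return {"none": "deliver", "quarantine": "quarantine", "reject": "reject"}[policy]


if __name__ == "__main__":
    # Third-party bulk mailer signing with its own DKIM domain: passes DKIM, fails DMARC.
    third_party = [AuthResult("spf", "fail", "bulkmailer.example.net"),
                   AuthResult("dkim", "pass", "bulkmailer.example.net")]
    v = dmarc_verdict("example.com", third_party)
    print(v, "->", disposition(v, "reject"))
    # Same provider after it was given the domain's DKIM key: now aligned, passes DMARC.
    shared_key = [AuthResult("spf", "fail", "bulkmailer.example.net"),
                  AuthResult("dkim", "pass", "example.com")]
    v = dmarc_verdict("example.com", shared_key)
    print(v, "->", disposition(v, "reject"))
```

The two cases in the `__main__` block mirror the Prerequisites advice: a provider signing with its own domain produces an unaligned DKIM pass, which still fails DMARC and is rejected under `p=reject`; once it signs with the domain owner's DKIM key, the aligned pass is sufficient even though SPF still fails.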

Considerations

Here are some things to keep in mind:

  • You'll receive a daily report from each participating email provider so you can see how often your emails are authenticated, how often invalid emails are identified, and policy actions requested and taken by IP address.
  • You might want to adjust your policy as you learn from the data in these reports. For example, you might adjust your actionable policies from “monitor” to “quarantine” to “reject” as you become more confident that your own messages will all be authenticated.  
  • Your policy can be strict or relaxed. For example, eBay and PayPal publish a policy requiring all of their mail to be authenticated in order to appear in someone's inbox. In accordance with their policy, Google rejects all messages from eBay or PayPal that aren’t authenticated.
  • Recipients don't have to do anything, as Google conducts the DMARC check for you.
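The first two considerations describe reading the daily reports and tightening the policy as the data justifies it. Here is an added Python example (not Google's code or part of this article) that parses a DMARC aggregate report in the XML form receivers send to the address in the `rua=` tag, totals DMARC passes and failures per source IP, and suggests the next step on the none / quarantine / reject path only once the pass rate clears a threshold. The report, its IP addresses, message counts and the 95% threshold are all constructed for this illustration.

```python
"""Summarize a DMARC aggregate (rua) report and suggest the next policy step.

Added example only; not Google's code. The XML below is constructed sample
data in the aggregate-report format, not a real report.
"""
import xml.etree.ElementTree as ET

SAMPLE_REPORT = """<?xml version="1.0"?>
<feedback>
  <report_metadata>
    <org_name>receiver.example</org_name>
    <date_range><begin>1700000000</begin><end>1700086399</end></date_range>
  </report_metadata>
  <policy_published>
    <domain>example.com</domain><adkim>r</adkim><aspf>r</aspf><p>none</p><pct>100</pct>
  </policy_published>
  <record>
    <row><source_ip>192.0.2.10</source_ip><count>120</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
  </record>
  <record>
    <row><source_ip>198.51.100.7</source_ip><count>30</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
  </record>
  <record>
    <row><source_ip>203.0.113.99</source_ip><count>5</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
  </record>
</feedback>
"""

POLICY_LADDER = ["none", "quarantine", "reject"]


def summarize(xml_text: str) -> dict:
    # Per source IP: how many messages, how many passed or failed DMARC, and
    # which dispositions the receiver applied. In <policy_evaluated> the dkim
    # and spf values are already the aligned results, so either "pass" means
    # the message passed DMARC.
    root = ET.fromstring(xml_text)
    sources = {}
    for rec in root.findall("record"):
        ip = rec.findtext("row/source_ip")
        count = int(rec.findtext("row/count"))
        dkim = rec.findtext("row/policy_evaluated/dkim")
        spf = rec.findtext("row/policy_evaluated/spf")
        passed = dkim == "pass" or spf == "pass"
        entry = sources.setdefault(ip, {"messages": 0, "dmarc_pass": 0,
                                        "dmarc_fail": 0, "dispositions": set()})
        entry["messages"] += count
        entry["dmarc_pass" if passed else "dmarc_fail"] += count
        entry["dispositions"].add(rec.findtext("row/policy_evaluated/disposition"))
    return {"domain": root.findtext("policy_published/domain"),
            "policy": root.findtext("policy_published/p"),
            "sources": sources}


def pass_rate(summary: dict) -> float:
    total = sum(s["messages"] for s in summary["sources"].values())
    passed = sum(s["dmarc_pass"] for s in summary["sources"].values())
    return passed / total if total else 0.0


def next_policy(summary: dict, threshold: float = 0.95) -> str:
    # Move one step along none -> quarantine -> reject only when the observed
    # pass rate meets the threshold (a constructed value; pick your own).
    current = summary["policy"]
    if current == "reject" or pass_rate(summary) < threshold:
        return current
    return POLICY_LADDER[POLICY_LADDER.index(current) + 1]


if __name__ == "__main__":
    s = summarize(SAMPLE_REPORT)
    for ip, e in s["sources"].items():
        print(f"{ip:15} msgs={e['messages']:4} pass={e['dmarc_pass']:4} fail={e['dmarc_fail']:4}")
    print(f"pass rate {pass_rate(s):.1%}; current p={s['policy']}, suggest p={next_policy(s)}")
```

In the constructed report, 192.0.2.10 looks like the domain's own mail server, 198.51.100.7 passes only on SPF (a sign to check its DKIM signing before tightening further), and 203.0.113.99 fails both checks, which is the kind of source a stricter policy is meant to stop. The failing 5 of 155 messages keep the pass rate just under 97%, so the suggestion is to move from none to quarantine, not straight to reject.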

See the DMARC Overview for other considerations. See these related articles for additional details:

Proceed to the Creating a DMARC record tab to begin employing DMARC.