Prevent outgoing spam with DMARC
Spammers can sometimes forge the "From" address on email messages so the spam appears to come from a user in your domain. To help prevent this sort of abuse, Google is participating in DMARC.org, which gives domain owners more control over what Gmail does with spam email messages from their domain.
Google Apps follows the DMARC.org standard and allows you to decide how Gmail treats unauthenticated emails coming from your domain. Domain owners can publish a policy telling Gmail and other participating email providers how to handle unauthenticated messages sent from their domain. By defining a policy, you can help combat phishing to protect users and your reputation.
You must send all email messages through your own domain for DMARC to be effective. Messages sent on your behalf through third-party providers will appear unauthenticated and therefore can be rejected, depending upon your policy disposition. To authenticate messages sent from third-party providers, either share your DKIM key with them for inclusion on messages or have them relay messages through your network.
If you're a domain owner, you'll first need to configure SPF records and DKIM keys on all outbound email streams. DMARC relies upon these technologies to ensure signature integrity. A message that fails SPF and/or DKIM checks will trigger the DMARC policy. A single check failure using either technology allows the message to pass DMARC. See the corresponding SPF and DKIM sections of the DMARC specification for example messages filtered by these tools.
Here are some things to keep in mind:
- You'll receive a daily report from each participating email provider so you can see how often your messages are authenticated, how often invalid messages are identified, and policy actions requested and taken by IP address.
- You can adjust your policy as you learn from the data in these reports. For example, you can adjust your actionable policies from “monitor” to “quarantine” to “reject” as you become more confident that your own messages will all be authenticated.
- Your policy can be strict or relaxed. For example, eBay and PayPal publish a policy requiring all of their messages to be authenticated in order to appear in someone's inbox. In accordance with their policy, Google rejects all messages from eBay or PayPal that aren’t authenticated.
- Recipients don't have to do anything, because Google is conducting the DMARC check for you.
See the DMARC Overview for other considerations. See these related articles for additional details:
- Control unauthenticated mail from your domain
- Email authentication
- SPF records
- Authenticate email with a domain key
Proceed to the Creating a DMARC record tab to begin employing DMARC.