Enhance security for forged spam (DMARC)


Manage suspicious emails with DMARC

Spammers can forge the "From" address on email messages to make messages appear to come from someone in your domain. If spammers use your domain to send spam or junk email, your domain quality can be negatively affected. Users who get the forged emails can mark them as spam or junk, and this can impact valid messages sent from your domain.

Gmail supports Domain-based Message Authentication, Reporting, and Conformance (DMARC) as a way to prevent this type of spam. Use DMARC to define how Gmail handles messages that appear to be sent from your domain but that are actually spam.

Your users don't have to do anything because Gmail does the DMARC check.

Learn more about DMARC.

Before you start

Set up Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM) before you set up DMARC:
DMARC uses SPF and DKIM to verify that messages are authentic. Messages that do not pass SPF or DKIM trigger your DMARC policy.

How DMARC works

DMARC helps email senders and receivers verify incoming messages by authenticating the sender's domain. DMARC also defines the action to take on suspicious incoming messages.

DMARC checks messages

To pass the DMARC check:

  • Incoming messages must be authenticated by SPF, DKIM, or both.
  • The authenticated domain must align with the domain in the message From: header address.

Learn more about:

  • DMARC alignment.
  • How DMARC filters spam messages, in the SPF and DKIM sections of the DMARC specification.

DMARC actions for failed messages

When an incoming message doesn't pass the DMARC check, the DMARC policy defines what happens to the message. There are three possible actions:

  • Take no action on the message.
  • Mark the message as spam and deliver to recipient's Gmail spam folder.
  • Tell receiving servers to reject the message.

DMARC reports

  • You can set up DMARC to send you a daily report from all participating email providers. The report shows:
    • How often messages are authenticated
    • How often invalid messages are seen
    • DMARC policy actions that occur
  • Based on what you learn from the daily reports, you can refine your DMARC policy. For example, you can change your policy from none (monitor only) to quarantine to reject after you see that valid messages are being authenticated.

DMARC and third-party email providers

For DMARC to effectively manage suspicious messages, messages should be sent from your own domain. Messages sent from third-party email providers for your organization can appear invalid and be rejected, depending on the DMARC policy.

To prevent messages from third-party email providers from being marked invalid:

  • Share your DKIM key with the mail provider so they can add the key to outgoing messages.
  • Ask the mail provider to send messages through your network.

Start using DMARC

To start using DMARC, go to Turn on DMARC.

Was this helpful?
How can we improve it?