Enhance security for forged spam (DMARC)


Manage suspicious emails with DMARC

Spammers can forge the "From" address on email messages to make messages appear to come from someone in your domain. If spammers use your domain to send spam or junk email, your domain quality can be negatively affected. Users who get the forged emails can mark them as spam or junk, and this can impact valid messages sent from your domain.

Gmail supports Domain-based Message Authentication, Reporting, and Conformance (DMARC) as a way to prevent this type of spam. Use DMARC to define how Gmail handles messages that appear to be sent from your domain but that are actually spam.

Learn more about how DMARC works.

Before you start

Before you set up DMARC, we recommend you set up Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM). DMARC uses SPF and DKIM to verify that messages are authentic. Messages that do not pass SPF or DKIM trigger your DMARC policy.

How DMARC works

DMARC helps email senders and receivers verify incoming messages by authenticating the sender's domain. DMARC also defines the action to take on suspicious incoming messages.

To pass the DMARC check:

  • Incoming messages must be authenticated by DKIM, SPF, or both.
  • The authenticated domain must align with the domain in message From header address.

Learn more about DMARC alignment.

If an incoming message doesn't pass the DMARC check, the DMARC policy defines what happens to message. There are three possible actions:

  • Take no action on the message.
  • Mark the message as spam and hold it for more processing (quarantine).
  • Tell receiving servers to reject the message.

Read more Tips for using DMARC.

DMARC with third-party email providers

For DMARC to effectively manage suspicious messages, messages should be sent from your own domain. Messages sent from third-party email providers for your organization can appear invalid and be rejected, depending on the DMARC policy.

To prevent messages from third-party email providers from being marked invalid:

  • Share your DKIM key with the mail provider so they can add the key to outgoing messages.
  • Ask the mail provider to send messages through your network.

Tips for using DMARC

Here are some tips for using DMARC:

  • You can set up DMARC to send you a daily report from all participating email providers. The report shows:
    • How often messages are authenticated
    • How often invalid messages are seen
    • DMARC policy actions that occur
  • You can update your DMARC policy based on what you learn from the daily reports. For example, you can change your policy from monitor (none) to quarantine to reject if you see that valid messages are being authenticated.
  • Your policy can be strict or relaxed. For example, eBay and PayPal policies require all messages from their domains be authenticated to appear in someone's inbox. To meet these policies, Google rejects all messages from eBay or PayPal that aren’t authenticated.
  • To authenticate messages, DMARC looks at the domain in the From header. The domain in the From header is compared to the envelope sender domain. Learn more about how DMARC uses From headers with SPF and DKIM.
  • To see example messages and how DMARC filters spam messages, see the SPF and DKIM sections of the DMARC specification.
  • Recipients don't have to do anything because Gmail conducts the DMARC check for you.

For more tips, see the DMARC Overview.

Start using DMARC

To start using DMARC, go to Turn on DMARC.


Was this helpful?
How can we improve it?