Set up Google Vault for journal messages

You can use Google Vault to retain Microsoft Exchange journal messages and perform eDiscovery. You can also configure alerts, change the default rejection notice for your journal messages, and configure other controls. To forward users' journal messages to Gmail and retain them with Vault, the users must have Google Workspace accounts with Gmail turned on.

About Microsoft Exchange journaling

Exchange journaling lets you record a copy, or journal, of email communications in your organization and send them to a dedicated mailbox on an Exchange server. Journaling is different from archiving. Journaling records your users’ messages. Archiving is a way to store copies in a separate environment for regulatory compliance, data retention, or server maintenance.

An Exchange journal message contains the entire original message, including all headers and transport envelope information. The envelope information includes the sender and all recipients, including Bcc recipients and recipients in distribution lists. This data is required for compliance with most regulations.

Step 1. Create the receiving account

  1. Add the account. For example, if your domain is solarmora.com, add an account similar to exchange-journal@solarmora.com.
  2. The account must have a Google Workspace license that supports Vault. Go to License requirements to check if your account supports Vault.
  3. Put the account in its own organizational unit. For instructions, go to Add an organizational unit and Move users to an organizational unit.
  4. (Optional) Hide the account in your Directory because this account isn’t for a real user and shouldn’t get email. For instructions, go to Hide a user from the Directory.

Step 2. Set up Gmail message retention in Vault

  1. Sign in to Vault.
  2. Follow the instructions in Retain Gmail messages with Vault to set a custom retention rule with the following parameters:
    1. Scope–Select the organizational unit that contains the email that will accept the journal message.
    2. Conditions–If needed, use terms to specify which messages to retain. For example:
      1. Retain only messages received from external users by entering NOT from:*@your-domain, where your-domain is something like example.com.
      2. Retain only messages sent to external users by entering NOT to:*@your-domain.
      3. Don’t enter any terms to retain all messages.
    3. Duration and action–Select Retention period. Enter how many days to keep messages and what to do with them when the retention rule expires. Journal messages can accumulate rapidly and aren’t deleted manually. We recommend that you purge all messages when the retention period expires. This way, you don’t keep messages you no longer need. And, you might save on eDiscovery costs.

Important: Don’t set a hold on the email that accepts journal messages. Holds prevent all messages from being deleted.

Step 3: Set up journal message acceptance in Gmail

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. From the Admin console Home page, go to Apps > Google Workspace > Gmail > Routing.
  3. On the left, select the top-level organization, typically your primary domain.

  4. Click Inbound email journal acceptance in Vault and check the Enable box.
  5. For Receive journal messages at the following address, enter an email address from your domain to accept journal messages from your Exchange server. Specify an address that is not being used by an actual user, for example, exchange-journal@solarmora.com.

    Important: This address must match the address that you specify when you configure your Exchange server or servers for journaling. Microsoft refers to this address as the custom SMTP recipient because the Exchange journaling server will forward all journal reports to this address using SMTP.

  6. (Optional) To reject messages that are not sent from a preferred email address, for Only accept journal messages from this sender, enter the preferred email address. This address must match the exact From address that your Exchange server uses for journal messages.
    Note: If you use multiple Exchange servers, we recommend leaving this field blank.
  7. For Bounce email address for failed journal deliveries, enter an email address for receiving an alert whenever a bounce message is created for a journal message.
    Note: Retries for bounced journal messages can cause server queue backups.
  8. (Optional) To reject journal messages that are not DKIM/SPF authenticated, check the Reject journal messages that are not DKIM/SPF authenticated box and, optionally, for Edit the default rejection notice, enter a rejection notice.

    If a message is rejected, the rejection message includes the text that you enter as well as the default NDR message. For example, you can enter text, such as "Journal rejection," which helps you recognize the message as an Exchange journal.

  9. (Optional) To reject journal messages that don’t contain at least one recognized user, check the Reject journal messages for unrecognized recipients box.

    Important: The box is checked by default. If any of the unrecognized users are aliases or aren’t licensed for Vault, Exchange continually logs the event and retries the message. In turn, you receive repeated Exchange errors.

    • If you uncheck the box, any journal message containing unrecognized users is dropped without an alert. As a result, you can’t see which users’ messages aren’t being retained. Therefore, if there are users who aren’t licensed for Vault but should be, you have no way to identify them.
    • To help avoid these issues, we recommend that you try to ensure that all relevant users are licensed for Vault.
  10. (Optional) To only accept journal messages from certain IP ranges, click Add and enter the IP address ranges of your Exchange servers. Journal messages not sent from an IP within the specified ranges are rejected. After entering the IP ranges, click Save.

    Note: If these IP ranges are not hosted IP ranges shared among multiple customers, include the journal IP ranges in the inbound mail gateway. For details, go to Set up an inbound mail gateway.

  11. Click Add setting or Save to close the dialog box.
  12. At the bottom, click Save.

It can take up to 24 hours for changes to propagate to user accounts. You can track changes in the Admin console audit log.

Step 4: Configure your Exchange server to forward journal messages to the receiving address

Now that Gmail is set up to accept inbound email journal messages, and Vault is set up to retain them, configure your Exchange server to forward journal messages to an email address retained by Vault.

If you previously set up Exchange journaling, you might have already completed some of these steps. However, we recommend that you follow each step in this process to ensure that Exchange journaling is configured properly. You can adjust your configuration where needed. If you are using Exchange Online, follow these steps.

Note: Google Workspace support does not provide support for on-premise mail servers or third-party products. In the event of an Exchange issue, consult your Exchange administrator. These instructions are designed to work with common Exchange scenarios. Any changes to your Exchange configuration should be made in consultation with your Exchange administrator.


Create an SMTP contact

To forward journal messages in your journaling mailboxes to the receiving address, you must add a new contact to your Microsoft Active Directory, or you’ll need to update an existing contact. Microsoft refers to this contact as the custom SMTP recipient, because the Exchange journaling server forwards all journal messages to your receiving address using SMTP.

Important: The custom SMTP recipient must match the email address that you added in the Receive journal messages at the following address field, described above.

Specify an address that is not being used by an actual user within your domain. For example, if your domain is solarmora.com, enter an address like "exchange-journal@solarmora.com."

In addition to creating the SMTP contact, you must also configure the message format settings for the contact. In Exchange 2007, journal reports are sent in S/TNEF format. In Exchange 2007 SP1 and Exchange 2010, you can send journal reports in S/TNEF or MIME. Use MIME output for journal reports. For more information about Exchange, visit the Microsoft website.

Note: MIME is only supported with Exchange 2007 SP1 and newer versions of Exchange. Earlier versions are not supported.

To create the SMTP contact:

  1. Open Active Directory Users and Computers.
  2. Right-click the organizational unit in which you want to create the contact, select New, and then click Contact.
  3. Enter the following information:
    • First Name: Google

    • Last Name: Vault

    • Display Name: Google Vault

  4. Click OK.
  5. Open the Exchange Management Console on the Mailbox server.
  6. Expand Recipient Configuration, right-click Mail Contact, and select New Mail Contact.
  7. Click Existing Contact, browse to and select the Google Vault contact you just created, and then click OK.
  8. Click Next.
  9. In the External Email Address field, click Edit, enter the same address that you entered in the Vault Settings for Exchange Journals feature in the Google Admin console; for example, exchange-journal@solarmora.com.
  10. Click OK and then Next and then New.

Configure the message format settings for the SMTP contact in Exchange 2007 or Exchange 2010:

  1. Open your Exchange Management console.
  2. Expand Recipient Configuration, and select Mail Contact.
  3. In the result pane, select the SMTP contact.
  4. In the action pane, under the SMTP contact, click Properties.
  5. On the General tab, in the Use MAPI rich text format list, click Never.

    With this setting, journal reports are sent in MIME rather than S/TNEF.

Set up the journaling mailbox

Based on the number of journaling mailboxes you need, set up the necessary journaling mailboxes and mailbox databases on one or more Exchange servers. When setting up a journaling mailbox, you must place it in a mailbox database where you do not plan to turn on journaling.

To set up the journaling mailbox:

  1. On the Mailbox server, open the Exchange Management console.
  2. Expand Recipient Configuration, right-click Mailbox, and select New Mailbox.
  3. Click User Mailbox and then Next.
  4. Select New User and click Next.
  5. Select the organization where you want to create the journaling mailbox.
  6. For First Name, enter Archive.
  7. For Last Name, enter Master.
  8. For Name, enter Archive Master.
  9. For User logon name (User Principal Name), enter AMaster.
  10. Enter and confirm the password for the user.
  11. Uncheck the User must change password at next logon box and then click Next.
  12. Select the appropriate mailbox database, messaging records management policy, and Exchange ActiveSync mailbox policy and then click Next.
  13. Review the configuration summary. If you need to make changes, click Back.
  14. When your configuration is complete, click New to create the mailbox.

Create a distribution list for journaling

You must create a distribution list of the recipients of journaled messages.

Create the distribution list for journaling:

  1. In the Active Directory, create a new distribution list (group), and name it Journal Recipient.
  2. Add the following members to the distribution list (group):
    • SMTP contact—The same address you created in 1. Create an SMTP contact; for example, exchange-journal@solarmora.com.
    • Archive Master—You created this in 2. Set up the journaling mailbox.

Turn on journaling

A journaling mailbox serves only to collect journal reports. Microsoft Exchange Server 2007 and 2010 Standard and Enterprise versions each support standard and premium journaling. With standard journaling, you configure journaling for each relevant mailbox database. With premium journaling, you configure rules that identify the groups of senders and recipients for whom messages are journaled.

Depending on the size of your organization and the configuration of your rules, you may have one or many journaling mailboxes. In circumstances where you have numerous journaling mailboxes with large volumes of journal reports, you may want to dedicate specific resources to those mailbox databases.

Enable standard journaling:

  1. Open the Exchange Management Console on the Mailbox server on which you want to enable journaling.
  2. Expand Server Configuration, and select Mailbox.
  3. In the result pane, select the server for the mailbox database for which you want to enable journaling.
  4. In the work pane, right-click the mailbox database, and click Properties.
  5. On the General tab, click Journal Recipient.
  6. For the Send Journal reports to email address, click Browse, select the Journal Recipient distribution list (group) (that you created in 3. Create a distribution list for journaling), and click OK.
  7. Click OK.

All journaled messages for users on this mailbox database are now sent to the Journal Recipient distribution list. Repeat this process for each mailbox database for which you want to enable journaling.

Enable premium journaling:

  1. Ensure that the Journaling agent is enabled on the Hub Transport server:

    Issue the Get-TransportAgent command to determine whether or not the agent is enabled. If no agent name is returned, the agent is not enabled.

    To enable the Journaling agent, issue the Enable-TransportAgent -Identity "Journaling agent" command.

  2. Open the Exchange Management Console on the Hub Transport Server.
  3. Expand Organization Configuration, and select Hub Transport.
  4. In the result pane, click the Journaling tab.
  5. In the action pane, click New Journal Rule, and enter a name for the journal rule.
  6. For the Send Journal reports to e-mail address, click Browse, and select the Journal Recipient distribution group (that you created in 3. Create a distribution list for journaling).
  7. In the Scope section, select the scope of the journal rule.

    To apply the rule to a single recipient (for Journal Messages for Recipient), click Browse, and select the appropriate recipient.

    To apply the rule to multiple recipients (for Journal Messages for Recipient), click Browse, and select the appropriate distribution list.
  8. Click New, and then click Finish.

All journaled messages for users on this Hub Transport server are now sent to AMaster. Repeat this process for each Hub Transport server on which you want to enable journaling.

Create a policy to delete messages from the journaling mailbox

To ensure that your Exchange journaling server has sufficient storage space for handling journal reports, you must create a Managed Content Setting rule to automatically delete all messages from the Inbox folder, at an interval you specify.

Note: We suggest that you initially set this interval to every 7 days. Then, monitor the journaling mailbox size during the first few weeks after you turn on journaling and adjust the interval as needed. If you want to include all journal reports in your scheduled backups, set an appropriate interval to ensure that journal reports are not deleted before the backup runs.

Implementing the deletion of forwarded messages involves the following procedures:

  • Create a managed content setting for the Inbox folder.
  • Create a managed folder mailbox policy.
  • Apply the managed folder mailbox policy to the journaling mailbox.
  • Configure the Managed Folder Assistant to run the policy.

Create a managed content setting for the Inbox folder:

  1. In Exchange Management Console, expand Organization Configuration, and select Mailbox.
  2. In the results pane, click the Managed Default Folders tab, then select the Inbox folder.
  3. In the action pane, click New Managed Content Settings to open the New Managed Content Settings wizard.
  4. In the Name of the managed content settings to be displayed in the Exchange Management Console field, enter Google Vault Content Setting.
  5. For Message Type, select All Mailbox Content.
  6. Check the Length of retention period day(s) box.
  7. Enter the number of days you want to retain messages.
  8. In the Retention period starts list, select When delivered, end date for calendar and recurring tasks.
  9. In the Action to take at the end of retention period list, select Permanently delete.
  10. Click Next and then Next to bypass the Journal page.
  11. Click New and then Finish.

Create a managed folder mailbox policy:

  1. In Exchange Management Console, expand Organization Configuration, and select Mailbox.
  2. In the action pane, click New Managed Folder Mailbox Policy to open the New Managed Folder Mailbox Policy wizard.
  3. In the Managed folder mailbox policy name field, enter Google Vault Policy.
  4. In the Specify the managed folders to link with this policy list, click Add to open the Select Managed Folder dialog box.
  5. Select the Inbox folder, and then click OK.
  6. Click New and then Finish.

Apply the managed folder mailbox policy to the journaling mailbox:

  1. In Exchange Management Console, expand Recipient Configuration, and select Mailbox.
  2. In the result pane, right-click Archive Master, and select Properties.
  3. Click the Mailbox Settings tab.
  4. Click Messaging Records Management, and select Properties.
  5. Check the Managed folder mailbox policy box, and click Browse.
  6. Select Google Vault Policy, and click OK.
  7. Click OK two more times.

Configure the Managed Folder Assistant to run the policy:

  1. In the Exchange Management console, expand Server Configuration, and select Mailbox.
  2. In the result pane, right-click the Mailbox server that hosts the Archive Master journaling mailbox, and click Properties.
  3. Click the Messaging Records Management tab.
  4. In the Schedule the Managed Folder Assistant list, select Use Custom Schedule, and click Custom.
  5. Under Schedule, select the times and days on which you want the managed folder assistant to run. We suggest you run the assistant during off-peak hours.
  6. Click OK.

Remove the journaling mailbox from the global address list

In step 2, you set up the journaling mailbox. You now must remove the journaling mailbox from your Exchange Global Address List as a precaution to prevent users from sending email messages directly to the archive.

To remove the journaling mailbox from the Global Address List, use the Set-Mailbox cmdlet to modify the settings for the journaling mailbox so that it's removed from the Global Address List. Issue the Set-Mailbox AMaster -HiddenFromAddressListsEnabled $true command.

Prevent email from going directly to the journaling mailbox

In step 2, you set up the journaling mailbox. You now must set up a delivery restriction for the AMaster user to prevent anyone from sending email messages directly to the journaling mailbox.

To set the delivery restriction, use the Set-Mailbox cmdlet to modify the settings for the journaling mailbox to prevent anyone from sending email messages directly to that mailbox. Issue the Set-Mailbox AMaster -AcceptMessagesOnlyFrom AMaster command.
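
A read-only check of the Exchange-side settings configured in Step 4, as an added example that is not part of the original page or of Google's or Microsoft's documentation. It assumes the names used on this page (Google Vault, Archive Master / AMaster, Journal Recipient) and the page's example address, and that it is run in the Exchange Management Shell on a Hub Transport server.

```powershell
# Added example (not from the original page): read-only audit of the Exchange side.
# Assumed names are the ones this page uses; replace the address with your own.
$JournalAddress = 'exchange-journal@solarmora.com'   # receiving address set in Gmail
$ContactName    = 'Google Vault'                     # SMTP contact
$MailboxAlias   = 'AMaster'                          # journaling mailbox logon name
$MailboxName    = 'Archive Master'                   # journaling mailbox name
$GroupName      = 'Journal Recipient'                # distribution list
$findings = @()

# Premium journaling only works while the Journaling agent is enabled.
$agent = Get-TransportAgent -Identity 'Journaling agent' -ErrorAction SilentlyContinue
if (-not $agent -or -not $agent.Enabled) { $findings += 'Journaling agent is not enabled.' }

# The contact must forward to the Gmail receiving address and send MIME, not S/TNEF.
$contact = Get-MailContact -Identity $ContactName -ErrorAction SilentlyContinue
if (-not $contact) {
    $findings += "Mail contact '$ContactName' not found."
} else {
    $external = "$($contact.ExternalEmailAddress)" -replace '^smtp:', ''
    if ($external -ne $JournalAddress) {
        $findings += "Contact forwards to '$external', expected '$JournalAddress'."
    }
    if ("$($contact.UseMapiRichTextFormat)" -ne 'Never') {
        $findings += 'Contact may send S/TNEF; set Use MAPI rich text format to Never.'
    }
}

# The distribution list must contain both the contact and the journaling mailbox.
$group = Get-DistributionGroup -Identity $GroupName -ErrorAction SilentlyContinue
if (-not $group) {
    $findings += "Distribution list '$GroupName' not found."
} else {
    $members = @(Get-DistributionGroupMember -Identity $GroupName | ForEach-Object { $_.Name })
    foreach ($expected in @($ContactName, $MailboxName)) {
        if ($members -notcontains $expected) { $findings += "'$expected' is not a member of '$GroupName'." }
    }
}

# The journaling mailbox must be hidden, closed to direct mail, covered by the
# deletion policy, and hosted on a database that is not itself journaled.
$mbx = Get-Mailbox -Identity $MailboxAlias -ErrorAction SilentlyContinue
if (-not $mbx) {
    $findings += "Journaling mailbox '$MailboxAlias' not found."
} else {
    if (-not $mbx.HiddenFromAddressListsEnabled) { $findings += 'Journaling mailbox is visible in the Global Address List.' }
    if (@($mbx.AcceptMessagesOnlyFrom | Where-Object { $_ }).Count -eq 0) { $findings += 'Journaling mailbox accepts mail from any sender.' }
    if (-not $mbx.ManagedFolderMailboxPolicy) { $findings += 'No managed folder mailbox policy applied; the Inbox will grow without limit.' }
    $db = Get-MailboxDatabase -Identity $mbx.Database -ErrorAction SilentlyContinue
    if ($db -and $db.JournalRecipient) { $findings += 'The database hosting the journaling mailbox has journaling turned on.' }
}

# Every enabled journal rule should deliver to the distribution list.
$groupAddress = "$($group.PrimarySmtpAddress)"
foreach ($rule in @(Get-JournalRule | Where-Object { $_.Enabled })) {
    if ("$($rule.JournalEmailAddress)" -ne $groupAddress) {
        $findings += "Journal rule '$($rule.Name)' sends to '$($rule.JournalEmailAddress)', not '$GroupName'."
    }
}

if ($findings.Count -eq 0) { 'No findings: Exchange-side journaling settings match this guide.' } else { $findings }
```

The script changes nothing; each finding names the setting in this guide that needs another look.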

