Set up Google Vault for journal messages
You can use Google Vault to archive journal messages and perform eDiscovery. You can also configure alerts, change the default rejection notice for your journal messages, and configure other controls, described below.
For example, you can set up Vault to archive Microsoft® Exchange journal messages. First, you configure the Advanced Gmail setting to specify the email address in your domain that'll receive the journal messages. Then, you configure the Exchange server to forward the messages to Vault using this email address.
If you don't route intra-domain email to Google, you’ll need to create a subdomain and route all journal messages to Google Vault. (Details below.)
To forward users' journal messages to Vault, they must have G Suite accounts with Gmail enabled.
Retries for bounced journal messages can cause server queue backups.
About Microsoft Exchange journaling
Microsoft Exchange journaling lets you record a copy of, or journal, email communications in your organization and send them to a dedicated mailbox on an Exchange Server. Journaling is different from archiving. Journaling records your users’ messages. Archiving is a way to store those copies in a separate environment for regulatory compliance, data retention, or server maintenance.
An Exchange journal message contains the entire original message, including all headers, and the transport envelope information. The envelope information includes the sender and all recipients, including Bcc recipients and recipients in distribution lists. This required data for compliance with most regulations.
Initial step: Go to Gmail advanced settings in the Google Admin console
From the Admin console Home page, go to AppsG SuiteGmailAdvanced settings.
Tip: To see Advanced settings, scroll to the bottom of the Gmail page.
On the left, select the top-level organization, typically your primary domain.
Scroll to the Inbound email journal acceptance in Vault setting in the Routing section, hover over the setting, and click Configure. If the setting is already configured, hover over the setting and click Edit.
Go to Configure acceptance of inbound journal messages to configure the setting.
Enter an email address in your domain to accept journal messages from your Exchange server. Specify an address that is not being used by an actual user within your domain. For example, if your domain is solarmora.com, enter an address like firstname.lastname@example.org.
Important: This address must match the address that you specify when you configure your Exchange server or servers for journaling. Microsoft refers to this address as the custom SMTP recipient, because the Exchange journaling server will forward all journal reports to this address using SMTP.
(Optional) Enter an email address in this field to reject messages that are not sent from this address. This address must match the exact From address that your Exchange server uses for journal messages.
Note: We suggest that you leave this field blank if you use multiple Exchange servers.
Specify an email address for receiving an alert whenever a bounce message is created for a journal message.
Check the Reject journal messages that are not DKIM/SPF authenticated box to reject journal messages that are not DKIM/SPF authenticated.
Check the Reject journal messages for unrecognized users box to reject journal messages that don’t contain at least one recognized user.
Important: The box is checked by default. If any of the unrecognized users are aliases or aren’t registered for Vault, Exchange continually logs the event and retries the message, with the result that you receive repeated Exchange errors.
If you uncheck the box, any journal message containing unrecognized users is dropped silently. As a result, you can’t see which users’ messages aren’t being archived, so if there are users who aren’t registered for Vault but should be, you have no way to identify them.
To help avoid these issues, we recommend that you try to ensure that all relevant users are registered for Vault.
(Optional) Click Add and enter the IP address ranges of your Exchange servers to only accept journal messages from these IP ranges. Journal messages not sent from an IP within the specified ranges are rejected. After entering the IP ranges, click Save.
Note: Include your journal IP ranges in the inbound mail gateway if these IP ranges are not hosted IP ranges shared among multiple customers. Learn about adding an inbound mail gateway entry.
(Optional) If an Exchange journal message is rejected, the rejection message includes the text that you enter, in addition to the default NDR message. For example, you can enter text, such as "Journal rejection," which helps you recognize the message as an Exchange journal.
Click Add setting or Save to close the dialog box. Any settings you add will be highlighted on the Gmail Advanced settings page.
At the bottom, click Save.
It can take up to an hour for changes to propagate to user accounts. You can track changes in the Admin console audit log.
To create a subdomain in G Suite, add a domain alias to your primary domain, such as subdomain.solarmora.com.
To route messages to Google's mail servers, add the subdomain to the MX records for your primary domain. The MX record for this subdomain should point to Google's SMTP servers.
(Optional) To authenticate journal messages, set up DKIM and SPF records for the subdomain.
To specify the email address that'll receive your Exchange journal messages, add an email on the subdomain to the Inbound email journal acceptance in Vault setting. Do not create the email address as a G Suite user.
To send messages outside your primary domain, create a new send connector in Microsoft Exchange that sends all messages for the subdomain to the MX records for Google.
After configuring the acceptance of inbound email journal messages in Vault, configure your Exchange server to forward journal messages to Google Vault. This is a 7-step process, described below.
Note: If you previously set up Exchange journaling, you might've already completed at least some of these steps. However, we recommend that you follow each step in this process to ensure that Exchange journaling is configured properly, and to adjust your configuration where needed.
1. Create an SMTP contact
To forward journal messages in your journaling mailboxes to Google Vault, you must add a new contact to your Microsoft Active Directory, or you’ll need to update an existing contact. Microsoft refers to this contact as the custom SMTP recipient, because the Exchange journaling server forwards all journal messages to your Vault address using SMTP.
Specify an address that is not being used by an actual user within your domain. For example, if your domain is solarmora.com, enter an address like "email@example.com."
In addition to creating the SMTP contact, you must also configure the message format settings for the contact. In Exchange 2007, journal reports are sent in S/TNEF format. In Exchange 2007 SP1 and Exchange 2010, you can send journal reports in S/TNEF or MIME. Use MIME output for journal reports. For more information about Exchange, visit the Microsoft website.
To create the SMTP contact:
- Open Active Directory Users and Computers.
- Right-click the organizational unit in which you want to create the contact, select New, and then click Contact.
- Enter the following information:
First Name: Google
Last Name: Vault
Display Name: Google Vault
- Click OK.
- Open the Exchange Management Console on the Mailbox server.
- Expand Recipient Configuration, right-click Mail Contact, and select New Mail Contact.
- Click Existing Contact, browse to and select the Google Vault contact you just created, and then click OK.
- Click Next.
- In the External Email Address field, click Edit, enter the same address that you entered in the Vault Settings for Exchange Journals feature in the Google Admin console; for example, firstname.lastname@example.org.
- Click OK Next New.
Configure the message format settings for the SMTP contact in Exchange 2007 or Exchange 2010:
- Open your Exchange Management console.
- Expand Recipient Configuration, and select Mail Contact.
- In the result pane, select the SMTP contact.
- In the action pane, under the SMTP contact, click Properties.
- On the General tab, in the Use MAPI rich text format list, click Never.
With this setting, journal reports are sent in MIME rather than S/TNEF.
2. Set up the journaling mailbox
Open the Exchange Management console on the Mailbox server.
Expand Recipient Configuration, right-click Mailbox, and select New Mailbox.
Click User Mailbox Next.
Select New User, and click Next.
Select the organization in which you want to create the journaling mailbox.
In the First Name field, enter Archive.
In the Last Name field, enter Master.
In the Name field, enter Archive Master.
In the User logon name (User Principal Name) field, enter AMaster.
Enter and confirm the password for this user.
Uncheck the User must change password at next logon box.
Select the appropriate mailbox database, messaging records management policy, and Exchange ActiveSync mailbox policy, and then click Next.
Review the Configuration Summary. To make changes, click Back. When you're satisfied with your configuration, click New to create the mailbox
3. Create a distribution list for journaling
You must create a distribution list of the recipients of journaled messages.
Create the distribution list for journaling:
- In the Active Directory, create a new distribution list (group), and name it Journal Recipient.
- Add the following members to the distribution list (group):
- SMTP contact—The same address you created in 1. Create an SMTP contact; for example, email@example.com.
- Archive Master—You created this in 2. Set up the journaling mailbox.
4. Turn on journaling
A journaling mailbox serves only to collect journal reports. Microsoft Exchange Server 2007 and 2010 Standard and Enterprise versions each support standard and premium journaling. With standard journaling, you configure journaling for each relevant mailbox database. With premium journaling, you configure rules that identify the groups of senders and recipients for whom messages are journaled.
Depending on the size of your organization and the configuration of your rules, you may have one or many journaling mailboxes. In circumstances where you have numerous journaling mailboxes with large volumes of journal reports, you may want to dedicate specific resources to those mailbox databases.
Enable standard journaling:
- Open the Exchange Management Console on the Mailbox server on which you want to enable journaling.
- Expand Server Configuration, and select Mailbox.
- In the result pane, select the server for the mailbox database for which you want to enable journaling.
- In the work pane, right-click the mailbox database, and click Properties.
- On the General tab, click Journal Recipient.
- For the Send Journal reports to email address, click Browse, select the Journal Recipient distribution list (group) (that you created in 3. Create a distribution list for journaling), and click OK.
- Click OK.
All journaled messages for users on this mailbox database are now sent to the Journal Recipient distribution list. Repeat this process for each mailbox database for which you want to enable journaling.
Enable premium journaling:
- Ensure that the Journaling agent is enabled on the Hub Transport server:
Issue the Get-TransportAgent command to determine whether or not the agent is enabled. If no agent name is returned, the agent is not enabled.
To enable the Journaling agent, issue the Enable-TransportAgent -Identity “Journaling agent” command.
- Open the Exchange Management Console on the Hub Transport Server.
- Expand Organization Configuration, and select Hub Transport.
- In the result pane, click the Journaling tab.
- In the action pane, click New Journal Rule, and enter a name for the journal rule.
- For the Send Journal reports to e-mail address, click Browse, and select the Journal Recipient distribution group (that you created in 3. Create a distribution list for journaling).
- In the Scope section, select the scope of the journal rule.
To apply the rule to a single recipient (for Journal Messages for Recipient), click Browse, and select the appropriate recipient.
To apply the rule to multiple recipients (for Journal Messages for Recipient), click Browse, and select the appropriate distribution list.
- Click New, and then click Finish.
All journaled messages for users on this Hub Transport server are now sent to AMaster. Repeat this process for each Hub Transport server on which you want to enable journaling.
5. Create a policy to delete messages from the journaling mailbox
To ensure that your Exchange journaling server has sufficient storage space for handling journal reports, you must create a Managed Content Setting rule to automatically delete all messages from the Inbox folder, at an interval you specify.
Note: We suggest that you initially set this interval to every 7 days. Then, monitor the journaling mailbox size during the first few weeks after you turn on journaling and adjust the interval as needed. If you want to include all journal reports in your scheduled backups, set an appropriate interval to ensure that journal reports are not deleted before the backup runs.
Implementing the deletion of forwarded messages involves the following procedures:
- Create a managed content setting for the Inbox folder.
- Create a managed folder mailbox policy.
- Apply the managed folder mailbox policy to the journaling mailbox.
- Configure the Managed Folder Assistant to run the policy.
Create a managed content setting for the Inbox folder:
- In Exchange Management Console, expand Organization Configuration, and select Mailbox.
- In the results pane, click the Managed Default Folders tab, then select the Inbox folder.
- In the action pane, click New Managed Content Settings to open the New Managed Content Settings wizard.
- In the Name of the managed content settings to be displayed in the Exchange Management Console field, enter Google Vault Content Setting.
- For Message Type, select All Mailbox Content.
- Check the Length of retention period day(s) box.
- Enter the number of days you want to retain messages.
- In the Retention period starts list, select When delivered, end date for calendar and recurring tasks.
- In the Action to take at the end of retention period list, select Permanently delete.
- Click Next Next to bypass the Journal page.
- Click New Finish.
Create a managed folder mailbox policy:
- In Exchange Management Console, expand Organization Configuration, and select Mailbox.
- In the action pane, click New Managed Folder Mailbox Policy to open the New Managed Folder Mailbox Policy wizard.
- In the Managed folder mailbox policy name field, enter Google Vault Policy.
- In the Specify the managed folders to link with this policy list, click Add to open the Select Managed Folder dialog box.
- Select the Inbox folder, and then click OK.
- Click New Finish.
Apply the managed folder mailbox policy to the journaling mailbox:
- In Exchange Management Console, expand Recipient Configuration, and select Mailbox.
- In the result pane, right-click Archive Master, and select Properties.
- Click the Mailbox Settings tab.
- Click Messaging Records Management, and select Properties.
- Check the Managed folder mailbox policy box, and click Browse.
- Select Google Vault Policy, and click OK.
- Click OK two more times.
Configure the Managed Folder Assistant to run the policy:
- In the Exchange Management console, expand Server Configuration, and select Mailbox.
- In the result pane, right-click the Mailbox server that hosts the Archive Master journaling mailbox, and click Properties.
- Click the Messaging Records Management tab.
- In the Schedule the Managed Folder Assistant list, select Use Custom Schedule, and click Custom.
- Under Schedule, select the times and days on which you want the managed folder assistant to run. We suggest you run the assistant during off-peak hours.
- Click OK.
6. Remove the journaling mailbox from the global address list
In step 2, you set up the journaling mailbox. You now must remove the journaling mailbox from your Exchange Global Address List as a precaution to prevent users from sending email messages directly to the archive.
To remove the journaling mailbox from the Global Address List, use the Set-Mailbox cmdlet to modify the settings for the journaling mailbox so that it's removed from the Global Address List. Issue the Set-Mailbox AMaster -HiddenFromAddressListsEnabled $true command.
7. Prevent email from going directly to the journaling mailbox
In step 2, you set up the journaling mailbox. You now must set up a delivery restriction for the AMaster user to prevent anyone from sending email messages directly to the journaling mailbox.
To set the delivery restriction, use the Set-Mailbox cmdlet to modify the settings for the journaling mailbox to prevent anyone from sending email messages directly to the that mailbox. Issue the Set-Mailbox AMaster -AcceptMessagesOnlyFrom AMaster command.