Notification

Duet AI is now Gemini for Google Workspace. Learn more

Route journal messages to Google Vault

You can set up Google Workspace and Gmail to keep Microsoft Exchange journal messages in Google Vault. Use the Inbound email journal acceptance in Vault setting to specify which messages to keep and for how long. You can also specify IP address ranges for journaling, and create custom messages for emails that aren't sent to Vault.

To keep a user's messages in Vault, the user must have a Google Workspace account with Gmail turned on.

More about Microsoft Exchange journaling

Journaling lets you save a copy (journal), of email messages in your organization and send them to a mailbox on an Exchange server. Journaling is different from archiving. Journaling records your users’ messages. Archiving is a way to store copies in a separate environment for regulatory compliance, data retention, or server maintenance.

An Exchange journal message contains the original message, including all headers and envelope information. The envelope information includes the sender and all recipients, including Bcc recipients and recipients in distribution lists. This information is required to comply with most regulations.

Step 1: Set up a receiving account in Google Workspace

  1. Create an account and email address that is in your domain but isn't used by anyone in your organization. For example, if your domain is solarmora.com, add an email address such as exchange-journal@solarmora.com.

    This account must have a Google Workspace license that supports Vault. To check if the account supports Vault, visit License requirements.

  2. Put the account in its own organizational unit. For detailed steps, visit Add an organizational unit and Move users to an organizational unit.
  3. (Optional) This account isn’t associated with anyone in your organization, and people in your organization shouldn't send messages to the email address. So, you may want to hide it your Directory. For detailed steps, visit Hide a user from the Directory.

Step 2: Set up Gmail message retention in Vault

  1. Sign in to vault.google.com.
  2. Click Retentionand thenCustom Rulesand thenCreate.
  3. Under Service, select Gmail, then click Continue.
  4. Under Organizational unit, select the organizational unit you created in Step 1: Set up the receiving account.
  5. Click Continue.
  6. Under Conditions, specify which messages are affected by this setting:
    • Date sent: If you specify only a start date, the rule applies to all messages sent after that date. If you specify only an end date, the rule applies to all messages sent before that date.
    • Terms: Use terms to specify which messages to keep. For example, to keep only messages received from external users, enter NOT from:*@your-domain. Or, to retain only messages sent to external users, enter NOT to:*@your-domain.

      You can use all supported search operators except wildcards (*). If your key phrase or value starts with a hyphen, such as -1000%, put it in quotation marks so it’s not interpreted as a NOT operator. You can't use is:chat to apply a Gmail retention rule to chat messages in Google Chat. To set retention rules for chat messages, set a Chat retention rule. We recommend you test your terms in a Vault search to make sure they match data as you expect

  7. Click Continue.
  8. Under Duration, set how long to keep messages:
    • Indefinitely: Permanently keeps messages affected by this rule.
    • Retention period: Delete messages after a time that you specify. Enter the time in number of days, from 1 to 36,500.

      Journal messages can accumulate quickly and can't be deleted manually. We recommend that you purge all messages when the retention period expires. This way, you don’t keep messages you no longer need and you might save on eDiscovery costs.

  9. If you set a retention period in Step 8, choose what to do with messages when the retention period ends:
    • Purge only permanently deleted messages: Deletes messages that have already been deleted from the users' Trash.
    • Purge messages from Gmail mailboxes and permanently deleted messages. This rule doesn’t affect drafts: Deletes all messages, including messages that aren't deleted in Gmail. Doesn't delete drafts or email templates.
    • Purge messages from Gmail mailboxes and permanently deleted messages. This rule purges drafts: Deletes all messages, including messages that aren't deleted, drafts, and email templates, choose the third option.

Important: Don’t set a hold on the email address that you set up in Step 1: Set up the receiving account. Holds prevent all messages from being deleted.

Step 3: Set up Gmail to accept journal messages

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. In the Admin console, go to Menu and then Appsand thenGoogle Workspaceand thenGmailand thenRouting.
  3. (Optional) To apply the setting only to some users, at the side, select an organizational unit (often used for departments) or configuration group (advanced). Show me how

    Group settings override organizational units. Learn more

  4. Scroll to Inbound email journal acceptance in Vault and check the Enable box. 
  5. In the settings below the Enable box, take these steps:
    Setting option What to do
    Receive journal messages at the following address.

    Enter the email address you set up in Step 1: Set up a receiving address in Google Workspace.

    Only accept journal messages from this sender

    (Optional) Rejects messages from all senders except from the preferred sender that you enter here. This address must match the exact From address that your Exchange server uses for journal messages. If you use multiple Exchange servers, we recommend leaving this field blank.

    Bounce email address for failed journal deliveries Enter an email address to get bounce messages for journal messages. Be aware that journal bounce messages can impact email server performance.
    Reject journal messages that are not DKIM/SPF authenticated (Optional) Select this option to prevent journaling messages that haven't been authenticated by DKIM and SPF. This is the default selection.
    Reject journal messages for unrecognized recipients

    (Optional) Select this option to prevent journaling messages that don't include at least one recognized recipient. This is the default selection.

    If any of unrecognized users are aliases or aren’t licensed for Vault, Exchange continually logs the event and retries the message. You'll get repeated Exchange errors.

    When this option isn't selected, journal messages to unrecognized users are rejected dropped without a notification. As a result, you can’t identify which users’ messages aren’t being retained. If you have users who aren’t licensed for Vault but should be, you can't identify them from journaling. To avoid this, we recommend all impacted users have a Vault license.

    IP addresses/ranges (Optional) Only accept journal messages from certain IP ranges. Messages outside the range are rejected. Click Add, enter the IP address ranges of your Exchange servers, then click Save.

    If these IP ranges are not hosted IP ranges shared among multiple customers, include the journal IP ranges in the inbound mail gateway. For details, go to Set up an inbound mail gateway.

    Edit the default rejection notice (Optional) Create a custom message for journal bounce messages. The bounce message contains both your custom text and the default bounce text.
  6. Click Save.

Changes can take up to 24 hours but typically happen more quickly. Learn more

You can track changes in the Admin console audit log.

Step 4: Set up the Exchange server to forward journal messages

 If you’re using Exchange Online, follow these steps instead.

Expand all  |  Collapse all & go to top

1. Before you begin
  • If you previously set up Exchange journaling, you might have already completed some of these steps. However, we recommend that you follow each step in this process to ensure that Exchange journaling is configured properly.  
  • Google Workspace support does not provide support for on-premise mail servers or third-party products. In the event of an Exchange issue, consult your Exchange administrator. 
  • These instructions are designed to work with common Exchange scenarios. Any changes to your Exchange configuration should be made in consultation with your Exchange administrator.
2. Create SMTP contact & configure settings

To forward journal messages in your journaling mailboxes to the receiving address, you must add a new contact or update an existing contact in Microsoft Active Directory. Microsoft refers to this contact as the custom SMTP recipient because the Exchange journaling server forwards all journal messages to your receiving address using SMTP.

Create a new SMTP contact

  1. Open Active Directory Users and Computers.
  2. Right-click the organizational unit where you want to create the contact and select Newand thenContact.
    The custom SMTP recipient must match the email address that you added in the Receive journal messages at the following address field (above on this page).
  3. Enter the following information:
    • First Name: Google
    • Last Name: Vault
    • Display Name: Google Vault
  4. Click OK.
  5. On the Mailbox server, open the Exchange Management Console.
  6. Expand Recipient Configuration, right-click Mail Contact, and select New Mail Contact.
  7. Click Existing Contact, select the Google Vault contact you just created, and click OK.
  8. Click Next.
  9. For External Email Address, click Edit and enter the same address that you created for the receiving account (above on this page), for example, exchange-journal@solarmora.com.
  10. Click OKand thenNextand thenNew.

Configure the message format settings

In Exchange 2007, journal reports are sent in S/TNEF format. In Exchange 2007 SP1 and Exchange 2010, you can send journal reports in S/TNEF or MIME. Use MIME output for journal reports. MIME is only supported with Exchange 2007 SP1 and newer versions of Exchange. Earlier versions are not supported. For more information about Exchange versions, refer to your Microsoft documentation.

  1. On the Mailbox server, open the Exchange Management console.
  2. Expand Recipient Configuration and select Mail Contact.
  3. Select the SMTP contactand thenclick Properties.
  4. Click General and for Use MAPI rich text format, click Never.
    With this setting, journal reports are sent in MIME rather than S/TNEF.
3. Set up journaling mailbox & create distribution list

You can set up several journaling mailboxes and mailbox databases on one or more Exchange servers. When setting up a journaling mailbox, you must place it in a mailbox database where you do not plan to turn on journaling.

Set up the journaling mailbox and create the distribution list for journaling

  1. On the Mailbox server, open the Exchange Management console.
  2. Expand Recipient Configuration, right-click Mailbox, and select New Mailbox.
  3. Click User Mailboxand thenNext.
  4. Select New Userand thenclick Next.
  5. Select the organizational unit where you want to create the journaling mailbox.
  6. For First Name, enter Archive.
  7. For Last Name, enter Master.
  8. For Name, enter Archive Master.
  9. For User logon name (User Principal Name), enter AMaster.
  10. Enter and confirm the password for the user.
  11. Uncheck the User must change password at next logon boxand thenclick Next.
  12. Select the appropriate mailbox database, messaging records management policy, and Exchange ActiveSync mailbox policyand thenclick Next.
  13. Review the configuration summary. If you need to make changes, click Back
  14. Click New to create the mailbox.
  15. In Active Directory, create a new distribution list (group) and name it Journal Recipient.
  16. Add the following members to the distribution list (group):
    1. SMTP contact—The same address you created in Create an SMTP contact (above on this page).
    2. Archive Master—You created this in step 8 (above on this page).
4. Turn on journaling

Depending on your version of Exchange, you can turn on standard or premium journaling. With standard journaling, you configure journaling for each relevant mailbox database. With premium journaling, you configure rules that identify the groups of senders and recipients for whom messages are journaled. For details on the type of journaling your Exchange version supports, consult your Microsoft documentation.

Depending on the size of your organization and the configuration of your rules, you may have one or many journaling mailboxes. In circumstances where you have numerous journaling mailboxes with large volumes of journal reports, you might want to dedicate specific resources to those mailbox databases.

Turn on standard journaling

  1. Open the Exchange Management Console.
  2. Expand Server Configuration and thenselect Mailbox.
  3. Select the server for the mailbox database where you want to turn on journaling.
  4. Right-click the mailbox databaseand thenclick Properties.
  5. Click Generaland thenJournal Recipient.
  6. For Send Journal reports to, click Browse, select Journal Recipient (the distribution list that you created of recipients of journaled messages), and click OK.
  7. Click OK.
    All journaled messages for users on this mailbox database are now sent to the Journal Recipient distribution list. 
  8. Repeat the steps for each mailbox database where you want journaling.

Turn on premium journaling

  1. Ensure that the Journaling agent is enabled on the Hub Transport server:
    • Issue the Get-TransportAgent command. If an agent name is not returned, the agent is not enabled.
    • If needed, to enable the Journaling agent, issue the Enable-TransportAgent -Identity “Journaling agent” command.
  2. On the Hub Transport Server, open the Exchange Management Console.
  3. Expand Organization Configuration and select Hub Transport.
  4. Click Journalingand thenNew Journal Rule and enter a name for the journal rule.
  5. For Send Journal reports to, click Browse and select Journal Recipient (the distribution list that you created of recipients of journaled messages).
  6. For Scope, select the scope of the journal rule.
    • To apply the rule to a single recipient (for Journal Messages for Recipient), click Browse and select the appropriate recipient.
    • To apply the rule to multiple recipients (for Journal Messages for Recipient), click Browse and select the appropriate distribution list.
  7. Click Newand thenFinish.
    All journaled messages for users on this Hub Transport server are now sent to AMaster.
  8. Repeat the steps for each Hub Transport server where you want journaling.
5. Create policy to delete messages from journaling mailbox

To ensure sufficient storage space for journal reports, you must create a Managed Content Setting rule to automatically delete all messages from the Inbox folder, at an interval you specify.

We suggest that you initially set this interval to every 7 days. Then, monitor the journaling mailbox size during the first few weeks after you turn on journaling and adjust the interval as needed. If you want to include all journal reports in your scheduled backups, set an appropriate interval to ensure that journal reports are not deleted before the backup runs.

Step 1: Create a managed content setting for the Inbox folder

  1. In the Exchange Management Console, expand Organization Configuration and select Mailbox.
  2. Click Managed Default Folders and select Inbox.
  3. In the action pane, click New Managed Content Settings to open the New Managed Content Settings wizard.
  4. For Name, enter Google Vault Content Setting.
  5. For Message Type, select All Mailbox Content.
  6. Check the Length of retention period day(s) box.
  7. Enter the number of days that you want to retain messages.
  8. For Retention period starts, select When delivered, end date for calendar and recurring tasks.
  9. For Action to take at the end of retention period, select Permanently delete.
  10. Click Next and thenNext to bypass the Journal page.
  11. Click New and thenFinish.

Step 2: Create a managed folder mailbox policy

  1. In the Exchange Management Console, expand Organization Configuration and select Mailbox.
  2. In the action pane, click New Managed Folder Mailbox Policy to open the New Managed Folder Mailbox Policy wizard.
  3. For Managed folder mailbox policy name, enter Google Vault Policy.
  4. For Specify the managed folders to link with this policy, click Add to open the Select Managed Folder dialog box.
  5. Select Inboxand thenclick OK.
  6. Click New and thenFinish.

Step 3: Apply the managed folder mailbox policy to the journaling mailbox

  1. In the Exchange Management Console, expand Recipient Configuration and select Mailbox.
  2. Right-click Archive Master and select Properties.
  3. Click Mailbox Settingsand thenMessaging Records Management and select Properties.
  4. Check the Managed folder mailbox policy box and click Browse.
  5. Select Google Vault Policy and click OK.
  6. Click OK to confirm.

Step 4: Configure the Managed Folder Assistant to run the policy

  1. In the Exchange Management console, expand Server Configuration and select Mailbox.
  2. Right-click the Mailbox server that hosts the Archive Master journaling mailbox and click Properties.
  3. Click Messaging Records Management and for Schedule the Managed Folder Assistant, select Use Custom Schedule and click Custom.
  4. For Schedule, select the times and days for the managed folder assistant to run.
    We suggest running the assistant during off-peak hours.
  5. Click OK.
6. Remove journaling mailbox from Global Address List

Now, you need to remove the journaling mailbox from your Exchange Global Address List to prevent users from sending email messages directly to the archive.

  1. Use the Set-Mailbox cmdlet to modify the settings for the journaling mailbox so that it's removed from the Global Address List. 
  2. Issue the Set-Mailbox AMaster -HiddenFromAddressListsEnabled $true command.
7. Prevent email from going directly to journaling mailbox

Finally, set up a delivery restriction for the AMaster user to prevent anyone from sending email messages directly to the journaling mailbox.

  1. Use the Set-Mailbox cmdlet to modify the settings for the journaling mailbox. 
  2. Issue the Set-Mailbox AMaster -AcceptMessagesOnlyFrom AMaster command.


Google, Google Workspace, and related marks and logos are trademarks of Google LLC. All other company and product names are trademarks of the companies with which they are associated.

Was this helpful?

How can we improve it?
Search
Clear search
Close search
Google apps
Main menu