This feature is only available with G Suite Enterprise and G Suite Enterprise for Education. To use this feature with your Government edition account, you need to upgrade to G Suite Enterprise. For details, contact your reseller or sales representative.
As a G Suite administrator, you can set up a third-party archiving solution to archive Gmail journal messages. This solution can be useful to:
- Comply with email requirements, such as SEC Rule 17a-4
- Continue using a third-party archiving solution
- Allow user access to archives
How integration works
To integrate Gmail with a third-party archiving solution, specify an email address where journal messages are forwarded. If you specify more than one email address, journal messages are sent to all email addresses.
We recommend you set up TLS compliance when you use a third-party archiving solution. This ensures Gmail requires TLS encryption when sending mail to the third-party archiving solution.
Set up a third-party archiving solution
From the Admin console Home page, go to AppsG SuiteGmailAdvanced settings.
Tip: To see Advanced settings, scroll to the bottom of the Gmail page.
- (Optional) On the left, select the organization.
- Under Routing, scroll to Third-party email archiving or, in the search field, enter Third-party email archiving.
- Enter the email address for where you want to send journal messages.
- Click Add Setting.
- At the bottom, click Save.
How messages are managed
Versions of the messages that are journaled
Important: Journaled messages are not exempt from Gmail policies that reject messages containing potential viruses and harmful software. For more information, see File types blocked by Gmail.
- Inbound messages—The version of the message received by the user is the one journaled. For example, if a content compliance policy triggers and strips the attachment, the journal copy won’t have the attachment.
- Outbound messages—The version of the message sent by the user is journaled. For example, if a content compliance policy triggers and strips the attachment, the journal copy would retain the attachment.
- Internal messages—For messages sent within your domain, acts like an inbound message for the recipient and an outbound message for the sender.
Messages that are sent to admin quarantines
- Inbound messages—If an inbound message is sent to admin quarantines, the journal copy isn’t sent until the message is released from the quarantine. If a quarantined message is denied, the user never sees the message and therefore it’s not archived.
- Outbound messages—If an outbound message is sent to admin quarantines, a journal copy is sent when the user clicks Send, irrespective of whether the message is quarantined.
Messages with multiple recipients
Sometimes when a message is sent to multiple recipients, one group can receive a different version of the messages due to compliance or routing policies.
- Inbound messages—A separate journal copy with the relevant message version is sent corresponding to each recipient. To determine whether multiple recipients received the same message, the archiving solution should use deduplication logic.
- Outbound messages—The copy sent by the sender is journaled.
- Internal messages— Internal recipients will remain on the message. Although some internal recipients may not actually get the message due to content compliance or other policies, delivery to some or all recipients is captured.
Messages with unrecognized recipients
Journals aren’t sent for messages received for unrecognized recipients. To journal for a particular user, the user must be registered.
Retry mechanism for SMTP failure codes
If a message isn’t successfully delivered to the journal address and the Simple Mail Transfer Protocol (SMTP) host returns a temporary error (4xx), Gmail tries to resend the messages for 8 days. If the SMTP host returns a permanent error (5xx), Gmail does not try to resend the message.
We recommend configuring the third-party archive to reject messages that aren’t Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM) signed. Google uses DKIM signing in 2 ways:
- Google key on the customer’s behalf (if customer has not setup)
- Customer key
We recommend that you set up TLS compliance to secure the connection to third-party archiving solutions.