Prevent spoofing and spam with DMARC
From: https://support.google.com/a/answer/2466580?sjid=16475661690433716483-NC
Help prevent spoofing and spam with DMARC
Protect against spoofing & phishing, and help prevent messages from being marked as spam
Tip: Google Workspace uses 3 email standards to help prevent spoofing and
phishing of your organization’s Gmail. These standards also help ensure
your outgoing messages aren’t marked as spam. We recommend Google
Workspace administrators always set up these email standards for Gmail.
Learn more about how standard email authentication helps keep your
organization’s email safe.
DMARC is a standard email authentication method. DMARC helps mail
administrators prevent hackers and other attackers from spoofing their
organization and domain. Spoofing is a type of attack in which the From
address of an email message is forged. A spoofed message appears to be from
the impersonated organization or domain.
DMARC also lets you request reports from email servers that get messages
from your organization or domain. These reports have information to help
you identify possible authentication issues and malicious activity for
messages sent from your domain.
Get started
Go directly to the steps for setting up DMARC, later in this article.
About DMARC
How DMARC prevents spoofing & phishing
Spammers can spoof your domain or organization to send fake messages that
impersonate your organization. DMARC tells receiving mail servers what to do
when they get a message that appears to be from your organization, but doesn't
pass authentication checks, or doesn’t meet the authentication requirements in
your DMARC policy record. Messages that aren't authenticated might be
impersonating your organization, or might be sent from unauthorized servers.
DMARC is always used with these two email authentication methods or checks:
- Sender Policy Framework (SPF) lets the domain owner authorize IP addresses
that are allowed to send email for the domain. Receiving servers can verify
that messages appearing to come from a specific domain are sent from
servers allowed by the domain owner.
- Domain Keys Identified Mail (DKIM) adds a digital signature to every sent
message. Receiving servers use the signature to verify messages are
authentic, and weren't forged or changed during transit.
What is spoofing?
Spoofed messages are often used for malicious purposes, for example to
communicate false information or to send harmful software. Spoofed messages
are also used for phishing, a scam that tricks people into entering
sensitive information like usernames, passwords, or credit card data.
Spoofing can have a lasting effect on your organization’s reputation, and
impacts the trust of your users and customers.
Sometimes spammers forge messages so that they appear to come from
well-known or legitimate organizations. If spammers use your organization’s
name to send fake messages, people who get these messages might report them
as spam. If many people report these messages as spam, legitimate messages
from your organization might also be marked as spam.
Authenticates messages (DMARC alignment)
DMARC passes or fails a message based on whether the domain in the message’s
From: header matches the domain that SPF or DKIM authenticated for that
message. This is called alignment. So, before you set up DMARC for your
domain, you should turn on SPF and DKIM.
Learn about DMARC alignment.
Manages messages that fail authentication (receiver policy)
If a mail server gets a message from your domain that fails the SPF or DKIM
check (or both), DMARC tells the server what to do with the message. There are
three possible options, defined by your DMARC policy:
- Policy is set to none - Take no action on messages, and deliver them normally.
- Policy is set to quarantine - Mark messages as spam, and send them to recipients' spam folder, or to quarantine.
- Policy is set to reject - Reject the messages, and don’t deliver them to recipients.
Learn about DMARC enforcement options.
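As an added illustration that is not part of Google's article, the following Python models how a receiving server combines the alignment and policy tags of a DMARC record with the SPF and DKIM results for a message. The domain example.com and the record are constructed, and the organizational-domain helper is a simplification (real receivers use the Public Suffix List).

```python
# Constructed DMARC TXT record for the assumed domain example.com (not from the article).
DMARC_RECORD = ("v=DMARC1; p=quarantine; sp=reject; pct=100; adkim=r; aspf=r; "
                "rua=mailto:dmarc-reports@example.com")


def parse_dmarc(record):
    """Parse a DMARC TXT record into a tag -> value dict.
    adkim/aspf default to relaxed ('r') when absent, as in the DMARC spec."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a valid DMARC record")
    tags.setdefault("adkim", "r")
    tags.setdefault("aspf", "r")
    return tags


def org_domain(domain):
    """Approximate the organizational domain as the last two labels.
    Assumption for this example; production code consults the Public Suffix List."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(from_domain, auth_domain, mode):
    """Strict ('s') needs an exact domain match; relaxed ('r') accepts the same org domain."""
    from_domain, auth_domain = from_domain.lower(), auth_domain.lower()
    if mode == "s":
        return from_domain == auth_domain
    return org_domain(from_domain) == org_domain(auth_domain)


def evaluate(record, from_domain, spf_pass_domain=None, dkim_pass_domain=None):
    """Return (dmarc_result, action) for a message whose From: header uses from_domain.
    spf_pass_domain / dkim_pass_domain are the domains that passed SPF / DKIM, or None
    when that check failed. The pct tag is not modeled: the policy is applied in full."""
    tags = parse_dmarc(record)
    spf_ok = spf_pass_domain is not None and aligned(from_domain, spf_pass_domain, tags["aspf"])
    dkim_ok = dkim_pass_domain is not None and aligned(from_domain, dkim_pass_domain, tags["adkim"])
    if spf_ok or dkim_ok:
        return "pass", "deliver"
    # A subdomain of the record's org domain falls under sp= when it is present.
    is_subdomain = from_domain.lower() != org_domain(from_domain)
    policy = tags["sp"] if (is_subdomain and "sp" in tags) else tags["p"]
    return "fail", policy
```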
Sends you reports so you can monitor and change your policy
What you need to do
Before you set up DMARC
- Set up SPF and DKIM for your domain
- Set up a group or mailbox for DMARC reports
- Get your domain host sign-in information
- Check for an existing DMARC record (optional)
- Make sure third-party mail is authenticated
For details, go to Before you set up DMARC.

Define your DMARC policy record
- DMARC policy options
- DMARC alignment options
- DMARC report options
For details, go to Define your DMARC policy.

Add your DMARC record
- Add or update your record
- DMARC record format
- DMARC record tags
- Add domains or subdomains
For details, go to Add your DMARC record.

Tutorial: Recommended DMARC rollout
- Start with a relaxed DMARC policy
- Review DMARC reports
- Quarantine a small percentage of messages
- Reject all unauthenticated messages
For details, go to Tutorial: Recommended DMARC rollout.

DMARC reports
- Who should use DMARC reports
- Create a dedicated group or mailbox for your reports
- Get help from a third-party service (recommended)
- Reading your DMARC reports
For details, go to DMARC reports.

Troubleshoot DMARC issues
- Verify messages pass authentication
- Check your mail sending practices
- Get more information with Email Log Search
- Follow recommended troubleshooting steps
For details, go to Troubleshoot DMARC.
Related topics
Help prevent spoofing, phishing, and spam
DMARC RFC 7489