Integrate Gmail with a 3rd-party archiving solution

Supported editions for this feature: Enterprise Standard and Enterprise Plus; Education Plus. Compare your edition

As a Gmail administrator, you can set up a third-party archiving solution to archive Gmail journal messages. This solution can be useful to:

  • Comply with email requirements, such as SEC Rule 17a-4
  • Continue using a third-party archiving solution
  • Allow user access to archives

How integration works

To integrate Gmail with a third-party archiving solution, specify an email address where journal messages are forwarded. If you specify more than one email address, journal messages are sent to all email addresses.

We recommend you set up TLS compliance when you use a third-party archiving solution. This ensures Gmail requires TLS encryption when sending mail to the third-party archiving solution.

Set up a 3rd-party archiving solution

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. In the Admin console, go to Menu and then Appsand thenGoogle Workspaceand thenGmailand thenRouting.
  3. (Optional) On the left, select the organization.
  4. Under Routing, scroll to Third-party email archiving or, in the search field, enter Third-party email archiving.
  5. Enter the email address for where you want to send journal messages.
  6. Click Add Setting.
  7. At the bottom, click Save.

How messages are managed

Versions of the messages that are journaled

Important: Journaled messages are not exempt from Gmail policies that reject messages containing potential viruses and harmful software. For more information, see File types blocked by Gmail.

  • Inbound messages—The version of the message received by the user is the one journaled. For example, if a content compliance policy triggers and strips the attachment, the journal copy won’t have the attachment.
  • Outbound messages—The version of the message sent by the user is journaled. For example, if a content compliance policy triggers and strips the attachment, the journal copy would retain the attachment.
  • Internal messages—For messages sent within your domain, acts like an inbound message for the recipient and an outbound message for the sender.

Messages that are sent to admin quarantines

  • Inbound messages—If an inbound message is sent to admin quarantines, the journal copy isn’t sent until the message is released from the quarantine. If a quarantined message is denied, the user never sees the message and therefore it’s not archived. 
  • Outbound messages—If an outbound message is sent to admin quarantines, a journal copy is sent when the user clicks Send, irrespective of whether the message is quarantined.

Messages with multiple recipients

Sometimes when a message is sent to multiple recipients, one group can receive a different version of the messages due to compliance or routing policies. 

  • Inbound messages—A separate journal copy with the relevant message version is sent corresponding to each recipient. To determine whether multiple recipients received the same message, the archiving solution should use deduplication logic. 
  • Outbound messages—The copy sent by the sender is journaled.
  • Internal messages— Internal recipients will remain on the message. Although some internal recipients may not actually get the message due to content compliance or other policies, delivery to some or all recipients is captured.

Messages with unrecognized recipients

Journals aren’t sent for messages received for unrecognized recipients. To journal for a particular user, the user must be registered. 

Retry mechanism for SMTP failure codes

If a message isn’t successfully delivered to the journal address and the Simple Mail Transfer Protocol (SMTP) host returns a temporary error (4xx), Gmail tries to resend the messages for 8 days. If the SMTP host returns a permanent error (5xx), Gmail does not try to resend the message. 

Security considerations

We recommend configuring the third-party archive to reject messages that aren’t Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM) signed. Google uses DKIM signing in 2 ways:

  • Google key on the customer’s behalf (if customer has not setup)
  • Customer key

We recommend that you set up TLS compliance to secure the connection to third-party archiving solutions.

Was this helpful?

How can we improve it?
Search
Clear search
Close search
Google apps
Main menu
1388703576223431310
true
Search Help Center
true
true
true
true
true
73010
false
false