Skip to main content
日本語 简体中文 繁體中文

[Important] Google Groups Specification Changes Due to Stricter DMARC Policy Enforcement and Impact on HENNGE Email Archive

Updated

Overview

This article describes the impact on email archiving for messages routed via Google Groups due to stricter DMARC policy enforcement, and provides workarounds for customers using Email Archive with Google Workspace.

Details

Thank you for using HENNGE Email Archive.

In recent years, the global adoption of stricter DMARC policies (transitioning to p=reject or p=quarantine) as a countermeasure against email spoofing has been rapidly accelerating.
In response to this trend, Google Workspace has implemented specification changes to maintain the deliverability of business-critical emails routed through Google Groups while meeting the latest stringent security requirements.

Specifically, when a strict DMARC policy (p=reject or p=quarantine) is configured on the sender's domain, Google's infrastructure automatically rewrites the sender address (Header-From) as a protective measure to prevent emails routed via Google Groups from being identified as spoofed and rejected by the recipient's server.

While this is a proactive protective measure by Google to ensure legitimate emails are reliably delivered, it may cause the following impact due to the way email archiving works in HENNGE Email Archive.

Issue and Impact

Some emails sent from external domains to Google Groups addresses may not be recognized as archiving targets by Email Archive and may not be saved.

Cause

When an email is forwarded through Google Groups from a domain with a strict DMARC policy, there is a risk that the recipient's server will identify it as unauthorized and fail to deliver it.
This is because relaying through Google's infrastructure causes the email to be treated as if it was sent from a location different from the original sender.

To mitigate this risk and ensure secure email delivery for customers, Google has introduced a process (a defensive measure) that rewrites the Header-From address to the Google Group address so that DMARC authentication passes successfully.
Reference: Google Support Related Page (External Link)

Example of Header-From Rewriting

※ In the following, "External-User" refers to an external sender (external user).

  • Before rewriting: External-User@(external domain)
  • After rewriting: External-User via Group group-address@your-domain (Google Workspace domain group address)

Emails that have undergone this address rewriting will be treated as outside the scope of archive capture under the conventional delivery specifications.

Workaround (Configuration Change Procedure)

To ensure that emails sent from external domains to Google Groups addresses are reliably archived and managed, regardless of the sender's domain configuration (DMARC policy settings), a configuration change is required in the Google Admin console to supplement the definition of the delivery route.
Please implement the following workaround in accordance with your organization's operational requirements.

Adding a Routing Setting

To include emails sent to Google Groups addresses as archiving targets, please open the following inbound routing setting from your existing routing settings and add (edit) the configuration.
Reference: [Email Archive] Connection Procedure (Google Workspace) - Adding Google Workspace Routing Settings

Target routing

  • HENNGE Email Archive (rsmtpd_inbound)
  • HENNGE Email Archive (bsmtpd_inbound)

※ If routing with the same names listed above does not exist, the target routing settings are those where [1. Affected messages] is set to [Inbound].

Additional Settings

  1. Navigate to [Google Admin console][Apps][Google Workspace][Gmail][Routing] and open the relevant routing setting.

  2. In the section [2. For the above types of messages, do the following][Select all account types to apply this action to], check the box for [Group accounts].

  3. Configuration is complete once both [Active user accounts] and [Group accounts] are checked.

Routing Settings That Must Not Be Changed

Do NOT edit (e.g., check) the following outbound routing settings under any circumstances. 
※ Checking the outbound routing settings above may cause unintended duplicate processing and other issues, which could affect normal email archiving operations in your environment. Please do not make any changes whatsoever.

  • Email Archive (rsmtpd_outbound)
  • Email Archive (bsmtpd_outbound)

If you have any questions regarding this matter, please contact HENNGE One Technical Support.