Email Security: Domain-based Message Authentication (DMARC)
As part of an ongoing effort to combat phishing scams and increase email security, the Office of Information Technology (OIT) is implementing the Domain-based Message Authentication, Reporting & Conformance (DMARC) protocol.
How DMARC Works
DMARC is an email authentication, policy, and reporting protocol. It works in two ways:
- It detects unauthorized activity, and provides information about how to handle unauthorized email. For example, the email may be put in the spam folder.
- It identifies legitimate senders, either emails sent by UMN Gmail or by approved/verified email services.
DMARC uses one of two technologies to verify emails:
The University will be using DKIM as we implement DMARC.
UMN Implementation of DMARC
Currently we are monitoring “spoofed” emails. Over time, we will move forward with the DMARC implementation by increasing the amount of email that is marked as spam, or that is bounced/rejected from unapproved/unverified services.
Everyone in the umn.edu domain will be impacted. However, the rollout will be gradual so that impact to our users is minimized.
Implementing DMARC will not cause your email messages to be delayed. DMARC only affects how your email is “viewed” by the receiver’s domain setup.
What Do You Need to Do?
UMN Gmail Users
Individual UMN Gmail users do not need to do anything. You can continue to use Gmail as you normally would.
UMN Mass Email Senders
If you are using an approved email service (see list below), you do not need to do anything. You can continue to send mass email as you normally would.
Examples of Approved/Verified Email Services
- UMN Gmail via web browser, desktop client, or mobile app
- UMN SMTP mail relay service
- UMN Google Groups
- L-Soft Listserv
- Salesforce Marketing Cloud
If you are using an unapproved/unverified email service (see list below), please contact Technology Help so that we can help you develop a plan to become compliant.
Examples of Unapproved/Unverified Email Services
- Third-party email services that are not configured to work with the new DMARC controls
(e.g., Constant Contact, Silverpop, MailChimp, iContact, off-campus servers, etc.)
- Non-UMN Gmail accounts that send as a umn.edu address
(e.g., a hotmail.com or gmail.com address set to send as a umn.edu address)
Test Whether Emails Will be Affected
Technical staff who would like to test whether emails will be affected can do so by following these steps. Note: These instructions are written to apply to an email that uses a umn.edu address, but is originating from a non-University mail server.
- Open an email in Gmail.
- Click the drop-down menu beside the Reply button and select Show original.
- Search for "dmarc="
- If you find a line that begins with "dmarc=pass" and ends with "header.from=umn.edu" then the email will not be affected by the new controls being implemented.
- If you find a line that begins with "dmarc=fail" or "dmarc=softfail" and ends with "header.from=umn.edu" then the email will be affected by the new controls being implemented (and you should discuss options).
You can also send a message to firstname.lastname@example.org, where it will be reviewed by OIT Email administrators.
For more information, contact Technology Help.