Outgoing Email Requirement (DMARC)

When you send email from a @*umn.edu (r.umn.edu, morris.umn.edu, crk.umn.edu, d.umn.edu, or umn.edu) address, the email system or service you use (Gmail, Salesforce Marketing Cloud, MailChimp, etc.) must use at least one method for verifying that it is coming from a credible UMN source (i.e. digital signatures).

Your mail must be verified through one of two digital signature tools to pass DMARC:

• DomainKeys Identified Mail (DKIM) - OIT strongly recommends using DKIM signing for applications and systems that support DKIM signatures
• Sender Policy Framework (SPF) - supported if you are sending mail as a sub-domain (for example, sending from @math.umn.edu), otherwise, not recommended

Outgoing email will only be verified if the sender’s email system (or account) has been configured with the appropriate DKIM signatures and/or SPF records. If a umn.edu (or other campus domain) outgoing email fails verification, DMARC will route the email away from the intended recipient’s inbox (see UMN Implementation and Timeline below for more information).

Note: The University recommends using DKIM signing whenever possible but can support either tool. If your application or server only supports SPF, contact Technology Help to ensure it is correctly configured.

For an outgoing email to pass DMARC verification, the email service or system you use must have digital signatures set up correctly. The following email services are DMARC compliant and have correct digital signatures configured. If you use these services, no further action is required by you.

Verified Services

• UMN Gmail via web browser, desktop client, or mobile app
• UMN SMTP mail relay service
• UMN Google Groups
• L-Soft Listserv
• Salesforce Marketing Cloud
• Salesforce Pardot
• Drupal Sites (not using a custom module)
• Hubspot
• AudienceView
• MailChimp (only when configured correctly; configure your MailChimp account)
• Constant Contact (only when configured correctly and DKIM key is submitted; configure your Constant Contact account)

Unverified/Unapproved Services

If you use an unverified service or are unsure if the service/system you use is verified, go to action step number two: Test your email for verification. Examples of unverified services include:

• Third-party email services that do not have digital signatures configured correctly (e.g., Constant Contact, Silverpop, iContact, off-campus servers, etc.)
• Non-UMN Gmail accounts that send as a umn.edu address
  • For example, a hotmail.com or gmail.com address set to send as a umn.edu address
• Third-party email scripts/servers that don’t send email using on-campus mail services

Test Your Email

If you use a service that is not approved/verified, or if you are unsure whether or not your service is verified:

• Send a test message to [email protected] from the application/server you intend to use (you will receive an automated reply)
• If you don’t have a way to get an auto-replied email, send a test message to [email protected]
• Check your email header

Note: If you use a verified/approved email service (see list in action item 1, above) that passes either DKIM or SPF, no further action is required by you. 

If your email does not pass DMARC (does not have DKIM signatures or SPF records correctly set up), you should contact the vendor that provides the application or service to determine if they are able to support DKIM or another method of verifying mail.

Sign with DKIM for your campus domain (Preferred Method)

We recommend you ask the vendor the following:

• Does the vendor support DKIM signing?
• How can I have DKIM configured for my account/service?

Other options to become DMARC-compliant

If your current vendor does not support DKIM signing, there are other ways to verify your email:

• Add or update the SPF record for your subdomain (e.g. xxx.vendor.umn.edu)
• Send via mail relay with a departmental account designated specifically for the purpose of sending verified mail (highly recommended if being used by a vendor)
• Update SPF record for campus domain - static IP addresses/networks only (discouraged)

If you would like additional assistance, please contact Technology Help. 

Note: Generally, we discourage the use of SPF records for mail verification. If your vendor only supports SPF, consider using a different vendor that supports DKIM, or contact Technology Help to discuss further options.

"From" Header Changes

OIT will make technical changes (set DMARC policy flags) that modify how the “From” header looks to recipients when mail is sent from Google Groups and Listserv lists.

Currently, the "From" header shows the sender's name and email address (see example below).

Below are examples of how the "From" header will appear for Listserv and Google Groups after the changes are implemented. 

Google Groups

• From: “Jane Q. Public via Google Group name” <[email protected]>

Listserv

• From: Jane Q. Public <[email protected]>

• April 28, 2020: Rochester
• April 30, 2020: Morris and Crookston
• May 5, 2020: Duluth
• June 2, 2020: Twin Cities, select groups
• December 3, 2020: Twin Cities, all groups

Unverified mail goes to the spam folder

OIT will make technical changes (set DMARC policy flags) to quarantine email coming from an unverified @*.umn.edu email address. After this technical change is in place, unverified email will be delivered to the intended recipient’s spam folder.

• February 2021: Rochester
• February 2021: Morris
• February 2021: Crookston
• May 2021: Duluth
• June 2021: Twin Cities

Unverified mail bounces back to the sender

The Office of Information Technology (OIT) will make technical changes (set DMARC policy flags) to reject email coming from an unverified @*.umn.edu email address. After this technical change is in place, unverified email will not be delivered to the intended recipient, if the recipient’s domain can act on our DMARC protocol, and will bounce back to the sender.

Note: If unverified email is sent to one of the five campus domains, it will not bounce back to the sender and will instead be sent to the recipient's spam folder.

• July 15, 2021: Rochester
• July 22, 2021: Morris
• July 22, 2021: Crookston
• July 29, 2021: Duluth
• August 12, 2021: Twin Cities

Apply DMARC Policy to Sub-domains

Existing sub-domains can continue to send mail even if they are not DMARC-compliant. New sub-domains will need to be DMARC-compliant before they are allowed to send mail. Mail that is not DMARC-compliant will bounce back to the sender. Refer to the Action Steps above to ensure mail is DMARC-compliant. 

Phase 4 will allow for the implementation of Brand Indicators for Message Identification (BIMI) in December 2021. 

• October 2021: Applied policy to existing sub-domains to allow them to continue sending mail (no action required)
• November 2021: Updating University-wide DMARC policy to include all sub-domains
• December 2021: Implement Brand Indicators for Message Identification (BIMI)

• Send a test message to [email protected] from the application/server you intend to use
• If you don’t have a way to get an auto-replied email, send a test message to [email protected]
• Check your email header

No, the DMARC change only looks at any mail that is being sent from a @*.umn.edu from sender (or any of the other 4 campus domains: crk.umn.edu, d.umn.edu, morris.umn.edu, r.umn.edu)

If you received an email that includes [UNVERIFIED] in the subject line, respond to the sender and let them know. You may direct them to this website: it.umn.edu/outgoing-email-requirement-dmarc

If you sent an email, and it is brought to your attention that your subject line says [UNVERIFIED], follow the above action steps to verify your mail, or contact Technology Help.

As part the University's DMARC implementation, the header "From" for both Google Groups and Listserv lists will change to be more descriptive of where the message is coming from. This will help determine whether or not mail is DMARC compliant and whether it should be directed away from the recipient's inbox. This change also helps mail sent from verified University sources survive forwarding to email addresses outside of the University system. Without the header "From" change, mail sent from verified @*.umn.edu sources would display a security warning if they were forwarded outside of the University.

No, you only need to pass DKIM or SPF alignment in order to be DMARC-compliant.

Phase 1

Phase 1 will not impact deliverability. Phase 1 only impacts the way messages appear in a user’s inbox if email is sent from an unverified source. To determine if your mass email tool is verified, we recommend sending a test email to [email protected], and you will receive an automated response that tells you whether or not you are verified and have passed DMARC. If you are unable to receive an automated response, please send a test email to [email protected]. 

The phase 1 “From” header changes only applies to Google Groups and Listserv, so email sent with mass email tools will not be impacted and the "From" header will continue to appear as it does currently.

Phases 2 and 3

In phase 2, email that is sent from an unverified source claiming to be an @*.umn.edu email address will be routed to recipients' spam folders. 

In phase 3, email that is sent from an unverified source claiming to be an @*.umn.edu email address will bounce back to the sender. 

The best way to avoid email you send from being impacted by these changes is to verify your mass email tool. To determine if your mass email tool is verified, we recommend sending a test email to [email protected], and you will receive an automated response that tells you whether or not you are verified and have passed DMARC. If you are unable to receive an automated response, please send a test email to [email protected]. 

Yes, please refer to Phase 4 above for details and timeline information for sub-domains.