Outgoing Email Requirement (DMARC)
Verify outgoing University email with digital signatures
A new email security requirement is being implemented systemwide for all outgoing mail that is sent from an @*umn.edu email address. This requirement is part of a standard used across educational and government entities called Domain-based Message Authentication, Reporting & Conformance (DMARC) protocol. By verifying the authenticity of our email senders, we help to combat phishing scams, increase email security, and protect the University of Minnesota’s reputation.
Action May Be Required
No action is required by you if you use Gmail, Salesforce Marketing Cloud, or other University-verified email services. If you use services or systems that are not verified to send email from an @*umn.edu email address (i.e., r.umn.edu, morris.umn.edu, crk.umn.edu, d.umn.edu, umn.edu) to email addresses outside the University, to ensure deliverability you will need to verify that the service or system you use is DMARC compliant. See Action Steps below.
Email Recipients May See a Change
Google Groups and Listserv
As a part of the new email security requirements, if you send email via Google Groups or Listserv, the email sender's name will appear in the "From" header:
- Google Groups: “Jane Q. Public via Google Group name” <[email protected]>
- Listserv: Jane Q. Public <[email protected]>
Unverified Email Services
Emails sent from email systems that are not DMARC compliant will include the tag [UNVERIFIED] in the subject line. For example:
- Subject: [UNVERIFIED] U of M Course Welcome: Process Innovation
Note: Emails sent from a sub-domain (e.g. @math.umn.edu or @neutrino.d.umn.edu) are excluded and will not show [UNVERIFIED] in the subject line.
How does DMARC work?
When you send email from a @*umn.edu (r.umn.edu, morris.umn.edu, crk.umn.edu, d.umn.edu, or umn.edu) address, the email system or service you use (Gmail, Salesforce Marketing Cloud, MailChimp, etc.) must use at least one method for verifying that it is coming from a credible UMN source (i.e. digital signatures).
Your mail must be verified through one of two digital signature tools to pass DMARC:
- DomainKeys Identified Mail (DKIM) - OIT strongly recommends using DKIM signing for applications and systems that support DKIM signatures
- Sender Policy Framework (SPF) - supported if you are sending mail as a sub-domain (for example, sending from @math.umn.edu), otherwise, not recommended
Outgoing email will only be verified if the sender’s email system (or account) has been configured with the appropriate DKIM signatures and/or SPF records. If a umn.edu (or other campus domain) outgoing email fails verification, DMARC will route the email away from the intended recipient’s inbox (see UMN Implementation and Timeline below for more information).
Note: The University recommends using DKIM signing whenever possible but can support either tool. If your application or server only supports SPF, contact Technology Help to ensure it is correctly configured.
1. Check if the email service you use is verified
For an outgoing email to pass DMARC verification, the email service or system you use must have digital signatures set up correctly. The following email services are DMARC compliant and have correct digital signatures configured. If you use these services, no further action is required by you.
- UMN Gmail via web browser, desktop client, or mobile app
- UMN SMTP mail relay service
- UMN Google Groups
- L-Soft Listserv
- Salesforce Marketing Cloud
- Salesforce Pardot
- Drupal Sites (not using a custom module)
- MailChimp (only when configured correctly; configure your MailChimp account)
- Constant Contact (only when configured correctly and DKIM key is submitted; configure your Constant Contact account)
If you use an unverified service or are unsure if the service/system you use is verified, go to action step number two: Test your email for verification. Examples of unverified services include:
- Third-party email services that do not have digital signatures configured correctly (e.g., Constant Contact, Silverpop, iContact, off-campus servers, etc.)
- Non-UMN Gmail accounts that send as a umn.edu address
- For example, a hotmail.com or gmail.com address set to send as a umn.edu address
- Third-party email scripts/servers that don’t send email using on-campus mail services
2. Test your email for verification
Test Your Email
If you use a service that is not approved/verified, or if you are unsure whether or not your service is verified:
- Send a test message to [email protected] from the application/server you intend to use (you will receive an automated reply)
- If you don’t have a way to get an auto-replied email, send a test message to [email protected]
- Check your email header
Note: If you use a verified/approved email service (see list in action item 1, above) that passes either DKIM or SPF, no further action is required by you.
3. Verify your email with digital signatures
If your email does not pass DMARC (does not have DKIM signatures or SPF records correctly set up), you should contact the vendor that provides the application or service to determine if they are able to support DKIM or another method of verifying mail.
Sign with DKIM for your campus domain (Preferred Method)
We recommend you ask the vendor the following:
- Does the vendor support DKIM signing?
- How can I have DKIM configured for my account/service?
Other options to become DMARC-compliant
If your current vendor does not support DKIM signing, there are other ways to verify your email:
- Add or update the SPF record for your subdomain (e.g. xxx.vendor.umn.edu)
- Send via mail relay with a departmental account designated specifically for the purpose of sending verified mail (highly recommended if being used by a vendor)
- Update SPF record for campus domain - static IP addresses/networks only (discouraged)
If you would like additional assistance, please contact Technology Help.
Note: Generally, we discourage the use of SPF records for mail verification. If your vendor only supports SPF, consider using a different vendor that supports DKIM, or contact Technology Help to discuss further options.
University of Minnesota Implementation and Timeline
The University implementation of DMARC is systemwide and will roll out in three phases.
- Phase 1: “From” header changes for Google Groups and Listserv & unverified messages include [UNVERIFIED] tag in the subject line
- Phase 2: Unverified messages are sent to the recipient's spam folder
- Phase 3: Unverified messages are bounced back to the sender
Note: Rollout timelines are subject to change.
Phase 1: "From" Header Changes and Subject Line Tagging
Phase 1: Details
"From" Header Changes
OIT will make technical changes (set DMARC policy flags) that modify how the “From” header looks to recipients when mail is sent from Google Groups and Listserv lists.
Currently, the "From" header shows the sender's name and email address (see example below).
Below are examples of how the "From" header will appear for Listserv and Google Groups after the changes are implemented.
- From: “Jane Q. Public via Google Group name” <[email protected]>
- From: Jane Q. Public <[email protected]>
Subject Line Tagging
For all applications and systems that send mail, any DMARC non-compliant messages will display [UNVERIFIED] in the email subject line. Emails sent from a sub-domain (e.g. @math.umn.edu or @neutrino.d.umn.edu) are excluded and will not show [UNVERIFIED] in the subject line.
Note: Subject line tagging may alter the way people have mail filters set up. If the mail filter is looking for a particular subject line, this change could impact how that filter rule behaves. Be sure to update your mail filters accordingly.
Phase 1: Timeline
- April 28: Rochester
- April 30: Morris and Crookston
- May 5: Duluth
- June 2: Twin Cities, select groups
- December 3: Twin Cities, all users
Phase 2: Unverified Messages Sent to Spam Folder
Phase 2: Details
OIT will make technical changes (set DMARC policy flags) to quarantine email coming from and unverified @*umn.edu email address. After this technical change is in place, unverified email will be delivered to the intended recipient’s spam folder.
Phase 2: Timeline
Phase 2: Timeline
- February 2021: Rochester
- February 2021: Morris
- February 2021: Crookston
- March 2021: Duluth
- April 2021: Twin Cities
Note: These dates are tentative.
Phase 3: Unverified Messages Bounce Back to Sender
Phase 3: Details
The Office of Information Technology (OIT) will make technical changes (set DMARC policy flags) to reject email coming from an unverified @*umn.edu email address. After this technical change is in place, unverified email will not be delivered to the intended recipient, if the recipient’s domain can act on our DMARC protocol, and will bounce back to the sender.
Note: If unverified email is sent to one of the five campus domains, it will not bounce back to the sender and will instead be sent to the recipient's spam folder.
Phase 3: Timeline
- Summer 2021: Rochester
- Summer 2021: Morris
- Summer 2021: Crookston
- Summer 2021: Duluth
- Summer 2021: Twin Cities
Frequently Asked Questions
Do I need to do something if I am not sending mail as umn.edu?
No, the DMARC change only looks at any mail that is being sent from a @umn.edu from sender (or any of the other 4 campus domains: crk.umn.edu, d.umn.edu, morris.umn.edu, r.umn.edu)
What should I do if I sent or received an email with [UNVERIFIED] in the subject line?
If you received an email that includes [UNVERIFIED] in the subject line, respond to the sender and let them know. You may direct them to this website: it.umn.edu/outgoing-email-requirement-dmarc
If you sent an email, and it is brought to your attention that your subject line says [UNVERIFIED], follow the above action steps to verify your mail, or contact Technology Help.
Why does the "From" header in my email look different?
As part the University's DMARC implementation, the header "From" for both Google Groups and Listserv lists will change to be more descriptive of where the message is coming from. This will help determine whether or not mail is DMARC compliant and whether it should be directed away from the recipient's inbox. This change also helps mail sent from verified University sources survive forwarding to email addresses outside of the University system. Without the header "From" change, mail sent from verified @*umn.edu sources would display a security warning if they were forwarded outside of the University.
Do I need to pass both SPF and DKIM?
No, you only need to pass DKIM or SPF alignment in order to be DMARC-compliant.
If I use a mass email tool, will these changes affect mass email deliverability or how messages appear in recipient's inboxes?
Phase 1 will not impact deliverability. Phase 1 only impacts the way messages appear in a user’s inbox if email is sent from an unverified source. To determine if your mass email tool is verified, we recommend sending a test email to [email protected], and you will receive an automated response that tells you whether or not you are verified and have passed DMARC. If you are unable to receive an automated response, please send a test email to [email protected].
The phase 1 “From” header changes only applies to Google Groups and Listserv, so email sent with mass email tools will not be impacted and the "From" header will continue to appear as it does currently.
Phases 2 and 3
In phase 2, email that is sent from an unverified source claiming to be an @*umn.edu email address will be routed to recipients' spam folders.
In phase 3, email that is sent from an unverified source claiming to be an @*umn.edu email address will bounce back to the sender.
The best way to avoid email you send from being impacted by these changes is to verify your mass email tool. To determine if your mass email tool is verified, we recommend sending a test email to [email protected], and you will receive an automated response that tells you whether or not you are verified and have passed DMARC. If you are unable to receive an automated response, please send a test email to [email protected].
Will DMARC impact sub-domains?
No, sub-domains are not in-scope at this time.
Test Your Mail
To determine if your mail is verified, do at least one of the following:
- Send a test email to [email protected] from the application/server you intend to use
- If you don’t have a way to get an auto-replied email, send a test email to [email protected]
- Check your email header
For additional assistance, contact Technology Help.