Email Security: Domain-based Message Authentication (DMARC)
As part of an ongoing effort to combat phishing scams and increase email security, the Office of Information Technology (OIT) is implementing the Domain-based Message Authentication, Reporting & Conformance (DMARC) protocol. DMARC monitors mass mailing, hosted vendor applications, or mail servers used to send mail as the University (e.g. umn.edu).
DMARC is an email authentication, policy, and reporting protocol. It works in two ways:
- It detects unauthorized activity, and provides information about how to handle unauthorized email. For example, the email may be put in the spam folder.
- It identifies legitimate senders, either emails sent by UMN Gmail or by approved/verified email services.
DMARC uses one of two technologies to verify emails:
- Domain Keys Identified Mail (DKIM)
- Sender Policy Framework (SPF) - supported if you are sending mail as a sub-domain (for example, sending from @math.umn.edu)
The University recommends using DKIM whenever possible but can support either technology.
Currently we are monitoring "spoofed" emails. Over time, we will move forward with the DMARC implementation by increasing the amount of email that is marked as spam, or that is bounced/rejected from unapproved/unverified services.
Everyone in the umn.edu domain will be impacted. However, the rollout will be gradual so that impact to our users is minimized.
Implementing DMARC will not cause your email messages to be delayed. DMARC only affects how your email is "viewed" by the receiver's domain setup.
UMN Gmail Users
Individual UMN Gmail users do not need to do anything. You can continue to use Gmail as you normally would.
UMN Mass Email Senders
If you are using an approved email service (see list below), you do not need to do anything. You can continue to send mass email as you normally would.
- UMN Gmail via web browser, desktop client, or mobile app
- UMN SMTP mail relay service
- UMN Google Groups
- L-Soft Listserv
- Salesforce Marketing Cloud
- Drupal Sites (not using a custom module)
- Amazon Web Services (AWS)
- Technolutions (Slate)
If you are using an unverified email service, you will need to configure your SPF or DKIM settings so that your outgoing mass email meets authentication standards, passes DMARC, and reaches recipients' inboxes. Check your vendor's documentation for instructions. If you need assistance, contact Technology Help.
- Third-party email services that are not configured to work with the new DMARC controls
(e.g., Constant Contact, Silverpop, MailChimp, iContact, off-campus servers, etc.)
- Non-UMN Gmail accounts that send as a umn.edu address
(e.g., a hotmail.com or gmail.com address set to send as a umn.edu address)
Test Whether Emails Will be Affected
Technical staff who would like to test whether emails will be affected can do so by sending a message from a umn.edu address that originates from a non-University mail server (e.g., MailChimp) to [email protected], where it will be reviewed by OIT Email administrators.
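For a local pre-check of a test message you have received from your vendor, the Python sketch below reads the Authentication-Results header that your own receiving server added and reports whether a passing SPF or DKIM result is aligned with the From domain, which is what DMARC requires. It is an added example, not OIT tooling; the sample messages are constructed, and it assumes relaxed alignment and a two-label organizational domain (true for umn.edu, not for every suffix).

```python
import re
from email import message_from_string
from email.utils import parseaddr

def org_domain(domain):
    # Assumption: organizational domain = last two labels (correct for umn.edu).
    # A full implementation would consult the Public Suffix List.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(auth_domain, from_domain):
    # Relaxed alignment (assumed): both share one organizational domain.
    return bool(auth_domain) and org_domain(auth_domain) == org_domain(from_domain)

def dmarc_check(raw_message):
    # Only trust Authentication-Results headers added by your own receiver.
    msg = message_from_string(raw_message)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2]
    result = {"from": from_domain, "spf_aligned": False, "dkim_aligned": False}
    for header in msg.get_all("Authentication-Results", []):
        for clause in header.split(";")[1:]:  # first part is the authserv-id
            clause = " ".join(clause.split())  # unfold continuation lines
            m = re.match(r"(spf|dkim)=(\w+)", clause)
            if not m or m.group(2) != "pass":
                continue  # a failed or absent check can never satisfy DMARC
            method = m.group(1)
            prop = "smtp.mailfrom" if method == "spf" else "header.d"
            d = re.search(re.escape(prop) + r"=(\S+)", clause)
            if d and aligned(d.group(1).rpartition("@")[2], from_domain):
                result[method + "_aligned"] = True
    result["dmarc_pass"] = result["spf_aligned"] or result["dkim_aligned"]
    return result

def sample(auth_results, from_addr):
    # Builds a constructed test message; mx.receiver.example is a placeholder.
    return ("Authentication-Results: mx.receiver.example;\n " + auth_results +
            "\nFrom: Sender <" + from_addr + ">\nSubject: constructed\n\nbody\n")

# Vendor authenticates only as itself: SPF and DKIM pass, DMARC still fails.
UNALIGNED = sample("spf=pass smtp.mailfrom=bounce@mail.vendor.example;\n"
                   " dkim=pass header.d=vendor.example", "news@umn.edu")
# Vendor signs with the University's domain: DKIM is aligned.
DKIM_OK = sample("spf=pass smtp.mailfrom=bounce@mail.vendor.example;\n"
                 " dkim=pass header.d=umn.edu", "news@umn.edu")
# Sub-domain sender relying on SPF: envelope domain is under math.umn.edu.
SPF_OK = sample("spf=pass smtp.mailfrom=bounce.math.umn.edu; dkim=none",
                "list@math.umn.edu")

if __name__ == "__main__":
    for name, raw in [("unaligned", UNALIGNED), ("dkim", DKIM_OK), ("spf", SPF_OK)]:
        print(name, dmarc_check(raw))
```

The first sample shows the common vendor pitfall: both checks pass for the vendor's own domain, yet neither is aligned with the umn.edu From address.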
For more information, contact Technology Help.