DMARC Email Project

ITS will implement DMARC (Domain-based Message Authentication, Reporting and Conformance), a policy and reporting protocol for email authentication, on its email system. Implementing DMARC protects users by combating phishing, email scams, and spoofing of our email domains.

Why implement DMARC?

Email technology continues to evolve and DMARC has become one of the common solutions to verify email messages are legitimate.

  • Provides separation of approved and unapproved email messages. Without DMARC, our university email domains can be fraudulently spoofed. Properly implementing DMARC technology adds credibility to university messages.
  • DMARC has become an industry standard technology with large providers such as Google/Gmail, and some government agencies, requiring systems to implement the protocols. To continue successfully communicating with these providers, we must adapt.
  • Participating in DMARC compliance will help increase overall email authentication. As other organizations implement similar changes, phishing and other inappropriate spoofing will become less effective.

What is DMARC and how does it work?

DMARC provides protection against spam and phishing emails and other spoofing attempts by using a cryptographic DKIM (DomainKeys Identified Mail) signature and/or SPF (Sender Policy Framework) to verify the authenticity of any sender attempting to use the @uiowa.edu domain or any of its subdomains. This added safeguard provides an extra level of protection for any emails sent from an authorized University of Iowa email address. DMARC also improves email reputation and Inbox placement.

A DMARC policy can be used to authenticate a sender’s domain, verify that the email transmitted by a sender is legitimate, and identify and monitor all approved/verified senders and third-party vendor applications (e.g., Constant Contact or Mailchimp) used to transmit mail on UI’s behalf. A DMARC policy also provides instructions to other email servers on how unauthenticated email should be handled: by placing it in quarantine or the Junk Email folder or, in some cases, rejecting the email so that it is never delivered.

How will DMARC implementation affect you?

Most email users will notice no change in service.

If you are a department or staff member who uses a third-party email platform like Mailchimp, Constant Contact, or Salesforce Marketing Cloud, ITS staff will start to engage with you about this project. If you know you will be impacted, you can request a meeting by filling out the DMARC form for DMARC setup and validation.

Benefits of DMARC

  • Reputation: Publishing a DMARC record protects your brand by preventing unauthenticated parties from sending mail from your domain. In some cases, simply publishing a DMARC record can result in a positive reputation bump.
  • Inbox Placement:  DMARC improves inbox placement and keeps messages from being flagged as junk email or being blocked entirely.  Some government agencies, other organizations, and other mail systems (Gmail, Yahoo, etc.) are moving towards requiring email coming into their systems to be authenticated.
  • Visibility: DMARC reports increase visibility into your email program by letting you know who is sending email from your domain.
  • Security: DMARC helps the email community establish a consistent policy for dealing with messages that fail to authenticate. This helps the email ecosystem become more secure and more trustworthy.

If you have a third-party application you are using to send email from a university address and you want to improve your Inbox placement or not have your messages flagged as [External], please complete the DMARC Request Form and we will set up a meeting with you to get started. 

  1. Assess: Identify the top sending systems and email addresses that spoof @uiowa.edu addresses and work with those individuals to set up DMARC policy
  2. Implement: Deploy DMARC policy with a steadily increasing level of DMARC security over 6-8 months
  3. New Operational Mode: Modify or implement new DMARC policy configurations as necessary
 

We are identifying the larger sending systems and email addresses that are spoofing @uiowa.edu addresses and will work with them to set up DMARC/DKIM/SPF for their third-party app. Beginning January 2024, we will start to implement a DMARC policy of p=quarantine, so messages that are not authenticated may get dropped. Departments will need to work with ITS to start the process of setting up DMARC.

Departments/IT Staff should fill out the DMARC Request Form to set up a meeting to start the process.

  • A subdomain (e.g., its.uiowa.edu) must be used instead of @uiowa.edu, and SPF and/or DKIM must be set up. The configuration should be based on the From address being used in mailings and the capabilities of the third-party email service.
  • Third-party email service providers (e.g., Mailchimp, Constant Contact, etc.) will need to have DMARC/DKIM/SPF set up in order to send messages as @uiowa.edu

TIMELINE

The plan is to have P=Reject implemented by 10/1/2024. We will reach this goal with a phased approach, starting with the P=Quarantine option for messages that are spoofing @uiowa.edu addresses. For example, on February 6, 2024, if you spoof an email to 100 users, the receiving email system should drop 5 of them. Senders may or may not receive an error or undeliverable report depending on the receiving system.

DMARC Setting         Implementation Date
P=Quarantine %=0      January 9, 2024
P=Quarantine %=5      February 6, 2024
P=Quarantine %=25     March 5, 2024
P=Quarantine %=50     April 2, 2024
P=Quarantine %=75     May 14, 2024
P=Quarantine %=100    June 11, 2024
P=Quarantine %=100    July 2, 2024
P=Reject              October 1, 2024
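
How a receiving mail system applies one of the phased settings above, as an added example (not ITS's configuration or code). The record string is constructed for the February 6 phase, vendor.example is a hypothetical third-party sender, and the organizational domain is approximated as the last two labels instead of using the Public Suffix List.

```python
import random

# Constructed record for the February 6 phase (P=Quarantine %=5); pct is the DMARC tag for "%".
PHASE_FEB_6 = "v=DMARC1; p=quarantine; pct=5"

def parse_dmarc(record):
    """Split a DMARC TXT record into a dict of lowercase tag -> value."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    return tags

def org_domain(domain):
    # Simplification: last two labels. Real receivers use the Public Suffix List.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(auth_domain, from_domain):
    # Relaxed alignment (the DMARC default): organizational domains must match.
    return org_domain(auth_domain) == org_domain(from_domain)

def disposition(record, from_domain, spf=None, dkim=None, roll=None):
    """spf/dkim: the domain that passed that check, or None if the check failed.
    roll: sampling value 0-99 (random when omitted) compared against pct."""
    tags = parse_dmarc(record)
    if any(d and aligned(d, from_domain) for d in (spf, dkim)):
        return "pass"
    policy = tags.get("p", "none").lower()
    pct = int(tags.get("pct", "100"))
    if roll is None:
        roll = random.randrange(100)
    if roll < pct:
        return policy
    # Not sampled: RFC 7489 applies the next-lower policy instead.
    return {"reject": "quarantine", "quarantine": "none"}.get(policy, "none")

def quarantined_out_of_100(record):
    # A vendor passes SPF only for its own domain while sending From: @uiowa.edu.
    return sum(disposition(record, "uiowa.edu", spf="vendor.example", roll=r)
               == "quarantine" for r in range(100))

if __name__ == "__main__":
    print(quarantined_out_of_100(PHASE_FEB_6))   # unaligned vendor mail
    print(disposition(PHASE_FEB_6, "its.uiowa.edu", dkim="its.uiowa.edu"))
```

A vendor that passes SPF only for its own domain still fails DMARC for a @uiowa.edu From address, which is why a subdomain with its own SPF and/or DKIM setup is required.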

 

Approved / Verified Senders

  • Office 365 via web browser, desktop app, and mobile app
  • Listserv
  • Massmail
  • Dispatch

Unapproved / Unverified Senders

  • Third-party email services that are not set up with DMARC
      • Any vendor using off-campus servers
  • Non-University of Iowa email accounts that send as a University of Iowa @uiowa.edu address
      • e.g., a hotmail.com or gmail.com address set to send as a uiowa.edu address
  • Third-party email scripts/servers that don't send email using on-campus mail services

 

NOTE:  As a policy, we do not allow blanket authorization for an IP or an email sender. If we did, anyone sending from that address or vendor (e.g., Constant Contact, Mailchimp, etc) could send email as a university address and it would pass through our spam filters. This can lead to spoofed email and phishing messages being sent from what looks like a valid university address.

Article number: 128256
Last updated: February 8, 2024