ITS is working with departmental IT staff to implement protocols that reduce the number of legitimate messages marked as spam by external email servers and remove the [External] tag from messages sent by university departments through third-party vendors (e.g., Constant Contact, Campaign Monitor). Implementing these protocols can help with Inbox placement, brand protection, spoofing protection (both in university email systems and external email systems), and bypassing [External] tagging.

Note: Email senders external to Microsoft 365 that use DMARC-compliant subdomains should not need exemptions from external tagging. The [External] tag will not be added if both of the following conditions are met:

  1. The sender address is
  2. The Authentication-Results email header has dmarc=pass in it.
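To check the second condition on a received message, read the Authentication-Results header that your own mail system wrote, since a sender can insert a look-alike header of its own. The following is an added example, not ITS code: it assumes the RFC 8601 layout in which the header begins with the receiving server's identifier, and all hostnames, addresses and the identifier `mx.receiver.example` are constructed placeholders.

```python
import email
import re
from email import policy

# Constructed sample: the first header is from the receiving server,
# the second was supplied by the sending side and must not be trusted.
SAMPLE = """\
Authentication-Results: mx.receiver.example; spf=pass (sender IP ok) smtp.mailfrom=bounce.vendor.example; dkim=pass header.d=news.dept.example; dmarc=pass action=none header.from=news.dept.example
Authentication-Results: mx.sender.example; dmarc=pass header.from=news.dept.example
From: Department News <updates@news.dept.example>
Subject: Monthly newsletter

Hello.
"""

# Constructed sample: the receiver recorded a failure, the sender claims a pass.
SPOOFED = """\
Authentication-Results: mx.receiver.example; spf=fail smtp.mailfrom=bulk.example; dmarc=fail action=quarantine header.from=dept.example
Authentication-Results: mx.other.example; dmarc=pass header.from=dept.example
From: Department News <updates@dept.example>
Subject: Urgent

Hello.
"""


def dmarc_result(raw_message, trusted_authserv_id):
    """Return the dmarc= verdict written by the trusted server, or None."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    for value in msg.get_all("Authentication-Results", []):
        # Drop parenthesised comments, then split "authserv-id; method=result ..."
        text = re.sub(r"\([^)]*\)", "", str(value))
        parts = [p.strip() for p in text.split(";")]
        authserv_id = parts[0].split()[0].lower() if parts[0] else ""
        if authserv_id != trusted_authserv_id.lower():
            continue  # not written by our own mail system: ignore it
        for part in parts[1:]:
            m = re.match(r"dmarc\s*=\s*([a-z]+)", part, re.IGNORECASE)
            if m:
                return m.group(1).lower()
    return None


if __name__ == "__main__":
    for name, raw in (("SAMPLE", SAMPLE), ("SPOOFED", SPOOFED)):
        print(name, dmarc_result(raw, "mx.receiver.example"))
```
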

There are several protocols that we can implement to verify that messages are legitimate:   

DMARC (Domain-based Message Authentication, Reporting & Conformance) -  For DMARC, you need to enable SPF or DKIM, preferably both.  

SPF (Sender Policy Framework) -

DKIM (DomainKeys Identified Mail)

As a policy, we do not allow blanket authorization for an IP or an email sender. If we did, anyone sending from that address or vendor (e.g., Constant Contact) could send email as a university address and it would pass through our spam filters. This can lead to spoofed email and phishing messages being sent from what looks like a valid university address.

If you use a third-party application to send email from a university address and want to improve your Inbox placement and keep your messages from being flagged as [External], please do the following:

  1. Fill out the DMARC Request Form and we will set up a meeting with you to get started.




Last updated: November 22, 2023