Someone typing on laptop with email warning icons superimposed

Improving CU Boulder's email deliverability: Campus DMARC policy reaches full enforcement

Submitted by crei1741 on

CU Boulder's campuswide email authentication policy, which instructs email servers to quarantine messages that claim to be from CU Boulder but that fail authentication checks, has now reached full enforcement.

Since moving to 50% enforcement in late January, OIT has quarantined 31,705 messages that used a spoofed CU Boulder email address to target our community.

What it is

Email authentication is used to help identify and block phishing and spoofing attempts. CU Boulder uses an authentication policy called domain-based message authentication, reporting and conformance (DMARC), which tells email servers how to handle messages that claim to be from a specific sender, like CU Boulder, but that didn't originate from a sender-authorized account.

To learn more about email authentication, visit OIT's Email Authentication & Anti-Spoofing page (login required).

How we reached full enforcement

In 2024, OIT reached out to campus senders who were responsible for about 99% of official campus messaging to help them meet authentication standards. In early November, OIT enabled the DMARC quarantine policy and set it to 10% enforcement. This setting directed email servers to quarantine only about one in 10 unauthenticated messages claiming to be from CU Boulder.

After several weeks of monitoring authentication reports and contacting newly identified senders, OIT increased the policy's enforcement to 25% in early December, 50% in late January and now 100% in early March.

OIT will continue to monitor email authentication reports and reach out to unauthenticated campus senders as needed.

What to do if a legitimate email is quarantined

Legitimate emails may be flagged as spam or sent to quarantine when:

  • The sender hasn't configured their third-party mailing service to comply with authentication standards.
  • The message was sent through an external listserv that isn't configured properly.

If you find that a legitimate email from CU Boulder has been quarantined, we recommend that you:

  1. Release the message to your inbox.
  2. Add the sender to your Safe Senders list.
  3. Tell the sender their message was quarantined so they can check their authentication status.

Resources & Support

Visit OIT's Email Authentication - Help and Email Authentication - FAQ pages to learn more. If you have additional questions or concerns, please contact the IT Service Center at oithelp@colorado.edu or 303-735-4357.