About DMARC
Why did CU Boulder change its DMARC policy?
Domain-based message authentication, reporting and conformance (DMARC) is an email security policy that tells email servers how to handle messages that claim to be from a specific sender, like CU Boulder.
Not having a DMARC policy negatively affected CU Boulder's domain reputation, increasing the likelihood that our emails would be flagged as spam or rejected outright.
Faculty, staff and students reported failures related to CU Boulder's DMARC setting that interfered with researchers' ability to communicate with government agencies, HR's ability to conduct reference checks and send offer letters, and students' ability to message their family and friends.
These failures were occurring because government agencies, peer institutions and large email providers had tightened their security on incoming email. Specifically, they had implemented stricter enforcement of email sender authentication and were flagging or rejecting messages sent from domains without an active DMARC policy.
How does a DMARC quarantine policy benefit campus?
Changing CU Boulder's DMARC policy from none to quarantine improves CU Boulder's email reputation and closes a security gap that has been used to spoof our email domains.
By doing so, fewer colorado.edu emails will be quarantined or rejected, email servers will be better able to identify spoofing or phishing attacks using CU Boulder email addresses, and our security policies will be better aligned with other CU campuses and our fellow R1 institutions.
To learn more, view our Email Authentication & Anti-Spoofing page (login required).
Campus email senders
I send a lot of email through Outlook and other CU Boulder-provided systems. How am I affected by DMARC?
As long as you're using a CU Boulder-provided platform (e.g., Microsoft Outlook, Canvas, Oracle CommGen, eComm's Marketing Cloud instance; view the full list), your sends should already be properly authenticated, so DMARC shouldn't affect your current practices.
I prefer the email service I use now, but it isn't on your approved technology platforms list. Will I need to switch?
For the purposes of this initiative, our goal is to make sure that all platforms currently in use meet our security standards. However, senders who aren't using an approved technology platform as outlined in CU Boulder's eCommunications policy (section IV.2.1.) can expect to receive a follow-up communication with next steps to either document an exception or facilitate adoption of an approved platform.
What steps has OIT taken to ensure that campus senders are properly authenticated?
Before OIT changed the campus DMARC policy to quarantine in November 2024, they spent months reviewing email logs and contacting campus senders to help them adopt proper authentication.
In a few cases, OIT was unable to identify the address owners and/or third-party platforms being used to send the messages. Some community members also send very rarely, making it difficult to identify them. In the case of external listservs, the senders fell outside of CU Boulder's sphere of influence.
OIT will continue to monitor email authentication reports and reach out to newly identified senders as needed. Ultimately, it is the sender's responsibility to comply with CU Boulder's eCommunications policy and ensure that the messaging or workflow platform they're using adheres to authentication standards.
How will I know if the emails I'm sending are getting quarantined?
During the transition period, OIT will continue to monitor email logs and alert colorado.edu senders if their messages are being quarantined.
My listserv emails aren't going through. What's going on?
CU senders replying to external listservs may fail DMARC if the listserv is improperly configured. External listservs are out of CU's control. Users should reach out to the list owner to address the configuration errors.
Campus email recipients
Why are some messages from colorado.edu being sent to quarantine?
In most cases, your CU Boulder account will only quarantine illegitimate messages in which the sender is spoofing a CU Boulder email address.
If a legitimate CU Boulder email has been quarantined, it's likely because the service owner hasn't properly configured their third-party mailing service to comply with authentication standards.
If you notice that legitimate CU Boulder messages are being quarantined, we encourage you to reach out to the sender and share our Email Authentication - Help page for next steps. OIT will continue to proactively monitor email logs and assist legitimate colorado.edu senders whose messages are being quarantined.
Will the DMARC policy end up quarantining more of the emails I want to receive?
CU Boulder's DMARC policy tells receiving mail servers how to handle messages that claim to be from CU Boulder but that fail authentication checks.
While the campus's DMARC policy won't affect whether external emails get to your CU Boulder inbox, it may quarantine:
- Legitimate third-party CU Boulder senders who haven't yet set up authentication.
- External listservs that aren't correctly configured (see the listserv question above).
Ultimately, it is the sender's responsibility to comply with CU Boulder's eCommunications policy and ensure that the messaging or workflow platform they’re using adheres to authentication standards.
