Email Authentication - FAQ

Email authentication is used to help identify and block phishing and spoofing attempts. CU Boulder uses an authentication policy called domain-based message authentication, reporting and conformance (DMARC), which tells email servers how to handle messages that claim to be from a specific sender, like CU Boulder, but that didn't originate from a sender-authorized account.

Not having a DMARC policy negatively affected CU Boulder's domain reputation, increasing the likelihood that our emails would be flagged as spam or rejected outright. Faculty, staff and students reported failures related to CU Boulder's DMARC setting that interfered with researchers' ability to communicate with government agencies, HR's ability to conduct reference checks and send offer letters, and students' ability to message their family and friends.

These failures occurred because government agencies, peer institutions and large email providers had tightened their security on incoming email. Specifically, they implemented stricter enforcement of email sender authentication and were flagging or rejecting messages sent from domains without an active DMARC policy.

Having an active DMARC policy allows email servers to better identify spoofing or phishing attacks that use CU Boulder email addresses, it better aligns CU Boulder's email security policies with other CU campuses and our fellow R1 institutions, and it lowers the likelihood that legitimate colorado.edu emails will be quarantined or rejected by recipients' email servers.

• Changing CU Boulder's DMARC policy from none to quarantine immediately improved CU Boulder's email reputation and closed a security gap that was used to spoof our email domains.
• Increasing the policy from quarantine to reject further improves CU Boulder's email reputation, protects recipients from phishing by directing their email provider to reject unauthenticated emails claiming to be from CU Boulder, and helps campus senders identify authentication issues with their own outgoing messages.

To learn more, view our Email Authentication & Anti-Spoofing page (login required).

As long as you're using a CU Boulder-provided platform (e.g., Microsoft Outlook, Canvas, Oracle CommGen, eComm's Marketing Cloud instance; view the full list), your sends should already be properly authenticated, so DMARC shouldn't affect your current practices.

Our goal for this initiative was to make sure that all messaging and workflow platforms currently in use on campus meet our security standards. However, senders who aren't using an approved technology platform as outlined in CU Boulder's eCommunications policy (section IV.2.1.) can expect to receive a follow-up communication with next steps to either document an exception or facilitate adoption of an approved platform.

Before OIT changed the campus DMARC policy to quarantine in November 2024, they spent months reviewing email logs and contacting campus senders to help them adopt proper authentication.

In a few cases, OIT was unable to identify the address owners and/or third-party platforms being used to send the messages. Some community members also send very rarely, making it difficult to identify them. In the case of external listservs, the senders fell outside of CU Boulder's sphere of influence.

Ultimately, it is the sender's responsibility to comply with CU Boulder's eCommunications policy and ensure that the messaging or workflow platform they're using adheres to authentication standards.

Most email service providers will send a rejection notification to the email's reply-to address or, if none is specified, the email's "from" address. If you start receiving rejection notifications, refer to Email Authentication - Help for next steps.

CU senders replying to external listservs may fail DMARC if the listserv isn't properly configured. External listservs are out of CU's control; therefore, users should reach out to the list owner to address the configuration errors.

No. Occasionally, legitimate DocuSign messages are quarantined due to specific practices employed by DocuSign in their email handling, which is not related to DMARC. If you believe you're missing a DocuSign message, please log in to Microsoft Defender Quarantine and review your quarantined emails.

If a legitimate CU Boulder email has been rejected, it's likely because the service owner hasn't properly configured their third-party mailing service to comply with authentication standards.

If you notice that you've stopped receiving messages from a specific CU Boulder sender, we encourage you to reach out to them and share our Email Authentication - Help page for next steps. OIT will continue to monitor email logs and assist campus senders whose messages are being rejected.

CU Boulder's DMARC policy tells receiving email servers how to handle messages that claim to be from our own institution but aren't properly authenticated. It does not affect the deliverability of emails from external senders.

Legitimate emails from non-CU Boulder senders may not reach your inbox if:

• The sender's email service isn't properly configured to comply with their own organization's DMARC or other authentication standards.
• The email was sent through an external listserv that isn't properly configured (see the listserv question above).

If you notice that you've stopped receiving messages from a specific external sender, we encourage you to reach out to them and share our Email Authentication - Help page for next steps.