To improve CU Boulder's email reputation and close a security gap used to spoof our email domains, OIT will soon enable a campuswide email policy that will direct email servers to quarantine messages that claim to be from CU Boulder but that fail authentication checks.
Why we're doing this now
Domain-based message authentication, reporting and conformance (DMARC) is an email security policy that tells email servers how to handle messages that claim to be from a specific sender, like CU Boulder.
Not having a DMARC policy negatively affects CU Boulder's domain reputation, increasing the likelihood that our emails will be flagged as spam or rejected. Faculty, staff and students have reported failures related to CU Boulder's current DMARC setting (login required) that have interfered with researchers' ability to communicate with government agencies, HR's ability to conduct reference checks and send offer letters, and students' ability to message their family and friends.
These failures are occurring because government agencies, peer institutions and large email providers have tightened their security on incoming email. Specifically, they are implementing stricter enforcement of email sender authentication and flagging or rejecting messages from domains without an active DMARC policy.
How we're implementing the change
Starting Tuesday, Nov. 5, OIT will begin gradual enforcement of a DMARC policy that will instruct receiving servers to quarantine messages that fail authentication. OIT will initially limit enforcement to 10%, directing email servers to quarantine only about one in 10 unauthenticated messages that claim to be from CU Boulder.
OIT will gradually increase the campus's DMARC percentage over time, reaching full DMARC quarantine enforcement in early 2025.
Who will be affected
For the vast majority of campus senders, this change will be invisible, and they won't need to take any action. This includes users who:
- Send individual emails, such as from their CU Boulder-provided email account
- Send bulk emails from CU Boulder's most-used approved technology platforms, such as eComm's Marketing Cloud instance, Canvas, Qualtrics, Slate and Cvent (view the authenticated channels list)
Senders who may be affected are those who use a messaging or workflow platform that's not supported by CU Boulder (e.g., Mailchimp, Constant Contact, InfoEd, Flywire).
Over the last few months, OIT has been contacting these senders and helping them adopt proper authentication. While nearly all identified senders now pass authentication, OIT expects that a small number of legitimate senders have yet to be identified.
OIT will continue to monitor email authentication reports and reach out to newly identified senders as needed.
What you may notice
While the campus DMARC policy won't affect delivery of external emails to your CU Boulder inbox, you may find the following types of email being flagged as spam or sent to quarantine:
- Messages from legitimate CU Boulder senders who haven't properly configured their third-party mailing service to comply with authentication standards
- Email from external listservs that aren't configured correctly
Ultimately, it is the sender's responsibility to comply with the campus eCommunications policy and ensure that the messaging or workflow platform they're using adheres to authentication standards. However, we encourage you to inform the sender of the delivery issue and send them a link to OIT's Email Authentication - Help page for next steps.
Learn more
You can learn more about email authentication and how the DMARC quarantine policy could affect you on these pages:
- Email Authentication & Anti-Spoofing (login required)
- Email Authentication - FAQ
- Email Authentication - Help
If you have additional questions or concerns, please contact the IT Service Center at oithelp@colorado.edu or 303-735-4357.
