
Email Security and Filtering

OIT regularly processes more than 3 million incoming email messages per day and uses a multi-layered email security solution to prevent malicious messages from reaching the inboxes of CU Boulder accounts.

External Email Tagging

External email tags enhance user awareness regarding the origin of incoming emails. Users can easily recognize emails from external sources, which is valuable for security awareness and helps prevent falling victim to phishing or impersonation attempts.

External Email Tags

OIT inserts “[External Email - Use caution]” into the body of messages originating from external servers.


If your department uses a third-party sender such as MailChimp, Constant Contact or a workflow vendor, you may contact OIT to request the removal of the external tag from messages sent with these clients.  

Before requesting an exemption, please read the following guidelines:

  1. Senders must adhere to the University's eCommunications policy, including authentication practices. 
  2. The send-as domain must be either a centrally managed, University-owned domain or a CU-specific subdomain of a contracted vendor. 
  3. Personal email addresses will not be exempted. 
  4. Addresses from peer institutions or research partners will not be exempted.

Complete the External Email Tag Exception Request form to request an exemption, and visit the External Email Tagging FAQ for additional details.


Anti-phishing filtering combines various techniques to identify and block phishing emails. It operates in real-time, integrates with sender authentication mechanisms, and provides administrators with the tools to customize policies and monitor the effectiveness of the anti-phishing protection.

  • Phishing Detection Techniques: Advanced techniques are used to detect and filter out phishing emails. This includes analyzing email content, sender information, and other characteristics associated with phishing attempts.
  • Real-Time Filtering: The anti-phishing filtering operates in real-time, scanning both inbound and outbound emails to identify and block phishing messages before they reach the intended recipients.
  • Link Analysis: Link analysis is used to assess the safety of URLs within emails. This helps identify and block phishing links that may lead to fraudulent websites designed to trick users into revealing sensitive information.
  • Sender Authentication: The authenticity of email senders is checked using techniques such as Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM), and Domain-based Message Authentication, Reporting, and Conformance (DMARC). This helps prevent phishing attempts that involve spoofed or forged sender addresses.
  • User Education: CU may employ features to educate users about potential phishing threats. This can involve warning messages or indicators within the email client to help users recognize and avoid interacting with phishing emails.
  • Time-of-Receipt Protection: Anti-phishing protection operates at the time of email receipt, preventing phishing emails from reaching users' inboxes. This proactive approach helps block phishing attempts before users have a chance to interact with malicious content.
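The sender authentication check described above, shown as an added example that is not OIT's or any vendor's code: it reads the SPF and DKIM results a receiving server records in the Authentication-Results header and applies DMARC's alignment rule against the From: domain. The `.example` domains and messages are constructed, and the two-label organizational-domain shortcut is an assumption made for this example.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr

def org_domain(domain):
    # Assumption for this example: organizational domain = last two labels.
    # Production DMARC evaluators use the Public Suffix List instead.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def parse_auth_results(value):
    """Map method -> (result, properties) from an Authentication-Results value."""
    results = {}
    for clause in value.split(";")[1:]:  # the first field is the authserv-id
        m = re.match(r"\s*(\w+)=(\w+)", clause)
        if m:
            props = dict(re.findall(r"([\w.]+)=([^\s;]+)", clause[m.end():]))
            results[m.group(1).lower()] = (m.group(2).lower(), props)
    return results

def dmarc_aligned(raw_message):
    """True if SPF or DKIM passed for a domain aligned with the From: domain."""
    msg = message_from_string(raw_message, policy=policy.default)
    from_addr = parseaddr(str(msg.get("From", "")))[1]
    target = org_domain(from_addr.rpartition("@")[2])
    if not target:
        return False
    auth = parse_auth_results(str(msg.get("Authentication-Results", "")))
    spf_result, spf_props = auth.get("spf", ("none", {}))
    dkim_result, dkim_props = auth.get("dkim", ("none", {}))
    spf_domain = spf_props.get("smtp.mailfrom", "").rpartition("@")[2]
    dkim_domain = dkim_props.get("header.d", "")
    spf_ok = spf_result == "pass" and org_domain(spf_domain) == target
    dkim_ok = dkim_result == "pass" and org_domain(dkim_domain) == target
    return spf_ok or dkim_ok

# Constructed samples (reserved .example domains). Both pass SPF and DKIM,
# but only the second authenticates a domain aligned with the From: address.
SPOOFED = (
    "Authentication-Results: mx.university.example; spf=pass "
    "smtp.mailfrom=bounce@mailer.example; dkim=pass header.d=mailer.example\n"
    "From: Payroll <payroll@university.example>\nSubject: Update\n\nbody\n"
)
DELEGATED = (
    "Authentication-Results: mx.university.example; spf=pass "
    "smtp.mailfrom=bounce@mailer.example; dkim=pass "
    "header.d=news.university.example\n"
    "From: News <news@university.example>\nSubject: Newsletter\n\nbody\n"
)
```

`dmarc_aligned(SPOOFED)` is false even though SPF and DKIM both report `pass`, because neither authenticated domain matches the From: domain; `DELEGATED` passes because the third-party sender signs with a subdomain of the From: domain.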


Anti-spam filtering combines multiple techniques to identify and block unwanted and potentially harmful spam emails. It provides administrators with the flexibility to customize filtering policies while offering users the ability to manage safe and blocked sender lists for a more personalized experience.

  • Spam Detection Techniques: A variety of spam detection techniques are used, including content analysis, sender reputation checks, and behavioral analysis, to identify and filter out spam emails.
  • Real-Time Filtering: The anti-spam filtering operates in real-time, scanning both inbound and outbound emails to identify and block spam messages before they reach the intended recipients.
  • Sender Reputation: The reputation of email senders is assessed to determine the likelihood of their emails being spam. Sender reputation is an important factor in the overall spam filtering process.
  • Quarantine Management: Detected spam emails are often quarantined to prevent them from reaching users' inboxes. Users have the ability to review quarantined items to take appropriate actions.
  • Safe Sender and Block Sender Lists: Users are able to maintain lists of safe senders and blocked senders. This helps in fine-tuning the spam filtering process to match the user’s preferences.
  • International Spam Filtering: Spam emails that may be specific to certain languages or regions can be filtered. This enhances the effectiveness of spam filtering for a diverse user base.


Anti-malware filtering is a critical component of the email security suite, offering real-time protection against a wide range of malware threats. It combines multiple detection techniques to provide the campus with a robust defense against evolving malware risks.

  • Real-Time Malware Protection: Real-time scanning of inbound and outbound emails for malware, using multiple antivirus engines and heuristics to detect and block malicious content as it enters or leaves the organization's email system.
  • Multiple Antivirus Engines: A multi-engine approach is utilized, employing several antivirus engines to enhance the detection capabilities. This ensures a higher likelihood of identifying and blocking a wide range of malware threats.
  • Automatic Signature Updates: The antivirus engines used are regularly updated with the latest malware signatures. This automatic updating ensures that the system is equipped to detect and block newly emerging malware threats.
  • Behavioral Analysis: Behavioral analysis techniques may be used to assess the behavior of potential malware. By analyzing the actions of files or attachments in a virtual environment, it can identify suspicious behavior indicative of malware.
  • Time-of-Receipt Protection: Anti-malware protection operates at the time of email receipt, preventing malicious content from reaching users' inboxes. This dynamic approach considers the characteristics and behavior of files rather than relying solely on known signatures.
  • Automatic Quarantine: Detected malware is often automatically quarantined to prevent it from reaching end-users. Administrators can manage and review quarantined items to take appropriate actions.
  • Blocked File Types:
    • Executable Files: Files with extensions like .exe, .dll, .bat, and other executable formats are often blocked by default to prevent the spread of malicious software.
    • Script Files: Files with script extensions such as .js, .vbs, .ps1, and others may be blocked to prevent the execution of potentially harmful scripts.
    • Macro-Enabled Files: Documents that contain macros, such as Microsoft Office files with extensions like .docm, .xlsm, and .pptm, may be blocked due to the potential for macro-based threats.
    • Compressed Archives: Archive files containing executable or script files, such as .zip, .rar, and others, may be blocked to prevent the distribution of malware in compressed form.
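A minimal sketch of the blocked-file-type policy listed above, added here as an example and not the filter OIT or Microsoft actually runs: it checks each attachment's final extension and looks inside ZIP archives for blocked members. The function names and the sample message are constructed for illustration.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# Extensions named in the "Blocked File Types" list above.
BLOCKED = {".exe": "executable", ".dll": "executable", ".bat": "executable",
           ".js": "script", ".vbs": "script", ".ps1": "script",
           ".docm": "macro-enabled", ".xlsm": "macro-enabled", ".pptm": "macro-enabled"}

def classify(filename):
    """Return the blocked category for a file name, or None if allowed."""
    # Case-insensitive; only the final extension counts (report.pdf.exe).
    name = filename.lower().rstrip(". ")
    return next((cat for ext, cat in BLOCKED.items() if name.endswith(ext)), None)

def scan_message(raw_bytes):
    """Return (attachment name, reason) pairs for attachments to block."""
    msg = message_from_bytes(raw_bytes, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        category = classify(name)
        if category:
            findings.append((name, category))
            continue
        data = part.get_payload(decode=True) or b""
        # Detect ZIP archives by content, not by the claimed extension.
        if zipfile.is_zipfile(io.BytesIO(data)):
            with zipfile.ZipFile(io.BytesIO(data)) as archive:
                for member in archive.namelist():
                    inner = classify(member)
                    if inner:
                        findings.append((name, f"archive contains {inner}: {member}"))
    return findings

def build_sample():
    """Constructed sample message: one benign file, one executable, one archive."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr("readme.txt", "hello")
        archive.writestr("scripts/run.ps1", "Write-Output 'sample'")
    binary = dict(maintype="application", subtype="octet-stream")
    msg = EmailMessage()
    msg.set_content("See attached.")
    msg.add_attachment("meeting notes", filename="notes.txt")
    msg.add_attachment(b"MZ", filename="Invoice.PDF.exe", **binary)
    msg.add_attachment(buf.getvalue(), filename="photos.zip", **binary)
    return msg.as_bytes()
```

The sketch covers ZIP only; .rar and nested archives need a format-specific reader, and a production filter would also inspect file content rather than trusting names.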

Safe Links

Safe Links is a security feature that focuses on preventing users from accessing malicious links in emails. By dynamically analyzing URLs in real-time and providing transparent protection, it adds an additional layer of defense against phishing attacks and other web-based threats.

  • Real-Time Link Scanning: Safe Links provides real-time scanning of URLs (web links) within emails. This scanning occurs when a user clicks on a link in an email, and it helps identify and block malicious links that may lead to phishing sites or other security threats.
  • Dynamic URL Analysis: Safe Links uses dynamic analysis techniques to assess the safety of URLs. It evaluates the link's destination in real-time, considering factors such as the website's reputation and the presence of malicious content.
  • Time-of-Click Protection: Safe Links doesn't just rely on pre-defined blocklists; it provides protection at the time of the user's click. This dynamic approach ensures that even if a link was initially deemed safe but later becomes a threat, it can still be blocked.
  • User Transparency: When users click on a link, Safe Links may transparently redirect the user through Microsoft's servers for additional security checks. Users are generally not aware of this process, and it helps ensure that the destination is safe.

Safe Attachments

Safe Attachments is a security feature that focuses on scanning and analyzing email attachments in real-time to protect users from potential malware and other security threats. It uses dynamic analysis techniques and integrates with threat intelligence for comprehensive protection against evolving email-based threats.

  • Attachment Scanning: Safe Attachments provides real-time scanning of email attachments for malware and other malicious content. This scanning occurs when an email with an attachment is received, and it helps identify and block potentially harmful files.
  • Dynamic Analysis: Safe Attachments uses dynamic analysis techniques to assess the behavior of attachments in a virtualized environment. This allows it to detect new and evolving threats by observing how attachments behave when executed.
  • Time-of-Receipt Protection: Safe Attachments protects users at the time of email receipt. It doesn't solely rely on known malware signatures but evaluates the behavior and characteristics of attachments to determine their safety.
  • Automatic Detonation: Potentially harmful attachments are automatically "detonated" in a virtual environment to observe their behavior. If an attachment is identified as malicious, it can be blocked to prevent it from reaching the recipient's inbox.
  • User Transparency: Users typically interact with Safe Attachments without being aware of it. If an attachment is deemed safe, it is delivered to the user's inbox; if it's potentially malicious, the attachment may be removed, and the user is notified.

Abnormal Security - Advanced Threat Detection

  • Behavioral Analysis: Machine learning is leveraged to understand normal email communication patterns within the organization, allowing for the detection of anomalies that could indicate phishing, CEO fraud, or other sophisticated attacks that might bypass Microsoft Defender.
  • Machine Learning Powered Insights: Abnormal leverages machine learning to analyze email content, context, and metadata to identify advanced threats. Understanding the intent behind email messages assists in detecting social engineering attacks.
  • Account Takeover Protection: Monitoring of user behavior and login patterns to detect account takeover attempts, reducing unauthorized access to email and other CU systems.
  • Compromised Account Detection: Identifies compromised accounts by monitoring for unusual activities such as changes in email forwarding rules, unusual email sending patterns, and other indicators of account compromise.