About DMARC
Why did CU Boulder change its DMARC policy?
Email authentication is used to help identify and block phishing and spoofing attempts. CU Boulder uses an authentication policy called domain-based message authentication, reporting and conformance (DMARC), which tells email servers how to handle messages that claim to be from a specific sender, like CU Boulder, but that didn't originate from a sender-authorized account.
Not having a DMARC policy negatively affected CU Boulder's domain reputation, increasing the likelihood that our emails would be flagged as spam or rejected outright. Faculty, staff and students reported failures related to CU Boulder's DMARC setting that interfered with researchers' ability to communicate with government agencies, HR's ability to conduct reference checks and send offer letters, and students' ability to message their family and friends.
These failures occurred because government agencies, peer institutions and large email providers had tightened their security on incoming email. Specifically, they implemented stricter enforcement of email sender authentication and were flagging or rejecting messages sent from domains without an active DMARC policy.
How does a DMARC quarantine policy benefit campus?
Changing CU Boulder's DMARC policy from none to quarantine improved CU Boulder's email reputation and closed a security gap that was used to spoof our email domains.
Now email servers are better able to identify spoofing or phishing attacks that use CU Boulder email addresses, our security policies are better aligned with other CU campuses and our fellow R1 institutions, and fewer legitimate colorado.edu emails are being quarantined or rejected.
To learn more, view our Email Authentication & Anti-Spoofing page (login required).
Campus email senders
I send a lot of email through Outlook and other CU Boulder-provided systems. Do I have to change anything to comply with DMARC?
As long as you're using a CU Boulder-provided platform (e.g., Microsoft Outlook, Canvas, Oracle CommGen, eComm's Marketing Cloud instance; view the full list), your sends should already be properly authenticated, so DMARC shouldn't affect your current practices.
I prefer the email service I use now, but it isn't on your approved technology platforms list. Will I need to switch?
Our goal for this initiative was to make sure that all messaging and workflow platforms currently in use on campus meet our security standards. However, senders who aren't using an approved technology platform as outlined in CU Boulder's eCommunications policy (section IV.2.1.) can expect to receive a follow-up communication with next steps to either document an exception or facilitate adoption of an approved platform.
What steps has OIT taken to ensure that campus senders are properly authenticated?
Before OIT changed the campus DMARC policy to quarantine in November 2024, they spent months reviewing email logs and contacting campus senders to help them adopt proper authentication.
In a few cases, OIT was unable to identify the address owners and/or third-party platforms being used to send the messages. Some community members also send very rarely, making it difficult to identify them. In the case of external listservs, the senders fell outside of CU Boulder's sphere of influence.
OIT will continue to monitor email authentication reports and reach out to newly identified senders as needed. Ultimately, it is the sender's responsibility to comply with CU Boulder's eCommunications policy and ensure that the messaging or workflow platform they're using adheres to authentication standards.
How will I know if emails I send are getting quarantined?
OIT will continue to proactively monitor email logs and assist legitimate colorado.edu senders whose messages are being quarantined.
Why aren't my listserv emails going through?
CU senders replying to external listservs may fail DMARC if the listserv isn't properly configured. External listservs are out of CU's control; therefore, users should reach out to the list owner to address the configuration errors.
I'm missing a DocuSign email. Was it blocked because of DMARC?
No. Occasionally, legitimate DocuSign messages are quarantined due to specific practices employed by DocuSign in their email handling, which is not related to DMARC. If you believe you're missing a DocuSign message, please log in to Microsoft Defender Quarantine and review your quarantined emails.
Campus email recipients
Why was a legitimate message from CU Boulder sent to quarantine?
In most cases, your CU Boulder account will only quarantine messages in which the sender is spoofing a CU Boulder email address. If a legitimate CU Boulder email has been quarantined, it's likely because the service owner hasn't properly configured their third-party mailing service to comply with authentication standards.
If you notice that legitimate CU Boulder messages are being quarantined, we encourage you to reach out to the sender and share our Email Authentication - Help page for next steps. OIT will continue to proactively monitor email logs and assist legitimate colorado.edu senders whose messages are being quarantined.
Are emails that I want to receive being quarantined by DMARC?
The campus's DMARC policy tells receiving email servers how to handle messages that claim to be from CU Boulder but that aren't properly authenticated.
Legitimate emails may not reach your inbox if:
- The sender's email service isn't properly configured to comply with their organization's DMARC or other authentication standards.
- The email was sent through an external listserv that isn't properly configured (see the listserv question above).
Ultimately, it is the sender's responsibility to comply with CU Boulder's eCommunications policy and ensure that the messaging or workflow platform they're using adheres to authentication standards.
We encourage you to inform the sender of the issue and send them a link to OIT's Email Authentication - Help page for next steps.
