Technology
DMARC
Last modified 3/8/2023
What is DMARC?
DMARC (Domain-based Message Authentication, Reporting, and Conformance) is an email authentication protocol that provides a way for email receivers to check that incoming messages are legitimate and have not been forged or altered. The reject policy means that any incoming emails that do not pass DMARC authentication will be rejected and not delivered to the recipient’s inbox. When this happens, an email will be generated and sent to the sending email address to inform the sender that their email was not delivered.
DMARC provides a layer of security for our email communications and protects against phishing and other malicious attacks. DMARC implementation may result in some legitimate emails being marked as spam or rejected. Unified Communications has taken steps to minimize any potential impact this may cause. More information on what users and system admins can do to prepare for DMARC can be found in a later section.
Illinois State's Implementation of DMARC
We have been monitoring email traffic in addition to working with various groups across the campus to ensure that emails being sent by their applications are DMARC compliant. If your group uses a third-party application to send email using either ilstu.edu or illinoisstate.edu and you have not worked with the Unified Communications team to ensure that DMARC has been configured for your application, please reach out to SupportCenter@illinoisstate.edu. If you want more information about what users and admins can do to prepare for this, please refer to the Actions section.
How DMARC Works
DMARC works in the following two ways:
- DMARC detects unauthorized activity and provides information about how to handle unauthorized email. Example: Unauthorized email may be put in the spam folder.
- It identifies legitimate senders. Example: Emails sent by ILSTU Outlook or by approved/verified email services are put in the inbox.
DMARC uses these two technologies to verify emails:
- DomainKeys Identified Mail (DKIM)
With DomainKeys Identified Mail (DKIM), a domain will provide a cryptographic signature in the email message that it sends. That signature can be verified via a Domain Name System (DNS) record containing the public key. The DKIM signature contains both a domain identifier for the hosted public key record to query from DNS, and the selector to uniquely identify the email messages signed. This DKIM signature is added to the email headers of signed email messages.
A domain may publish multiple DKIM keys and have multiple selectors. This permits the domain to configure multiple keys to distinguish and manage sending from different accounts and email servers. An email server receiving a signed email message will query the public DNS record according to the DKIM signature to verify that the domain from which it is intended to have been sent matches the signature.
- Sender Policy Framework (SPF)
Sender Policy Framework (SPF) allows a domain to define which mail systems are permitted to send emails on its behalf. SPF records may contain the mail system IP addresses of its domain as well as those of its partner domains that are trusted to send emails. (Example of trusted partner domains: a vendor-managed email system or a constituent relationship management (CRM) service.)
The SPF record is published in the domain’s DNS records. An email server will query the SPF record from the domain’s DNS records when it receives an email with a sending address from that domain. A match authenticates the message as having originated from a trusted sources on behalf of the sending domain.
Tip
The University recommends using DKIM whenever possible, but can support either DKIM or SPF.
Actions
- Forwarding and Redirecting
- Where possible, do not automatically forward emails from your University mailbox and instead use the manual forwarding option for each email.
- If you are using a redirect inbox rule, switch to using the forward inbox rule as redirecting emails is no longer supported.
- Third-Party Email Service Providers Sending on Behalf of the University
- Review email headers of the emails that were sent from the vendor's service.
- Reach out to the vendor and inquire about DMARC capabilities.
- Obtain a copy of the email sent by the vendor and contact Technology Support Center.
- Using Different Email Application
- No additional actions are necessary if you are using a different email application such as Thunderbird or Apple Mail.
- You still authenticate yourself when you set up these applications, so they should not impact DMARC
- Follow all regular actions and suggestions with DMARC as you would in Outlook
Examples of Third-party Email Service Providers That Have Been Made DMARC Compliant
Note: There may be more options that have been made compliant with DMARC, but just may not be listed here.
- Technolutions/Slate
- Emma
- TouchNet
- Qualtrics
- PostMarkApp
- Paciolan
- Ungerboeck
- ExLibris (now part of ProQuest)
- Terra Dotta Software
- SparkPost
- Dyn
How to Get Help
For technical assistance, you may Submit a Help Ticket, or contact the Technology Support Center at (309) 438-4357, or by email at SupportCenter@IllinoisState.edu.