DMARC,, and You

Jan. 21, 2020

The University is implementing DMARC (Domain-based Message Authentication, Reporting and Conformance) on its email system this spring. When fully implemented, this will prevent spammers and phishers from using the domain.

DMARC is an increasingly popular security measure with institutions, particularly the federal government. Most are still in “monitoring” mode, meaning that they are observing the activity on their email without acting on it. However, some government agencies are now taking action to have suspicious emails quarantined or deleted.

Why Implement DMARC at Arizona?

A main tool of spam and phishing email is spoofing—using a forged sender address.

For example, you don’t want to get an email that says it’s from the National Science Foundation, and find out too late that it was a phishing email with a link to a site that infected your machine.

Likewise, we don’t want phishing email going out that says it’s from

“It’s terrible for our reputation,” says Adam Borders, a systems administrator, principal on the UITS Microsoft Technologies team. By “reputation,” Borders is specifically referring to how other email services respond to our email.

Borders explains that when Gmail, Yahoo!, and other email services find a lot of spam or phishing coming in with addresses, they are more likely to flag any email as spam. Outside email services have even quarantined all email from Arizona in the past.

Without DMARC, there is no way to raise the University’s reputation score into the higher levels of trustworthiness. This means the emails you send could be delayed or blocked during a big spam spree.

DMARC for Incoming Mail

The University of Arizona email system is already following DMARC rules to check incoming email. We monitor, quarantine, or drop incoming emails that aren’t authenticated (i.e., verified), depending on the rules set by the organization named in the From address.

For example, when the National Science Foundation sends you an email about your grant, our system uses NSF’s DMARC rules to authenticate that the From address matches the NSF record. According to their rules, phishing emails that pretend to come from are dropped before they get to your Inbox.

This can have some unintended consequences if you forward your email.

DMARC and You

Incoming Email

Sometimes forwarded email that is legitimate can get quarantined or dropped. Depending on how the forward is set up, the From field might appear to an email system as if the message is coming from a spoofer.

If you forward all your University email to another service, you might never see messages from institutions like NSF in that other mailbox. If you have chosen to save a copy, the messages will still be in your campus mailbox.
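
The incoming check and the forwarding problem described above, shown as an added example (not the University's code): a simplified DMARC evaluation in Python. The domains, records and authentication results are constructed sample values, and alignment is approximated without a public suffix list.

```python
# Added example: simplified DMARC evaluation in the style of RFC 7489.
# All domains and authentication results are constructed sample values.

def parse_dmarc(record):
    """Turn a DMARC TXT record such as 'v=DMARC1; p=reject' into a tag dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    return tags

def aligned(from_domain, auth_domain):
    """Relaxed alignment, simplified: equal, or one is a subdomain of the other.
    (A real receiver compares organizational domains via a public suffix list.)"""
    a, b = from_domain.lower(), auth_domain.lower()
    return a == b or a.endswith("." + b) or b.endswith("." + a)

def disposition(record, from_domain, spf, dkim):
    """spf and dkim are (result, authenticated_domain) pairs from earlier checks.
    DMARC passes if either mechanism passed for a domain aligned with From."""
    policy = parse_dmarc(record).get("p", "none").lower()
    passed = any(result == "pass" and aligned(from_domain, domain)
                 for result, domain in (spf, dkim))
    if passed:
        return "deliver"
    return {"none": "deliver (reported only)",
            "quarantine": "quarantine",
            "reject": "drop"}.get(policy, "deliver (reported only)")

SENDER = "agency.example"          # domain in the From address (constructed)
REJECT = "v=DMARC1; p=reject"      # sender's published policy (constructed)
MONITOR = "v=DMARC1; p=none"       # same sender while still in monitoring mode

SCENARIOS = {
    # Direct delivery: sender's own server, signature intact.
    "direct": (("pass", SENDER), ("pass", SENDER)),
    # Forwarded unchanged: SPF now sees the forwarder's server, DKIM survives.
    "forward, unmodified": (("fail", SENDER), ("pass", SENDER)),
    # Forwarder rewrote the envelope and altered the message: nothing aligns.
    "forward, modified": (("pass", "forwarder.example"), ("fail", SENDER)),
}

if __name__ == "__main__":
    for name, (spf, dkim) in SCENARIOS.items():
        print(f"{name:20} reject -> {disposition(REJECT, SENDER, spf, dkim):10}"
              f" none -> {disposition(MONITOR, SENDER, spf, dkim)}")
```

Only the forward that alters the message is dropped under the strict policy; under the monitoring policy the same message is still delivered and merely reported.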

Based on best information security practices, more institutions are implementing DMARC. Some best practices for you are:

  • Do not forward your email.
  • Use email software and mobile device apps. Set up all of your email accounts there so that you can easily check each of them directly in one location.

Your Outgoing Email from

When DMARC is implemented for, the University will begin a monitoring phase, and there will be no impact on your email.

Eventually, this will change to an active mode, so that email that isn’t authenticated as gets quarantined or dropped.

When that happens, your recipients might run into the same issue of missing email, if they have a forward configuration that DMARC doesn’t recognize. At that time, if you do not receive a response from someone you have emailed, you will want to check with them that they received your email.

“Implementing DMARC is an important step in improving the University’s security,” says Lanita Colette, chief information security officer and deputy chief information officer for the University.

Find more information about the DMARC implementation at the Email Projects page.