Reflections on University Email Security - Part 2


Be sure to attend the special webinar on Email Security Updates and Best Practices on Thursday, Dec. 5, at 12:00 p.m.

The evolution of email continues to be a journey to maintain current technology standards and protect students, faculty, researchers, and staff against evolving threats. This story continues the journey that began in Part 1: Reflections on University Email Security, published on Nov. 20.

A look back 

Many universities across the country have been strengthening their safeguards against spam and phishing emails for years.  Adam Brokamp, IT Manager, Collaborative Technologies, explains, “Our previous security appliance was often rejecting email without notifying the end user.” Not only was the quarantined email unavailable for them to review, but there was also no way to retrieve it. Frustrated email users would receive confirmation from the sender that the email was sent, but it failed to appear in their inbox. 

Email Authentication Protocols

In response to growing malicious activity that exploits email users, PayPal, Google, Microsoft and Yahoo developed a system by which institutions could enhance security. The resulting Domain-based Message Authentication, Reporting & Conformance (DMARC) specification was made public in 2010, and in 2023 the two largest providers, Google and Yahoo, announced that bulk senders would be required to adhere to the DMARC criteria beginning in February 2024.

The university’s new spam filter allows people to review quarantined emails. Brokamp adds, “The university’s previous spam filter was most definitely doing the same thing. It was just not visible to the user and did not give them the choice to receive the email or not.”

Identifying External Email to University Recipients

Some of the past steps taken to strengthen email system security have been in response to emerging threats. For example, emails not affiliated with the university were being configured to appear as if they were being sent from a university account. Students and staff were being fooled by these emails, which often appeared to come from a trusted source. Logan Keating, Lead Office 365 Administrator, explained that the External Banner Notification was implemented in March 2020 to help prevent phishing impersonation attempts. “We want our users to be able to easily recognize when an email is coming from an external source and not originating from within the university.” As a result, [EXT] was added to the subject line in all emails coming from outside the university system and “External Email” was inserted into the top of the email body with red letters.

DMARC (Domain-based Message Authentication, Reporting, and Conformance) is an email authentication protocol that helps protect against email spoofing and impersonation fraud. It lets your organization tell receiving mail servers what to do when they receive a message that doesn't pass two primary email authentication checks: SPF and DKIM.

SPF (Sender Policy Framework) ensures that the sending mail server is authorized by the domain's DNS records to send emails on behalf of that domain. In simpler terms, SPF checks our domain’s published record of authorized IP addresses to verify that the sending IP address belongs to a server authorized to send mail from the @arizona.edu domain.

DKIM (DomainKeys Identified Mail) verifies that the email was sent by an authorized sender as referenced in the domain DNS record and the content has not been altered during transmission.

Being Proactive by Moving into the Future

Many companies and organizations around the world are moving forward with implementing DMARC to adhere to industry standards. Although this is a deeply technical subject, several DMARC functions are involved in securing email, including:

  1. In general, a DMARC policy requires emails sent by an individual to comply with SPF and DKIM authentication. One of those must pass. If neither passes, the DMARC record instructs the recipient mail system on the preferred action for handling email. 
  2. Let’s look at an example from the reverse perspective. If a .gov server receives an email from a yahoo.com server with an apparent address from @arizona.edu, the .gov server looks at our DMARC record to determine what @arizona.edu wants them to do with this email. If it fails, the .gov server knows this is not a trustworthy email. It is most likely an impersonation of @arizona.edu, and the DMARC record says we do not want it delivered to the intended .gov recipient. The intended recipient does not get the email. The .gov server is taking that action.
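
As an added illustration (not code from the university or from any mail provider), the Python sketch below walks through the decision a receiving server makes in the two steps above. The domain example.edu, the DMARC record, and the SPF/DKIM results are constructed, and organizational-domain matching is simplified to the last two labels of a domain name.

```python
# Added example: simplified DMARC evaluation with relaxed alignment.
# All domains, records and authentication results below are constructed.

def parse_dmarc(record):
    """Parse a DMARC TXT record such as 'v=DMARC1; p=reject' into a dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    return tags

def org_domain(domain):
    """Assumption: last two labels form the organizational domain.
    Real receivers consult the Public Suffix List instead."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(auth_domain, from_domain):
    """Relaxed alignment: the authenticated domain and the visible
    From: domain share the same organizational domain."""
    return org_domain(auth_domain) == org_domain(from_domain)

def evaluate(from_domain, record, spf, dkim):
    """spf is (result, envelope_sender_domain); dkim is a list of
    (result, signing_domain). Returns (dmarc_result, action)."""
    policy = parse_dmarc(record).get("p", "none")
    spf_ok = spf[0] == "pass" and aligned(spf[1], from_domain)
    dkim_ok = any(r == "pass" and aligned(d, from_domain) for r, d in dkim)
    if spf_ok or dkim_ok:          # one aligned pass is enough
        return ("pass", "deliver")
    # Neither check passed in alignment: apply the domain owner's policy.
    action = {"none": "deliver", "quarantine": "quarantine",
              "reject": "reject"}[policy]
    return ("fail", action)

RECORD = "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.edu"

def demo():
    return {
        # Impersonation: unauthorized server, no valid signature.
        "spoofed": evaluate("example.edu", RECORD, ("fail", "example.edu"), []),
        # Vendor sends for the domain: SPF passes for the vendor's own
        # bounce domain (not aligned), but the DKIM signature is aligned.
        "vendor": evaluate("example.edu", RECORD,
                           ("pass", "bounce.vendor.example"),
                           [("pass", "mail.example.edu")]),
        # SPF passes, but only for an unrelated domain: still a failure.
        "unaligned": evaluate("example.edu", RECORD, ("pass", "other.example"), []),
    }
```

The "unaligned" case shows why a passing SPF or DKIM result alone is not sufficient: the authenticated domain must also match the address the recipient sees.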

Because these standards already exist, many agencies, such as the .mil and .gov institutions, refuse to accept emails from domains without a DMARC record set. This is a huge shift in the industry, and it is why all university emails must adhere to this standard. Google and Yahoo require DMARC records at the .com level. In the near future, this heightened security protocol will affect every vendor the university works with. 

Forwarding Email Fails the Test

The email team is beginning to hear concerns from university email users who forward their university email to another mailbox like Gmail or Yahoo. Keating explained, “When an email from third parties like Best Buy or Ticketmaster comes to a university email account and is forwarded to a Gmail account, Gmail quarantines the email. It fails SPF because it originated from Best Buy but now says it’s coming from @arizona.edu. And because the Best Buy email comes to the university as an external sender, the External Banner is added, which fails DKIM. Thus, Gmail will not allow the forwarded email to be delivered to your Gmail account.”

Securing the email system in this way prevents our institution from being impersonated and prevents nefarious activities from occurring if an email with your_name@arizona.edu on it is used against another person or institution. 

This new email security specification is a complex topic that is not easily understood at first glance. The University’s email administration staff will present a special webinar on Email Security Updates and Best Practices on Thursday, Dec. 5, at 12:00 p.m. The agenda is designed to help general email users understand the new industry requirements and how the university is adapting to meet them. Register to attend this webinar.
