Email Security - DMARC
As part of an ongoing effort to combat phishing scams and increase email security, the Collaboration Services Team is implementing the Domain-based Message Authentication, Reporting & Conformance (DMARC) protocol. DMARC monitors mass mailing, hosted vendor applications, or mail servers used to send mail as the University (e.g. vcu.edu).
DMARC is an email authentication, policy, and reporting protocol. It works in two ways:
- It detects unauthorized activity, and provides information about how to handle unauthorized email. For example, the email may be put in the spam folder.
- It identifies legitimate senders, either emails sent by VCU Gmail or VCU Health Office365 or by approved/verified email services.
DMARC uses one of two technologies to verify emails:
- Domain Keys Identified Mail (DKIM)
- Sender Policy Framework (SPF) - supported if you are sending mail as a sub-domain (for example, sending from @navigate.vcu.edu)
The University recommends using DKIM whenever possible but can support either technology.
Currently we are monitoring "spoofed" emails.
September 23, 2024 (delayed from September 3) - We will start marking content that does not meet this DMARC industry standard as Spam. The email will be delivered, but marked as spam and will be put in your Spam folder.
January 2, 2025 - Email not following the DMARC standard will not be delivered.
The rollout will be gradual so that impact to our users is minimized.
Implementing DMARC will not cause your email messages to be delayed. DMARC only affects how your email is "viewed" by the receiver's domain setup.
VCU Gmail Users
Individual VCU Gmail users do not need to do anything. You can continue to use Gmail as you normally would.
VCU School of Medicine Microsoft Users
Individual Microsoft users do not need to do anything. You can continue to use email as you normally would.
VCU Mass Email Senders
If you are using an approved email service (see list below), you do not need to do anything. You can continue to send mass emails as you normally would.
Examples of University-Verified Email Services
- VCU Gmail via web browser, desktop client, or mobile app
- VCU SMTP mail relay service
- VCU Google Groups
- L-Soft Listserv
- L-Soft Listplex Maestro
- Blackbaud
- ExLibris
- Arms
If you are using an unverified email service, you will need to configure your SPF or DKIM settings so that you meet authentication standards and DMARC can route your outgoing mass email to recipients' inboxes. Many areas have already done this. Check your vendor's documentation for instructions. If you need assistance, submit an IT Support Ticket search SPF or DKIM.
Examples of Unverified Email Services
- Third-party email services that are not automatically configured to work with the new DMARC controls
(e.g., Constant Contact, iContact, cloud hosted servers, etc.) - Non-VCU Gmail accounts that send as a vcu.edu address
(e.g., a hotmail.com or gmail.com address set to send as a vcu.edu address)
Test Whether Emails Will be Affected
We have already worked with many VCU departments to resolve this, so no further confirmation is needed if Collaboration Services has already worked with you. Technical staff who would like to test whether emails will be affected can do so by sending a message from a vcu.edu address that originates from a non-University mail server (ie: ConstantContact) to drgee@vcu.edu, where it will be reviewed by Collaboration Services email administrators.
Help me understand SPF
Visit https://dmarcian.com/what-is-spf/ for a great explanation. We'll help you decide whether it is needed.
Tell me more about DKIM
Learn about DKIM at https://dmarcian.com/what-is-dkim/. We'll help you determine if you need it for your email sending.
Why does my VCU Listserv arrive from a different address?
How do I get support or more information?
Contact Doctor Gee or submit an IT Support ticket.