Home
Security & Privacy
Email Security - DMARC

Email Security - DMARC

As part of an ongoing effort to combat phishing scams and increase email security, the Collaboration Services Team is implementing the Domain-based Message Authentication, Reporting & Conformance (DMARC) protocol. DMARC monitors mass mailing, hosted vendor applications, or mail servers used to send mail as the University (e.g. vcu.edu).

How DMARC Works

DMARC is an email authentication, policy, and reporting protocol. It works in two ways:

It detects unauthorized activity, and provides information about how to handle unauthorized email. For example, the email may be put in the spam folder.
It identifies legitimate senders, either emails sent by VCU Gmail or VCU Health Office365 or by approved/verified email services.

DMARC uses one of two technologies to verify emails:

Domain Keys Identified Mail (DKIM)
Sender Policy Framework (SPF) - supported if you are sending mail as a sub-domain (for example, sending from @navigate.vcu.edu)

The University recommends using DKIM whenever possible but can support either technology.

VCU Implementation of DMARC

We began monitoring a dashboard in January, 2024, to identify third party senders that needed remediation. We reached out to individuals, departments, schools, and worked together to bring their email into compliance.

September 23, 2024 (delayed from September 3) - We began moving content that does not meet this DMARC industry standard into a monitored quarantine. External to VCU, if email was sent from a vcu.edu address that was not authenticated, it may have been quarantined or delivered to spam labels, depending on how the receiver honors the DMARC policy.

VCU is currently moving 50% of email that is not authenticated to quarantine. We are slowly advancing this amount.

January 2, 2025 - Email not following the DMARC standard will not be delivered.

The rollout will be gradual so that impact to our users is minimized.

Implementing DMARC will not cause your email messages to be delayed. DMARC only affects how your email is "viewed" by the receiver's domain setup.

What Do You Need to Do?

VCU Gmail Users

Individual VCU Gmail users do not need to do anything. You can continue to use Gmail as you normally would.

VCU School of Medicine Microsoft Users

Individual Microsoft users do not need to do anything. You can continue to use email as you normally would.

VCU Mass Email Senders

If you are using an approved email service (see list below), you do not need to do anything. You can continue to send mass emails as you normally would.

Examples of University-Verified Email Services

VCU Gmail via web browser, desktop client, or mobile app
VCU SMTP mail relay service
VCU Google Groups
L-Soft Listserv
L-Soft Listplex Maestro
Blackbaud
ExLibris
Arms

If you are using an unverified email service, you will need to configure your SPF or DKIM settings so that you meet authentication standards and DMARC can route your outgoing mass email to recipients' inboxes. Many areas have already done this. Check your vendor's documentation for instructions. If you need assistance, submit an IT Support Ticket search SPF or DKIM.

Examples of Unverified Email Services

Third-party email services that are not automatically configured to work with the new DMARC controls
(e.g., Constant Contact, iContact, cloud hosted servers, etc.)
Non-VCU Gmail accounts that send as a vcu.edu address
(e.g., a hotmail.com or gmail.com address set to send as a vcu.edu address)

Test Whether Emails Will be Affected

We have already worked with many VCU departments to resolve this, so no further confirmation is needed if Collaboration Services has already worked with you. Technical staff who would like to test whether emails will be affected can do so by sending a message from a vcu.edu address that originates from a non-University mail server (ie: ConstantContact) to drgee@vcu.edu, where it will be reviewed by Collaboration Services email administrators.

FAQ

Help me understand SPF

Visit https://dmarcian.com/what-is-spf/ for a great explanation. We'll help you decide whether it is needed.

Tell me more about DKIM

Learn about DKIM at https://dmarcian.com/what-is-dkim/. We'll help you determine if you need it for your email sending.

Why does my VCU Listserv arrive from a different address?

This is how Listserv manages email to comply with DMARC standards, meaning VCU (or any domain) will not reject email from Listserv. The reply to field is not changed. The FROM field will contain a series of numbers and letters followed by -dmarc-request@lists.vcu.edu. Here is an example of how it will appear: 00000292962a7223-dmarc-request@lists.vcu.edu.

Why have I stopped receiving email from some external listservs?

Some listservs do not adjust when a DMARC policy is enforced, or some listservs do not change their sending until a DMARC policy is set to reject. VCU has no control over how external listservs honor this security policy. Listserv members may ask the list owner to contact their IT support for further review of their system.

Will my forwarded email still arrive?

DMARC is like a guard that checks if the email actually came from the sender. Forwarded emails can fail DMARC checks because forwarding can change important parts of the email that prove it is genuine. We continue to strive to deliver forwarded emails between VCU accounts and VCU Health accounts; however, if the original sender requires the email to pass DMARC policy, the forwarded email may not be delivered except to the originally intended recipient.

How do I get support or more information?

Contact Doctor Gee or submit an IT Support ticket.

Additional Resources

VCU Email Standard

Computer and Network Resources Use