Email Security at UNCG Using DMARC
As part of an ongoing effort to combat phishing and increase email security, Information Technology Services (ITS) is implementing stronger controls to prevent the illegitimate use of UNCG email addresses. Domain-based Message Authentication, Reporting & Conformance (DMARC) allows email providers to verify that email was sent from a valid UNCG address and not from a phisher/hacker or other unverified source.
ITS began monitoring spoofed emails in January, 2016, following the New Phishing Protections memo from Provost Dana Dunn, Vice Chancellor Charles Maimone, and Vice Chancellor Jim Clotfelter. After reviewing this data ITS is now ready to implement DMARC for the uncg.edu email domain. This implementation will occur in phases over the next several months.
Emails that are not sent by UNCG Gmail or by an approved/verified email service will be affected by these changes.
Examples of unapproved/unverified email services:
- third-party email services that are not configured to work with the new DMARC controls
(e.g., Constant Contact, Bronto, MailChimp, off-campus servers, etc.)
- non-UNCG Gmail accounts that send as a uncg.edu address
(e.g., a hotmail.com or gmail.com address set to send as a uncg.edu address)
- third-party email scripts/servers that don't send email using on-campus mail services such as smtp.uncg.edu and spmfrm.uncg.edu
Examples of approved/verified email services:
- UNCG Gmail via web browser
- UNCG Gmail via desktop app (Thunderbird, Outlook, Apple Mail)
- UNCG Gmail via mobile app (iOS, Android)
- UNCG Google groups
- MaxBulk Mailer
- Google Add-ons for mail-merge functionality ("Yet Another Mail Merge")
- third-party email services that are configured to work with the new DMARC controls (requires ITS coordination)
If you are using an unapproved/unverified email service, you should contact ITS immediately to avoid interruption of email delivery. Through coordination with ITS, it may be possible to continue to use your service. For example, ITS has already worked with several departments who are using third-party bulk email services, so that they will not be affected when the new controls are implemented.
The timeline for full DMARC implementation runs between March and June. During that time, the amount of email that is bounced/rejected from unapproved/unverified services will increase each month:
- March 1, 2017 — Approximately 50% of unapproved/unverified email may be treated as spam.
- April 1, 2017 — Approximately 25% of unapproved/unverified email may be bounced/rejected.
- May 1, 2017 — Approximately 50% of unapproved/unverified email may be bounced/rejected.
- June 1, 2017 — All unapproved/unverified email will be bounced/rejected.
Reference Information for Technical Staff
Technical staff who would like to test whether emails will be affected can do so by following these steps:
- Open an email in Gmail, click the drop-down menu beside the Reply button and click Show original.
- Search for "dmarc="
- If you find a line that begins with "dmarc=pass" and ends with "header.from=uncg.edu" then the email will not be affected by the new controls being implemented.
- If you find a line that begins with "dmarc=fail" or "dmarc=softfail" and ends with "header.from=uncg.edu" then the email will be affected by the new controls being implemented (and you should contact ITS immediately to discuss options).
- You can also send a message to email@example.com, where it will be reviewed by ITS Email administrators.
Contact ITS via 6-TECH at (336) 256-TECH (8324) or 6-TECH@uncg.edu. You will need to provide the following information:
- Vendor/Service name
- Vendor/Service website URL
- Are you paying for this service? Yes/No
- Do you have a dedicated IP Address that the emails are sent from? Yes/No/Unsure
- Number of emails sent per day/month/year?
- UNCG email address that the emails appear to be from
- Recipient Types: UNCG users only / Non-UNCG users / Students / Faculty / Staff / Other
- When was the last time a message was sent using this service/vendor?
You will also be asked to send example messages to firstname.lastname@example.org so that ITS Email administrators can verify settings before and after any changes are made.