DMARC Implementation

What is DMARC?

Email addresses are often spoofed, allowing spammers and attackers to impersonate trusted entities, including our college. This often shows up as impersonation of the college president, HR, and supervisors. To address this issue, we are implementing DMARC, an email authentication protocol that enhances the security of our email system. DMARC works in conjunction with other protocols such as SPF (Sender Policy Framework) and DKIM (DomainKeys Identified Mail) to verify the authenticity of emails and prevent fraudulent messages from reaching your inbox. You can review additional information in the accordion below. The DMARC process is seamless and runs at a domain level with no need for user interaction, in most circumstances. DMARC essentially confirms that the sender is really who they claim to be.

An Airport Analogy

It may be helpful to think of this new email security protocol (DMARC) like security at the airport. When fully implemented, this protocol will involve three components based on this analogy: a boarding pass, security, and the departure gate.

Boarding Pass

First, you need a boarding pass to show that you are a legitimate passenger on a specific airline. This boarding pass would contain information such as your identity (username) and a departure airport (@lclark.edu). This is analogous to the DMARC protocol that will verify that the email sender is authorized to send emails on behalf of Lewis & Clark College.

Security

Second, your boarding pass is checked by security. The boarding pass contains a unique barcode or identifier, which is verified at the gate to ensure that you are the rightful owner of the ticket. Security checks that your real identity (username) matches what is on the ticket, and that you are at the correct departure airport (@lclark.edu). This is analogous to the DMARC security protocol that adds a digital token to the email, allowing the recipient to verify its authenticity by comparing the signature with what we have on record for this sender.

Departure Gate

Finally, a gate agent reviews your boarding pass and security token, and if you pass, you board the plane and begin your travels. DMARC acts in a similar way. If your identity is not valid, if you are not allowed to send from Lewis & Clark College, or if the digital token does not match what we have on record, the email is rejected.

Technical Details

In addition to protecting your inbox, DMARC also protects the college’s identity. DMARC helps receivers confirm that LC emails are legitimate, in addition to protecting the email reputation of our @lclark.edu domain. Without DMARC, bulk false emails from a fakeuser@lclark.edu to receiver@anotheremail.edu could lead to the @lclark.edu domain being placed on a blacklist. This would ultimately mean @lclark.edu emails could end up in the spam folder of other institutions’ inboxes.

Reporting and Monitoring

DMARC provides reporting capabilities that give us valuable insights into email delivery and authentication failures. We receive regular reports from email receivers, detailing the results of SPF and DKIM checks for emails sent from our domain. These reports help us identify any unauthorized sources or potential issues with our email authentication setup. By analyzing these reports, we can take appropriate measures to maintain a secure email environment and ensure the integrity of our email communications.
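As an added illustration of the report analysis described above (example code, not the college's own tooling), the following reads a DMARC aggregate report in the RFC 7489 XML layout and totals the messages per sending IP address that failed DMARC. The report is a constructed sample; example.edu, vendor-mail.example and the IP addresses are placeholders.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict


# Constructed sample in the RFC 7489 aggregate-report layout (not real data).
# example.edu and the documentation-range IP addresses are placeholders.
def _record(ip, count, dkim, spf, spf_domain, spf_result):
    return (f"<record><row><source_ip>{ip}</source_ip><count>{count}</count>"
            f"<policy_evaluated><disposition>none</disposition>"
            f"<dkim>{dkim}</dkim><spf>{spf}</spf></policy_evaluated></row>"
            f"<identifiers><header_from>example.edu</header_from></identifiers>"
            f"<auth_results><spf><domain>{spf_domain}</domain>"
            f"<result>{spf_result}</result></spf></auth_results></record>")


SAMPLE_REPORT = (
    "<feedback><policy_published><domain>example.edu</domain><p>none</p>"
    "</policy_published>"
    + _record("192.0.2.10", 120, "pass", "pass", "example.edu", "pass")
    + _record("198.51.100.25", 40, "fail", "fail", "vendor-mail.example", "pass")
    + _record("198.51.100.25", 5, "fail", "fail", "vendor-mail.example", "pass")
    + _record("203.0.113.77", 7, "fail", "fail", "example.edu", "fail")
    + "</feedback>")


def failing_sources(report_xml):
    """Return {source_ip: {"messages": n, "reasons": set}} for DMARC failures.

    A message passes DMARC when aligned DKIM or aligned SPF passes, so a
    record fails only when both <policy_evaluated> results are not "pass".
    """
    out = defaultdict(lambda: {"messages": 0, "reasons": set()})
    for rec in ET.fromstring(report_xml).iter("record"):
        evaluated = rec.find("row/policy_evaluated")
        if "pass" in (evaluated.findtext("dkim"), evaluated.findtext("spf")):
            continue
        entry = out[rec.findtext("row/source_ip")]
        entry["messages"] += int(rec.findtext("row/count"))
        if rec.findtext("auth_results/spf/result") == "pass":
            # Raw SPF passed but the evaluated SPF result failed: the sender
            # authenticated as its own domain, which is not aligned with ours.
            spf_domain = rec.findtext("auth_results/spf/domain")
            entry["reasons"].add(f"SPF passes for {spf_domain}, not aligned")
        else:
            entry["reasons"].add("no passing SPF or DKIM")
    return dict(out)


if __name__ == "__main__":
    for ip, info in sorted(failing_sources(SAMPLE_REPORT).items()):
        print(ip, info["messages"], "; ".join(sorted(info["reasons"])))
```

In the sample, the first failing source is the pattern an unregistered third-party service produces (it authenticates, but as its own domain), while the second has no passing result at all and warrants investigation as a possible unauthorized sender.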

Summary of DMARC Benefits

  • Reputation: DMARC protects our college’s brand by preventing unauthorized parties from sending emails from our domain, which can positively impact our reputation.
  • Visibility: DMARC provides valuable reports that increase visibility into our email program, allowing us to identify and track who is sending emails on behalf of our domain.
  • Security and Authenticity: By adopting DMARC, we contribute to a more secure and trustworthy email ecosystem, ensuring that emails from our college are authenticated and legitimate.

Impact on Users Sending Email through a Third Party

If you send emails using a third-party service and have an email address with our college domain, it’s important to ensure that your third-party service aligns with the DMARC policies we’re implementing. This alignment ensures the successful delivery of your emails without any disruptions. To ensure compliance with DMARC requirements, we kindly request that you fill out the Google Form so that we can set up and validate your third-party vendor application or email service. You must complete this form prior to September 30th. Some examples of these services are MailChimp, Capterra, and Hubspot. This form will ask you to provide information about the client you are using and give IT the opportunity to meet with you and ensure your work is not impacted.

Timeline:

Summer - October 2023

  • IT enables advanced email scanning to protect against malicious emails
  • IT directs employees to Email Security Project Landing Page and continues outreach and meetings with departments
  • IT analysis of advanced reporting tools to identify individuals and departments who could be affected by advanced email security filters and by the use of third party email platforms
  • Departments and Administrators register their use of all third party email platforms with IT here prior to September 30, 2023
  • IT communicates with each registered user to verify and authenticate email service with the lclark.edu domain

November - January 2024

  • IT continues communication and outreach about changes to email security filters and authentication practices
  • A warning banner will be displayed on all emails that get caught in advanced security filters

January - February 2024

  • Emails that get caught in advanced security filters will be sent to spam
  • Emails from third party vendors that have not registered with IT will be quarantined (only Google Administrators can access these emails)

March 2024 - Full DMARC enforcement

  • New security protocols are enforced for all third party email senders.
  • Emails from third party senders who have not registered will be rejected.
  • Send all email that gets caught in advanced security filters to administrative quarantine (only Google Administrators can access these emails)

Contact

If you have any questions or need further assistance, please don’t hesitate to contact Goddardm@lclark.edu. Thank you for your cooperation as we work together to ensure the security and authenticity of our email communications.