Email Authentication Policies
Introduction
To enhance email security and maintain compliance with other mailbox providers (e.g., Gmail, etc.), Tufts University will be rolling out policies around the routing of inbound and outbound email. The goal of these changes is to improve email validation and reduce spam and spoofing.
This rollout will be done in phases to minimize disruption and allow for detailed investigation and preparation.
The focus will be on three email authentication technologies – SPF, DKIM, and DMARC.
Security policies around SPF, DKIM, and DMARC rely on Domain Name System (DNS) records that are published by domains that send email. Email recipients rely on these records for authentication as described below.
- SPF (Sender Policy Framework) - SPF is a published list of authorized senders for a domain. An organization uses it to specify which IP addresses are approved to send outgoing messages on its behalf, including the mail system addresses of its own domain and of partner domains. This allows a recipient to check whether an incoming message was sent by an approved sender.
- DKIM (DomainKeys Identified Mail) - DKIM is a cryptographic email signature that domains can apply to outgoing messages. This allows a recipient to check that an incoming message comes from a validated sender and that it has not been tampered with in transit.
- DMARC (Domain-based Message Authentication, Reporting, and Conformance) - DMARC builds on existing SPF and DKIM policies and enhances them even further. It gives a recipient specific directions on how to handle incoming messages that appear to come from a particular sender but fail the SPF and DKIM checks. Possible actions include do nothing, quarantine, or reject. DMARC policies also specify when and how to report data back to the supposed sender domain so that it can monitor the effectiveness of its own anti-spoofing policies.
Email Routing Policies at Tufts
The sections below contain information about current and future policies at Tufts University.
Description
Proofpoint, Tufts’ spam filtering tool, will be configured to validate the SPF (Sender Policy Framework) of incoming email messages. When a message is sent to a Tufts address, Proofpoint will check if the sending address is authorized to send messages from that domain, thereby reducing potential spoofing. Incoming messages that pass this check will be delivered to the intended recipient as usual.
Incoming messages that do NOT pass this check will be handled differently depending on the reason for their failure. Possible outcomes include:
- Quarantine – The message will be sent to the intended recipient’s Proofpoint Quarantine folder and held there for 2 weeks before being automatically rejected. Users will be notified of quarantined messages via their Proofpoint daily digest. To learn more about how to check your Quarantine folder, visit the Tufts Proofpoint user guide.
- Reject – The message will not be delivered and the sender will be notified of the failure.
Potential Impact
Some domains configure their Sender Policy Framework in a way that prohibits the forwarding of messages that originated from their domains. Tufts will enforce such policies, which will result in the rejection of those emails.
Example – An email is sent from a Vendor to your private Gmail address, which you then forward to your Tufts address. This may look like spoofing because Proofpoint will see that the email supposedly originated from the Vendor’s domain but was sent from a Gmail address. If the Vendor has an SPF policy that says forwarding email this way is not allowed, Tufts will respect that policy and reject the email.
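The following is an added example, not part of the Tufts page and not Proofpoint’s code, that shows how the SPF and DMARC checks described above are evaluated and why the forwarding scenario fails. It uses constructed DNS TXT records for hypothetical domains (vendor.example, _spf.mailer.example, forwarder.example) and a simplified SPF evaluator (ip4, ip6, include and all mechanisms only). It also simplifies DMARC alignment by evaluating SPF directly against the domain in the From: header, which is the comparison the example above describes.

```python
import ipaddress

# Constructed DNS TXT records for hypothetical domains (not real DNS data).
# vendor.example authorizes its own /24 and a third-party mailer, and publishes
# a DMARC policy of "reject" with aggregate reports sent to its own mailbox.
DNS_TXT = {
    "vendor.example": "v=spf1 ip4:203.0.113.0/24 include:_spf.mailer.example -all",
    "_spf.mailer.example": "v=spf1 ip4:198.51.100.10 ~all",
    "_dmarc.vendor.example": "v=DMARC1; p=reject; rua=mailto:dmarc-reports@vendor.example",
    "forwarder.example": "v=spf1 ip4:192.0.2.0/24 -all",  # stands in for a personal mail provider
}

# SPF qualifiers that prefix a mechanism; "+" is the default when none is given.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(domain, sender_ip, depth=0):
    """Evaluate the SPF record of `domain` against the connecting `sender_ip`.

    Returns pass / fail / softfail / neutral / none (no record) / permerror.
    Simplified: supports ip4, ip6, include and all; no a/mx/exists/redirect.
    """
    if depth > 10:
        return "permerror"  # RFC 7208 caps the number of DNS-querying terms
    record = DNS_TXT.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, value = term.partition(":")
        if name in ("ip4", "ip6"):
            # A bare address is treated as a /32 or /128 network.
            if ip in ipaddress.ip_network(value, strict=False):
                return QUALIFIERS[qualifier]
        elif name == "include":
            # include matches only if the referenced domain's record yields pass.
            if check_spf(value, sender_ip, depth + 1) == "pass":
                return QUALIFIERS[qualifier]
        elif name == "all":
            return QUALIFIERS[qualifier]
    return "neutral"


def parse_dmarc(domain):
    """Return the DMARC tags published at _dmarc.<domain>, or None if absent."""
    record = DNS_TXT.get("_dmarc." + domain)
    if record is None or not record.startswith("v=DMARC1"):
        return None
    tags = {}
    for part in record.split(";"):
        key, _, value = part.strip().partition("=")
        if key:
            tags[key.strip()] = value.strip()
    return tags


def dmarc_disposition(from_domain, spf_result, dkim_pass=False):
    """Apply the sender's DMARC policy to a message that failed authentication.

    A message passes DMARC if either SPF or DKIM passes; otherwise the
    p= tag decides: none (deliver), quarantine, or reject.
    """
    if spf_result == "pass" or dkim_pass:
        return "deliver"
    policy = parse_dmarc(from_domain)
    if policy is None:
        return "no-policy"  # sender publishes no DMARC record; recipient decides
    actions = {"none": "deliver", "quarantine": "quarantine", "reject": "reject"}
    return actions.get(policy.get("p", "none"), "deliver")


def scenario(from_domain, sender_ip, dkim_pass=False):
    """Run both checks for a message claiming `from_domain` sent from `sender_ip`."""
    spf = check_spf(from_domain, sender_ip)
    return spf, dmarc_disposition(from_domain, spf, dkim_pass)


if __name__ == "__main__":
    # Direct delivery from the vendor's own mail server: SPF passes.
    print("direct:   ", scenario("vendor.example", "203.0.113.5"))
    # The same message forwarded through a personal mailbox: the connecting IP
    # belongs to the forwarder, not the vendor, so SPF fails and p=reject applies.
    print("forwarded:", scenario("vendor.example", "192.0.2.77"))
    # If the forwarder leaves the vendor's DKIM signature intact, DMARC still passes.
    print("fwd+dkim: ", scenario("vendor.example", "192.0.2.77", dkim_pass=True))
```

The forwarded case is the one the example describes: the message still claims to be from the vendor, but the connecting IP is the forwarder's, so SPF yields fail and the vendor's `p=reject` policy tells the recipient to reject it. The third call shows why the planned inbound DKIM checks matter: a DKIM signature that survives forwarding is what lets a legitimately forwarded message pass DMARC even though SPF fails.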
In the future, Tufts will be enforcing additional email authentication mechanisms in the following areas:
- DKIM on inbound mail
- DMARC on inbound mail
- Tufts outbound email already makes use of SPF, DKIM, and DMARC. Improvements to outbound email security will continue to be made going forward.
What do I need to do?
- When possible, try to have emails sent directly to your @tufts.edu email address rather than having them forwarded.
- Familiarize yourself with Proofpoint and how to access your quarantined email. Reminder: Proofpoint will send you a daily email digest to notify you of any suspicious emails that have been quarantined in the previous 24 hours.
Resources
For Assistance
Please email it@tufts.edu with the subject “Email Routing”.