Privacy & Cybersecurity: Authorized Illinois Email (DMARC) Effort FAQ
FAQ for Illinois Enterprise Email Source Authorization/DMARC Effort
What is this effort all about?
With university email management and controls in their present state, anyone from anywhere can send legitimate or illegitimate †Illinois email to anyone on the internet. To solve this, we will catch up on implementing some well-established internet email control standards so that we can inform everyone receiving or processing Illinois email whether it should be trusted or not.
Right now, the issue certainly impacts the university in technical ways, but more importantly, it hits home in ways that negatively impact the reliability of our business communications systems in general, the cybersecurity of everyone in the ecosystem, trust in our Illinois brand, and our overall reputation.
What does the problem look like right now?
In a recent 30-day survey of internet mail reportedly coming from †Illinois, there were approximately 200 sources of "official" Illinois email worldwide, most of which (all but 20 or so) could not be easily verified or validated as "official" or authorized. We simply do not have a good idea about what we ought to trust or accept, and neither does anyone else on the internet. This is why some big email providers have been quarantining or rejecting Illinois email. For example, many U.S. Government granting authorities (DoE, DoD, etc.) now require that DMARC be implemented, or else they threaten to reject our email. Yahoo regularly quarantines Illinois email.
Why did we end up in such a pickle?
The "why" is complex, but the current state is mostly a function of our organic, several, and siloed email development and habits over time, and a slow progression of outside abuse that also crept up over time. The problem evolved slowly from "not a problem" to eventually "very concerning" as of late.
What are we doing about it?
We are implementing the common standard internet email validation control protocol, DMARC.
To prepare, the Chief Privacy and Security Officer, Tech Services, and partners all around the university are working to do 5 things:
1) Identify and give ample notice to university stakeholders who generate, buy solutions to, or hire vendors to send official †Illinois email.
2) Provide guidance on the standard and what it means.
3) Provide guidance on how to route official email through established solutions, or implement DMARC controls.
4) Provide support and guidance to non-technical audiences who need to convey the new requirement to a provider or vendor.
5) Quickly implement and enforce DMARC for the university, such that it starts excluding all unauthorized mail sent from anywhere, to anywhere.
What solutions are recommended?
For vended solutions:
1) Work with your vendor to implement Illinois DMARC controls.
Illinois Knowledge base: "Email, Configuring Authenticated Email using a vendor DKIM record"
IETF RFC 7489 (RFC for the DMARC standard): https://tools.ietf.org/html/rfc7489
2) Have the vendor change the configured sender to be an account in an internet domain (e.g., @example.com) they control.
For cloud solutions:
Use the Campus Cloud Emailer service.
See related internal KB articles:
"Cloud Emailer Service, What is it and How Can I Use It?"
"Cloud Emailer Service, Configuring use of the Cloud Emailer Service"
For on-prem Illinois Email technologies and solutions:
The Campus Relays service has DMARC already configured. So if your solution already uses this to send through, you're all set!
If not already doing so, configure your service to send out using the Campus Relays.
See "Email, Unauthenticated SMTP for campus printers, web services, etc."
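As an added illustration (not code from the university or its KB articles), the sketch below applies the identifier-alignment check from RFC 7489 to show why vendor mail claiming an Illinois sender fails DMARC unless it is signed with an Illinois DKIM record or sent from the vendor's own domain. The vendor and subdomain names are hypothetical, the messages are constructed, and the organizational domain is approximated as the last two labels instead of using the Public Suffix List.

```python
# Added example: DMARC identifier alignment as described in RFC 7489, section 3.1.
# Assumption: the organizational domain is the last two labels (true for
# illinois.edu and example.com); real receivers use the Public Suffix List.

def org_domain(domain):
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(from_domain, auth_domain, strict=False):
    """Strict mode needs an exact match; relaxed mode compares org domains."""
    if strict:
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)

def dmarc_result(from_domain, spf_pass, spf_domain, dkim_sigs, strict=False):
    """'pass' if a passing SPF or DKIM identifier aligns with the From domain.

    dkim_sigs is a list of (d= domain, signature_verified) tuples.
    """
    if spf_pass and aligned(from_domain, spf_domain, strict):
        return "pass"
    if any(ok and aligned(from_domain, d, strict) for d, ok in dkim_sigs):
        return "pass"
    return "fail"

# Constructed messages; mailer.example.com and dept.illinois.edu are hypothetical.
VENDOR_SPF = (True, "bounce.mailer.example.com")
SAMPLES = {
    "vendor signs with its own domain only":
        ("illinois.edu", *VENDOR_SPF, [("mailer.example.com", True)]),
    "vendor signs with an Illinois DKIM record":
        ("illinois.edu", *VENDOR_SPF, [("dept.illinois.edu", True)]),
    "vendor sends from its own domain":
        ("example.com", *VENDOR_SPF, [("mailer.example.com", True)]),
    "forged sender, nothing authenticates":
        ("illinois.edu", False, "unknown.example.net", []),
}

def evaluate_samples(strict=False):
    return {name: dmarc_result(*msg, strict=strict) for name, msg in SAMPLES.items()}

if __name__ == "__main__":
    for name, result in evaluate_samples().items():
        print(f"{result:4}  {name}")
```

In the third case the message passes because it is evaluated against the vendor's own domain, so it no longer claims to be Illinois email at all.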
Who can I contact to get information on evaluating my Illinois email-sending solution?
When you are ready, send an email to firstname.lastname@example.org
Are there other efforts related to this one?
Yes, the "Employee email auto-forwarding policy" effort. See " "
† "Illinois email" is any email sent using @illinois.edu, @uillinois.edu, or @uiuc.edu