With university email management and controls in their present state, anyone from anywhere can send legitimate or illegitimate
to anyone on the internet. To solve this, we will catch up on implementing some well-established internet email control standards so we may inform everyone receiving or processing Illinois email whether it should be trusted or not.
"Illinois email" is any email sent using @illinois.edu, @uillinois.edu, or @uiuc.edu
Why did we end up in such a pickle?
The "why" is complex, but the current state mostly a function of our organic, several, and silo-ed email development and habits over time, and a slow progression of outside abuse that crept up also over time. The problem evolved slowly from "not a problem" to eventually "very concerning" as of late.
What are we doing about it?
We are implementing the common standard internet email validation control protocol, DMARC.
To prepare, the Chief Privacy and Security Officer, Tech Services, and partners all around the university are working to do 5 things:
1) Identify and give ample notice to university stakeholders who generate, buy solutions to, or hire vendors to send official *Illinois email.
2) Provide guidance on the standard and what it means.
3) Provide guidance on how to route official email through established solutions, or implement DMARC controls
4) Provide support and guidance to non-technical audiences who need to convey the new requirement to a provider or vendor.
5) Quickly implementing and enforcing DMARC for the university, such that it starts excluding all unauthorized mail sent from anywhere, to anywhere.
What solutions are recommended?
For vended solutions:
1) Work with your vendor to implement Illinois DMARC controls
Illinois Knowledge base: Email, Configuring Authenticated Email using a vendor DKIM record
IETF RFC 7489 (RFC for the DMARC standard): https://tools.ietf.org/html/rfc7489
2) Have the vendor change the configured sender to be an account in an internet domain (ex. @example.com) they control.
For cloud solutions
Use the Campus Cloud Emailer service
See related internal KB articles: Cloud Emailer Service, What is it and How Can I Use It? Cloud Emailer Service, Configuring use of the Cloud Emailer Service
For on-prem Illinois Email technologies and solutions
The Campus Relays service has DMARC already configured. So if your solution already uses this to send through, you're all set!
If not already doing so, Configure your service to send out using the Campus Relays
See Email, Unauthenticated SMTP for campus printers, web services, etc.
Who can I contact to get information on evaluating my Illinois email-sending solution?
When you are ready, send an email to firstname.lastname@example.org.
Include whether you are inquiring about a technology that you run, a vendor product, or something that someone else runs for you. Include as much detail as you feel will inform enough on your context to set the conversation down the right path.
Are there other efforts related to this one?