Privacy & Cybersecurity: Authorized Illinois Email (DMARC) Effort FAQ

FAQ for Illinois Enterprise Email Source Authorization/DMARC Effort

What is this effort all about?

With university email management and controls in their present state, anyone from anywhere can send legitimate or illegitimate Illinois email to anyone on the internet. To solve this, we will catch up on implementing some well-established internet email control standards so we may inform everyone receiving or processing Illinois email whether it should be trusted or not.

 
Right now, the issue impacts the university in technical ways certainly, but more importantly, it hits home in ways that negatively impact reliability of our business communications systems in general, cybersecurity of everyone in the ecosystem, trust in our Illinois brand, and overall reputation.

What does the problem look like right now?

In a recent 30-day survey of internet mail reportedly coming from Illinois*, there were approximately 200 sources of "official" Illinois email worldwide, most of which (all but 20 or so) could not be easily verified or validated as "official or authorized. We simply do not have a good idea about what we ought to trust or accept, and neither does anyone else on the internet. This is why some big email providers have been quarantining or rejecting Illinois email. For example, many U.S. Government granting authorities (DoE, DoD, etc) now require DMARC be implemented, else they threaten to reject our email. Yahoo regularly quarantines Illinois email.
"Illinois email" is any email sent using @illinois.edu, @uillinois.edu, or @uiuc.edu 

Why did we end up in such a pickle?

The "why" is complex, but the current state mostly a function of our organic, several, and silo-ed email development and habits over time, and a slow progression of outside abuse that crept up also over time. The problem evolved slowly from "not a problem" to eventually "very concerning" as of late.

What are we doing about it?

We are implementing the common standard internet email validation control protocol, DMARC.
To prepare, the Chief Privacy and Security Officer, Tech Services, and partners all around the university are working to do 5 things:

    1) Identify and give ample notice to university stakeholders who generate, buy solutions to, or hire vendors to send official *Illinois email.
    2) Provide guidance on the standard and what it means.
    3) Provide guidance on how to route official email through established solutions, or implement DMARC controls
    4) Provide support and guidance to non-technical audiences who need to convey the new requirement to a provider or vendor.
    5) Quickly implementing and enforcing DMARC for the university, such that it starts excluding all unauthorized mail sent from anywhere, to anywhere.

What solutions are recommended?

For vended solutions:

    1) Work with your vendor to implement Illinois DMARC controls
        Please see:
        Illinois Knowledge base: Email, Configuring Authenticated Email using a vendor DKIM record
        DMARC.org: https://dmarc.org/
        IETF RFC 7489 (RFC for the DMARC standard): https://tools.ietf.org/html/rfc7489
    2) Have the vendor change the configured sender to be an account in an internet domain (ex. @example.com) they control.

For cloud solutions

Use the Campus Cloud Emailer service
    See related internal KB articles:
        Cloud Email Delivery Service, What is it and How Can I Use It?
        Cloud Email Delivery Service, Configuring use of the Cloud Email Delivery Service

For on-prem Illinois Email technologies and solutions

    The Campus Relays service has DMARC already configured. So if your solution already uses this to send through, you're all set!
    If not already doing so, Configure your service to send out using the Campus Relays
    See Email, Unauthenticated SMTP for campus printers, web services, etc.

Who can I contact to get information on evaluating my Illinois email-sending solution?

When you are ready, send an email to consult@illinois.edu.

Include whether you are inquiring about a technology that you run, a vendor product, or something that someone else runs for you. Include as much detail as you feel will inform enough on your context to set the conversation down the right path.

Are there other efforts related to this one?

Yes, the employee email auto-forwarding policy effort. See Privacy & Cybersecurity, Faculty and Staff Email Auto-forwarding Retirement FAQ.