91¶ÌÊÓƵ regularly works to improve the security around our email infrastructure, with two goals:
- To assure that messages that are sent by members of the 91¶ÌÊÓƵ community are reliably delivered; and
- To reduce the number of malicious or spam messages that members of the 91¶ÌÊÓƵ community receive.
We have instructed other organizations’ email providers to block delivery of messages from 91¶ÌÊÓƵ subdomains, for messages that do not pass authentication checks. This does not impact email from standard 91¶ÌÊÓƵ addresses, like bbronco@scu.edu -- standard 91¶ÌÊÓƵ addresses do not use a subdomain.
We have instructed other organizations’ email providers to mark as ‘spam’ any messages from standard 91¶ÌÊÓƵ email addresses (like bbronco@scu.edu) that do not pass authentication checks.
Do you just send email through Gmail?
No action is needed for the messages you send or receive through Gmail or through the on-premise email relay.
Email security tools and 91¶ÌÊÓƵ vendors
The tools we use to improve deliverability and reduce spam and phishing are DKIM, SPF, and DMARC (more information below).
If you work with a vendor, you may want to send messages from an 91¶ÌÊÓƵ email address using the vendor’s system. For example, a department may contract with Mailchimp to send messages using their department’s 91¶ÌÊÓƵ email address, to make the messages more friendly and personal.
In this case, we will work with you, and your vendor, to authorize the vendor’s use of the 91¶ÌÊÓƵ email address. This will help to ensure your messages will continue to be delivered to your recipients’ inboxes.
Authorizing your vendor to send 91¶ÌÊÓƵ email messages
If you are working with a vendor, and will be sending email using an 91¶ÌÊÓƵ email address, extra work is needed to ensure that these messages are authenticated.
If your vendor doesn’t support DKIM, messages your vendor sends using an 91¶ÌÊÓƵ email address will fail the authentication checks. Email systems that receive these messages should not deliver them to the recipients’ inboxes.
Once we have worked with your vendor to set up DKIM, be sure that you configure your messages to use an 91¶ÌÊÓƵ email address. If you use the vendor’s email address, your messages may fail authentication checks, and may not be delivered.
DKIM and SPF identify authorized email senders
DKIM and SPF are tools to identify authorized email senders -- people, systems, or vendors who are authorized to send email using an 91¶ÌÊÓƵ email address.
91¶ÌÊÓƵ uses DKIM (DomainKeys Identified Mail) to cryptographically sign individual email messages. These messages contain a cryptographic signature in the email header. A receiver can authenticate a message by using 91¶ÌÊÓƵ’s public key to calculate a signature; if the calculated signature matches the signature in the email header, the message is considered authentic.
91¶ÌÊÓƵ also uses SPF (Sender Policy Framework) to list the IP address of systems that are authorized to send email on our behalf. A receiver can use SPF to authenticate a message by comparing the sender’s IP address to the listed IP addresses. If the sender’s IP address is listed in SPF, the message is considered authentic.
DKIM is strongly preferred over SPF. SPF allows anyone sending from the specified system to send messages from an 91¶ÌÊÓƵ email address. This could result in spoofed email, spam, or phishing messages being sent from what looks like a valid 91¶ÌÊÓƵ system.
DMARC specifies what to do with unauthorized messages
DMARC is a tool that tells other email systems what to do with email that says it is from an 91¶ÌÊÓƵ email address, but the sender cannot be identified as an authorized email sender.
91¶ÌÊÓƵ uses DMARC (Domain-based Message Authentication, Reporting and Conformance) to instruct receivers about what to do when a message fails the authentication checks under SPF or DKIM.
One of three actions can be specified for messages that fail the authentication checks:
none - deliver the message to the recipient’s inbox
quarantine - deliver the message to the recipient’s spam folder
reject - block delivery of the message
For 91¶ÌÊÓƵ, unauthorized messages from subdomains will be rejected; unauthorized messages from scu.edu will be quarantined.
Format your messages to improve deliverability
- Follow these for formatting your email message.
- Send your message using your own 91¶ÌÊÓƵ account, or a Delegated Mailbox you have access to. Do not attempt to emulate another person's account, even if they gave you their permission to do so. This is called "spoofing" and it is a common tactic used in spamming and phishing. These messages are likely to be flagged as potentially dangerous.
Messages started going to spam
Google and Yahoo are continuing to impose stricter rules on how they classify email.
- Messages may be classified as 'spam' because of their content.
- Messages may also be classified as 'spam' if the sender's email domain is missing the required email security components. This determination is made by Google, not by 91¶ÌÊÓƵ.