What Is DMARC?

DMARC is a set of standards and policies used to validate the authenticity of an email’s sender and prevent delivery of “spoofed” email. 

“Spoofing” is when a sender has disguised who they are to appear to be someone other than who they are, usually to impersonate a trusted or legitimate account. To avoid having your email considered “spoofed,” your email should always be sent using an approved service. 

Cornell Official Email Services

When you send email using your Cornell NetID email address, or a Cornell email alias address linked to your NetID address, you must use an email client such as Outlook, Apple Mail, Thunderbird, or Gmail set up for one of these mail services:

• Cornell's Microsoft Mail Service (“Microsoft Exchange”)
• Cornell's Google Mail Service (“Cornell Google Workspace”)

Your email will not be tagged as “spoofed” and blocked by DMARC policy if you use an email client with one of these services to send mail from your Cornell email address.

Email Practices That Risk Being Blocked

Starting January 28, 2026, Cornell’s DMARC policy will be enforced. Some examples of email setups that will fail DMARC include the following:

• If someone else has spoofed your email address without your knowledge, it will fail DMARC. This is what DMARC security policy has been designed to detect and prevent.
• If you send email using your Cornell email address through email services other than those mentioned above (such as a personal Gmail account), it will be blocked by DMARC and not delivered.
• If you use a third-party email and marketing vendor to send mass communications (for example, MailChimp or Constant Contact) and use your Cornell NetID email address as the sender “From” address, the mass communication will be blocked.
• If a message has been sent via a Google Group, the email appearance may change from what you are used to. Email sent via Google Groups will likely continue to be delivered after Cornell DMARC policy is enforced. However, details in the email's header may be changed.
  • Testing indicates that, for the “From” field, Google Groups replaces your email address with the group's posting address, while keeping your name as the "From" display name. (For example, the “From” field might resemble “Phil Schmertz via My Group <mygroup@googlegroups.com>”.)
  • Also, Google Groups adds a “Reply-to” header field with your email address, so if another group member replies to your group email, it will go only to you. To reply to the entire group, use your email client’s Reply All feature.
• If a message has been sent via a non-Cornell e-list (may also be called a mailing list or listserv), we expect that most modern email lists will support DMARC properly, so your email posts will not be rejected. This includes Listserv software commonly used in higher-ed organizations, which will correctly update the From address in your email post if it detects the sender's domain (that is, Cornell’s domain) has a “p=reject” DMARC policy. 
  
  However, users may currently be seeing their posts tagged as risky because Cornell’s “p=reject” DMARC policy is not yet in place. This change will take place on Wednesday, January 28, 2026. Before that date, the email list you send to will not detect an updated security setting, and therefore will not make the From address change automatically, which, to Cornell’s security measures, flags it as a possible spoof. After the January 28 change is made, this will no longer happen and your email posts should be delivered as expected. 
• If an originally legitimate email is forwarded multiple times, it can result in an email failing DMARC security policy and not being delivered. This may happen when an account that automatically forwards all email is used to subscribe to Google Groups, e-Lists, or other email lists. When subscribing to an email list, consider using an email account that does not automatically forward email.

Note that mass communications sent using Marketing Cloud or Lyris will not be blocked.

For guidance on properly setting up a process for sending mass communications, visit Official Mailings and Third-Party Mail Senders.

For background on Cornell’s DMARC Enforcement initiative, visit Cornell Moves Forward on DMARC Enforcement to Prevent Email Fraud.