CIT to Begin DMARC-based Email Security Initiative
Beginning this summer, CIT will launch an initiative to significantly improve email security at Cornell by implementing Domain-based Message Authentication, Reporting, and Conformance ("DMARC").
Cornell users who send bulk emails (such as, but not limited to, e-newsletters or organizational updates) either directly or using a third-party email service, should pay particular attention to this project. The proposed changes will likely affect the delivery of such email if it is not properly configured.
The process of education, outreach, testing, and finally implementation of the new protocol is expected to last through Summer 2024.
About DMARC and Email Spoofing
The DMARC protocol was designed to provide those responsible for email domains such as "cornell.edu" a means to protect against email spoofing. A spoofed email message is one that appears to have been sent by someone other than the actual sender, generally impersonating an email address within the same organization, to gain the recipient's trust.
Malicious users frequently use spoofed emails to deliver malware-infected email attachments or email that includes links to malware websites. Masquerading as an email from a trusted contact or institutional authority, hackers can often trick users into opening risky attachments or following dangerous links.
DMARC uses the email authentication standards Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM), together with the records the domain owner publishes in DNS, to evaluate the headers of an incoming email message. When an email fails the DMARC test, it is blocked by the email server and will not be delivered to the recipient.
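To make the "DMARC test" concrete, here is an added example (not CIT's code or documentation) of the alignment check a receiving mail server performs: the domain in the message's From header must match, in either strict or relaxed mode, the domain that SPF or DKIM actually authenticated, and a failure is handled according to the `p=` policy the domain owner published. The DMARC record, the domains other than cornell.edu, and the authentication results are constructed for illustration, and `organizational_domain` is a simplification (real receivers consult the Public Suffix List).

```python
"""Illustrative DMARC alignment and disposition evaluator (added example)."""
from dataclasses import dataclass


def parse_dmarc_record(txt: str) -> dict:
    """Parse the tag=value pairs of a DMARC TXT record (e.g. 'v=DMARC1; p=reject')."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part or "=" not in part:
            continue
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        raise ValueError("not a DMARC1 record")
    # Defaults defined by the DMARC specification when a tag is absent.
    tags.setdefault("p", "none")
    tags.setdefault("adkim", "r")   # r = relaxed, s = strict
    tags.setdefault("aspf", "r")
    return tags


def organizational_domain(domain: str) -> str:
    """Return the registrable domain, e.g. 'mail.cornell.edu' -> 'cornell.edu'.
    Simplification: assumes a one-label public suffix; real code uses the
    Public Suffix List."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """Identifier alignment: strict needs an exact match, relaxed needs the
    same organizational domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return organizational_domain(from_domain) == organizational_domain(auth_domain)


@dataclass
class AuthResults:
    from_domain: str   # domain of the visible From: header (RFC5322.From)
    spf_pass: bool
    spf_domain: str    # domain SPF checked (envelope MAIL FROM)
    dkim_pass: bool
    dkim_domain: str   # d= tag of the signature that verified, if any


def evaluate_dmarc(results: AuthResults, record_txt: str) -> dict:
    """Return the DMARC result and the disposition the published policy asks for."""
    rec = parse_dmarc_record(record_txt)
    spf_ok = results.spf_pass and aligned(results.from_domain, results.spf_domain, rec["aspf"])
    dkim_ok = results.dkim_pass and aligned(results.from_domain, results.dkim_domain, rec["adkim"])
    passed = spf_ok or dkim_ok   # either aligned mechanism is enough
    return {
        "dmarc": "pass" if passed else "fail",
        "spf_aligned": spf_ok,
        "dkim_aligned": dkim_ok,
        "disposition": "none" if passed else rec["p"],   # none / quarantine / reject
    }


# Constructed sample record; cornell.edu is only used as the From: domain here.
SAMPLE_RECORD = "v=DMARC1; p=reject; adkim=r; aspf=r"

# Constructed scenarios mirroring the cases discussed above.
CASES = {
    # Mail relayed by an institutional server: SPF passes on a subdomain, relaxed alignment holds.
    "institutional": AuthResults("cornell.edu", True, "mail.cornell.edu", False, ""),
    # Third-party bulk sender that authenticates only its own domain: nothing aligns.
    "unconfigured_third_party": AuthResults(
        "cornell.edu", True, "bulkmail-provider.example", True, "bulkmail-provider.example"),
    # Third-party sender correctly set up to sign with the institution's DKIM key.
    "configured_third_party": AuthResults(
        "cornell.edu", True, "bulkmail-provider.example", True, "cornell.edu"),
    # Forged From: header with no authentication at all.
    "spoofed": AuthResults("cornell.edu", False, "attacker.example", False, ""),
}

if __name__ == "__main__":
    for name, res in CASES.items():
        print(f"{name:26s} -> {evaluate_dmarc(res, SAMPLE_RECORD)}")
```

Note that the disposition for a failing message is whatever the record's `p=` tag requests: a domain that publishes `p=none` only receives reports, `p=quarantine` asks receivers to treat the mail as suspicious, and `p=reject` asks them to refuse it. A rollout like the one described on this page typically moves through those policies in order as affected senders are identified.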
It is also important to bear in mind that malicious email that spoofs Cornell addresses can damage the university’s email domain reputation. So, in addition to reducing the incidence of malware infection, curbing spoofing will improve the overall deliverability of legitimate Cornell email.
Some campus organizations, departments, and offices that send newsletters or other mass-distribution email have informally used invented email addresses, or addresses that belong to someone else, as the sender of their mailings; they will be affected by tighter email security. Senders using third-party email services that have not been properly configured can also inadvertently run afoul of tighter email security.
These "legitimate" spoofers need to be identified and provided with documentation on how to properly configure their messages to avoid interfering with their academic and business need to reach out to their readers.
Implementing DMARC at Cornell
It is expected that the process of identifying email administrators and senders of email messages that might be affected by the implementation of DMARC will take many months. The CIT Email Services team has already been collecting and reviewing extensive data on delivered email for this purpose.
It is expected that several rounds of research into email that would fail DMARC tests, and outreach to its senders, will be required to avoid affecting legitimate users at Cornell. Once identified, potentially affected email senders will be directed to documentation on how to correctly configure their email, either by using an EGA resource email account or by properly configuring their third-party email sender.
Current CIT documentation about properly configuring mailings and third-party services can be found at Official Mailings and Third-Party Mail Senders. If you send organizational email and think you might be affected by these upcoming changes, reach out to the Email Services team at email@example.com.