- Email Authenticity (DMARC) - Knowledge Portal

University departments sending bulk emails or newsletters using a third-party or cloud-based service (Constant Contact, Salesforce, Blackbaud, Sendgrid, Qualtrics, Mailchimp etc.) will need to work with IT to comply with new anti-spam requirements beginning February 2024.

Google is requiring the use of Domain-based Message Authentication, Reporting & Conformance, or DMARC for short.

Why it Matters: If your third-party or cloud-based service is not DMARC-compliant, emails you send with them from a @ucf.edu email addresses or a UCF sub-domain (i.e., @mail.ucf.edu, @bus.ucf.edu etc.) won’t be delivered to recipients and could be flagged as spam.

How will DMARC implementation affect you?

While these requirements do impact every member of the UCF community, there is nothing you need to do if you do not use a third-party application or email service to send communications from a UCF email address. All changes are transparent to end-users and will take place entirely behind the scenes. In other words, your current user experience will remain the same: you won’t notice anything different about your UCF email account or how you use it.

Impact to UCF provided SMTP servers: If your application is configured to use the campus SMTP servers such as ucfsmtp.mail.ucf.edu or ucfsmtp1.mail.ucf.edu, or if it utilizes a UCF IT provided Sendgrid account (smtp.sendgrid.net), you are already in compliance, and your existing bulk email experience will remain unchanged. Take note that bulk emailers sending email to Google or Yahoo address still must offer a one-click unsubscribe via a list-unsubscribe header and include a clearly visible unsubscribe link in the body of your email.

Impact to third-party applications: If you do use third-party application or email services, starting February 2024, the following new guidelines for bulk senders (any email sent to more than 500 recipients per day is considered bulk or mass email) includes:

Bulk emailers must setup DKIM authentication for any third-party vendor applications (i.e., Constant Contact, Salesforce, Blackbaud, Sendgrid, Qualtrics, Mailchimp etc.) used to transmit mail on UCF's behalf.
Bulk emailers who transmit mail on UCF's behalf must stay below a spam complaint threshold. For Google, you need to stay below 0.1% and never hit 0.3%; for Yahoo, you need to be under 0.3%.
Bulk emailers must offer a one-click unsubscribe via a list-unsubscribe header and include a clearly visible unsubscribe link in the body of your email.
Bulk emailers will not impersonate From: headers.

Important Dates:

February 2024, All third-party application or email services that send in excess of 500 emails a day must be DMARC compliant. What this means is that messages that are not DMARC compliant are likely to end up in recipients’ spam folders, or be rejected, rather than their inboxes.
April 2024, Google and Yahoo will start rejecting a percentage of non-compliant email traffic and will gradually increase the rejection rate. For example, if 75% of a sender’s traffic meets their requirements, they will start rejecting a percentage of the remaining 25% of traffic that isn’t compliant.
June 2024, Google and Yahoo will reject all non-compliant email traffic.

Take Action: If you are an account owner or administrator on one of these third-party or cloud-based services, it’s very important you work with IT to implement DMARC. Here’s how:

How to check compliance:

Send a test email from your third-party service to a personal @gmail.com address. In Gmail, open the email and click the three dots in the top right:
Select Show Original
Check the last box of the header. If this says FAIL, your emails are not properly authenticated.

If your email message does not pass DMARC: If you use a third-party vendor application or email service to send communications from a UCF email address, and it does not pass DMARC or, if you are unsure if your department's email application is in compliance, please contact the UCF IT Helpdesk:

Step 1) Initiate the process by submitting a DMARC/DKIM request to IT for consulting assistance in validating DMARC/DKIM.

Step 2) Following IT's review of your DMARC/DKIM request and if it is determined that your third-party application does not comply with DMARC, you will be required to open an additional ticket. This is necessary for submitting a DNS request once your third-party application provides the appropriate CNAME record. Depending on the platform, UCF IT will require specific information from your account to update the domain.

Note: If IT determines that your third-party application is already DMARC compliant, there will be no need for an additional DNS request, and you won't experience any changes in your email service or its usage.

What is DMARC and how does it work?

DMARC provides protection against spam and phishing emails and other spoofing attempts by adding an encrypted DKIM (DomainKeys Identified Message) signature and/or SPF (Sender Policy Framework) to verify the authenticity of any sender attempting to use the @ucf.edu domain, or any subdomains. This added safeguard provides an extra level of protection for any emails sent from an authorized University of Central Florida email address. DMARC also improves email reputation and Inbox placement.

A DMARC policy can be used to authenticate a sender’s domain, verify that the email transmitted by a sender are legitimate, and identify and monitor all approved/verified senders and third-party vendor applications (i.e., Constant Contact, Salesforce, Blackbaud, Sendgrid, Qualtrics, Mailchimp etc.) used to transmit mail on UCF's behalf. A DMARC policy also provides instructions to other email servers on how unauthenticated email should be handled by putting them in quarantine or Junk Email folder and in some cases, rejecting the email so that it is never delivered.

Why implement DMARC?

Email technology continues to evolve and DMARC has become one of the common solutions to verify email messages are legitimate.

Provides separation of approved and unapproved email messages. Without DMARC, it is possible for fraudulent spoofing of our university email domains. Properly implementing DMARC technology adds credibility to university messages.
DMARC has become an industry standard technology with large providers such as Google/Gmail, and some government agencies, requiring systems to implement the protocols. To continue successfully communicating with these providers, we must adapt.
Participating in DMARC compliance will help increase overall email authentication. As other organizations implement similar changes, phishing and other inappropriate spoofing will become less effective.

Benefits of DMARC

Reputation: Publishing a DMARC record protects your brand by preventing unauthenticated parties from sending mail from your domain. In some cases, simply publishing a DMARC record can result in a positive reputation bump.
Inbox Placement: DMARC improves inbox placement and keeps messages from being flagged as junk email or being blocked entirely. Some government agencies, other organizations, and other mail systems (Gmail, Yahoo, etc.) are moving towards requiring email coming into their systems to be authenticated.
Visibility: DMARC reports increase visibility into your email program by letting you know who is sending email from your domain.
Security: DMARC helps the email community establish a consistent policy for dealing with messages that fail to authenticate. This helps the email ecosystem become more secure and more trustworthy.