Email Security - DMARC, SPF, DKIM


Overview

Units who use off-campus services to deliver email on behalf of the @tamu.edu domain or a subdomain may need to take action to ensure successful delivery of their messages.

In addition, units who send to external recipients, such as @gmail.com addresses, from a tamu.edu subdomain or boutique address may also need to take action to ensure successful delivery of their messages; skip ahead to Sending to External Recipients from Boutique Addresses.

Texas A&M Technology Services has enabled the anti-spoofing protocol DMARC for the root tamu.edu domain. DMARC compliance is a very technical topic involving several related, though different, protocols that work together to verify the legitimacy of an email. While this document is intended to explain what these protocols are and how to use them, these concepts can be difficult to understand. If you simply need to know if your marketing campaign is compliant, or what actions you need to take, skip ahead to Checking your Marketing Platform’s DMARC Compliance.

What is DMARC?

Domain-based Message Authentication, Reporting & Conformance (DMARC) is a protocol that provides three unique mechanisms to protect email domains.

  1. DMARC combines the authorization and authentication results of two other protocols, SPF and DKIM, to determine whether email sent from your domain is authentic.
  2. DMARC publishes a public policy instructing recipient servers how to respond if they receive email from your domain that was determined to be inauthentic.
  3. DMARC provides reporting mechanisms for domain owners to monitor, assess, and confirm that mail being sent from their domain is legitimate.

If you are sending email from the @tamu.edu domain or subdomain from off-campus services, it is up to you to ensure that your email has been properly authenticated with these protocols.
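The following is an added example, not code from this article or from Texas A&M Technology Services. It shows how a receiving server combines the SPF and DKIM results with the DMARC policy described above: a message passes when either SPF or DKIM passed with an identifier aligned to the From header domain, and otherwise the record's p= (or sp= for subdomains) disposition applies. The policy record, domains and authentication results are constructed placeholders; the real tamu.edu DMARC record is not reproduced.

```python
"""Evaluate a message against a DMARC policy the way a receiving mail server does.

Added example: not code from the article or from Texas A&M Technology Services.
The policy record, domains and authentication results are constructed.
"""
from email.utils import parseaddr


def parse_tags(record: str) -> dict:
    """Split a 'tag=value; tag=value' DNS record into a dict of lower-cased tags."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def org_domain(domain: str) -> str:
    """Organizational domain, approximated as the last two labels.

    Receivers use the Public Suffix List for this; the approximation is exact
    for tamu.edu and its subdomains (news.tamu.edu -> tamu.edu).
    """
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """DMARC identifier alignment: strict ('s') needs an exact match,
    relaxed ('r', the default) only needs the same organizational domain."""
    if not auth_domain:
        return False
    auth_domain, from_domain = auth_domain.lower(), from_domain.lower()
    if mode == "s":
        return auth_domain == from_domain
    return org_domain(auth_domain) == org_domain(from_domain)


def evaluate_dmarc(dmarc_record: str, from_header: str,
                   spf_result: str, spf_domain: str,
                   dkim_result: str, dkim_domain: str) -> tuple:
    """Return (verdict, disposition).

    verdict is 'pass' when SPF or DKIM passed with an aligned identifier;
    otherwise 'fail', and disposition is the action the policy requests
    (p=, or sp= for mail from a subdomain). pct= sampling is ignored here.
    """
    policy = parse_tags(dmarc_record)
    from_domain = parseaddr(from_header)[1].rsplit("@", 1)[-1].lower()

    spf_ok = spf_result == "pass" and aligned(spf_domain, from_domain, policy.get("aspf", "r"))
    dkim_ok = dkim_result == "pass" and aligned(dkim_domain, from_domain, policy.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return "pass", "none"

    disposition = policy.get("p", "none")
    if from_domain != org_domain(from_domain) and "sp" in policy:
        disposition = policy["sp"]
    return "fail", disposition


# Constructed policy: quarantine failures, strict DKIM alignment, relaxed SPF.
POLICY = "v=DMARC1; p=quarantine; adkim=s; aspf=r; rua=mailto:dmarc-reports@example.invalid"

if __name__ == "__main__":
    # Typical marketing platform: DKIM signed with d=tamu.edu, SPF passes only for
    # the vendor's own bounce domain. Aligned DKIM alone is enough to pass DMARC.
    print(evaluate_dmarc(POLICY, "Aggie News <news@tamu.edu>",
                         "pass", "bounce.mailvendor.example", "pass", "tamu.edu"))
    # Same platform without DKIM: SPF passes but is not aligned, so DMARC fails.
    print(evaluate_dmarc(POLICY, "news@tamu.edu",
                         "pass", "bounce.mailvendor.example", "none", ""))
```

The second case is the one the rest of this article is about: a vendor whose SPF passes for its own bounce domain still fails DMARC for tamu.edu mail until DKIM is signed with d=tamu.edu.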

What is SPF?

Sender Policy Framework (SPF) is a method of email authorization used to specify which servers are permitted to send on behalf of a domain. SPF helps prevent spoofing, where an email is made to appear as if it came from an organization when, in reality, it did not. SPF operates on the email envelope, not the body or message header.

SPF has a limitation on the number of networks that are permitted to send on behalf of a domain. Because Texas A&M University is such a large, diverse organization, we focus primarily on DKIM compliance.

See Sender Policy Framework for more details.
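The limitation mentioned above is, in the protocol, a cap on DNS lookups: RFC 7208 allows an SPF evaluation at most 10 lookup-causing terms (include, a, mx, ptr, exists and redirect), counted across every included record. The following added example, which is not code from this article or from Texas A&M, counts those lookups for a record and the records it includes. The zone table stands in for live DNS so it runs offline; every domain and record in it is constructed, not the real tamu.edu SPF record or any vendor's.

```python
"""Count the DNS lookups an SPF record requires (RFC 7208 allows at most 10).

Added example: not code from the article or from Texas A&M. The records below
are constructed; they are not the live tamu.edu SPF record or any vendor's.
"""

LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists"}
MAX_LOOKUPS = 10  # RFC 7208 section 4.6.4; ip4, ip6 and all cost nothing


def spf_lookup_terms(record: str) -> list:
    """Return the terms of an SPF record that each cost one DNS lookup."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record: %r" % record)
    costly = []
    for term in terms[1:]:
        bare = term.lstrip("+-~?").lower()             # drop the qualifier
        if bare.startswith("redirect="):
            costly.append(bare)
            continue
        name = bare.split(":", 1)[0].split("/", 1)[0]  # 'a:host/24' -> 'a'
        if name in LOOKUP_MECHANISMS:
            costly.append(bare)
    return costly


def spf_lookup_count(record: str, zone: dict, seen=None) -> int:
    """Total lookups for a record plus everything it includes or redirects to.

    `zone` maps a domain name to its SPF record and stands in for live DNS so
    the example runs offline; a referenced domain missing from it still costs
    its own lookup. `seen` stops include loops from recursing forever.
    """
    seen = set() if seen is None else seen
    total = 0
    for term in spf_lookup_terms(record):
        total += 1
        target = None
        if term.startswith("include:"):
            target = term[len("include:"):]
        elif term.startswith("redirect="):
            target = term[len("redirect="):]
        if target and target in zone and target not in seen:
            seen.add(target)
            total += spf_lookup_count(zone[target], zone, seen)
    return total


def within_spf_limit(record: str, zone: dict) -> bool:
    """True when the record and its includes fit in the RFC 7208 budget."""
    return spf_lookup_count(record, zone) <= MAX_LOOKUPS


# Constructed zone: a root record that delegates to two vendors, one of which
# nests further includes. Only the lookups are counted, not the IP ranges.
ZONE = {
    "example.invalid": "v=spf1 mx include:_spf.vendor-a.example include:_spf.vendor-b.example ip4:192.0.2.0/24 -all",
    "_spf.vendor-a.example": "v=spf1 include:a1.vendor-a.example include:a2.vendor-a.example ~all",
    "a1.vendor-a.example": "v=spf1 ip4:198.51.100.0/24 -all",
    "a2.vendor-a.example": "v=spf1 a mx -all",
    "_spf.vendor-b.example": "v=spf1 ip4:203.0.113.0/24 -all",
}

if __name__ == "__main__":
    root = ZONE["example.invalid"]
    print(spf_lookup_count(root, ZONE), "lookups; within limit:", within_spf_limit(root, ZONE))
```

Two vendors already cost seven of the ten lookups in this constructed zone, which is why a large organization with many third-party senders cannot rely on SPF alone and this article steers units toward DKIM.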

What is DKIM?

DomainKeys Identified Mail (DKIM) is a method of email authentication used to ensure that messages have not been altered in transit, and that the message header sender (the sender displayed to the recipient in their mail client) is authorized to send email on behalf of a domain.

DKIM is implemented with DNS records, additional email headers, and cryptographic signing techniques. While the protocol may be very complicated, almost every modern email service in the world provides an easy mechanism to get you set up.
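The following added example, which is not code from this article or from Texas A&M, shows the integrity half of DKIM that "not altered in transit" refers to: the signer canonicalizes the message body, hashes it, and publishes the hash in the bh= tag of the DKIM-Signature header; the receiver recomputes the hash from the body it received and compares. Signing the headers with the domain's private key (the b= tag) needs a crypto library and is left out. The message body and header are constructed, and selector1 is a placeholder selector name.

```python
"""Compute and verify a DKIM body hash (the bh= tag) using only the standard library.

Added example: not code from the article or from Texas A&M. The body and the
DKIM-Signature header below are constructed; the b= signature is omitted.
"""
import base64
import hashlib
import hmac
import re


def canonicalize_body(body: str, mode: str = "relaxed") -> bytes:
    """Body canonicalization from RFC 6376 section 3.4.

    relaxed: collapse runs of spaces/tabs to one space and strip trailing
    whitespace on every line. Both modes then drop trailing empty lines and
    end a non-empty body with CRLF.
    """
    if mode not in ("simple", "relaxed"):
        raise ValueError("unknown canonicalization: %s" % mode)
    lines = body.replace("\r\n", "\n").split("\n")
    if mode == "relaxed":
        lines = [re.sub(r"[ \t]+", " ", line).rstrip(" \t") for line in lines]
    while lines and lines[-1] == "":
        lines.pop()
    if not lines:
        return b"" if mode == "relaxed" else b"\r\n"
    return ("\r\n".join(lines) + "\r\n").encode("utf-8")


def body_hash(body: str, mode: str = "relaxed") -> str:
    """Base64 SHA-256 of the canonicalized body, the value placed in bh=."""
    digest = hashlib.sha256(canonicalize_body(body, mode)).digest()
    return base64.b64encode(digest).decode("ascii")


def body_mode_from_signature(dkim_signature: str) -> str:
    """Read the body canonicalization from the c= tag (header/body form)."""
    match = re.search(r"\bc=([^;\s]+)", dkim_signature)
    if not match:
        return "simple"                      # RFC 6376 default
    parts = match.group(1).split("/", 1)
    return parts[1] if len(parts) == 2 else "simple"


def body_unaltered(dkim_signature: str, body: str) -> bool:
    """Recompute bh= from the received body and compare in constant time."""
    match = re.search(r"\bbh=([^;\s]+)", dkim_signature)
    if not match:
        return False
    expected = match.group(1)
    actual = body_hash(body, body_mode_from_signature(dkim_signature))
    return hmac.compare_digest(expected, actual)


# Constructed message body, as a marketing platform might send it.
BODY = "Howdy!\r\n\r\nRegistration for the event opens   Monday.\r\n\r\n\r\n"

# A signing platform computes bh= like this and places it in the header;
# selector1 is a placeholder selector, and b= would hold the RSA signature.
SIGNATURE = ("v=1; a=rsa-sha256; c=relaxed/relaxed; d=tamu.edu; s=selector1; "
             "h=from:to:subject:date; bh=%s; b=<signature-omitted>" % body_hash(BODY))

if __name__ == "__main__":
    print("original body verifies:", body_unaltered(SIGNATURE, BODY))
    tampered = BODY.replace("Monday", "Friday")
    print("tampered body verifies:", body_unaltered(SIGNATURE, tampered))
```

Relaxed canonicalization is what lets a message survive the whitespace changes that relays commonly make (line-ending conversion, trailing blank lines) while still failing on any change to the actual text.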

Checking your Marketing Platform’s DMARC Compliance

Technology Services provides an automated tool that you can use to check your platform’s compliance with DMARC. 

https://dmarc-check.itsec.tamu.edu 

After navigating to this site, you will be presented with a unique email address in the form of:

##########@dmarc.itsec.tamu.edu

This is a one-time-use address to which you can send an email from your marketing platform to check DMARC compliance. Simply create a test campaign with this address as a recipient, and send a message. Be patient!

Marketing services may queue mail for several minutes. If you navigate away from this page before the email is received, you will need to start over.

Once received, the tool will attempt to automatically evaluate your message for compliance and display the results on the screen. Should any action be required to become compliant, you will be presented with a list of resources that you can reference.

If the tool reports a DKIM failure, you can follow the steps below for your specific platform to enable DKIM. If your platform is not listed below and our generic guidelines do not apply, please contact security@tamu.edu for assistance.

Note: This tool is only useful for email sent from an @tamu.edu domain or subdomain.

DKIM Setup for Marketing Platforms

DKIM is widely supported by marketing platforms such as MailChimp and Constant Contact. The process of enabling DKIM varies for each platform, but we have included instructions for some of the most common ones below. 

Mailchimp

The majority of messages sent from third parties on behalf of tamu.edu originate from Mailchimp. We've made it easy to configure DKIM on this platform.

Simply navigate to https://admin.mailchimp.com/account/domains/ and click "Start Authentication" next to the verified tamu.edu custom email domain.

If tamu.edu is not listed under Custom Email Domain and https://dmarc-check.itsec.tamu.edu reported a DKIM failure, please reach out to security@tamu.edu for assistance.

Constant Contact

Enabling DKIM in Constant Contact requires the addition of TXT records into tamu.edu DNS. Follow the instructions below to retrieve the required records, then send them in an email to security@tamu.edu for processing.

Note: Failure to complete this entire process may result in a failure to deliver mail. The record creation by our team may take up to two working days. Please wait until a break in campaigns to initiate.

  1. Go to https://app.constantcontact.com/pages/myaccount/settings/adv
  2. Under “Self-authenticate your email address”,  select Add self-authentication
  3. Select Self-authenticate using a DKIM TXT record
  4. Click Continue
  5. Under Choose a domain to use for self-authentication,  select your domain (from your verified email address)
  6. Click Continue
  7. Click Generate Key
  8. Copy the values from the three Domain Host name and TXT record fields.
  9. Paste them in an email to security@tamu.edu.  Include the email address you will be using to send messages, and a general purpose for the account or service.
  10. Click Ok

After receiving the values, our team will create the required DNS records and ask that you run another test on https://dmarc-check.itsec.tamu.edu

Amazon Simple Email Service (SES)

Please see the following link for Amazon SES DKIM Setup:

https://docs.aws.amazon.com/ses/latest/DeveloperGuide/verify-domain-procedure.html

Salesforce

Enabling DKIM in Salesforce requires the addition of CNAME records into tamu.edu DNS. Follow the instructions below to retrieve the required records, then send them in an email to security@tamu.edu for processing.

Note: Failure to complete this entire process may result in a failure to deliver mail. The record creation by our team may take up to two working days. Please wait until a break in campaigns to initiate.

  1. Go to the Salesforce Setup menu and type in DKIM in the quick find
  2. Click DKIM Keys
  3. Click Create New Key
  4. Enter 1024 for the key size
  5. For the selector, enter a short service name followed by -salesforce (e.g., dit-salesforce, where dit stands for Division of IT)
  6. For the alternate selector, enter the same short service name followed by -salesforce-alt (e.g., dit-salesforce-alt)
  7. Enter tamu.edu for the domain
  8. Select Exact domain only for domain match
  9. Click Save
  10. Wait a few moments and then refresh the page. There should now be a table with CNAME records listed. 
  11. Copy the entire table and paste it into an email to security@tamu.edu.  Please include the email address you will be using to send messages, and a general purpose for the account or service. This will create an incident record in our ticketing system. You will receive notifications from this system as information is added to your record.

Technology Services will create the required DNS records after receiving the information from you. After we have confirmed that the records have been added to DNS, you will need to click activate in Salesforce on the same page as the table with the DKIM information. We ask that you then run another test on https://dmarc-check.itsec.tamu.edu.

SendGrid 

Enabling DKIM in SendGrid requires the addition of CNAME records into tamu.edu DNS. Follow the instructions below to retrieve the required records, then send them in an email to security@tamu.edu for processing.

Note: Failure to complete this entire process may result in a failure to deliver mail. The record creation by our team may take up to two working days. Please wait until a break in campaigns to initiate.

  1. Go to https://app.sendgrid.com/settings/sender_auth
  2. Under "Domain Authentication", select Get Started in the "Authenticate Your Domain" section
  3. Select I’m Not Sure for “Which Domain Name Server (DNS) host do you use?”
  4. Select No for “Would you also like to brand the links for this domain?”
  5. Click Next
  6. Enter tamu.edu in the “Domain You Send From” input field
  7. Click Advanced Setting and select only:
    1. Use automated security
    2. Use a custom DKIM selector
  8. In the DKIM Selector input box, enter three random characters
    1. These three characters must be unique at TAMU. Technology Services might need you to modify this later if your combination is already in place.
  9. Click Next 
  10. Copy the values from the three Host and Value fields and paste them in an email to security@tamu.edu. Please include the email address you will be using to send messages, and a general purpose for the account or service. This will create an incident record in our ticketing system. You will receive notifications from this system as information is added to your record.

Technology Services will create the required DNS records after receiving the information from you. After we have confirmed that the records have been added to DNS, you will need to return to the SendGrid interface, select I've added these user records and then click Verify. We ask that you then run another test on https://dmarc-check.itsec.tamu.edu.

Generic DKIM Setup Guide

For marketing mail service vendors not listed above, check their documentation for the terms "DKIM" or "Email Authentication." Most platforms support DKIM. If you are unable to locate any resources, you will need to reach out to your vendor’s technical support for details. 

The general steps to enable DKIM are as follows:

  1. Provide your vendor with our domain (tamu.edu)
  2. The vendor will generate a single or set of DKIM keys and TXT (or CNAME) records
  3. You will forward the details of the generated records to security@tamu.edu. Include the email address you will be using to send messages, and a general purpose for the account or service.
  4. Technology Services will create the required DNS records and work with you to ensure that DKIM is properly configured.

DMARC Compliance for WordPress

Becoming DMARC compliant with WordPress requires a shared NetID account and password, as well as authorization to send email via authenticated SMTP. Send an email to security@tamu.edu that includes the email address you will be using to send messages and the general purpose of the WordPress instance. Once our team has authorized your shared NetID to use authenticated SMTP, we'll ask you to follow the instructions below:

  1. Install and activate the WP Mail SMTP plugin.
  2. Configure the WP Mail SMTP plugin to use “Other SMTP” with the following settings:
    • SMTP Host: relay.tamu.edu
    • Encryption: TLS
    • SMTP Port: 587
    • Authentication: ON
    • SMTP Username: [your_shared_netid]@tamu.edu
    • SMTP Password: [enter shared netid password]

Once your WP Mail SMTP plugin is configured, we’ll ask you to run another test on https://dmarc-check.itsec.tamu.edu.

Sending to External Recipients from Boutique Addresses

Many email service providers have increased their enforcement of mail security standards in order to reduce the amount of fraudulent mail. This can create deliverability issues for many tamu.edu subdomains. Becoming DMARC compliant by implementing DKIM can help reduce these deliverability issues.

If you send mail using a boutique email domain (including subdomains of tamu.edu) and are experiencing delivery problems, please send an email to security@tamu.edu. This will create an incident record in our ticketing system. You will receive notifications from this system as information is added to your record.

Details

Article ID: 451
Created
Thu 5/2/24 10:59 AM
Modified
Thu 10/3/24 12:25 PM

Related Services / Offerings

The "Email Support" service offering allows for requests involving Email Relays or Email Inbox Creation, as well as incidents to be opened on Email issues.