Email Authenticity

Please see our Email Service Configuration page for more information on third-party email service configuration and consultation requests.

Achieving email authenticity is part of an ongoing effort to protect users from spam and phishing and to improve the reputation of email sent from UWM.

University email administrators have deployed the Domain-based Message Authentication, Reporting & Conformance (DMARC) framework to give email service owners stronger control over illegitimate use of UWM email addresses and to ensure message delivery to recipients. Messages are “DMARC aligned” if they pass SPF (Sender Policy Framework) or DKIM (DomainKeys Identified Mail) checks, and the domain in the From Header matches the domain that SPF or DKIM authenticated. The email address in the From Header is what recipients see.

DMARC allows email providers to verify that email was sent from a valid UWM address and not from phishers, spammers, or other unverified sources.

  • Security: DMARC helps the email community establish a consistent policy for dealing with messages that fail to authenticate. This helps the email ecosystem as a whole become more secure and trustworthy.
  • Visibility: DMARC reports increase visibility into your email services by letting you know who is sending email from your domains.
  • Deliverability: The indirect results of implementing a good DMARC record have a positive effect on deliverability. Having valid SPF and DKIM authentication in place, with the identifiers aligned (the underpinning of DMARC), helps your emails reach inboxes. It is quite common for senders that lack SPF, DKIM, or both to have their emails throttled or not delivered at all.
  • Reputation: Publishing a DMARC record protects the UWM brand by preventing unauthenticated parties from sending mail from UWM domains. In some cases, simply publishing a DMARC record can result in a positive reputation bump.

What is SPF?

Sender Policy Framework (SPF) is used to authenticate the sender of an email. An SPF record is published in a domain’s DNS record. The record is a list of all the IP addresses or domains that are allowed to send email on behalf of the domain. With an SPF record in place, ISPs can verify that a mail server is authorized to send email for a specific domain. If a domain publishes an SPF record, spammers and phishers are less likely to forge emails pretending to be from that domain, because the forged emails are more likely to be caught in spam filters which check the SPF record.

What is DKIM?

DomainKeys Identified Mail (DKIM) is an open standard for authenticating email as it is sent. A DKIM record is added to the DNS of the sending domain and contains a public key that receiving mail servers use to verify a message’s signature. The key is often provided by the organization that is sending the email, for example, Office 365 or Emma. DKIM adds a signature header to each email. The signature is a cryptographic (digital) signature created with the private key of a DKIM key pair; the message itself is not encrypted. Each DKIM signature contains all the information needed for an email server to verify that the signature is real. These signatures travel with the emails and are verified along the way by the email servers that move the emails toward their final destination. When an inbound mail server receives a message, it detects the DKIM signature and looks up the sender’s public DKIM key in DNS. If the key is found, it is used to check the signature against the values computed from the received mail, and if they match, the DKIM signature is valid.

What is DMARC alignment?

Alignment refers to the relationship between the domain in the From Header address of a message and the domains associated with SPF and DKIM authentication checks. Alignment requires that these domains match, and only emails that are aligned can pass DMARC. It’s important to understand that neither SPF nor DKIM, on its own, has anything to do with a message’s From address, which is what people typically see on an email. This is why phishing and spoofing run rampant today; there are very few controls that prohibit bad actors from sending an email as you. The primary control to observe and restrict email domain usage is DMARC. Alignment is at the heart of DMARC: it connects the authentication mechanisms of SPF and DKIM to the enforcement policy for unauthenticated mail dictated in the DMARC record.
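The alignment rule described above, as an added example (not code from UWM or any mail provider): it reads a message's From and Authentication-Results headers and reports which passing SPF or DKIM identifiers align with the From domain. It goes slightly beyond the page by separating DMARC's relaxed and strict alignment modes; the org_domain helper is a simplification, and the sample messages and the vendor.example, mailer.example, mx.example.net and lists.uwm.edu names are constructed.

```python
import re
from email import message_from_string
from email.utils import parseaddr

def org_domain(domain):
    # Assumption: the last two labels form the organizational domain.
    # Real receivers consult the Public Suffix List instead.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(auth_domain, from_domain, strict=False):
    if strict:  # strict mode: exact match only
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)  # relaxed

def dmarc_evaluate(raw_message, strict=False):
    """Return (passes, aligned_identifiers) for one received message."""
    msg = message_from_string(raw_message)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2]
    if not from_domain:
        return False, []
    results = " ".join(msg.get_all("Authentication-Results", []))
    hits = []
    # SPF authenticates the envelope sender (smtp.mailfrom), not the From header.
    for res, ident in re.findall(r"spf=(\w+)[^;]*?smtp\.mailfrom=([^\s;]+)", results):
        dom = ident.rpartition("@")[2]
        if res == "pass" and aligned(dom, from_domain, strict):
            hits.append("spf:" + dom)
    # DKIM authenticates the signing domain (header.d), not the From header.
    for res, dom in re.findall(r"dkim=(\w+)[^;]*?header\.d=([^\s;]+)", results):
        if res == "pass" and aligned(dom, from_domain, strict):
            hits.append("dkim:" + dom)
    return bool(hits), hits

def sample(from_addr, auth_results):
    # Constructed message; mx.example.net stands in for the receiving server.
    return (f"From: {from_addr}\nAuthentication-Results: mx.example.net; "
            f"{auth_results}\nSubject: test\n\nbody\n")

# Constructed inputs (not real mail): aligned vendor, unaligned sender, subdomain.
VENDOR = sample("news@uwm.edu",
                "spf=pass smtp.mailfrom=bounce@vendor.example; dkim=pass header.d=uwm.edu")
UNALIGNED = sample('"UWM Help Desk" <helpdesk@uwm.edu>',
                   "spf=pass smtp.mailfrom=bounce@mailer.example; dkim=pass header.d=mailer.example")
SUBDOMAIN = sample("alerts@lists.uwm.edu",
                   "spf=pass smtp.mailfrom=bounce@uwm.edu; dkim=none")

if __name__ == "__main__":
    for name, raw in (("vendor", VENDOR), ("unaligned", UNALIGNED), ("subdomain", SUBDOMAIN)):
        print(name, dmarc_evaluate(raw), dmarc_evaluate(raw, strict=True))
```

The UNALIGNED message passes both SPF and DKIM yet fails DMARC, because neither authenticated domain matches the From Header domain that recipients see.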

Approved, Verified, and Configured

  • Office 365 services
      • End-users sending outbound messages via Outlook
      • Office 365 Groups and Teams
  • pantherLIST
  • Emma
  • SMTP Relay
  • Other third-party services that are configured to work with DMARC and send using a subdomain

Unapproved, Unverified, and Not Configured

  • Third-party, vendor-provided email services that are not configured to work with DMARC controls
  • Non-UWM email accounts that send as a address
  • Third-party email scripts/servers that don’t send email using on-campus mail services