Please see our Email Service Configuration page for more information on third-party email service configuration and consultation requests.

Achieving email authenticity is part of an ongoing effort to protect users from spam, phishing, as well as improve the reputation of email sent from UWM.

University email administrators have deployed the Domain-based Message Authentication, Reporting & Conformance (DMARC) framework to provide email service owners with stronger control to prevent illegitimate use of UWM email addresses and ensure message delivery to recipients. Messages are “DMARC aligned” if they pass SPF (Sender Policy Framework) or DKIM (DomainKeys Identified Mail) checks, and the domain in the From Header matches the results of SPF/DKIM. The email address in the From Header is what recipients see.

DMARC allows email providers to verify that email was sent from a valid UWM address and not from phishers, spammers, or other unverified sources.

Sender Policy Framework (SPF) is used to authenticate the sender of an email. An SPF record is published in a domain’s DNS record. The record is a list of all the IP addresses or domains that are allowed to send email on behalf of the domain. With an SPF record in place, ISPs can verify that a mail server is authorized to send email for a specific domain. If a domain publishes an SPF record, spammers and phishers are less likely to forge emails pretending to be from that domain, because the forged emails are more likely to be caught in spam filters which check the SPF record.

DomainKeys Identified Mail (DKIM) is an open standard for email authentication that is used for the authentication of an email that is being sent. A DKIM record is added to the DNS record of the sending domain and will contain a public key that is used by receiving mail servers to verify a message’s signature. The key is often provided by the organization that is sending the email, for example, Office 365 or Emma. DKIM gives emails a signature header that is added to the email and secured with encryption. Each DKIM signature contains all the information needed for an email server to verify that the signature is real, and it is encrypted by a pair of DKIM keys. These signatures travel with the emails and are verified along the way by the email servers that move the emails toward their final destination. When an inbound mail server receives a message, it will detect the DKIM signature and look up the sender’s public DKIM key in DNS. If the key is found, it can be used to decrypt the DKIM signature. This is then compared to the values retrieved from the received mail and if they match, the DKIM is valid.

Alignment refers to the relationship between the domain in the From Header address of a message and the domains associated with SPF and DKIM authentication checks. Alignment requires that these domains match and only emails that are aligned can pass DMARC. It’s important to understand that neither SPF or DKIM, on their own, have anything to do with a message’s From address, which is what people typically see on an email. This is why phishing and spoofing run rampant today; there are very few controls that prohibit bad actors from sending an email as you. The primary control to observe and restrict email domain usage is DMARC. Alignment is at the heart of DMARC and it is what makes the connection between the authentication mechanisms of SPF and DKIM and the enforcement policy for unauthenticated mail as dictated in the DMARC record.