Outbound Email Security Guidelines (DMARC)
Emails are one of the most common mediums of business communication and bad actors continually look for opportunities to gain access to organisational as well as personal data by using scam emails to impersonate legitimate organisations.
As part of an ongoing effort to combat phishing scams and increase email security, the UWA University IT Team is implementing the Domain-based Message Authentication, Reporting & Conformance (DMARC) protocol. DMARC gives the University visibility of, and a published handling policy for, every mass mailing system, hosted vendor application and mail server that sends email on behalf of UWA domains (e.g. uwa.edu.au).
These improvements help to further protect the authenticity of the UWA brand by tackling email impersonation and spoofing attacks.
1. Who is this Guideline relevant to?
The Outbound Email Security Guideline (DMARC) is applicable to all University managed and/or hosted systems and applications and should be followed by respective Business and Technical System Owners who own or manage systems and applications that send email.
This guideline is based on best practice and standards published by the Australian Cyber Security Centre (ACSC) and supports implementation of the UWA Cyber Security Policy.
2. What is DMARC?
DMARC is an email authentication, policy, and reporting protocol. It works in two ways:
- It detects email that fails authentication for a UWA domain and publishes a policy telling receiving mail servers how to handle it. For example, the email may be put into the Junk folder, and the receiver reports the failure back to UWA.
- It identifies legitimate senders, either emails sent by UWA systems or by UWA approved/verified email services, by checking that the authenticated sending domain matches (is "aligned" with) the domain in the visible From: address.
DMARC uses the following two technologies to verify emails:
- Sender Policy Framework (SPF) - A protocol in which a domain publishes, in DNS, the locations (IP addresses and mail systems) that are authorised to send email using that domain as the SMTP MailFrom (envelope sender) address.
- DomainKeys Identified Mail (DKIM) - A protocol in which the sending system adds a digital signature over selected email headers and the message body. Recipients' servers verify the signature against a public key published in the signing domain's DNS. A valid signature shows that the signed parts of the message were not altered in transit and that the signing domain took responsibility for it.
3. What do you need to do?
Individual UWA Email Users
Individual UWA O365 email users do not need to do anything. You can continue to use your UWA email as you normally would.
UWA System Owners
If you are an owner or manage a system or application that sends mass email on behalf of UWA, you will need to follow the below guidelines.
- University IT should be engaged, via an IT Initiative Request or via IT Business Partners, for guidance on setup requirements, including approvals, of any systems that send email on behalf of any University owned or managed domains or sub-domains. Failure to engage University IT when configuring systems to send email may result in emails not being delivered to recipients.
- University emails should only be sent from authorised and/or valid UWA owned or managed domains that have been approved by BMR and authorised by University IT.
- The UWA root domain (@uwa.edu.au) should only be used by a system or applications where prior approval has been provided by BMR and University IT.
- Both SPF and DKIM records should be gathered from the email service and applied to the applicable Domain Name System (DNS) record/s where available. If both records are not available, or cannot be configured in line with this Guideline, then one of these records is acceptable, with approval from University IT.
- Under no circumstance may an email service sending outbound email from a UWA owned or managed domain have neither an SPF nor a DKIM record.
- The domain name used in the email header ‘From:’ and SMTP MailFrom addresses should match unless approved by University IT.
SPF protocol guidelines:
- The SPF record is to be configured with a hard fail "-all" so that email sent from any location other than those approved does not pass SPF (and, unless it carries an aligned DKIM signature, does not pass DMARC either). A soft fail "~all" or neutral "?all" is not acceptable.
- Where the email service publishes a domain name for use in an 'include:' mechanism of the SPF record, this should be used in preference to listing individual IP addresses, unless a valid reason is determined by the team responsible for maintaining the DNS record.
- The SPF protocol limits a record to 10 DNS lookups in total, counting every 'include:', 'a', 'mx', 'ptr' and 'exists' mechanism and 'redirect=' modifier, including those inside nested includes. Receivers treat a record that exceeds the limit as a permanent error, so SPF fails for all senders. The team responsible for maintaining the DNS record will advise where a new email service would breach the limit and agree with relevant parties on actions to address this.
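The following is an added example, not code from the original page or from University IT. It checks the two SPF rules above offline against a small constructed map of domain names to SPF records (the stand-in for DNS; the domains and records in it are invented for the example): it confirms the record ends in "-all", and it counts DNS-querying mechanisms recursively through nested include: targets, the way a receiver's SPF evaluator does, to show how a record that looks small can exceed the 10-lookup limit.

```python
# Constructed stand-in for DNS: domain -> SPF TXT record. These records and
# domain names are invented for the example; they are not UWA's real DNS data.
FAKE_DNS = {
    "example.edu": "v=spf1 mx include:_spf.mailer-a.example include:_spf.mailer-b.example -all",
    "_spf.mailer-a.example": "v=spf1 ip4:192.0.2.0/24 include:_spf.mailer-a-sub1.example include:_spf.mailer-a-sub2.example ~all",
    "_spf.mailer-a-sub1.example": "v=spf1 ip4:198.51.100.0/24 a -all",
    "_spf.mailer-a-sub2.example": "v=spf1 ip6:2001:db8::/32 mx -all",
    "_spf.mailer-b.example": "v=spf1 include:_spf.mailer-b-sub.example exists:%{i}._spf.mailer-b.example -all",
    "_spf.mailer-b-sub.example": "v=spf1 a mx ptr -all",
    "softfail.example": "v=spf1 ip4:203.0.113.0/24 ~all",
}

LOOKUP_LIMIT = 10
# Mechanisms that cost a DNS lookup (RFC 7208 section 4.6.4); the redirect=
# modifier also costs one and is handled separately below.
LOOKUP_MECHS = {"include", "a", "mx", "ptr", "exists"}


def spf_terms(record):
    """Split an SPF record into its terms, dropping the v=spf1 version tag."""
    parts = record.split()
    if not parts or parts[0].lower() != "v=spf1":
        raise ValueError("not an SPF record: %r" % record)
    return parts[1:]


def count_lookups(domain, dns, seen=None):
    """Count DNS-querying terms reachable from domain's SPF record, following
    include: and redirect= recursively as a receiver's evaluator would.
    The 'seen' set only guards against include loops; a target that is
    missing from the (fake) DNS still costs the lookup that tried to fetch it."""
    seen = set() if seen is None else seen
    if domain in seen or domain not in dns:
        return 0
    seen.add(domain)
    total = 0
    for term in spf_terms(dns[domain]):
        term = term.lstrip("+-~?")          # drop the qualifier, if any
        name, _, arg = term.partition(":")
        if "=" in name:                      # modifier such as redirect=other.example
            mod, _, arg = name.partition("=")
            if mod.lower() == "redirect":
                total += 1 + count_lookups(arg, dns, seen)
            continue
        name = name.split("/")[0].lower()    # strip a CIDR suffix such as a/24
        if name in LOOKUP_MECHS:
            total += 1
            if name == "include":
                total += count_lookups(arg, dns, seen)
    return total


def all_qualifier(record):
    """Return the qualifier on the 'all' mechanism ('-', '~', '?' or '+'),
    or None if the record has no 'all' term."""
    for term in spf_terms(record):
        if term.lstrip("+-~?").lower() == "all":
            return term[0] if term[0] in "+-~?" else "+"
    return None


def lint_spf(domain, dns):
    """Apply the two guideline rules: hard fail and the 10-lookup limit.
    Returns (lookup_count, list_of_findings); an empty list means compliant."""
    findings = []
    q = all_qualifier(dns[domain])
    if q != "-":
        findings.append("terminal mechanism is %s, expected '-all'"
                        % ("'%sall'" % q if q else "missing"))
    n = count_lookups(domain, dns)
    if n > LOOKUP_LIMIT:
        findings.append("%d DNS lookups exceed the limit of %d; receivers "
                        "return permerror and SPF fails for every sender" % (n, LOOKUP_LIMIT))
    return n, findings


if __name__ == "__main__":
    for d in ("example.edu", "softfail.example"):
        n, findings = lint_spf(d, FAKE_DNS)
        print("%s: %d lookups, findings: %s" % (d, n, findings or "none"))
```

Against the constructed data, example.edu itself lists only three lookup-costing terms, but the two vendor includes pull in a further nine, for 12 in total, so the record would fail with a permanent error at receivers even though its own terminal mechanism is a correct "-all". Against real DNS, replace FAKE_DNS with a resolver that fetches each domain's TXT record.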
DKIM protocol guidelines:
- The domain name used in the email header ‘From:’ and DKIM ‘d=’ record should match unless approved by University IT.
DMARC protocol guidelines:
- A DMARC record is required for all UWA email domains. This can be achieved through inheritance of the uwa.edu.au domain policy or a specific record for the subdomain as required.
- DMARC records may be published on a subdomain-by-subdomain basis where a different policy is required e.g. to allow monitoring, accommodating testing for a new domain or subdomain.
- Once a domain or subdomain has progressed from monitoring/testing, the DMARC record must, at a minimum, be configured to quarantine emails that do not pass DMARC (p=quarantine), with p=reject preferred where the sending systems have been confirmed.
- The DMARC record at the root domain must publish the addresses that both aggregate (rua) and forensic (ruf) reports are to be sent to. The mailbox receiving these reports must be accessible by the required support staff.
- DMARC reports should be retained for a minimum period of 6 months to support incident investigations.
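The following is an added example, not code from the original page or from University IT. It shows what the alignment rules in the sending, DKIM and DMARC guidelines above mean in practice: a DMARC record is parsed and linted against the minimum policy and reporting requirements, and constructed sample messages are evaluated the way a receiver would, so that an unaligned SMTP MailFrom or DKIM d= domain fails DMARC even though its own SPF and DKIM checks pass. The domain names, records and messages are invented for the example, and the tiny public-suffix table used for relaxed alignment is a stand-in for the Public Suffix List that real evaluators consult.

```python
# Constructed DMARC records for an invented root domain and a subdomain still
# in monitoring mode. The mailto: addresses are placeholders, not UWA's.
ROOT_RECORD = ("v=DMARC1; p=quarantine; adkim=r; aspf=r; "
               "rua=mailto:dmarc-rua@example.edu; ruf=mailto:dmarc-ruf@example.edu")
MONITOR_RECORD = "v=DMARC1; p=none; rua=mailto:dmarc-rua@example.edu"

# Assumption for the example: a minimal suffix table standing in for the
# Public Suffix List, enough to derive the organisational domain.
PUBLIC_SUFFIXES = ("edu.au", "com.au", "edu", "com", "net", "org")


def org_domain(domain):
    """Organisational domain used by relaxed alignment, e.g.
    news.example.edu -> example.edu, sub.uwa.edu.au -> uwa.edu.au."""
    labels = domain.lower().rstrip(".").split(".")
    for n in (2, 1):                         # try the longer suffix first
        if ".".join(labels[-n:]) in PUBLIC_SUFFIXES and len(labels) > n:
            return ".".join(labels[-(n + 1):])
    return ".".join(labels[-2:])


def aligned(from_domain, auth_domain, mode):
    """DMARC identifier alignment: strict ('s') needs an exact match, relaxed
    ('r') only needs the same organisational domain."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


def parse_dmarc(record):
    """Parse a DMARC TXT record into a dict of tag -> value."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.strip().split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record: %r" % record)
    return tags


def lint_dmarc_record(record):
    """Check a production record against the guideline: p must be at least
    quarantine, and both rua and ruf must be published."""
    tags = parse_dmarc(record)
    findings = []
    if tags.get("p") not in ("quarantine", "reject"):
        findings.append("p=%s: production domains need quarantine or reject"
                        % tags.get("p", "<missing>"))
    for tag in ("rua", "ruf"):
        if tag not in tags:
            findings.append("%s missing: those reports will never arrive" % tag)
    return findings


def dmarc_result(msg, policy):
    """Evaluate one message as a receiver would. msg carries the From: domain,
    the SMTP MailFrom domain and SPF result, and the DKIM d= domain and result.
    Returns (passed, disposition) where disposition is the policy's p= value
    on failure and 'deliver' on pass."""
    spf_ok = (msg["spf"] == "pass"
              and aligned(msg["from"], msg["mail_from"], policy.get("aspf", "r")))
    dkim_ok = (msg["dkim"] == "pass" and msg.get("dkim_d") is not None
               and aligned(msg["from"], msg["dkim_d"], policy.get("adkim", "r")))
    if spf_ok or dkim_ok:
        return True, "deliver"
    return False, policy.get("p", "none")


# Constructed sample messages.
MSG_OK = {"from": "example.edu", "mail_from": "bounce.example.edu", "spf": "pass",
          "dkim_d": "example.edu", "dkim": "pass"}          # approved, aligned sender
MSG_SPOOF = {"from": "example.edu", "mail_from": "attacker.example", "spf": "pass",
             "dkim_d": "attacker.example", "dkim": "pass"}  # SPF/DKIM pass for the wrong domain
MSG_VENDOR = {"from": "example.edu", "mail_from": "vendor.example", "spf": "pass",
              "dkim_d": None, "dkim": "none"}               # vendor set up without alignment

if __name__ == "__main__":
    print("root record findings:", lint_dmarc_record(ROOT_RECORD) or "none")
    print("monitor record findings:", lint_dmarc_record(MONITOR_RECORD))
    policy = parse_dmarc(ROOT_RECORD)
    for name, msg in (("ok", MSG_OK), ("spoof", MSG_SPOOF), ("vendor", MSG_VENDOR)):
        print(name, dmarc_result(msg, policy))
```

MSG_SPOOF passes SPF and DKIM for attacker.example, yet fails DMARC because neither authenticated domain aligns with the From: domain; under the root record it is quarantined, while under the p=none monitoring record it is delivered and only reported. MSG_VENDOR is the case the sending guidelines are written to prevent: a vendor whose MailFrom is its own domain and which signs nothing on the University's behalf will have its mail quarantined once the policy leaves monitoring.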
4. Questions
If you have any questions relating to this Guideline or the Cyber Security Policy, please contact the University IT Service Desk on ext. 1234 (+61 8 6488 1234) or email [email protected]
5. Additional Resources
Australian Cyber Security Centre Guidance