Pitt's DMARC Email Validation

Pitt Digital protects the pitt.edu email domain with DMARC Email Validation — an authentication standard that confirms a message claiming to come from a Pitt address actually originated from an authorized Pitt sender. Messages that fail DMARC validation are quarantined to keep spoofed phishing out of inboxes. This article explains how DMARC works at Pitt, why some legitimate messages can be quarantined, and what departmental email senders and individual users need to know.

How Pitt Uses DMARC

DMARC — Domain-based Message Authentication, Reporting, and Conformance — is an industry-standard email authentication method that lets a domain owner publish a policy stating which servers are authorized to send mail on its behalf, and what receiving systems should do with messages that fail authentication. Pitt's policy authorizes a defined set of sending services (Microsoft 365, registered third-party broadcast platforms, and a few specific infrastructure systems) and instructs receivers to quarantine anything else claiming to be from pitt.edu.

DMARC validation protects the University community in two complementary ways:

  • Other organizations enforce Pitt's DMARC policy. When an attacker spoofs a pitt.edu address to send phishing to a Gmail, UPMC, or external recipient, that organization's mail server checks Pitt's DMARC policy and rejects or quarantines the message. The spoofed phishing doesn't reach its target.
  • Pitt enforces other organizations' DMARC policies. When a message arrives at Pitt claiming to be from a domain that publishes a strict DMARC policy, Pitt's mail infrastructure verifies the message and quarantines it if validation fails. Spoofed messages impersonating banks, vendors, federal agencies, or other external senders do not land in inboxes.

What DMARC does not quarantine.
DMARC validation does not affect messages sent from one @pitt.edu address to another @pitt.edu address — those messages are signed and delivered normally inside Pitt's tenant. DMARC also does not quarantine Pitt mail that is forwarded outward to a third-party provider like Gmail or UPMC; the impact of that scenario is on the receiving side and is covered in Pitt Email and Calendar (Outlook).

When a Message Gets Quarantined for DMARC

If a message addressed to you fails DMARC validation, it is held in your personal quarantine in the Microsoft Defender portal. You will receive a periodic notification message in your Pitt inbox listing recently quarantined items, with options to review, release, or block the sender. The notification comes from quarantine@messaging.microsoft.com.

Figure: A quarantine notification email listing recently quarantined messages with action buttons for Review Message, Release, and Block sender.

To review your quarantine at any time without waiting for a notification, go directly to security.microsoft.com/quarantine or open the Spam and Virus Filtering launcher on myPitt. For the full procedure — release actions, what's restricted, and the safe-handling rules for released messages — see Managing Spam and Quarantine (Exchange Online Protection).

Read released messages with the same caution you'd give any external mail.
A DMARC failure is a strong signal that a message is not from who it claims to be. The most common cause of DMARC quarantine is phishing or impersonation, not a legitimate sender misconfiguring their mail server. Verify the sender through a known channel before acting on anything in a released message.

Why Legitimate Messages Can Be Quarantined

The vast majority of DMARC-quarantined messages are phishing or spoofing attempts. Legitimate messages are quarantined only when they fall into one of a few specific scenarios — almost always a misconfiguration on the sending side, not a Pitt error.

Mailing List (Listserv) Services Not Configured for DMARC

Some external mailing-list services rewrite the From address in ways that break DMARC alignment. Messages from those lists arriving at Pitt may be quarantined. The University's Mailman Mailing List service is configured to pass DMARC and is not affected.

If you receive list mail from an external service that is consistently quarantined, you can add the list's sending address to your personal Safe Senders list to bypass DMARC validation for that sender. See Microsoft's documentation on adding recipients to the Safe Senders list in Outlook.

Multi-Hop Forwarding

Mail forwarded through more than one provider before reaching Pitt can fail DMARC alignment because the message headers no longer match the original sender's domain. This scenario is uncommon but trips up users with appointments at multiple organizations.
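
As an added illustration (not Pitt's or Microsoft's code), the sketch below shows how a receiving server reaches a DMARC verdict for the mailing-list and forwarding cases described above. The domain example.edu, the DMARC record, and every sample message are constructed, and the two-label organizational-domain shortcut is an assumption.

```python
from dataclasses import dataclass

@dataclass
class Message:
    header_from: str   # domain in the visible From: header
    spf_result: str    # SPF verdict for the envelope (MAIL FROM) domain
    spf_domain: str    # domain SPF was evaluated against
    dkim_result: str   # DKIM signature verdict
    dkim_domain: str   # d= domain of the DKIM signature

def parse_policy(record):  # DMARC TXT record -> lowercase tag/value dict
    pairs = (p.split("=", 1) for p in record.split(";") if "=" in p)
    return {k.strip().lower(): v.strip().lower() for k, v in pairs}

def org_domain(domain):
    # Assumption: last two labels; real receivers use the Public Suffix List.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(auth_domain, from_domain, mode):
    if mode == "s":  # strict alignment: exact match; otherwise relaxed
        return auth_domain.lower() == from_domain.lower()
    return bool(auth_domain) and org_domain(auth_domain) == org_domain(from_domain)

def dmarc_disposition(msg, record):
    """Return 'deliver', 'quarantine' or 'reject' for one message."""
    policy = parse_policy(record)
    spf_ok = msg.spf_result == "pass" and aligned(
        msg.spf_domain, msg.header_from, policy.get("aspf", "r"))
    dkim_ok = msg.dkim_result == "pass" and aligned(
        msg.dkim_domain, msg.header_from, policy.get("adkim", "r"))
    if spf_ok or dkim_ok:  # one aligned pass is enough
        return "deliver"
    return policy["p"] if policy.get("p") in ("quarantine", "reject") else "deliver"

# Constructed record and messages; example.edu is a placeholder domain.
RECORD = "v=DMARC1; p=quarantine; adkim=r; aspf=r"
SCENARIOS = {
    "authorized_sender":   Message("example.edu", "pass", "example.edu", "pass", "example.edu"),
    "spoofed_from":        Message("example.edu", "pass", "mailer.example.net", "none", ""),
    "list_modified_body":  Message("example.edu", "pass", "lists.example.org", "fail", "example.edu"),
    "forward_dkim_intact": Message("example.edu", "fail", "example.edu", "pass", "example.edu"),
    "forward_dkim_broken": Message("example.edu", "fail", "example.edu", "fail", "example.edu"),
}

def evaluate_all():
    return {name: dmarc_disposition(m, RECORD) for name, m in SCENARIOS.items()}

if __name__ == "__main__":
    print(evaluate_all())
```

The two forwarding cases differ only in whether the original DKIM signature survived the extra hops, which is why the same forwarding path can deliver one message and quarantine another.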

Sending Mass Email on Behalf of Pitt

Many University departments send email to large audiences — newsletters, announcements, event communications, recruiting messages. Pitt supports three paths for doing this: Read Green, the internal bulk-mail service designed for routine institutional communications to faculty and staff; Campaign Monitor, the enterprise broadcast platform that supports any audience and full campaign features; and a small number of additional registered platforms reserved for specialized system integrations. The choice between Read Green and Campaign Monitor is driven by use case rather than audience — both can deliver to internal Pitt recipients.

Choosing How to Send

Pitt offers three paths for mass email. Read Green and Campaign Monitor are both supported enterprise options — choose between them based on use case. Other registered platforms are reserved for cases where a department's existing system integrates with its own broadcast tool.

FOR ROUTINE FACULTY/STAFF BULK MAIL

Read Green

Read Green is the University's internal bulk-mail service for faculty and staff, operated by University Mailing Services. It uses Pitt's HR directory data to deliver to predefined audiences (all faculty and staff, or subsets by campus, department, employee classification, and similar criteria) — no list management required. Use Read Green when your mailing fits its predefined audience model and you don't need campaign features like templates, scheduled sends, or analytics. Mail originates inside Pitt's tenant and passes DMARC validation automatically. To learn more or to request a mailing, see Read Green.

PITT'S ENTERPRISE BROADCAST PLATFORM

Campaign Monitor

Campaign Monitor is Pitt's enterprise broadcast email service, supported by Pitt Digital and pre-configured to pass DMARC validation. It supports any audience — internal Pitt recipients, external audiences (alumni, donors, prospective students, event registrants, external partners), or mixed lists — and includes the campaign-management features Read Green doesn't provide: templates, segmentation, scheduled sends, click tracking, analytics, A/B testing. Use Campaign Monitor when you need that flexibility, when your audience extends beyond what Read Green's predefined groups cover, or when you're running a campaign rather than a one-off bulk mailing. To request access, see the Campaign Monitor service page.

FOR SPECIALIZED INTEGRATIONS ONLY

Other registered broadcast platforms

Some University systems integrate with their own broadcast email platforms — CampusLogic StudentForms for financial aid communications, EAB Navigate for student success outreach, Salesforce for CRM-driven email, and similar specialized cases. Use these only when their integration with an existing system requires them, not as a general substitute for Read Green or Campaign Monitor. Each must be registered with Pitt Digital before sending. Contact the Help Desk before initiating a new integration.

About deliverability across the three paths.
Read Green mail originates inside Pitt's Microsoft 365 tenant and is not routed through external sending infrastructure, so it bypasses the sender-reputation scoring that recipient spam filters apply to bulk mail from third-party platforms. Campaign Monitor and other registered platforms send through their own infrastructure; DMARC registration ensures the mail passes Pitt's authentication, but recipient organizations' filters still evaluate sender reputation independently. Pitt Digital monitors Campaign Monitor's sending reputation as part of supporting it as the enterprise service. For specialized platforms in the third tier, deliverability monitoring is the department's responsibility.

Use Read Green or Campaign Monitor when possible — both are pre-configured and supported. If your department has a genuine need for a different broadcast platform, that platform must be registered with Pitt Digital before sending — mail from unregistered platforms will fail DMARC validation at receiving organizations and may be quarantined or dropped, including by Gmail, Yahoo, and federal agencies. Contact the Help Desk to register a new platform or to discontinue one.

If Read Green and Campaign Monitor Don't Fit Your Need

Notify the Technology Help Desk in any of the following circumstances:

  • You are beginning work with a new third-party broadcast email platform that will send mail on behalf of the University. Pitt Digital will configure the platform as an authorized sender.
  • You are discontinuing a relationship with a broadcast platform. Pitt Digital will remove it as an authorized sender to reduce the attack surface.
  • You suspect a platform you are currently using is not yet registered (mail you sent from it is being quarantined or marked as suspicious at recipients).

Specialized Broadcast Email Platforms

Campaign Monitor is Pitt's enterprise broadcast email service and the recommended choice for most external mass-email needs (see above). The following are examples of additional platforms that have been registered for specific departmental use cases — typically because they integrate with another business system the department already uses. This list is illustrative, not authoritative — if your department uses a platform not listed here, that does not mean it is unregistered, and inclusion on this list does not guarantee current registration. Contact the Help Desk to confirm status for any specific platform.

Examples of additional registered broadcast platforms used by Pitt departments for specialized integrations:

  • Amazon SES
  • CampusLogic StudentForms
  • Constant Contact
  • DigitalOcean
  • EAB Navigate
  • Emma
  • ICORS Mailing List
  • iModules Encompass
  • Jaggaer
  • L-Soft EASE
  • Mailchimp
  • MBS
  • Oracle Taleo
  • Paciolan
  • Salesforce
  • SendGrid

Spoofing Pitt addresses from a marketing tool fails DMARC.
If a Pitt unit configures a marketing tool (Mailchimp, Constant Contact, or similar) to send as a pitt.edu address without that platform being registered with Pitt Digital, the messages will fail DMARC validation at receivers and may be quarantined or refused — by Gmail, Yahoo, federal agencies, and increasingly by all major mail providers. The simplest fix is to use one of Pitt's supported broadcast services — Read Green for routine faculty/staff communications, or Campaign Monitor for campaigns needing custom audiences or richer features. Both are already configured to send authenticated mail on behalf of pitt.edu addresses. If a specialized platform is genuinely required, register it through the Help Desk before launching a campaign.

Third-Party Email Applications (for Individuals)

Per the Enterprise Security Controls Policy, University departments and units are required to use the Pitt Email (Outlook) service. Independent or alternative email services for departmental business are not permitted.

Individual users may use a third-party mail client (Thunderbird, Apple Mail, and similar) to access their Pitt mailbox, provided the client connects to Microsoft Exchange using Modern Authentication (OAuth 2.0 token-based authentication). Legacy clients that use basic authentication are not supported and will fail to sign in.

Pitt Digital still recommends the official Microsoft Outlook clients (desktop, web, and mobile) for individual users — those clients receive feature updates and security patches synchronized with the rest of Microsoft 365 and integrate cleanly with the protections described in Email Protection: Defender for Office 365.

Forwarding and DMARC for Individual Users

When individual users auto-forward their Pitt email to a personal account (Gmail, Yahoo, iCloud, and so on), Pitt's DMARC validator is not what catches that mail: Pitt has already accepted the message before it forwards out. But the destination provider runs its own DMARC validation and may refuse or quarantine forwarded messages from senders with strict policies. The practical result is that some legitimate mail to your Pitt address, especially from federal agencies, may silently fail to arrive at your forwarded inbox.

For the full discussion of why Pitt Digital recommends against forwarding Pitt mail to third-party providers, see Pitt Email and Calendar (Outlook) and Understanding Email Forwarding.

Learn More About DMARC

Key Contacts

  • Technology Help Desk, 412-624-HELP (4357): Broadcast email platform registration, suspected delivery issues, quarantined messages
  • Pitt Digital Security, via Help Desk: Suspected spoofing of pitt.edu, DMARC policy questions