Overview of DMARC Email Security and Understanding Quarantine Enforcement

Summary

DMARC (Domain-based Message Authentication, Reporting and Conformance) is an industry-standard email authentication protocol. It lets the owner of an email domain tell receiving mail systems how to handle messages that claim to come from that domain but fail SPF and DKIM alignment checks.

Body

DMARC Email Validation


Increasing incidents of phishing attacks, email spoofing, and compromised email accounts continue to threaten the security of the University’s computing environment.


Trusted email communication among our community, partners, and vendors is an important part of how we function as a higher education institution. To that end, Pitt Information Technology's Domain-based Message Authentication, Reporting and Conformance (DMARC) Email Validation System checks that messages claiming to come from University email domains were actually sent by an authorized source, so that only legitimate outbound email from those domains is delivered to recipients.


DMARC Email Validation helps to prevent attackers from “spoofing,” or imitating, the From address on email messages so that they appear to have been sent by a legitimate source. DMARC protects the entire University community by making phishing attacks harder to carry out and reducing the number of compromised accounts.


DMARC Email Validation Enforcement Begins July 1


To protect you from harmful email, messages that fail DMARC validation will be quarantined in your Spam and Virus Message Center beginning July 1. You will receive an email notification within twenty-four hours if a message is quarantined.  


Preparations for DMARC Email Validation Began in 2023


Pitt IT first communicated the adoption of DMARC Email Validation in April 2023. At that time, the DMARC Email Validation system began operating in a “report-only” configuration (a published DMARC policy of p=none). This meant that all email messages sent on behalf of pitt.edu domains that failed DMARC were still delivered, while the system reported which sending sources were failing.

The “report-only” phase allowed time for Pitt IT to work closely with University departments to identify and configure authorized sending services — including third-party broadcast email platforms like Campaign Monitor and Mailchimp — to ensure they pass DMARC Email Validation. If your unit uses a broadcast email platform to send messages on behalf of the University, please see Third-Party Broadcast Email Platforms below for important details.

As of March 2024, 98.6% of all emails sent using @pitt.edu email addresses pass DMARC Email Validation, which exceeds industry standards for DMARC enforcement readiness. The University is now ready to enforce DMARC Email Validation and quarantine messages that fail validation.

Keep in mind that DMARC does not quarantine legitimate messages sent from one individual’s @pitt.edu address to another @pitt.edu address. It also does not quarantine Pitt email that is forwarded to a third-party email provider like Gmail or UPMC; how that provider handles the forwarded message is governed by its own checks.


What To Do If a Message Is Quarantined


You will be notified periodically via email if messages are being held in your Spam and Virus Message Center. You can visit your Message Center to review quarantined messages and deliver any that may be legitimate.

Quarantine notifications are delivered from the following Microsoft email address: quarantine@messaging.microsoft.com. A quarantine notification looks similar to the following screenshot:

Quarantine Notification Example

If a legitimate message is quarantined, you can also add the sender to your Safe Senders list to bypass DMARC Email Validation and ensure messages from that sender are delivered in the future. Do this only for senders you have verified: a message that spoofs that same address would also bypass the check.


We Are Here To Help


If you have any questions, or if you experience email delivery issues that you think may be related to the enforcement of the DMARC Email Validation System, please contact the Technology Help Desk so that we can assist you.  


Why Legitimate Messages Can Be Quarantined

It is rare for legitimate messages to be quarantined by DMARC Email Validation. Most quarantined messages are phishing scams. Legitimate messages are typically quarantined only if they fall into one of two scenarios.   

Messages from a Mailing List (LISTSERV) Service

Some Mailing List services are not set up to comply with DMARC. A list that modifies messages (for example, by adding a subject tag or a footer) breaks the original sender's DKIM signature, and because the list server re-sends the message, SPF no longer aligns with the original From domain. Messages sent from these Mailing Lists to a Pitt email address may therefore be quarantined. The University’s Mailman Mailing List service has been configured to pass DMARC.

Messages auto-forwarded to a Pitt email address

If you automatically forward email from another email address (for example, Gmail or UPMC) to your Pitt email address, some forwarded messages may be quarantined. A forwarded message may be quarantined if the original message was sent from a domain that enforces DMARC Email Validation and the forwarding step left it without aligned authentication (for example, because the message was altered in transit and its DKIM signature no longer verifies).

For example, let’s take the following scenario:

  • Jane Doe, a Pitt faculty member, has appointments at multiple organizations.
  • Jane has a Pitt email address (jdoe99@pitt.edu), an email address at another organization (jdoe99@xyz.org), and a personal Gmail address (jdoe99@gmail.com).
  • Jane prefers to read all of her email in a single location: her Pitt email address.
  • Jane automatically forwards all email received at jdoe99@xyz.org to her Gmail address. Jane then automatically forwards all email received at her Gmail address to her Pitt email address.
  • Both Pitt and Jane’s other organization (jdoe99@xyz.org) enforce DMARC Email Validation.  

In this case, a message received at jdoe99@xyz.org may be quarantined after it is forwarded to Gmail and then forwarded again to Pitt. When the message arrives at Pitt, it is delivered by Gmail's servers, so the server-level (SPF) check is evaluated against Gmail, while the visible From address still belongs to the original xyz.org sender. Because the authenticated sending domain does not align with the From domain, and the xyz.org DKIM signature may have been broken along the way, the message looks like a spoofing attempt, fails DMARC validation, and xyz.org's enforcement policy is applied.
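The forwarding chain above and the mailing-list case described earlier come down to the same DMARC rule: the domain in the visible From address must align with the domain that SPF or DKIM actually authenticated, and when neither does, the From domain's published policy decides the disposition. The following Python is an added illustration written for this article; it is not part of Pitt IT's system or of any DMARC library. The DMARC records, the domains xyz.org, lists.example.net and attacker.example, and every authentication result are constructed fixtures, and the organizational-domain logic is simplified (a real receiver consults the Public Suffix List).

```python
"""Illustrative DMARC evaluation: identifier alignment per RFC 7489, section 3.1.
Given the From: domain, the SPF verdict and the domain it was checked for, and the
d= domains of DKIM signatures that verified, decide pass/fail and the requested
disposition. DNS lookups are replaced by a constructed table (an assumption)."""
from dataclasses import dataclass

# Constructed stand-in for DNS TXT lookups of _dmarc.<domain>; not real records.
DMARC_RECORDS = {
    "xyz.org": "v=DMARC1; p=quarantine; adkim=r; aspf=r; rua=mailto:dmarc@xyz.org",
    "pitt.edu": "v=DMARC1; p=quarantine; rua=mailto:dmarc@pitt.edu",
}


def parse_dmarc_record(txt):
    """Split 'v=DMARC1; p=quarantine; ...' into a tag dictionary."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if part:
            key, _, value = part.partition("=")
            tags[key.strip()] = value.strip()
    return tags


def org_domain(domain):
    """Organizational domain, simplified to the last two labels. Real receivers
    consult the Public Suffix List so that e.g. 'co.uk' is not treated as one."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(from_domain, auth_domain, mode):
    """Relaxed ('r') alignment compares organizational domains; strict ('s')
    requires an exact match."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


@dataclass
class AuthResults:
    from_domain: str   # domain in the RFC5322.From header (what the reader sees)
    spf_result: str    # SPF verdict for the connecting server: pass/fail/none
    spf_domain: str    # domain SPF was evaluated for (MAIL FROM, or HELO)
    dkim_passes: list  # d= domains of DKIM signatures that verified


def evaluate_dmarc(results, records=DMARC_RECORDS):
    """Return (disposition, reason): the record's p= value ('none', 'quarantine',
    'reject') on failure, 'none' on pass, or 'no-policy' if no record exists."""
    txt = records.get(results.from_domain.lower())
    if txt is None:  # RFC 7489 falls back to the organizational domain's record
        txt = records.get(org_domain(results.from_domain))
    if txt is None:
        return "no-policy", "From domain publishes no DMARC record"
    tags = parse_dmarc_record(txt)
    if tags.get("v") != "DMARC1":
        return "no-policy", "malformed DMARC record"
    spf_ok = (results.spf_result == "pass"
              and aligned(results.from_domain, results.spf_domain, tags.get("aspf", "r")))
    dkim_ok = any(aligned(results.from_domain, d, tags.get("adkim", "r"))
                  for d in results.dkim_passes)
    if spf_ok or dkim_ok:
        return "none", "pass via " + ("SPF" if spf_ok else "DKIM")
    return tags.get("p", "none"), "fail: SPF domain %r and DKIM domains %r do not align with %r" % (
        results.spf_domain, results.dkim_passes, results.from_domain)


def scenarios():
    """The article's cases as constructed authentication results (hypothetical domains)."""
    return {
        # An attacker's server claims a pitt.edu From address: nothing aligns.
        "spoofed pitt.edu": AuthResults("pitt.edu", "fail", "attacker.example", []),
        # xyz.org mail delivered straight to Pitt: SPF and DKIM both align.
        "direct from xyz.org": AuthResults("xyz.org", "pass", "xyz.org", ["xyz.org"]),
        # Jane's chain: Gmail re-sends the message, so SPF is checked for Gmail's
        # envelope and cannot align with xyz.org; if the xyz.org DKIM signature was
        # broken in transit nothing aligned remains and xyz.org's p=quarantine applies.
        "forwarded via gmail, DKIM broken": AuthResults("xyz.org", "pass", "gmail.com", []),
        # Same chain, but the DKIM signature survived untouched: DMARC passes.
        "forwarded via gmail, DKIM intact": AuthResults("xyz.org", "pass", "gmail.com", ["xyz.org"]),
        # A list adds a subject tag and footer (breaks DKIM) and sends from its own server.
        "mailing list, message modified": AuthResults("xyz.org", "pass", "lists.example.net", []),
        # Relaxed adkim: a signature from d=mail.xyz.org still aligns with From xyz.org.
        "signed by subdomain": AuthResults("xyz.org", "none", "", ["mail.xyz.org"]),
    }


def run():
    """Evaluate every scenario; returns {name: (disposition, reason)}."""
    return {name: evaluate_dmarc(r) for name, r in scenarios().items()}


if __name__ == "__main__":
    for name, (disposition, reason) in run().items():
        print("%-34s -> %-10s %s" % (name, disposition, reason))
```

Running the script prints one disposition per scenario. The two forwarding cases differ only in whether the xyz.org DKIM signature survived: forwarding alone does not fail DMARC, and that is why only some forwarded and list messages are quarantined while others arrive normally.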


Third-Party Broadcast Email Platforms

Many departments utilize third-party services like Campaign Monitor or Mailchimp to send email on behalf of the University. Pitt IT has worked diligently with departments to identify these services and configure them to pass DMARC validation.

If your department uses a broadcast email platform (see list below) that has not yet been set up as an authorized sending service, please contact the Technology Help Desk so that it can be configured.

In addition, please contact the Technology Help Desk whenever your department: 

  • Begins working with a new third-party broadcast email platform, so that Pitt IT can set up that platform as an authorized sending service.
  • Discontinues a relationship with a third-party broadcast email platform, so that Pitt IT can remove that platform as an authorized sending service.

Examples of Third-Party Broadcast Email Platforms

The following is a list of third-party broadcast email platforms that may provide email sending services on behalf of the University:

  • Amazon SES
  • Campaign Monitor
  • CampusLogic StudentForms
  • Constant Contact
  • DigitalOcean
  • EAB Navigate
  • Emma
  • ICORS Mailing List
  • iModules Encompass
  • Jaggaer
  • L-Soft EASE
  • Mailchimp
  • MBS
  • Oracle Taleo
  • Paciolan
  • Salesforce
  • SendGrid


Third-Party Email Applications

Per the Enterprise Security Controls Policy, Departments and University units are required to use the Pitt Email (Outlook) service. Independent email services are not permitted.

Individual users do, however, have the ability to use a third-party mail client, such as the ones listed by PC Magazine. These are legitimate clients and must be configured to connect to Microsoft Exchange using Modern Authentication (Active Directory Authentication Library (ADAL) and OAuth 2.0 token-based authentication). They connect to Microsoft Exchange and send email through Exchange.

Individual users are still encouraged to use the Outlook clients.

Details


Article ID: 633
Created
Mon 1/29/24 1:40 PM
Modified
Tue 10/29/24 8:01 AM