Email authentication for outgoing messages

Last updated: March 29, 2024
As part of our continuing effort to improve email security and reduce the number of malicious messages we receive, the University of Washington will be implementing email authentication for outgoing mail. The timeline for implementation is short due to emerging email security requirements recently announced by Google and Yahoo. For example, see the Google announcement. Since this announcement, Apple has published similar requirements, and enforcement by Google and Yahoo will now happen in April.

What is UW-IT doing to respond?

On February 21, 2024, UW-IT began adding digital signatures to all @uw.edu email that passes through UW-IT managed email infrastructure. This digital signature serves to verify the authenticity of the message data.

What do I need to do?

Starting in April, each email domain and subdomain under the UW umbrella will need to implement DMARC, SPF, and DKIM email authentication to ensure that the email they send is deliverable.

  • DMARC (Domain-based Message Authentication, Reporting and Compliance) is an email authentication system that is designed to detect and prevent email spoofing by blocking certain techniques often used in spam and phishing emails, including emails with forged sender addresses that appear to originate from legitimate organizations. DMARC checks to ensure the sending domain has authorized a message and can be used to reject or quarantine any unauthorized messages received.
  • DKIM (DomainKeys Identified Mail) is an authentication method that uses a digital signature to let the receiver of an email know the message was authorized by the owner of the domain/subdomain and that it hasn’t changed since it was sent.
  • SPF (Sender Policy Framework) is an authentication method that identifies the email servers allowed to send email for a given domain.

The following information can help you meet the most urgent requirements:

  1. The preferred choice is to send email with a departmental subdomain as the From address, such as survey@pottery.uw.edu. You will need to set up DMARC, SPF, and DKIM for that domain, as required by the Google/Yahoo changes. Your vendor should be able to help with this, and you can use the UW Networks portal to publish the required DNS records. If you’d like assistance from UW-IT, please send an email to help@uw.edu with a subject of “DMARC, DKIM and SPF”, and include the domain you are using to send your email from and any other relevant information. If you use this option, you’ll need to have email services set up for the domain so that you can receive responses to the messages, such as error messages. UW-IT’s Virtual Email Domain service can help with that if you don’t already have email services available for one of your domains.
  2. To use or continue to use @uw.edu From addresses, you may configure your system, or work with your vendor, to send the email through the UW SMTP servers. To use UW’s SMTP servers, you would need to create a shared UW NetID and provide the vendor with the username and password. The server is smtp.uw.edu, port 587, TLS required.
  3. For “bulk” email, such as newsletters or messages to large groups of recipients, you can use UW Marketo to send your messages.

In all cases, make sure that your From address exists, belongs to you, and that you monitor that address to handle bounces, unsubscribe requests, and other issues.

Failure to do so could result in your mail being blocked or not delivered.

For technical and policy reasons, we will not add DKIM records for third-party vendors or add their IP addresses to the SPF records for the central email domains @uw.edu and @washington.edu. This policy is subject to change, depending on emerging security requirements.

More about DMARC, SPF, and DKIM

DMARC, SPF, and DKIM all require specific Domain Name System (DNS) records to be published for a given domain/sub-domain.

Additionally, DKIM requires that each message pass through an email server that is capable of attaching the requisite digital signature to each message.

Domain/subdomain owners who do not publish these records may find that email sent to Google, Yahoo and Apple recipients (and other domains to come) will be rejected.
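
A pre-publication check of the three record types described above, as an added example that is not UW-IT's code: it validates TXT records supplied as a dictionary rather than querying DNS. The record values, the selector "s1", the key placeholder, and the spf.vendor.example include are constructed; pottery.uw.edu is the example subdomain used earlier on this page.

```python
# Added example, not UW-IT code. Record values and the selector "s1" are constructed.

def parse_tags(txt):
    """Split a 'tag=value; tag=value' record (DMARC/DKIM syntax) into a dict."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def check_domain(zone, domain, selector):
    """Return a list of problems in the TXT records published for `domain`.
    `zone` maps a DNS name to the list of TXT strings found at that name."""
    problems = []
    # SPF: exactly one TXT record at the domain whose first term is v=spf1.
    spf = [r.lower().split() for r in zone.get(domain, [])]
    spf = [terms for terms in spf if terms[:1] == ["v=spf1"]]
    if len(spf) != 1:
        problems.append(f"SPF: expected 1 v=spf1 record, found {len(spf)}")
    elif spf[0][-1] not in ("-all", "~all"):
        problems.append(f"SPF: last term is {spf[0][-1]}, not -all or ~all")
    # DMARC: one TXT record at _dmarc.<domain> with v=DMARC1 and a valid p= policy.
    dmarc = [parse_tags(r) for r in zone.get(f"_dmarc.{domain}", [])]
    dmarc = [t for t in dmarc if t.get("v") == "DMARC1"]
    if len(dmarc) != 1:
        problems.append(f"DMARC: expected 1 v=DMARC1 record, found {len(dmarc)}")
    elif dmarc[0].get("p") not in ("none", "quarantine", "reject"):
        problems.append("DMARC: missing or invalid p= policy")
    # DKIM: public key at <selector>._domainkey.<domain>; empty p= means revoked.
    dkim = [parse_tags(r) for r in zone.get(f"{selector}._domainkey.{domain}", [])]
    if not dkim:
        problems.append(f"DKIM: no key record for selector {selector}")
    elif not dkim[0].get("p"):
        problems.append("DKIM: p= is empty, so the key is revoked")
    return problems

# Constructed records for the page's example subdomain (key value is a placeholder).
GOOD = {
    "pottery.uw.edu": ["v=spf1 include:spf.vendor.example -all"],
    "_dmarc.pottery.uw.edu": ["v=DMARC1; p=none; rua=mailto:dmarc@pottery.uw.edu"],
    "s1._domainkey.pottery.uw.edu": ["v=DKIM1; k=rsa; p=BASE64PUBLICKEYPLACEHOLDER"],
}
BAD = {  # two SPF records, DMARC without p=, no DKIM key published
    "pottery.uw.edu": ["v=spf1 include:spf.vendor.example", "v=spf1 ip4:192.0.2.10 -all"],
    "_dmarc.pottery.uw.edu": ["v=DMARC1; rua=mailto:dmarc@pottery.uw.edu"],
}

if __name__ == "__main__":
    for name, zone in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, check_domain(zone, "pottery.uw.edu", "s1"))
```

The SPF check reports any final term other than -all or ~all so that it can be reviewed; a record that ends in a redirect= modifier is reported too and needs a manual look.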

Need help?

If you would like help in configuring email authentication, please send an email to help@uw.edu, with a subject of “DMARC, DKIM and SPF.” Include the domain you are using to send your email from and any other relevant information.

Because the implementation timeline is short, you will need to act quickly to be compliant.

Please understand that our email security policies and requirements will be refined as we navigate these new and emerging requirements, often driven by external forces.