Early this year, UNC groups and employees were scurrying to comply with new anti-spam rules and protect the University’s email reputation. For employees who send a lot of emails or use third-party platforms and the information technology staffers who support them, it was a few weeks of scrambling.
But for Matt Rice of ITS Systems Administration, the focused effort in January and February to protect the University was the culmination of four years of work. Behind the scenes, he toiled on tedious, repetitive steps, and during this last push, he supported and collaborated with a couple hundred people and worked 12-14 hours a day. Rice’s dedication and expertise were instrumental in safeguarding the University’s email deliverability.
“There is nothing glamorous about email,” said Richard Hill, who leads the ITS Systems Administration team and oversaw the email deliverability efforts. “It’s not that the work is hard. It’s tedious. There’s lots of room for error. And you have to be very thorough and make sure everything’s 100% correct.”
The challenge
Everything had to be in place by February 1. That’s when Google was going to begin implementing major changes to reduce spam, combining technical requirements like Domain-based Message Authentication, Reporting and Conformance (DMARC), and sender behaviors like easy unsubscribe options. Yahoo had announced it would do the same some time in the first quarter. While most people are tired of spam, these changes have far-reaching effects, especially for large organizations like UNC. A few bad mailings could result in Google and Yahoo blocking every email from UNC, not just bulk mailings. Email deliverability and safeguarding it are relatively thankless work, and when that work is done properly, it is rather transparent. But when it’s done improperly, there’s the potential for a significant impact on campus.
The response and strategy
Behind the scenes, Rice — with support from Hill and collaborators — worked for months and months to untangle decades of email settings at UNC.
“I started the effort back in 2020,” Rice said. He started enabling the mail identity tools Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM) and DMARC, and activating them for listserv, for starters. DMARC checks SPF and DKIM to authenticate and validate the email, and then a DMARC score determines whether the email is rejected or goes through.
Rice reviewed SPF, DKIM and DMARC settings for everything on campus. In 2022, Rice began creating DMARC records for new subdomains. Such changes limit the scope of potential damage by encouraging — or requiring — senders to use subdomains instead of top-level domains. If one UNC subdomain (like @its.unc.edu) trips the threshold, only messages from that subdomain are rejected. Messages from the @unc.edu domain or other UNC subdomains are not affected.
The implementation
In January, Rice was receiving 15-20 requests each day for his help. About 190 mail domains still needed DMARC set up to further protect the University’s email reputation.
“The 189 mail domains that we had out there didn’t have all this stuff set up, so I took hold of it and started creating new ones the right way,” Rice said.
“Every department that sends email in some way, shape or form, we had to interact with,” he said. “I interacted with about 200 people or more during the short window we had in January. When I interacted with them, it wasn’t a one or two conversation thing.”
During the first three months of this year, Rice stopped all his other work to focus on DMARC.
Such work requires attention to detail. Having too many hands in the effort could have increased the potential for error, Hill said, “which is why we decided to just go with one person who knew it, designed and architected it, and did it.”
Rice accomplished this work with support. Within ITS, several groups and individuals aided the effort, including Brett Vasu and Adam Clark of the ITS Service Desk’s Tier 2, Assistant Vice Chancellor Kate Hash, ITS Communications, and Will Whitaker of ITS Networking. Departmental IT professionals also partnered with ITS by helping their own users, including Ben Aycock and Keith Gerarden of School of Medicine IT, Rob Noel of OASIS, and Bryan Andregg of the Gillings School of Global Public Health.
The results
The efforts have paid off.
“I don’t even want to say this part out loud, but we haven’t gotten blocked from any major carrier yet, so I’m going to call that a win,” Rice said. “I’m going to say we’re 75% of the way there. What we want to eventually get to is for every domain to have a reject policy so everything’s 100% secure.”
Now ITS Systems Administration has a long-term process for using the latest mail identity tools to protect Carolina’s email reputation. Next, Rice is researching a process to provide DMARC aggregate reporting to departmental IT clients to enable those clients to troubleshoot problems. In addition, Hill and Rice will explore sharing knowledge with IT professionals across the University, whether through help documentation or other ways, on proper mail identity solutions.