Skip to main content
 

Last month, ITS tightened email security settings for campus and as a result, you’ll see less spam and enjoy a more secure inbox.

On October 16, ITS changed settings so that emails that fail certain verification requirements will be rejected. Rejected emails never reach your inbox or even your junk folder.

Email is an essential part of campus communications, so less spam will make daily work more pleasant and inboxes less cluttered. And because phishing is involved in 80% of data breaches, preventing bad messages from reaching your inbox is a huge security win.

A cartoon woman holds a giant envelope and a check box

Tightening requirements

Earlier this year, two major email providers, Gmail and Yahoo, strengthened sender requirements to fight spam. To conform with these new requirements, ITS began helping campus senders configure Domain-based Message Authentication, Reporting & Conformance (DMARC).

DMARC works alongside other email verification tools, Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM), to verify that an email truly comes from where it claims to come from. SPF checks the sender’s IP address, while DKIM verifies the email’s content. Those tools plus a DMARC score determine whether an email is rejected or goes through.

ITS did much of this configuration work in 2021 as a project to enable SPF and DKIM. Most campus senders were able to enable DMARC by February 1, 2024, the deadline from Gmail and Yahoo.

Set to reject

ITS implemented a final DMARC setting change for all campus-managed email domains on October 16. The change adjusts DMARC settings for unc.edu from “none” to “reject,” meaning emails that fail either SPF, DKIM or both will not be delivered. This extra layer of security helps ensure that only legitimate emails make it to your inbox.

An open envelope icon, revealing a trash can

Campus senders who enabled DMARC earlier this year were ready for the switch and ITS worked with remaining campus senders to configure domains to ensure deliverability of their emails.

Senders who did not configure their domains properly will receive notices that their legitimate emails are not being delivered.

These stricter DMARC settings protect campus from phishing and mean less spam and more security for your inbox.

Reporting spam protects you and the University

These stronger settings will result in less spam, not necessarily no spam or phishing.

One reason you may still see phishing attempts in your inbox is because of compromised accounts. A compromised account is a real person’s account that has been taken over, or compromised, by phishers. When an account is compromised, the phishers can access the account and do anything an account owner could do — including sending email.

Phishers love sending emails from compromised accounts for two reasons. First, because recipients are more likely to click links or download attachments from people inside their organization. And second, emails from real people are less likely to get trapped by spam filters. You need to always be careful, even if you know and trust the sender.

A doodle drawing of a person holding a giant envelope with a phishing hook in it

When you know — or strongly suspect — an email is phishing, report the message in Outlook. You can find the report button in your Outlook toolbar or under a three dots menu. Reporting a message as phishing alerts Microsoft to review and potentially remove the email from other inboxes. Removing the email before they see it can help keep other Tar Heels safe.

 

Comments are closed.