Upcoming Email Security Change
As of June 3rd, 2025, TXST University will change its DMARC record to 'reject'. This instructs email providers like Google and Yahoo to deny emails that fail SPF and DKIM checks. The change aligns with federal standards on email security and helps prevent phishing and scams against our TXST community.
What Does This Mean?
If this is a New Request, proceed to the process outlined below.
If you have an Existing Service, reach out to your email vendor and ask them to validate that your service is set up with appropriate DKIM and SPF records. For any changes or new records, please follow the process below.
Third-Party Vendors
TXST University IT allows third-party services to send as a subdomain of txstate.edu, such as surveys.mydepartment.txstate.edu. As long as your service has been properly assessed by the Information Security Office and is authorized to email on behalf of txstate.edu, you may request that the appropriate DNS records (obtained from your vendor) be added by sending an email to itac@txstate.edu with the authorization from ISO and the requested DNS records from your third-party vendor.
Domain names at TXST are governed by UPPS 04-01-08.
Glossary of Terms
SPF (Sender Policy Framework)
SPF is a list of email servers that are allowed to send emails on behalf of your domain.
Expected format is a text string such as "v=spf1 include:spf.myservice.com -all"

DKIM (DomainKeys Identified Mail)
DKIM is an email security standard that helps detect whether messages are altered in transit between sending and receiving mail servers.
Expected format is a text string such as: myservice._domainkey.surveys.mydept.txstate.edu. 600 IN TXT "v=DKIM1;k=rsa;p=abcd123"

DMARC (Domain-based Message Authentication, Reporting, and Conformance)
DMARC tells other email systems like Gmail or Yahoo what to do when they receive an email that has been tampered with or sent fraudulently. In addition, alignment is a key concept introduced by DMARC: the domain used for a passing SPF or DKIM result MUST match the domain of the From header of the email message.

Third Level Domain
A domain name just below txstate.edu
Ex. surveys.txstate.edu
Requires authorization from University Marketing and Information Security via https://gato.its.txst.edu/manage-website/url-request.html
Domain names at TXST are governed by UPPS 04-01-08.

Fourth Level Domain
A domain name just below an authorized third-level domain.
Ex. surveys.mccoy.txstate.edu
Does not require authorization for choosing the name

Third Party Vendor
The company or entity that you are working with to send out emails on behalf of TXST.
IMPORTANT
Emails that fail SPF, DKIM, or DMARC security are the most common reason for emails being sent to users’ junk folders.
Why Do They Matter?
SPF
Without SPF, anyone can send fraudulent emails that look like they came from your TXST email address, leading to phishing attacks. SPF protects TXST’s reputation by only allowing official TXST services to send emails on your behalf.
DKIM
DKIM ensures the integrity of your emails. If the signature doesn’t match, it's a red flag. This prevents attackers from altering your messages in transit and helps recipients trust the authenticity of your emails.
DMARC
DMARC ties SPF and DKIM together and adds an extra layer. It instructs the recipient's server on what to do if SPF or DKIM fails. This prevents malicious actors from abusing your domain for phishing, and it provides reporting so you can monitor the health of your email ecosystem. It also provides a mechanism for alignment, to ensure that people aren’t pretending to be your email domain, even though they’ve passed their own DKIM and SPF checks.
Requesting Third Party Email Access
- Authorization
  - Service must be assessed by the Information Security Office
- Domain Selection
  - Choose a relevant third level or fourth level domain.
  - Third-Level domains require additional authorization
- Send SPF and DKIM records to itac@txstate.edu including the domain you wish to add them to, along with any authorization you've received.
  - These records will be provided by your third-party vendor
Common Failures and Solutions
SPF Failures:
- Cause: Sending emails from unauthorized servers.
- Solution: Update your SPF record to include all legitimate email servers.
DKIM Failures:
- Cause: Key mismatch or tampering.
- Solution: Ensure your DKIM key is correctly configured and monitor for any changes.
DMARC Alignment Failures:
- Cause: SPF or DKIM domains don’t match the “From” address.
- Example:
  - Return-Path: noreply@mailservice.com
  - SPF record is present for mailservice.com and passes check.
  - DKIM: Key present and validated for mailservice.com
  - From: noreply@mydepartment.txstate.edu
  - This example shows that though mailservice.com passed SPF and DKIM, they were pretending to be a txstate.edu email address. Since txstate.edu wasn’t present in the return-path or DKIM key, alignment fails.
- Solution: Align your SPF, DKIM, and "From" address.
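
To tell the three failure types above apart on a delivered test message, read the Authentication-Results header that the receiving server adds. The script below is an added example, not TXST or vendor code: it classifies a message the way a receiver would under relaxed alignment (the DMARC default), and the sample headers, the mx.example.net host name and the two-label organizational-domain shortcut are assumptions made for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

def org_domain(domain):
    # Assumption: organizational domain = last two labels (holds for txstate.edu and
    # mailservice.com); real receivers consult the Public Suffix List.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def diagnose(raw_message):
    """Return (dmarc_result, reasons), assuming relaxed alignment (the DMARC default)."""
    msg = message_from_string(raw_message)
    from_domain = parseaddr(msg["From"])[1].rpartition("@")[2].lower()
    results = msg.get("Authentication-Results", "")
    reasons, passed = [], False
    for method, prop in (("spf", "smtp.mailfrom"), ("dkim", "header.d")):
        pattern = rf"\b{method}=(\w+)[^;]*?\b{re.escape(prop)}=([^\s;]+)"
        hits = re.findall(pattern, results)
        if not hits:
            reasons.append(f"{method}: no result recorded")
        for result, ident in hits:
            domain = ident.rpartition("@")[2].lower()
            if result.lower() != "pass":
                reasons.append(f"{method}: {result} for {domain}")
            elif org_domain(domain) != org_domain(from_domain):
                reasons.append(f"{method}: pass for {domain}, not aligned with {from_domain}")
            else:
                passed = True  # one aligned pass (SPF or DKIM) satisfies DMARC
    return ("pass" if passed else "fail"), reasons

# Constructed headers mirroring the page's alignment example (mx.example.net is a placeholder).
MISALIGNED = """\
Authentication-Results: mx.example.net;
 spf=pass smtp.mailfrom=noreply@mailservice.com;
 dkim=pass header.d=mailservice.com
From: Survey Team <noreply@mydepartment.txstate.edu>

Constructed body.
"""
# Constructed corrected setup: the vendor signs and bounces under the txstate.edu subdomain.
ALIGNED = MISALIGNED.replace("noreply@mailservice.com", "bounce@surveys.mydepartment.txstate.edu") \
                    .replace("header.d=mailservice.com", "header.d=surveys.mydepartment.txstate.edu")

if __name__ == "__main__":
    for name, sample in (("misaligned", MISALIGNED), ("aligned", ALIGNED)):
        print(name, *diagnose(sample), sep="\n  ")
```

A "pass for ..., not aligned" reason means the vendor is still using its own domain for the Return-Path or DKIM signature and needs the txstate.edu subdomain records described above.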