Office 365 - Steps to make UW-Madison email DMARC compliant
The purpose of this document is to recommend ways to make email messages DMARC compliant and to explain how and why messages are rewritten for DMARC compliance
- How to configure a WiscList list to support DMARC for the @lists.wisc.edu domain.
- UW-Madison Google Groups supports DMARC for the @g-groups.wisc.edu domain.
- Instructions for administrators of other lists (e.g., mailman)
How to configure a WiscList list to support DMARC for the @lists.wisc.edu domain
Note: The WiscList team plans to modify all lists to support DMARC.
Your list needs to rewrite the From header of messages so that they use the same domain as the list server (@lists.wisc.edu). If you do not do this, receiving systems will quarantine or reject messages sent through the list for any senders who have DMARC-protected domains.
In the WiscList admin site, go to Utilities → List Settings → Email Submitted Content → Header Rewrites
Use the following settings to ensure the From header uses the following format:
"'Bucky Badger' via listname"
- Paste the following exact text in From:
"'%%merge inmail_.hdrfrom_%%' via %%list.name%%" <%%email.list%%>
"'%%author.nameemail%%' via %%list.name%%" <%%email.list%%>
Change the Reply-to option to “author” so that Reply-all can be used by recipients to reply back to the list as well as the original message’s author.
- Paste the following in Reply-to:
Messages sent via WiscList will pass SPF for @lists.wisc.edu. DMARC will pass as a result. Ensure that the From header of messages sent via your list use the @lists.wisc.edu domain so that DMARC alignment occurs.
Once WiscList starts DKIM signing messages it means that messages sent via WiscList, with the From header domain matching @lists.wisc.edu, will help ensure DMARC passes in the event that SPF fails (typically this occurs when messages are forwarded).
UW-Madison Google Groups supports DMARC for the @g-groups.wisc.edu domain
Google Groups will automatically rewrite the From header to the following format if the sender’s domain publishes a DMARC record with a quarantine or reject policy:
"’Bucky Badger’ via listname"
Messages sent via UW-Madison Google Groups will pass SPF for @g-groups.wisc.edu, and the messages will be signed with a DKIM selector in the g-groups.wisc.edu domain. DMARC will pass as a result.
Instructions for administrators of other lists (e.g., mailman)
- Configure the list to rewrite the From header to use the list server’s domain " ’Bucky Badger’ via listname" < listname@listdomain > .
- Use DKIM to sign mail using a selector within the list server’s domain.
- Ensure the list server’s domain is used in the envelope-from address of the SMTP transaction and that the list server IP addresses are included in the SPF record of the domain.