Office 365 - Steps to make UW-Madison email DMARC compliant

The purpose of this document is to recommend ways to make email messages DMARC compliant and to explain how and why messages are rewritten for DMARC compliance.

How to configure a WiscList list to support DMARC

Note: The WiscList team plans to modify all lists to support DMARC.

Your list needs to rewrite the From header of messages so that they use the same domain as the list server (@lists.wisc.edu). If you do not do this, receiving systems will quarantine or reject messages sent through the list for any senders who have DMARC-protected domains.

In the WiscList admin site, go to Utilities → List Settings → Email Submitted Content → Header Rewrites

Use these settings so that the From header takes the following format: "’Bucky Badger’ via listname"

  • Paste the following exact text in From:

    "’%%author.nameemail%%’ via %%list.name%%" <%%email.list%%>

Change the Reply-to option to “author” so that Reply-all can be used by recipients to reply back to the list as well as the original message’s author.

  • Paste the following in Reply-to:

    author

Does WiscList support DKIM for the @lists.wisc.edu domain?

Messages sent via WiscList will pass SPF for @lists.wisc.edu. DMARC will pass as a result. Ensure that the From header of messages sent via your list uses the @lists.wisc.edu domain so that DMARC alignment occurs.

Once WiscList starts DKIM-signing messages, the signature on messages sent via WiscList whose From header domain matches @lists.wisc.edu will help ensure DMARC passes in the event that SPF fails (typically this occurs when messages are forwarded).

How to configure a Google Group to support DMARC

Google Groups will automatically rewrite the From header to the following format if the sender’s domain publishes a DMARC record with a quarantine or reject policy:

"’Bucky Badger’ via listname"

Does UW-Madison Google Groups support DKIM?

Messages sent via UW-Madison Google Groups will pass SPF for @g-groups.wisc.edu. DMARC will pass as a result.

Once UW-Madison Google Groups starts DKIM-signing messages, the signature on messages sent via Google Groups whose From header domain matches @g-groups.wisc.edu will help ensure DMARC passes in the event that SPF fails (typically this occurs when messages are forwarded).

Instructions for administrators of other lists (e.g., mailman)

  1. Configure the list to rewrite the From header to use the list server’s domain: "’Bucky Badger’ via listname" <listname@listdomain>.
  2. Use DKIM to sign mail using a selector within the list server’s domain.
  3. Ensure the list server’s domain is used in the envelope-from address of the SMTP transaction and that the list server IP addresses are included in the SPF record of the domain.
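
The three steps above, sketched in Python as an added example (not code from this page or from any list software): it rewrites From and Reply-To, then evaluates DMARC alignment for the delivered and forwarded cases. The domains, list name and function names are constructed for illustration, and `org_domain` is a two-label simplification of relaxed alignment.

```python
from email.message import EmailMessage
from email.utils import formataddr, parseaddr

def sample_message():
    # Constructed message; example.com stands in for a domain with a DMARC reject policy.
    msg = EmailMessage()
    msg["From"] = formataddr(("Bucky Badger", "bucky@example.com"))
    msg["To"] = "biology-news@lists.example.edu"
    msg.set_content("Seminar on Friday.")
    return msg

def rewrite_for_list(msg, list_name, list_addr):
    """Step 1: list address in From; author kept in the display name and Reply-To."""
    name, addr = parseaddr(msg["From"])
    del msg["From"]       # address headers may appear only once, so remove before setting
    del msg["Reply-To"]   # no error if the header is absent
    msg["From"] = formataddr((f"'{name or addr}' via {list_name}", list_addr))
    msg["Reply-To"] = formataddr((name, addr))
    return msg

def org_domain(domain):
    # Assumption: the organizational domain is the last two labels.
    # Real DMARC evaluators derive it from the Public Suffix List.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def dmarc_passes(msg, spf_domain, spf_pass, dkim_domain=None, dkim_pass=False):
    """DMARC passes when SPF or DKIM passes for a domain aligned with the From header."""
    from_domain = parseaddr(msg["From"])[1].rpartition("@")[2]
    def aligned(d):
        return bool(d) and org_domain(d) == org_domain(from_domain)
    return bool((spf_pass and aligned(spf_domain)) or (dkim_pass and aligned(dkim_domain)))

if __name__ == "__main__":
    list_dom = "lists.example.edu"  # constructed list server domain (steps 2 and 3)
    msg = sample_message()
    # From is still the author's domain: SPF passes for the list but is not aligned.
    print("not rewritten:", dmarc_passes(msg, list_dom, True))
    rewrite_for_list(msg, "biology-news", "biology-news@" + list_dom)
    print(msg["From"], "| Reply-To:", msg["Reply-To"])
    print("rewritten, SPF pass:", dmarc_passes(msg, list_dom, True))
    # Forwarded copy: SPF fails, so only an aligned DKIM signature can carry DMARC.
    print("forwarded, no DKIM:", dmarc_passes(msg, list_dom, False))
    print("forwarded, list DKIM:", dmarc_passes(msg, list_dom, False, list_dom, True))
```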

Inbound messages tagged with "[CAUTION: External]" in the Subject

To help people identify inbound messages that don't pass DMARC, the text "[CAUTION: External]" will be added to the Subject of inbound messages. This feature is being implemented for messages that use "@wisc.edu" in the From header and is being rolled out to campus during the spring of 2018. Implementation of this feature for other domains is still TBD.





Doc ID: 81107
Owner: Christina G.
Group: Office 365
Created: 2018-03-22 16:26 CDT
Updated: 2018-04-06 14:29 CDT
Sites:DoIT Help Desk, DoIT Tech Store, Office 365