Email Spoofing Counter Measures

Connect offers the following information to help in spoofing prevention.

Connect customers using @department.ucsb.edu style addressing may want to have a Sender Policy Framework (SPF) record created for their departmental domains in the Domain Name System. Please see: http://www.openspf.org/ and the Wikipedia Sender Policy Framework page for further information about SPF.

Creating an SPF record REQUIRES the department to understand ALL possible sources of email that would have an envelope from (return path) with the @department.ucsb.edu style address. These may include, but are not limited to:

* Department servers or devices (printers, copiers, etc.) that are sending email outside of Connect systems
* Outsourced email distribution lists
* Client software, including web applications, not sending email using Google/Connect mail servers

Unfortunately, because of their nature, identification of these sources is not something Connect support is able to help with. Any non-Connect sources will need to be included in the departmental SPF record, which should then include the published record for Connect with "include:_spf.connect.ucsb.edu".

An example (don’t use this!) departmental SPF record might look like this:

"v=spf1 a:www.department.ucsb.edu a:smtp.ucsb.edu include:e2ma.net include:_spf.connect.ucsb.edu ~all"

This example includes a department web server, the ucsb.edu SMTP server and the include for a third-party mailing service. Failure to include non-Connect email sources will result in those messages being treated as spam by some systems and reduce the chances of their successful delivery.
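As an added example (not Connect's own tooling), the Python sketch below checks a draft departmental SPF record against the department's inventory of senders before it is published. The inventory, the copier hostname and the function names are hypothetical; the limit of 10 DNS-lookup terms comes from RFC 7208, not from this page.

```python
# Added example: static lint of a departmental SPF record (no DNS queries).
CONNECT_INCLUDE = "include:_spf.connect.ucsb.edu"       # from the page
LOOKUP_MECHS = ("include", "a", "mx", "ptr", "exists")  # each costs a DNS lookup
MAX_LOOKUPS = 10  # RFC 7208 limit; exceeding it makes receivers return permerror

def split_term(term):
    """Return (qualifier, body) for one SPF term; the default qualifier is '+'."""
    if term[0] in "+-~?":
        return term[0], term[1:].lower()
    return "+", term.lower()

def lint_spf(record, inventory):
    """Return a list of problems; `inventory` holds the SPF terms that
    should authorize the department's non-Connect senders."""
    problems = []
    terms = record.strip().strip('"').split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["record does not start with v=spf1"]
    parsed = [split_term(t) for t in terms[1:]]
    bodies = [body for _, body in parsed]

    # Every inventoried sender, plus Connect itself, must be authorized.
    for needed in [CONNECT_INCLUDE] + list(inventory):
        if needed.lower() not in bodies:
            problems.append("missing sender: " + needed)

    # Top-level count only; lookups inside included records also count.
    lookups = sum(1 for b in bodies
                  if b.split(":")[0].split("/")[0] in LOOKUP_MECHS
                  or b.startswith("redirect="))
    if lookups > MAX_LOOKUPS:
        problems.append("%d DNS-lookup terms exceed the limit of %d"
                        % (lookups, MAX_LOOKUPS))

    if "all" not in bodies:
        problems.append("no 'all' mechanism at the end")
    elif bodies[-1] != "all":
        problems.append("terms after 'all' are ignored")
    elif parsed[-1][0] == "+":
        problems.append("+all authorizes every sender")
    return problems

# Record from the page; the inventory is constructed for illustration and
# copier.department.ucsb.edu is a hypothetical device missing from the record.
PAGE_RECORD = ('"v=spf1 a:www.department.ucsb.edu a:smtp.ucsb.edu '
               'include:e2ma.net include:_spf.connect.ucsb.edu ~all"')
INVENTORY = ["a:www.department.ucsb.edu", "a:smtp.ucsb.edu",
             "include:e2ma.net", "a:copier.department.ucsb.edu"]
print(lint_spf(PAGE_RECORD, INVENTORY))
```

An empty list means the record covers every inventoried sender; it does not prove the inventory itself is complete.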

Additional Spoofing Counter Measures

DomainKeys Identified Mail (DKIM) is a method for ensuring message integrity and can be used in combination with DMARC (see below) as an anti-spoofing measure. Use of comprehensive DKIM signing in Connect will be investigated in the future.

Domain-based Message Authentication, Reporting & Conformance (DMARC) is a way of setting a hard policy on classification of email based on DKIM and SPF results. Connect cannot currently recommend the use of DMARC because of the inconsistent implementations of DKIM and SPF and the resulting high probability of loss of valid mail.