What is happening?
Due to a change made by Google, on the 1 February 2024, organisations that send more than 5,000 messages per
day to email domains hosted or managed by Google must meet new requirements. This has expedited our plans for
the project, hence this high priority communication.
The key one being: Setting up SPF, DKIM, and DMARC email authentication for your domain.
This change has been fully tested, both in the Nexus lab, and in production (since November 2023) for the it.ox.ac.uk domain. The validation protocols are well-proven and are already in use by the majority of Russell Group universities.
Right now, Google sees ox.ac.uk as a single domain. This means that a single college, department, or unit which does not implement all of SPF, DKIM, and DMARC could potentially impact delivery of the entire collegiate University’s email to Google domains.
What are we doing to implement the change?
We are adding a few lines into DNS. We already have DKIM established on it.ox.ac.uk in monitoring mode and results have exceeded expectations.
DKIM is a digital signature that a recipient's email server can use to verify that an email wasn't modified in transit. Since we have no DKIM records right now, adding this can only enhance delivery outcomes, and is therefore a very low-risk activity.
DMARC is a single line in DNS which receiving email servers can look up - it is a request from us for the receiving system to take an action of our choice on messages which fail all of the authentication checks which would be used to prove it came from Oxford.
SPF is another DNS entry for each domain through which receiving email servers can confirm whether an email is being sent from a legitimate server for that domain. SPF records should already be in place for most University email domains.
What do you need to do?
We, the project team, can fully manage this entire process for you on your behalf but only if:
• Your entire unit uses Nexus365 for email
• If this is the case, we only ask you not to change/remove those DNS records.
ITSS for units which do NOT use Nexus365 will have to undertake their own checks to ensure SPF, DKIM, and DMARC are correctly configured and enabled.
The timeframe for this change is dependent on units contacting us who do NOT use Nexus365, but the change must be completed by 1 February 2024 to avoid any disruption to our emails reaching their destinations. Please consult with the project team if you need assistance.
We are looking at solutions to address anything sent via Oxmail, smtp.ox.ac.uk, maillist.ox.ac.uk or DARS (Blackbaud). Other third-party services which send mail from your subdomain may also be affected, but if you have queries regarding this, please contact the project team.
What if I do nothing?
The risk of doing nothing is HIGH: Google may start rejecting email from all ox.ac.uk email subdomains from the 1
February 2024 if these DNS records are not in place.
Right now, Google sees ox.ac.uk as a single domain. This means that a single college, department, or unit which does not implement SPF, DKIM, and DMARC could potentially impact delivery of the entire collegiate University’s email to Google domains.
Across the whole of the collegiate University the sending of more than 5,000 emails per day to Google addresses is easily reached. Furthermore, these values are used to confirm email's authenticity to a recipient. Without these protocols in place, it's far more likely that our email will go into recipients' junk folder or be deleted entirely without even being delivered.
Background
The Email Security & Simplification Project has been working to enhance the authenticity of the University’s outgoing email. The objective is to ensure that more of our sent email arrives in recipients’ inbox folders, being seen as legitimate and genuine, rather than, in some cases, being treated as directly equivalent to spoofed email from malicious senders.