For many colleges and universities, the issue isn’t a lack of concern, but their inexperience with setting up email authentication. Here are five recommendations for getting started.
1. Implement both SPF and DKIM for all domains. If DKIM is further out on your roadmap, SPF is an ideal place to begin. For SPF we recommend -all or ~all, and strongly advise against the use of +all or ?all.
2. Publish a DMARC record for all domains, whether you send mail from them or not. Deploying a DMARC none policy (p=none) is a perfectly fine starting point: it lets you get used to the DMARC reporting data and begin evaluating how long and complex your DMARC journey will be.
3. Find a DMARC software solution that helps you quickly interpret the large volume of DMARC data you will receive and guides you responsibly through the journey to a reject policy for your domains.
4. Hire a consultant if you do not have email-authentication expertise or the resources to manage the process of getting to reject for your domains.
5. Publish a DMARC record with a reject policy (p=reject) for non-sending and defensively registered domains. It is a quick win: you start protecting your brand by locking down assets that should never send mail.
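As an added example (not part of the original article), the following Python audits an inventory of domains against recommendations 1, 2 and 5: it flags SPF records ending in +all or ?all, missing DMARC records, and non-sending domains that are not yet at p=reject. The domain names and TXT records are constructed samples, and for non-sending domains it also expects the `v=spf1 -all` record that normally accompanies p=reject.

```python
import re

# Constructed sample TXT records for hypothetical domains (not real DNS lookups);
# in practice, fetch TXT of <domain> for SPF and of _dmarc.<domain> for DMARC.
SAMPLE_RECORDS = {
    "sending.example.edu": ("v=spf1 include:_spf.example.net ip4:192.0.2.0/24 ~all",
                            "v=DMARC1; p=none; rua=mailto:dmarc-agg@example.edu", True),
    # defensively registered domain that should never send mail
    "parked.example.edu": ("v=spf1 +all", None, False),
}

# The 'all' mechanism with its optional qualifier; an unqualified 'all' means '+all'.
SPF_ALL = re.compile(r"(?:^|\s)([-~+?])?all(?:\s|$)", re.IGNORECASE)

def spf_all_qualifier(spf):
    """Return '-', '~', '+' or '?' for the record's 'all' mechanism, None if absent."""
    if not spf or not spf.lower().startswith("v=spf1"):
        return None
    m = SPF_ALL.search(spf)
    return (m.group(1) or "+") if m else None

def dmarc_policy(dmarc):
    """Return the lower-cased p= tag of a DMARC record, or None if missing."""
    if not dmarc or not dmarc.lower().startswith("v=dmarc1"):
        return None
    for part in dmarc.split(";"):
        key, _, value = part.strip().partition("=")
        if key.strip().lower() == "p":
            return value.strip().lower() or None
    return None

def evaluate(spf, dmarc, sends_mail):
    """Check one domain against the recommendations; an empty list means nothing to fix."""
    findings = []
    q = spf_all_qualifier(spf)
    if not sends_mail:
        if q != "-":
            findings.append("SPF: a domain that never sends mail should publish exactly 'v=spf1 -all'")
    elif q is None:
        findings.append("SPF: no record or no 'all' mechanism; publish one ending in -all or ~all")
    elif q in ("+", "?"):
        findings.append(f"SPF: '{q}all' lets any sender pass; replace it with -all or ~all")
    p = dmarc_policy(dmarc)
    if p is None:
        findings.append("DMARC: no record; publish at least p=none to start receiving reports")
    elif not sends_mail and p != "reject":
        findings.append(f"DMARC: non-sending domain is at p={p}; go straight to p=reject")
    return findings

def audit(records=SAMPLE_RECORDS):
    # Returns {domain: findings} for every domain in the inventory.
    return {d: evaluate(*rec) for d, rec in records.items()}
```

Running `audit()` on the samples reports nothing for the sending domain (p=none with ~all is an acceptable starting point) and two findings for the parked domain.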
We hope that higher ed institutions across the country will step up to the challenge of protecting their students, faculty, and alumni. Perhaps the pressure on U.S. federal agencies to deploy DMARC and achieve a reject policy will be a catalyst for positive change in email authentication nationwide, and phishing will eventually become a thing of the past.