You know that email you once received from a friend or colleague that clearly wasn’t sent by him or her? More than 90 percent of all cyberattacks begin with this kind of phishing email. Unfortunately, higher education is no stranger to phishing. In March 2017, Coastal Carolina University revealed it lost more than $1M to a phishing scam. The attackers succeeded in the theft by masquerading as a company with a contractual relationship with the university. In an official-looking email, the phony sender requested changes to the university’s bank information. An employee complied, and the rest is history.

Phishing and spoofing attacks against students and staff are most likely when these three items are not properly in place:

  • a Sender Policy Framework (SPF), which is an email-validation system that detects spoofing attempts. (Spoofing is when a third party disguises itself as a particular sender and uses a counterfeit email address.)
  • DomainKeys Identified Mail (DKIM) and/or Domain-based Message Authentication: DKIM uses an encrypted token pair to validate message integrity during sending and delivery.
  • a Reporting and Conformance (DMARC) policy, which is considered the industry standard for email policy and reporting tools that help to prevent such attacks.

250ok recently analyzed the 3,164 top-level .edu domains controlled by accredited U.S. colleges and universities. The scope of this study focused on DMARC adoption and found that almost 90 percent (3,211) of top-level .edu domains in the U.S. lack the most basic DMARC policy, which leaves students, parents, alumni, and employees at risk.

5 recommendations for setting up email authentication

It is worth noting a meaningful number of institutions likely use a subdomain for some of their messaging (e.g., “college.edu” is a root domain; “mail.college.edu” is a subdomain). However, leaving the root domain unauthenticated is an open invitation for spoofing, phishing, and mail forgery. A published record at the root domain will protect the entirety of the domain, including any potential subdomain as they will automatically inherit the DMARC policy of the root domain.

In 2017, the U.S. Department of Homeland Security announced Binding Operational Directive 18-01, requiring all U.S. federal agencies to achieve a reject policy on their .gov domains by October 2018. Currently, only .4 percent of top-level .edu domains in the U.S. have implemented a reject policy—the gold standard for DMARC.

About the Author:

Matthew Vernhout is the director of privacy at 250ok and is a certified international privacy professional in Canada with nearly two decades of experience in email marketing. He actively shares his expertise on industry trends, serving as director at large of the Coalition Against Unsolicited Commercial Email, chair of the Email Experience Council’s advocacy subcommittee, and senior administrator of the Email Marketing Gurus group. He speaks frequently at email marketing and technology conferences and maintains his celebrated blog, EmailKarma.net.


Add your opinion to the discussion.