Standard: ISO / Email

Scope

  • All email messages sent and received by Miami's email systems or on behalf of the University

Rationale

  • The following standard provides requirements necessary to help protect Miami and the miamioh.edu domain's reputation as an email sender as well as protecting the recipients and their devices of messages sent from miamioh.edu addresses from malicious phishing, malware, and other email attacks

 

Definitions

  • DomainKeys Identified Mail (DKIM) - an email authentication method which applies a digital signature, linked to a domain name, to each sent message
  • Sender Policy Framework (SPF) - an email authentication method which defines authorized senders for a domain via IP addresses or DNS lookups listed in an SPF DNS record
  • Domain-based Message Authentication, Reporting & Conformance (DMARC) - an email authentication policy and reporting protocol composed of 3 checks: that a message has a valid DKIM signature, that a message was sent by an authorized source via SPF, and that the domain used in the From: field aligns with either the domain in the DKIM signature or the domain in the SPF record

Standards

  • All email messages sent with a sending address using the miamioh.edu domain must be signed with a valid DKIM signature. DKIM keys must be 1024 or 2048 bits in length
  • All email messages sent with a sending address using the miamioh.edu domain must be sent from an authorized source defined via SPF
  • All email messages using the miamioh.edu domain as the sending address must be verified for DMARC compliance before delivery. Messages that do not pass DMARC compliance must at a minimum be quarantined to recipients' spam or junk folder if not rejected entirely
  • All email messages delivered to miamioh.edu addresses must be scanned and filtered for malware, phishing, and spam
  • All email messages delivered to miamioh.edu addresses must be scanned and filtered for executable and malicious attachments
  • Messages sent by 3rd parties from miamioh.edu addresses must not use an individual's email address as the sending address, but rather use an address dedicated to the purpose of mailing from that 3rd party service
  • Listserv or group messaging administrators must implement mechanisms to handle bounced messages, unsubscribe requests, and the removal of non-deliverable addresses

 

Recommendations to avoid messages being identified as spam

  • Don't use false or misleading header information
  • Don't use deceptive subject lines
  • If a message is an advertisement, identify it as such
  • Avoid content and formatting that appears to be spam

Appendix

Related policies and standards:

Standard Administration

Next Review Date

  • 12/15/2024

 

Responsible Officer

  • Vice President for Information Technology & Chief Information Officer

 

Contact

  • Assistant VP for IT Services Security, Compliance, and Risk Management

 

Approval(s) and Date(s)

  • Initial Approval: 20 December 2023