1. What is Email Authentication?
Email authentication is a set of technologies that verify whether an email message actually comes from the sender it claims to be from. It helps protect the USC organization from email-based threats like phishing, spoofing, and impersonation.
The three primary email authentication methods are:
- SPF (Sender Policy Framework) – Verifies that the sender’s IP is authorized to send on behalf of the domain.
- DKIM (DomainKeys Identified Mail) – Uses cryptographic signatures to ensure the message hasn’t been altered.
- DMARC (Domain-based Message Authentication, Reporting & Conformance) – Builds on SPF and DKIM to provide instructions on how to handle unauthenticated emails and sends reports back to domain owners.
2. What is DMARC?
DMARC is a policy framework that tells email receivers what to do when an email fails SPF or DKIM checks. It also provides visibility into who is sending email on your behalf.
DMARC tells mail servers what to do when email authentication protocols such as DKIM or SPF fail, whether that is marking the failing emails as “spam,” delivering the emails anyway, or dropping the emails altogether.
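To make the policy logic concrete, here is an added example (not USC tooling) that parses a DMARC TXT record and decides what a receiving server would do with a message given its SPF and DKIM results. The record, the domains and the authentication results are constructed for illustration, and organizational-domain detection is simplified to "the last two labels" rather than the Public Suffix List that real receivers use.

```python
"""Evaluate a DMARC record the way a receiving mail server would (simplified).

Added illustration, not USC's tooling. The DMARC record, domains and
authentication results are constructed; organizational-domain detection is
simplified (last two labels) instead of using the Public Suffix List.
"""
from dataclasses import dataclass

# Constructed record for example.edu: reject at the organizational domain,
# quarantine for subdomains, relaxed (r) SPF and DKIM alignment.
SAMPLE_DMARC_RECORD = (
    "v=DMARC1; p=reject; sp=quarantine; pct=100; "
    "rua=mailto:dmarc-reports@example.edu; adkim=r; aspf=r"
)


def parse_dmarc(record: str) -> dict:
    """Split a DMARC TXT record into tag=value pairs and fill in the defaults."""
    tags = {}
    for part in record.split(";"):
        key, sep, value = part.strip().partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a valid DMARC record: needs v=DMARC1 and p=")
    tags.setdefault("sp", tags["p"])   # subdomain policy defaults to p
    tags.setdefault("adkim", "r")      # relaxed alignment is the default
    tags.setdefault("aspf", "r")
    tags.setdefault("pct", "100")
    return tags


def organizational_domain(domain: str) -> str:
    """Simplified: last two labels (real receivers consult the Public Suffix List)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """Identifier alignment: strict (s) needs an exact match,
    relaxed (r) accepts the same organizational domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return organizational_domain(from_domain) == organizational_domain(auth_domain)


@dataclass
class AuthResult:
    """What SPF and DKIM reported for one message."""
    from_domain: str   # domain in the visible From: header
    spf_pass: bool
    spf_domain: str    # envelope (MAIL FROM) domain SPF was checked against
    dkim_pass: bool
    dkim_domain: str   # d= of a passing DKIM signature, "" if none


def dmarc_disposition(record: str, record_domain: str, result: AuthResult) -> str:
    """Return 'pass' if an aligned SPF or DKIM pass exists; otherwise the
    policy the receiver should apply ('none', 'quarantine' or 'reject')."""
    tags = parse_dmarc(record)
    spf_ok = result.spf_pass and aligned(result.from_domain, result.spf_domain, tags["aspf"])
    dkim_ok = result.dkim_pass and aligned(result.from_domain, result.dkim_domain, tags["adkim"])
    if spf_ok or dkim_ok:
        return "pass"
    # p= covers the record's own domain, sp= covers its subdomains.
    if result.from_domain.lower() == record_domain.lower():
        return tags["p"]
    return tags["sp"]


if __name__ == "__main__":
    cases = {
        "legitimate": AuthResult("example.edu", True, "bounce.example.edu", True, "example.edu"),
        "spoofed From": AuthResult("example.edu", True, "mail.attacker.example", False, ""),
        "subdomain, no auth": AuthResult("news.example.edu", False, "news.example.edu", False, ""),
    }
    for name, res in cases.items():
        print(f"{name}: {dmarc_disposition(SAMPLE_DMARC_RECORD, 'example.edu', res)}")
```

The "spoofed From" case is the scenario the FAQ describes: SPF may pass for the attacker's own envelope domain, but because that domain is not aligned with the visible From address, DMARC treats the message as unauthenticated and applies the p= policy.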
3. Why is DMARC Important for USC?
Email authentication and DMARC are critical mechanisms to prevent email spoofing. Cybercriminals spoof the “From” address of an email to make it appear as though it is coming from a trusted source – like usc.edu or one of its subdomains.
Example: Imagine a cybercriminal sends a phishing email that looks like it’s from a USC domain. This could trick a user into providing sensitive information or a payment to a malicious source if they think that USC is the requester.
- Protects Brand Reputation: Prevents attackers from impersonating your domain in phishing attacks.
- Reduces Risk: Helps block malicious emails before they reach employees, customers, or partners.
- Improves Deliverability: Authenticated emails are more likely to reach inboxes, not spam folders.
- Provides Visibility: DMARC reports show who is sending email on your behalf, legitimately or not.
4. What Happens Without DMARC?
Without DMARC, anyone can spoof your domain and send fraudulent emails that appear to come from your organization. This can lead to:
- Data breaches
- Financial fraud
- Loss of customer trust
- Regulatory non-compliance
7. How Does DMARC Align with Compliance and Risk Management?
DMARC supports compliance with data protection regulations (like GDPR, HIPAA, etc.) by reducing the risk of data loss through phishing. It also demonstrates proactive risk management to stakeholders and auditors.
What happens if DMARC and email authentication protocols are not followed?
Failure to adhere to these requirements will result in email delivery issues to these services after May 21st.
What does this change mean for users and Departments, Schools, and Units?
If third-party senders are not included in our SPF/DKIM/DMARC records, the following emails will get quarantined after May 21st:
- Inbound – any email system or third-party service such as Salesforce, Mailchimp, Zendesk, etc. sending internally on behalf of usc.edu
When emails are quarantined, end users will not receive the email from that sender.
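The quarantine scenario above comes down to an SPF check: if the vendor's sending IPs are not covered by the domain's SPF record (directly or through an include:), the message fails. The following added example (not USC's tooling) evaluates a sending IP against an SPF record offline. The zone data, the vendor name and the IP addresses are all constructed; the checker handles ip4, ip6, include and all, and deliberately omits the a, mx, ptr and exists mechanisms because they need live DNS.

```python
"""Check whether a sending IP is authorized by a domain's SPF record (offline).

Added example, not USC's tooling. ZONE stands in for DNS TXT lookups and is
entirely constructed; a real checker resolves records over DNS and enforces
the 10-DNS-lookup limit, which is approximated here by a recursion depth guard.
"""
import ipaddress

# Constructed TXT records keyed by domain name.
ZONE = {
    "example.edu": "v=spf1 ip4:203.0.113.0/24 include:_spf.campus-mail.example -all",
    "_spf.campus-mail.example": "v=spf1 ip4:198.51.100.10 ip6:2001:db8::/32 -all",
    # The vendor's own SPF record, which example.edu has NOT yet included.
    "spf.vendor-crm.example": "v=spf1 ip4:192.0.2.0/24 -all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(domain: str, ip: str, zone: dict = ZONE, depth: int = 0) -> str:
    """Return 'pass', 'fail', 'softfail', 'neutral', 'none' or 'permerror'
    for a message sent from ip with an envelope domain of `domain`."""
    if depth > 10:
        return "permerror"  # runaway include: chain
    record = zone.get(domain.lower())
    if record is None or record.split()[0].lower() != "v=spf1":
        return "none"       # no SPF record published for this domain
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qualifier = "+"     # mechanisms default to pass when they match
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        if term.lower() == "all":
            return QUALIFIERS[qualifier]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech in ("ip4", "ip6"):
            try:
                # ip_network refuses to contain an address of the other IP version
                if addr in ipaddress.ip_network(arg, strict=False):
                    return QUALIFIERS[qualifier]
            except ValueError:
                return "permerror"
        elif mech == "include":
            # include: matches only when the referenced record yields pass
            if check_spf(arg, ip, zone, depth + 1) == "pass":
                return QUALIFIERS[qualifier]
        # a / mx / ptr / exists are skipped: they require live DNS
    return "neutral"        # nothing matched and no all term


def authorize_vendor(domain: str, vendor_spf_domain: str, zone: dict = ZONE) -> str:
    """Return the domain's SPF record with include:<vendor> inserted before the all term,
    which is the change a domain owner makes to authorize a third-party sender."""
    terms = zone[domain].split()
    all_index = next(i for i, t in enumerate(terms) if t.lstrip("+-~?").lower() == "all")
    terms.insert(all_index, f"include:{vendor_spf_domain}")
    return " ".join(terms)


if __name__ == "__main__":
    vendor_ip = "192.0.2.55"
    print("before:", check_spf("example.edu", vendor_ip))
    fixed_zone = dict(ZONE)
    fixed_zone["example.edu"] = authorize_vendor("example.edu", "spf.vendor-crm.example")
    print("record:", fixed_zone["example.edu"])
    print("after: ", check_spf("example.edu", vendor_ip, fixed_zone))
```

Before the include: is added, mail from the vendor's IP range hits -all and fails; after it, the same IP passes. Authorizing a vendor for DKIM works analogously but is a separate step, and neither change takes effect for DMARC purposes unless the vendor's identifiers align with the visible From domain.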
What do I need to do?
To avoid disruptions, ensure third-party email users follow the steps in the Email Authentication – Instruction Guide and work with our team to ensure senders are compliant.
Missed the Deadline?
If a legitimate email from a third-party sender is quarantined, the relationship owner should contact Security Engineering (seceng@usc.edu) or call the 24×7 CSC hotline at 213-740-5555 to request email removal from quarantine. Our team will un-quarantine the emails and place a temporary exclusion for 15 days. The relationship owner should then ensure vendor compliance by following the instruction guide above.