Department of Computer Science employs DMARC

 
Since the beginning of June 2013, the Department of Computer Science has enforced an email policy called DMARC (Domain-based Message Authentication, Reporting and Conformance) in its email system.
 
DMARC is a technical specification created to help reduce the potential for email-based abuse (such as spam, email spoofing and phishing emails) by solving some long-standing operational, deployment, and reporting issues related to email authentication protocols.  The use of DMARC means that senders will experience increased consistency in the authentication results (pass, fail) for their messages.
 
Our main goal in using this policy is to maintain the department's good reputation as an email sender. At the same time, we receive reports of any unauthorized use of our domain name cs.helsinki.fi. In practice, this means that mail claiming to originate from cs.helsinki.fi can only be sent from our own mail system. The allowed exceptions are mail forwarding (mail originating from us can still be forwarded by an external mail forwarder) and properly configured mailing lists (ones that do not tamper with the subject line or message body).
 
Email users here at the Department of Computer Science do not need to take any special action. Users may notice that outgoing emails now contain a new header called DKIM-Signature. However, if our domain name is misused, the fraudulent email will either end up in the recipient's spam folder, possibly with a warning like this attached
 
    "Be careful with this message. Our systems couldn't verify that this message was really sent by cs.helsinki.fi. You might want to avoid clicking links or replying with personal information." -Gmail
 
or the email might just be totally rejected.
 
The DMARC system is based on two older techniques, SPF and DKIM. DMARC standardizes how email receivers perform email authentication using SPF and DKIM mechanisms, allows a sending organization to indicate that its emails are protected, and tells a receiver what to do if neither of the authentication methods passes.
 
SPF (Sender Policy Framework) is an email validation system designed to prevent email spam by detecting email spoofing through verification of sender IP addresses. SPF allows administrators to specify which hosts are allowed to send mail from a given domain by creating a specific record in the Domain Name System (DNS). Mail exchangers use the DNS to check that mail from a given domain is being sent by a host sanctioned by that domain's administrators.
 
DKIM (DomainKeys Identified Mail) provides a method for validating a domain name identity that is associated with an email message content through cryptographic authentication. The association is set up by means of a digital signature, which can be validated by recipients. The recipient loads the domain name owner's public key using DNS, and then verifies that the signature matches the actual message's content.
 
SPF is defined in RFC 4408. DKIM is defined in RFCs 5585, 5617, 5863, and 6376. DMARC is defined by IETF Internet Draft draft-kucherawy-dmarc-base-00 (2013-03-31). DMARC is a result of an informal consortium including AOL, Facebook, Google, LinkedIn, Microsoft, Paypal, and Yahoo! among others.
 
Some key points about DMARC can be found, for example, in this TechRepublic blog entry.
 

Instructions for local users

Because of this new policy, all mail that has the domain name cs.helsinki.fi in the sender's address must either (1) arrive at the receiver from the IP address of our mail system, or (2) contain an automatically generated digital signature, which proves that the message originates from our mail system. Usually both conditions are satisfied, but mailing lists, mail forwarding, and mail forwarding services (like iki.fi) continue to function even if only one of the conditions is true.

If you want to send mail from elsewhere using your cs.helsinki.fi address, you are REQUIRED either to use our webmail service (rc.cs.helsinki.fi) or to configure your mail program to send mail through the TLS-secured mail submission port 587 at mail.cs.helsinki.fi, which requires authentication with a username and password. You MUST NOT just write the address in the From field.
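The following added example (not the department's own code or configuration) models how a receiver applies the rule above: a message passes DMARC when SPF or DKIM passes for the same domain as the From header. Alignment is simplified here to an exact domain match, and the deliveries, the domains lists.example.org and example.net, and the policy values passed in are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass
class Delivery:
    header_from: str   # domain in the From: header the user sees
    spf_result: str    # "pass" / "fail" / "none", checked on the sending IP
    spf_domain: str    # envelope (MAIL FROM) domain that SPF evaluated
    dkim_result: str   # "pass" / "fail" / "none"
    dkim_domain: str   # d= domain of the DKIM-Signature, "" if unsigned

def aligned(auth_domain: str, header_from: str) -> bool:
    # Simplification: exact match (strict alignment). DMARC's relaxed mode
    # compares organizational domains, which needs a public suffix list.
    return auth_domain.lower() == header_from.lower()

def dmarc_result(d: Delivery) -> str:
    spf_ok = d.spf_result == "pass" and aligned(d.spf_domain, d.header_from)
    dkim_ok = d.dkim_result == "pass" and aligned(d.dkim_domain, d.header_from)
    # One aligned pass is enough; DMARC fails only when neither method passes.
    return "pass" if spf_ok or dkim_ok else "fail"

def disposition(d: Delivery, policy: str) -> str:
    # policy is the p= tag of the sender's DMARC record: none/quarantine/reject
    if dmarc_result(d) == "pass":
        return "deliver"
    return {"none": "deliver", "quarantine": "spam folder", "reject": "reject"}[policy]

DOMAIN = "cs.helsinki.fi"
# Constructed deliveries; lists.example.org and example.net are placeholders.
SCENARIOS = {
    "sent via department mail system": Delivery(DOMAIN, "pass", DOMAIN, "pass", DOMAIN),
    "external forwarder, message untouched": Delivery(DOMAIN, "fail", DOMAIN, "pass", DOMAIN),
    "list that rewrites the subject line": Delivery(DOMAIN, "pass", "lists.example.org", "fail", DOMAIN),
    "address typed into From elsewhere": Delivery(DOMAIN, "pass", "example.net", "none", ""),
}

if __name__ == "__main__":
    for name, d in SCENARIOS.items():
        print(f"{name:40} DMARC={dmarc_result(d):4} -> {disposition(d, 'quarantine')}")
```

The forwarded message survives on its DKIM signature alone, while the last two cases have a passing SPF check for a different domain, which does not count for cs.helsinki.fi.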

 
25.09.2013 - 10:56 Petri Kutvonen
04.06.2013 - 14:15 Petri Kutvonen