UQ is implementing a new email security protocol called DMARC (Domain Message Authentication, Reporting, and Conformance).

DMARC is designed to protect against imposter emails (also known as ‘spoofing’) and ensure your messages are delivered without interruptions.

DMARC enforcement for the uq.edu.au domain will come into effect on December 4, 2024.

If you are an email system owner, applications to have DMARC applied to your system are now open. From December 4, email services that do not use DMARC will be quarantined and emails sent will be undeliverable.

Register to have DMARC applied to your system.

DMARC will protect against persistent and escalating attempts to impersonate UQ, therefore protecting staff, students, and key external partners against scam attempts, and ensure that emails are compliant with major email service providers (e.g., Yahoo, Google).

What is DMARC?

DMARC protects against efforts from scammers to impersonate UQ, using the ‘@uq.edu.au’ email domain. This is called ‘spoofing’.

It is vital to take preventative action against ‘spoofing’, as it is a common tactic used by scammers, taking advantage of the familiarity and reputation of the UQ brand to increase the recipient’s chances of actioning their fraudulent requests (e.g., clicking on a link, downloading an attachment, or transferring funds). 'Spoofing’ poses significant potential impacts to intellectual property, personal and institutional reputation, and personal and organisational finances.

DMARC protects against ‘spoofing’ attempts by formalising the source addresses of UQ emails.

DMARC authenticates emails using trusted source addresses to perform a series of checks and balances, which can verify that the email is legitimate when it's sent from a specific domain (e.g., UQ’s email service).

Top of page

Where will DMARC be applied?

DMARC will not impact personal staff email addresses sending from the UQ-managed Outlook service. Additionally, services that use Oracle CRM and any shared mailbox that is used for UQ internal communication exclusively, will remain unaffected.

DMARC will impact emails sending from third-party services on behalf of UQ, using the '@uq.edu.au' suffixed email addresses and subdomains (e.g. @example.uq.edu.au).

If you are unsure if your service meets these requirements, please reach out to ensure the appropriate action is taken.

If you suspect that you are missing emails from your inbox, please log an IT request. 

Top of page

What do I need to do?

If you are an owner of a system that sends email from an ‘@uq.edu.au’ suffixed address or a current subdomain '@example.uq.edu.au', you will need to apply to register your email system.

If currently sending from the '@uq.edu.au' domain, registering your email system will move the source of your email communications from the ‘@uq.edu.au’ email suffix to a relevant subdomain that clearly identifies your organisational unit (e.g., studentassist-example@uq.edu.au would become studentassist@example.uq.edu.au). This process will be assisted by the UQ Cyber Security Operations Centre (CSOC).

Registration allows the CSOC to enforce anti-spoofing protocols on your new sub-domain, to increase the security and deliverability of your email communications.

If currently sending email from an existing subdomain '@example.uq.edu.au', the CSOC will assist in establishing DMARC compliance.

From December 4, 2024, email services that are not registered will be quarantined and emails sent will be undeliverable.

To register, you will need to submit a request to the CSOC, providing two kinds of records – SPF and DKIM. You can find DKIM and SPF records in your email platform's admin panel. If you require assistance, please contact your email platform's technical support in the first instance.

Definitions regarding SPF and DKIM records are as follows:

  • SPF (Sender Policy Framework) is a record that lists all services authorised to send emails from a particular domain (e.g., 'uq.edu.au'). If emails are sent, and its origin domain is not in the receivers’ record for allowed senders, they will be rejected or marked as spam. Providing your system’s SPF records reduces phishing attacks, spam emails, and increases the deliverability of your emails, and is necessary for DMARC compliance.

  • DKIM (DomainKeys Identified Mail) allows senders to ‘sign’ emails from their domain, confirming their legitimacy. This signature requires public and private keys. DKIM records store public keys, which receiving services can use to verify their legitimacy, and private keys are used to keep messages sent private and should be protected.

Top of page

How can I request my records if a third-party manages the email service?

Should your SPF and DKIM records not be readily available on the third-party platform, please use the below script as a guide for requesting them:

Hello (name),

My organisation is undertaking a project to secure its domain. To complete this and the necessary actions for the service I use, I need to provide them with the associated SPF and DKIM records. Please send them to contact@dmarc.csoc.uq.edu.au and CC me in these communications.

Thank you

Top of page