UQ is implementing a new email security protocol called DMARC (Domain-based Message Authentication, Reporting, and Conformance).

DMARC is designed to protect against imposter emails (also known as ‘spoofing’) and ensure your messages are delivered without interruptions. 

DMARC enforcement will come into effect in late 2024.

If you are an email system owner, applications to have DMARC applied to your system are now open. From late 2024, email services that do not use DMARC will be quarantined and emails sent will be undeliverable.

Register to have DMARC applied to your system.

DMARC will protect against persistent and escalating attempts to impersonate UQ, thereby protecting staff, students, and key external partners against scam attempts, and will ensure that emails are compliant with major email service providers (e.g., Yahoo, Google).

What is DMARC?

DMARC protects against efforts from scammers to impersonate UQ, using the ‘@uq.edu.au’ email domain. This is called ‘spoofing’. 

It is vital to take preventative action against ‘spoofing’, as it is a common tactic used by scammers, taking advantage of the familiarity and reputation of the UQ brand to increase the recipient’s chances of actioning their fraudulent requests (e.g., clicking on a link, downloading an attachment, or transferring funds). ‘Spoofing’ poses significant potential impacts to intellectual property, personal and institutional reputation, and personal and organisational finances.

DMARC protects against ‘spoofing’ attempts by formalising the source addresses of UQ emails.

DMARC authenticates emails using trusted source addresses to perform a series of checks and balances, which can verify that the email is legitimate when it's sent from a specific domain (e.g., UQ’s email service).


Where will DMARC be applied?

DMARC will not impact the email accounts of staff or any shared mailbox that is used for UQ internal communication exclusively.  

DMARC will affect emails sent from third-party services on behalf of UQ, using the '@uq.edu.au' suffixed email addresses and subdomains (e.g. @example.uq.edu.au).

If you are unsure if your service meets these requirements, please reach out to ensure the appropriate action is taken. 


What do I need to do?

If you are an owner of a system that sends email from an ‘@uq.edu.au’ suffixed address or a current subdomain '@example.uq.edu.au', you will need to apply to register your email system.

If currently sending from the '@uq.edu.au' domain, registering your email system will move the source of your email communications from the ‘@uq.edu.au’ email suffix to a relevant subdomain that clearly identifies your organisational unit (e.g., studentassist-example@uq.edu.au would become studentassist@example.uq.edu.au). This process will be assisted by the UQ Cyber Security Operations Centre (CSOC). 

Registration allows the CSOC to enforce anti-spoofing protocols on your new sub-domain, to increase the security and deliverability of your email communications.

If currently sending email from an existing subdomain '@example.uq.edu.au', the CSOC will assist in establishing DMARC compliance. 

From late 2024, email services that are not registered will be quarantined and emails sent will be undeliverable.

To register, you will need to submit a request to the CSOC, providing two kinds of records – SPF and DKIM. You can find DKIM and SPF records in your email platform's admin panel. If you require assistance, please contact your email platform's technical support in the first instance.

Definitions regarding SPF and DKIM records are as follows:

  • SPF (Sender Policy Framework) is a record that lists all services authorised to send emails from a particular domain (e.g., 'uq.edu.au'). If an email is sent and its origin domain is not in the receivers’ record for allowed senders, it will be rejected or marked as spam. Providing your system’s SPF records reduces phishing attacks and spam emails, increases the deliverability of your emails, and is necessary for DMARC compliance.

  • DKIM (DomainKeys Identified Mail) allows senders to ‘sign’ emails from their domain, confirming their legitimacy. This signature requires public and private keys. DKIM records store public keys, which receiving services can use to verify their legitimacy, and private keys are used to keep messages sent private and should be protected.  
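
As an added illustration (not part of the original UQ page or any CSOC tooling), the following Python example sanity-checks SPF and DKIM record strings before they are submitted with a registration request. The function names, the choice of checks and the sample records are assumptions of this example; the sample values are constructed and the key is placeholder bytes.

```python
import base64
import re

# Constructed sample records (not UQ's real DNS data); the key is placeholder bytes.
SAMPLE_SPF = "v=spf1 include:_spf.mailer.example ip4:192.0.2.10 -all"
SAMPLE_DKIM = "v=DKIM1; k=rsa; p=" + base64.b64encode(bytes(294)).decode()

def check_spf(record):
    """Return a list of problems in an SPF TXT record (empty list = looks sane)."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["record does not start with v=spf1"]
    terms = [t.lower() for t in terms[1:]]
    problems = []
    # RFC 7208 section 4.6.4: at most 10 terms that cause DNS lookups.
    lookups = [t for t in terms if t.startswith("redirect=")
               or re.match(r"[+\-~?]?(include|a|mx|ptr|exists)\b", t)]
    if len(lookups) > 10:
        problems.append("more than 10 DNS-lookup terms (receivers return permerror)")
    alls = [t for t in terms if t.lstrip("+-~?") == "all"]
    if alls and alls[0] in ("all", "+all"):
        problems.append("+all authorises every sender on the internet")
    elif not alls and not any(t.startswith("redirect=") for t in terms):
        problems.append("no 'all' mechanism: unlisted senders get a neutral result")
    return problems

def check_dkim(record):
    """Return a list of problems in a DKIM key TXT record (tag=value; ... format)."""
    if "PRIVATE KEY" in record:
        return ["private key material: send only the public record, never this"]
    # Split "tag=value; tag=value" and drop folding whitespace inside values.
    tags = {n.strip(): "".join(v.split()) for n, _, v in
            (part.partition("=") for part in record.split(";"))}
    problems = []
    if tags.get("v", "DKIM1") != "DKIM1":
        problems.append("v= must be DKIM1")
    if "p" not in tags:
        problems.append("missing p= tag (the public key)")
    elif tags["p"] == "":
        problems.append("empty p= means the key has been revoked")
    else:
        try:
            key = base64.b64decode(tags["p"], validate=True)
            # A 2048-bit RSA modulus alone is 256 bytes, so anything shorter is too small.
            if tags.get("k", "rsa") == "rsa" and len(key) < 256:
                problems.append("RSA key is shorter than 2048 bits")
        except ValueError:
            problems.append("p= is not valid base64")
    return problems

if __name__ == "__main__":
    print(check_spf(SAMPLE_SPF), check_dkim(SAMPLE_DKIM))
```

An empty list from both functions means the record passed these basic checks; it does not confirm that the record is actually published in DNS or matches the sending platform.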


How can I request my records if a third-party manages the email service?

Should your SPF and DKIM records not be readily available on the third-party platform, please use the below script as a guide for requesting them: 

Hello (name), 

My organisation is undertaking a project to secure its domain. To complete this and the necessary actions for the service I use, I need to provide them with the associated SPF and DKIM records. Please send them to contact@dmarc.csoc.uq.edu.au and CC me in these communications.  

Thank you 

 
