OIT continues to enhance email security protocols because of the rise in cyberattacks against members of our university community. Phishing and malware through email are some of the most common information security threats. It's important that we all do our part in protecting our personal information and the university's data by staying vigilant against cyberattacks and aware of how to stay secure online.
Detecting both fraudulent email senders and phishing scams are becoming increasingly difficult. To help keep our data and systems safe, the actions noted below are in place.
Email messages from senders outside the university will contain a warning banner. The new warning banner doesn't mean that a message is spam or a phishing attempt. It is there to serve as a reminder to be cautious opening attachments or following links from external contacts. The banner to help recognize messages from outside senders looks like this:
Emails from other CU campuses and the system office, our healthcare affiliates, and other approved university-supported platforms, will not include the banner. Departments, schools and colleges who use a third-party email service to send messages and internal newsletters may be tagged with the external banner because the message originates from outside the university. Tools that are used by the university such as Microsoft, Canvas, and other supported applications also will include the banner because the messages generated by our partner vendors originate from outside of the university.
Phase two of the email security project will begin on Wednesday, June 1, 2022, with the implementation of a sender policy framework (SPF) to limit and define the external domains and services allowed to send email from university addresses. In support of the university’s email policy to limit the number of external bulk email senders, it is necessary to implement an additional security measure alongside the external email banner warning noted above.
Changes to plan for in advance
University preferred electronic platforms including the CU eComm Salesforce, Marketing Cloud, and Cvent programs, Salesforce CRM, and Slate are included on the allowed list for email sends and the SPF record has been added as an authorized sender IP address. These security protocol changes do not affect approved university applications.