Email Security Practices

OIT continues to enhance email security protocols because of the rise in cyberattacks against members of our university community. Phishing and malware through email are some of the most common information security threats. It's important that we all do our part in protecting our personal information and the university's data by staying vigilant against cyberattacks and aware of how to stay secure online. 

Detecting both fraudulent email senders and phishing scams is becoming increasingly difficult. To help keep our data and systems safe, the actions noted below are in place.

External Email Sender Warning Banner

Email messages from senders outside the university will contain a warning banner. The new warning banner doesn't mean that a message is spam or a phishing attempt. It is there as a reminder to be cautious when opening attachments or following links from external contacts. The banner that helps you recognize messages from outside senders looks like this:

[Image: new external warning banner]

Emails from other CU campuses and the system office, our healthcare affiliates, and other approved university-supported platforms will not include the banner. Messages and internal newsletters from departments, schools and colleges that use a third-party email service may be tagged with the external banner because the message originates from outside the university. Messages from tools used by the university, such as Microsoft, Canvas, and other supported applications, will also include the banner because the messages generated by our partner vendors originate from outside the university.

Remember to:

  • Always be careful when opening emails and check links before you click on them!
  • Verify where a link goes before you click on it
    • Hover over the link with your cursor to see the destination website. If it doesn’t go to the right place or looks slightly off, don’t click.
  • Trust your instincts and watch for the external email banner warning that alerts you to messages that originate from outside the university.
  • Keep in mind that you should never provide your username and/or passwords to anyone.
  • More information about phishing, recent cyberattacks and scams is available on the OIT Phishing webpage.

Developing a Sender Policy Framework (SPF)

Phase two of the email security project will begin on Friday, June 1, 2022, with the implementation of a sender policy framework (SPF) to limit and define the external domains and services allowed to send email from university addresses. In support of the university’s email policy to limit the number of external bulk email senders, it is necessary to implement an additional security measure alongside the external email banner warning noted above. 

Changes to plan for in advance

  • Departments and schools that use non-university approved third-party email services or applications to send or receive messages (for example, email messaging, newsletters, and surveys) will no longer be able to send from, or receive email at, an @cuanschutz.edu or @ucdenver.edu email address.
  • Third-party bulk email messages may continue to be sent to distribution lists; however, a non-university “from” email address identifying the external sender domain must be used to ensure messages are delivered correctly.
  • Bulk email messages sent from an unapproved university email address will automatically move to university recipients’ junk or spam folders.
  • External sender emails will be tagged with the email warning banner to remind people to be cautious when opening email. It might be helpful to include a note to audience recipients explaining that the newsletter or message they are receiving is from your school or department and the content is generated internally.

Recommendations and Resources

University-preferred electronic platforms, including the CU eComm Salesforce, Marketing Cloud, and Cvent programs, Salesforce CRM, and Slate, are on the allowed list for email sends and have been added to the SPF record as authorized sender IP addresses. These security protocol changes do not affect approved university applications.

  • Visit the CU eComm program webpage for more information about the university’s preferred and fully supported electronic email tools for marketing communications at the university.
  • Using the CU eComm system also helps ensure the university is compliant with the CAN-SPAM Act. Read more about the federal law that provides relief from unwanted email messages and how it applies to communication with CU constituents.
  • Additionally, please visit the OIT Forms and Surveys webpage for university approved and supported survey tools such as Qualtrics, Formstack, and Microsoft Forms.