University of Wisconsin–Madison

Email Authenticity

Achieving Email Authenticity is part of an ongoing effort to protect users from phishing and improve the reputation of email sent from UW-Madison. 

How will we achieve email authenticity?

Campus email administrators are deploying DMARC (Domain-based Message Authentication, Reporting & Conformance) to provide campus units (email domain owners) stronger control on preventing illegitimate use of UW-Madison email addresses.

DMARC allows email providers to verify that email was sent from a valid UW-Madison address and not from phishers, spammers, or other unverified sources.

Learn more about DMARC

Learn why DMARC is important

DMARC Alignment

Messages are “DMARC aligned” if they pass SPF or DKIM checks, and the domain in the From header matches the results of SPF/DKIM.

See below, under “Test for DMARC effect on emails”, to see how your mass communication will be affected by DMARC.


Campus email administrators began monitoring spoofed emails in 2017, for the purpose of measuring the extent of phishing and accountability of the UW‑Madison brand.

After reviewing this data, along with world-wide trends from large email providers (such as Gmail) starting to require all email senders to adopt DMARC, campus email administrators determined the need to begin implementing DMARC for all UW‑Madison domains.

Emails that are not sent by an approved/verified email service will be affected by these changes. Please refer to Planning for Technical Staff.


The timeline below applies to the domain. Subdomains may have a different timeline depending on conversations campus email administrators will have with domain owners.

  • 2017-2018:
    • Customer engagement presentation to TAG and governance groups.
    • Mailing list providers (e.g. Google Groups and Mailman servers) changed to send DMARC compliant email for senders
    • Providing consultation on the use of sub-domains (e.g., 
    • Rolling out… Unapproved/unverified email inbound to UW-Madison Office 365 will have the From header rewritten and possibly annotated with a warning (based on risk) as a way to raise awareness about email that isn’t verified by DMARC, as well as a way to mitigate some inbound threats
  • January – March 2019
    • Finish backfilling DMARC records for sub-domains.  Sub-domains without a record will inherit an implicit DMARC policy in February.
    • Drop in sessions and continued consultation efforts
    • Continue to advocate the use of sub-domains and SMTP relay service
  • March – July 2019: Unapproved/unverified email may be treated as spam.
    • March: SPF policy published for (SPF record changed ~all)
    • April: 1% of unverified mail affected (DMARC record changed to pct=1)
    • May: 10% of unverified mail affected (DMARC record changed to pct=10)
    • June: 50% of unverified mail affected (DMARC record changed to pct=50)
    • July: 100% of unverified mail affected (DMARC record changed to pct=100)

Plan for sending email

Develop a plan for sending email

Contact the DoIT Help Desk. You will need to provide the following information:

  • Vendor/Service name
  • Email address you would like to send from
  • Recipient Types:
    • 100% UW-Madison users only
    • 100% non-UW-Madison users
    • or, both

Test for DMARC effect on emails

Do the following to test how DMARC affects your emails:

  1. Include the following email address in all of your email campaigns: 
  2. Contact the DoIT Help Desk and ask to verify messages are passing DMARC tests
    • Please include the Date/Time, Subject, and From address of the messages that you would like examined
  3. Campus email administrators will consult with you to determine if improvements are necessary

Best Practices

  • Use a vendor’s domain, if provided
    • If your vendor doesn’t have a domain, use a departmental or project specific domain (
    • If you don’t have a departmental domain or are unsure if you have one, please contact the DoIT Help Desk for help
    • Please note, the domain is only to be used by individuals sending from Office 365 and other systems that are able to authorize end-users’ use of their own email address within the system.
  • Use your email address in the Reply-to section if you want to receive replies
    • If you are not sure what email address to use, contact the DoIT Help Desk
  • To pass DMARC: Use SPF and/or DKIM, with results aligned with the domain in the From header


Examples of approved/verified email services

  • UW-Madison Office 365 via web browser, desktop app, and mobile app
    • End-users sending outbound email
    • Office 365 Add-ons for mail-merge functionality
  • Systems that are able to authorize end-users’ use of their own email address within the system
  • List servers that are configured to work with DMARC
    • UW-Madison email lists : Configure your WiscList with “Header Rewrites” setting “From:” with the following exact text:
      • “’%%author.nameemail%%’ via” <%%email.list%%>
    • Google Groups will use the domain in the From header when DMARC is in effect
    • Departmental and off-campus list servers need to be updated to support DMARC
  • Sending email using any other email service requires campus email administrator coordination to work with DMARC  – Recommend using a subdomain instead of
    (SPF and DKIM need to be configured based on the From address being used in mailings)

    • The campus SMTP Relay service supports SPF (DKIM support TBD)
    • Third party email service providers (e.g. Mailchimp, Qualtrics, etc) 

Examples of unapproved/unverified email services

  • Third-party email services that are not configured to work with the new DMARC controls
    (e.g., Constant Contact, Bronto, MailChimp, off-campus servers, etc.)
  • Non-UW-Madison email accounts that send as a address
    (e.g., a or address set to send as a address)
  • Third-party email scripts/servers that don’t send email using on-campus mail services (such as


View a collection of FAQs about different aspects of DMARC here:

Follow the Email Tech team for updates here:

Request a Consultation

Need help developing a plan for sending DMARC-protected email? Fill out the form below for a one-on-one consultation.

Email Authenticity Consultation Form

DMARC Drop-in Sessions

Attend a DMARC drop-in session to learn how you can take advantage of the DMARC standard to ensure your email campaigns don’t land in the spam/junk folder!

Session 1

January 12, 2018
2:00 pm – 4:00 pm
Computer Sciences building, room 3139 ABC

Session 2

January 15,2019
10:00 am – 12:00 pm
Computer Sciences building, room 3139 ABC

Session 3

January 16, 2019
10:00 am – 12:00 pm
HSLC, room 1220/1222

Session 4

January 22, 2019
1:00 pm – 3:00 pm
Pyle Center, room 226

Session 5

January 23, 2019
1:30 pm – 3:30 pm
Computer Sciences, room 3139 ABC

Contact Us

Share your feedback or questions with us!

Email Authenticity Feedback or Questions Form