Email Security Practices

---

External Email Sender Warning Banner

Email messages from senders outside the university will contain a warning banner. The new warning banner doesn't mean that a message is spam or a phishing attempt. It is there to serve as a reminder to be cautious opening attachments or following links from external contacts. The banner to help recognize messages from outside senders looks like this:

Emails from other CU campuses and the system office, our healthcare affiliates, and other approved university-supported platforms, will not include the banner. Departments, schools and colleges who use a third-party email service to send messages and internal newsletters may be tagged with the external banner because the message originates from outside the university. Tools that are used by the university such as Microsoft, Canvas, and other supported applications also will include the banner because the messages generated by our partner vendors originate from outside of the university.

Remember to:

• Always be careful when opening emails and check links before you click on them!
• Verify where a link goes before you click on it
• Hover over the link with your cursor to see the destination website. If it doesn’t go to the right place or looks slightly off, don’t click.
• Trust your instincts and watch for the external email banner warning that alerts you to messages that originate from outside the university.
• Keep in mind that you should never provide your username and / or passwords to anyone.
• More information about phishing, recent cyberattacks and scams is available on the Phishing Webpage.
  

Developing a Sender Policy Framework (SPF)

Phase two of the email security project was implementation of a sender policy framework (SPF) to limit and define the external domains and services allowed to send email from university addresses. In support of the university’s email policy to limit the number of external bulk email senders, it is necessary to implement an additional security measure alongside the external email banner warning noted above. 

Changes to note:

• Departments and schools that use non-university approved third-party email services or applications to send or receive messages (for example, email messaging, newsletters, and surveys) will no longer be able to be send from, or receive email to, an @cuanschutz.edu or @ucdenver.edu email address.
• Third-party bulk email messages may continue to be sent to distribution lists; however, a non-university “from” email address identifying the external sender domain must be used to ensure messages are delivered correctly.
• Bulk email messages sent from an unapproved university email address will automatically move to university recipients’ junk or spam folders.
• External sender emails will be tagged with the email warning banner to remind people to be cautious when opening email. It might be helpful to include a note to audience recipients explaining that the newsletter or message they are receiving is from your school or department and the content is generated internally.

Recommendations and Resources

University preferred electronic platforms including the CU eComm Salesforce, Marketing Cloud, and Cvent programs, Salesforce CRM, and Slate are included on the allowed list for email sends and the SPF record has been added as an authorized sender IP address. These security protocol changes do not affect approved university applications.

• Visit the CU eComm program webpage for more information about the university’s preferred and fully supported electronic email tools for marketing communications at the university.
• Using the CU eComm system also helps ensure the university is compliant with the CAN-SPAM Act. Read more about the federal law that provides relief from unwanted email messages and how it applies to communication with CU constituents.
• Additionally, please review university approved and supported survey tools such as Qualtrics, Formstack, and Microsoft Forms.