Alert: The Plaza Building will remain closed through Jan. 20, 2025.

Learn More

Email Security Practices

Email and Scheduling Icon

Phishing and malware through email are some of the most common information security threats. It's important that we all do our part in protecting our personal information and the university's data by staying vigilant against cyberattacks and aware of how to stay secure online. Detecting both fraudulent email senders and phishing scams are becoming increasingly difficult. To help keep our data and systems safe, we have implemented the following email security protocols. 

External Email Sender Warning Banner

Email messages from senders outside the university will contain a warning banner. The new warning banner doesn't mean that a message is spam or a phishing attempt. It is there to serve as a reminder to be cautious opening attachments or following links from external contacts. The banner to help recognize messages from outside senders looks like this:

new external warning banner

Emails from other CU campuses and the system office, our healthcare affiliates, and other approved university-supported platforms, will not include the banner. Departments, schools and colleges who use a third-party email service to send messages and internal newsletters may be tagged with the external banner because the message originates from outside the university. Tools that are used by the university such as Microsoft, Canvas, and other supported applications also will include the banner because the messages generated by our partner vendors originate from outside of the university.

Remember to:

  • Always be careful when opening emails and check links before you click on them!
  • Verify where a link goes before you click on it
  • Hover over the link with your cursor to see the destination website. If it doesn’t go to the right place or looks slightly off, don’t click.
  • Trust your instincts and watch for the external email banner warning that alerts you to messages that originate from outside the university.
  • Keep in mind that you should never provide your username and / or passwords to anyone.
  • More information about phishing, recent cyberattacks and scams is available on the Phishing Webpage.

Developing a Sender Policy Framework (SPF)

Phase two of the email security project was implementation of a sender policy framework (SPF) to limit and define the external domains and services allowed to send email from university addresses. In support of the university’s email policy to limit the number of external bulk email senders, it is necessary to implement an additional security measure alongside the external email banner warning noted above. 

Changes to note:

  • Departments and schools that use non-university approved third-party email services or applications to send or receive messages (for example, email messaging, newsletters, and surveys) will no longer be able to be send from, or receive email to, an @cuanschutz.edu or @ucdenver.edu email address.
  • Third-party bulk email messages may continue to be sent to distribution lists; however, a non-university “from” email address identifying the external sender domain must be used to ensure messages are delivered correctly.
  • Bulk email messages sent from an unapproved university email address will automatically move to university recipients’ junk or spam folders.
  • External sender emails will be tagged with the email warning banner to remind people to be cautious when opening email. It might be helpful to include a note to audience recipients explaining that the newsletter or message they are receiving is from your school or department and the content is generated internally.

Recommendations and Resources

University preferred electronic platforms including the CU eComm Salesforce, Marketing Cloud, and Cvent programs, Salesforce CRM, and Slate are included on the allowed list for email sends and the SPF record has been added as an authorized sender IP address. These security protocol changes do not affect approved university applications.

  • Visit the CU eComm program webpage for more information about the university’s preferred and fully supported electronic email tools for marketing communications at the university.
  • Using the CU eComm system also helps ensure the university is compliant with the CAN-SPAM Act. Read more about the federal law that provides relief from unwanted email messages and how it applies to communication with CU constituents.
  • Additionally, please review university approved and supported survey tools such as Qualtrics, Formstack, and Microsoft Forms.

Information Security and IT Compliance

CU Anschutz

Education II North

13120 East 19th Avenue

5th Floor

Aurora, CO 80045


CMS Login