Email Impersonation Security provides a stronger layer of cybersecurity for messages and automated notifications sent to NYU Email. Any email that doesn’t meet NYU’s cybersecurity standards is flagged as a risk in the recipient’s NYU Email inbox so they know to be cautious about it or to just delete the message.
In support of this service, NYU community members are encouraged to register any applications, systems, or tools they use which send email messages and automated notifications to NYU Email addresses. This will ensure the messages meet NYU’s cybersecurity standards and aren’t flagged as a risk.
What happens if an email does not pass the security check?
If the email fails the security check, it is flagged with the text [Failed NYU Email Security Check] prepended to the subject line. Although no action is required of those who receive these emails, the following form can be used to report flagged emails.
DMARC (Domain-based Message Authentication, Reporting, and Conformance)
Valimail relies on DMARC compliance. DMARC works with SPF (Sender Policy Framework) and DKIM (DomainKeys Identified Mail) (see below) to check whether an email really comes from the sender it claims to come from, or is only pretending to.
Once an email is sent from an @nyu.edu address, it must pass SPF and DKIM inspection, which determine whether it comes from a compliant sender, before it reaches an individual’s inbox. The purpose is to warn the recipient when an email comes from a suspicious source that may be spam, phishing, or spoofing (impersonation).
SPF (Sender Policy Framework)
Many times, emails are sent that appear to come from an @nyu.edu address and may trick the recipient into believing that the sender is from the University. SPF uses a DNS (Domain Name System) entry to publish the list of servers that are allowed to send email for a specific domain, so that a receiving server can detect a suspicious sender sending email on the domain’s behalf.
DKIM (DomainKeys Identified Mail)
DKIM validates that mail content has not changed since it was signed by the sending server. It differs from SPF in that, rather than simply validating that the sending server is authorized to send mail for the domain, DKIM uses a public/private key signing process: the sending server signs the message with a private key, and the matching public DKIM key is published in DNS. This process validates both that the email content has not been modified and that the email was indeed sent by an approved server for the domain. Once the DKIM check is complete, its result is passed on to the DMARC evaluation.
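As an added illustration (not NYU’s or Valimail’s code), the following shows how a receiving server combines the SPF and DKIM results with the domain’s DMARC record to reach the pass/fail decision described above and add the subject-line flag. The domain names, DMARC record, and authentication results are constructed sample values, and the organizational-domain rule is simplified.

```python
"""Illustrative DMARC evaluation over SPF/DKIM results (constructed example)."""
import re


def org_domain(domain):
    # Simplified organizational domain: last two labels. Real DMARC uses the
    # Public Suffix List, so this is an assumption that holds for example.com-style names.
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(identifier, from_domain, mode):
    """Identifier alignment: strict ('s') needs an exact match, relaxed ('r') the same org domain."""
    identifier, from_domain = identifier.lower(), from_domain.lower()
    if mode == "s":
        return identifier == from_domain
    return org_domain(identifier) == org_domain(from_domain)


def parse_dmarc(record):
    """Parse a DMARC TXT record such as 'v=DMARC1; p=quarantine; adkim=r; aspf=s'."""
    tags = dict(t.strip().split("=", 1) for t in record.split(";") if "=" in t)
    return {"p": tags.get("p", "none"), "adkim": tags.get("adkim", "r"), "aspf": tags.get("aspf", "r")}


def evaluate_dmarc(from_header, spf_result, spf_domain, dkim_results, dmarc_record):
    """Return (dmarc_result, policy). dkim_results is a list of (d= domain, result) pairs."""
    from_domain = re.search(r"@([\w.-]+)", from_header).group(1)
    policy = parse_dmarc(dmarc_record)
    # DMARC passes if SPF passed for an aligned domain OR any DKIM signature
    # passed for an aligned d= domain; an unaligned pass does not count.
    spf_ok = spf_result == "pass" and aligned(spf_domain, from_domain, policy["aspf"])
    dkim_ok = any(r == "pass" and aligned(d, from_domain, policy["adkim"]) for d, r in dkim_results)
    return ("pass" if (spf_ok or dkim_ok) else "fail"), policy["p"]


def tag_subject(subject, dmarc_result):
    """Prepend the flag the article describes when the message fails the check."""
    if dmarc_result == "fail":
        return "[Failed NYU Email Security Check] " + subject
    return subject


if __name__ == "__main__":
    # Constructed sample: SPF passed for a third-party bulk mailer, no DKIM signature.
    record = "v=DMARC1; p=quarantine; adkim=r; aspf=r"  # constructed, not NYU's real record
    result, _ = evaluate_dmarc("Notifications <noreply@nyu.edu>", "pass", "bulk-mailer.example", [], record)
    print(tag_subject("Your account statement", result))
```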
Additional Information
Email Impersonation Security (NYU IT website)
Email Impersonation Security: FAQ (NYU ServiceLink knowledge base)