Domain-based Message Authentication

This page describes what domain-based message authentication is and how it is set up for RWTH email communication.
Due to the ongoing threat of phishing emails reaching RWTH Aachen University, it has been decided to change the DMARC policy from p=none to p=reject.
Definition
Domain-based Message Authentication refers to a method of authenticating emails based on the sender domain. The aim is to prevent emails with fake sender addresses (e.g., in phishing or spoofing) from being sent on behalf of a domain.
In the best case, this increases the security of email traffic, prevents domain abuse, and improves the deliverability of legitimate emails.
In practice, domain-based message authentication is implemented using the DMARC (Domain-based Message Authentication, Reporting and Conformance) protocol.
DMARC is based on two established email authentication methods:
- SPF (Sender Policy Framework): Checks whether the sending mail server is authorized for the sender domain.
- DKIM (DomainKeys Identified Mail): Uses cryptographic signatures to verify that the email was not altered in transit and was signed on behalf of the sender's domain.
DMARC links these checks to a domain policy that is published in the domain's DNS. Receiving mail servers use this policy to decide how to handle emails that fail the checks.
Depending on the configuration, the policy specifies that emails failing authentication:
- are delivered normally (p=none),
- are treated as spam (p=quarantine),
- or are rejected completely (p=reject).
The DMARC policy of RWTH has now been changed to reject.
Effects
The change means that emails sent by external parties that imitate the RWTH mail domain (e.g., @rwth-aachen.de) will be rejected by the RWTH mail servers.
Exceptions to this are mail domains for which corresponding processes have been agreed with the IT Center in the past.
If such processes are active in your institution, please contact the IT ServiceDesk.
Please ensure that emails preferably use authenticated SMTP via mail.rwth-aachen.de.
If this is not possible for technical reasons, please use smarthost-tls.rwth-aachen.de or smarthost.rwth-aachen.de to send emails.
You can find a quick guide to this in our RWTH-E-Mail FAQ.
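The following script is an added illustration of the recommended path, authenticated SMTP submission via mail.rwth-aachen.de, and is not part of this page or of the IT Center's guidance. Only the host name comes from the page; the submission port 587 with STARTTLS, the list of permitted sender domains, and the pre-send check that the From: domain is an RWTH domain (so that SPF and DKIM can align) are assumptions of this example and should be confirmed against the RWTH-E-Mail FAQ.

```python
"""Authenticated SMTP submission with a DMARC alignment pre-check (added example)."""
import smtplib
import ssl
from email.message import EmailMessage
from email.utils import parseaddr

SUBMISSION_HOST = "mail.rwth-aachen.de"  # host named on this page
SUBMISSION_PORT = 587                    # assumption: STARTTLS submission port, confirm in the FAQ
RWTH_DOMAINS = ("rwth-aachen.de",)       # assumption: extend with institute domains you may use


def sender_domain(address: str) -> str:
    """Domain part of an address such as 'Name <user@host>'."""
    _, addr = parseaddr(address)
    if "@" not in addr:
        raise ValueError(f"not an email address: {address!r}")
    return addr.rsplit("@", 1)[1].lower()


def from_domain_is_rwth(address: str, domains=RWTH_DOMAINS) -> bool:
    """True if the From: domain is an RWTH domain or a subdomain of one.
    Only then can SPF/DKIM produced by the RWTH servers align with From:."""
    dom = sender_domain(address)
    return any(dom == d or dom.endswith("." + d) for d in domains)


def build_message(sender: str, recipient: str, subject: str, body: str) -> EmailMessage:
    """Plain-text message; From: is what DMARC evaluates on the receiving side."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = recipient
    msg["Subject"] = subject
    msg.set_content(body)
    return msg


def send_authenticated(msg: EmailMessage, username: str, password: str,
                       host: str = SUBMISSION_HOST, port: int = SUBMISSION_PORT) -> None:
    """Submit over STARTTLS with SMTP AUTH; refuse beforehand if From: cannot align."""
    if not from_domain_is_rwth(msg["From"]):
        raise ValueError("From: domain is not an RWTH domain; DMARC would fail at the receiver")
    ctx = ssl.create_default_context()   # verifies the server certificate
    with smtplib.SMTP(host, port, timeout=30) as smtp:
        smtp.starttls(context=ctx)
        smtp.login(username, password)
        # send_message() takes the envelope sender from From:, keeping SPF aligned
        smtp.send_message(msg)


if __name__ == "__main__":
    import getpass
    m = build_message("user@rwth-aachen.de", "colleague@example.org", "DMARC test", "Hello")
    send_authenticated(m, input("RWTH username: "), getpass.getpass("Password: "))
```

The alignment check runs before any connection is opened, so a misconfigured script fails locally with a clear message rather than producing mail that the receiving server would reject under p=reject.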
In addition, configured redirects to external email addresses may no longer work. If emails are redirected to an external address and from there sent back to an RWTH email address, they will be rejected because the DMARC check cannot succeed. We kindly ask you to remove redirects and configure forwarding rules instead.
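To make concrete how a receiving server applies the published policy (the none/quarantine/reject decision described under Definition) and why a redirected message fails under p=reject (the Effects section), here is an added model of the DMARC evaluation. It is example code, not RWTH's or any mail server's implementation. The policy records, the three scenarios and the domain forwarder.example are constructed; the organizational-domain helper is simplified to the last two labels (real receivers use the Public Suffix List), and the real RWTH record may carry tags this page does not list.

```python
"""Model of a receiving server's DMARC evaluation (added example)."""
from dataclasses import dataclass

# Constructed policy records for illustration only.
POLICY_NONE = "v=DMARC1; p=none"
POLICY_REJECT = "v=DMARC1; p=reject"


def parse_dmarc_record(txt: str) -> dict:
    """Split a DMARC TXT record ('v=DMARC1; p=reject; ...') into its tags."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed DMARC tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC1 record")
    if tags.get("p") not in ("none", "quarantine", "reject"):
        raise ValueError("missing or invalid p= tag")
    return tags


def org_domain(domain: str) -> str:
    """Organizational domain, simplified to the last two labels (assumption)."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """Identifier alignment: strict ('s') needs an exact match,
    relaxed ('r') accepts the same organizational domain."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


@dataclass
class AuthResults:
    """What SPF and DKIM reported for one message."""
    spf_result: str   # "pass" or "fail"
    spf_domain: str   # domain of the envelope sender (MAIL FROM)
    dkim_result: str  # "pass", "fail" or "none" (unsigned)
    dkim_domain: str  # d= tag of the DKIM signature, "" if unsigned


def dmarc_disposition(from_domain: str, record: str, res: AuthResults) -> str:
    """Return 'pass', or the policy action (none/quarantine/reject) to apply."""
    tags = parse_dmarc_record(record)
    spf_ok = res.spf_result == "pass" and aligned(
        from_domain, res.spf_domain, tags.get("aspf", "r"))
    dkim_ok = res.dkim_result == "pass" and aligned(
        from_domain, res.dkim_domain, tags.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return "pass"
    # A subdomain sender may be covered by its own sp= policy
    if from_domain.lower() != org_domain(from_domain) and "sp" in tags:
        return tags["sp"]
    return tags["p"]


# Constructed scenarios, all with From: someone@rwth-aachen.de
DIRECT = AuthResults("pass", "rwth-aachen.de", "pass", "rwth-aachen.de")   # via the RWTH servers
SPOOFED = AuthResults("fail", "rwth-aachen.de", "none", "")                # external host imitating the domain
# Redirected through an external mailbox: SPF passes for the forwarder but does
# not align with From:, and the DKIM signature was broken on the way.
REDIRECTED = AuthResults("pass", "forwarder.example", "fail", "rwth-aachen.de")


if __name__ == "__main__":
    for name, res in [("direct", DIRECT), ("spoofed", SPOOFED), ("redirected", REDIRECTED)]:
        none = dmarc_disposition("rwth-aachen.de", POLICY_NONE, res)
        reject = dmarc_disposition("rwth-aachen.de", POLICY_REJECT, res)
        print(f"{name:10s} p=none -> {none:8s} p=reject -> {reject}")
```

Under p=none the spoofed and redirected messages are still delivered (the receiver only reports), which is why the change to p=reject is what makes both cases bounce; the redirected case shows that a message can carry a valid-looking RWTH From: and still fail once neither SPF nor DKIM aligns with that domain.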

