Email Security and Simplification Project
Improving the security of University emails, reducing the risk of security breaches and protecting personal data for which the University is legally responsible
Project overview
The Email Security & Simplification Project is delivering four key pieces of work:
- Removal of custom automatic email forwarding - COMPLETE AS OF AUGUST 2023 - see below for further information
- Define the risk and cost associated with local email services and agree support for departments migrating from local email services to Nexus
- Implement Validation Protocol (DKIM/DMARC/ARC) to improve the authentication of our outgoing emails and reduce the number of our emails that go to people's junk folders - IN IMPLEMENTATION STAGE
- Intelligent Email - evaluate, procure and implement additional security tools within Nexus365 to support the prevention of data breaches arising from mis-use of 'cc' or mis-sending of confidential data
1. Automatic email forwarding will no longer be allowed
A change to IT Regulations (as shown on the Compliance website) has been approved by University Council. From 1 August 2023, the blanket forwarding or routing of email from a University email address to an external, non-University of Oxford, account is no longer allowed, except in exceptional circumstances.
You are still permitted to forward individual emails to external email accounts, but we ask you to consider carefully the implications of doing so.
Why is automatic email forwarding a problem?
- It’s a significant security risk: when you set all your email to forward to an external email address, you are circumventing the protections put in place to prevent our accounts being compromised, such as strong password rules and MFA (multi-factor authentication). This potentially enables unauthorised access to confidential University data because it could be much easier for hackers to break into your private email account than your Oxford University account.
- It’s a significant data handling risk: if emails are indiscriminately forwarded outside the University internal or confidential data may be unintentionally forwarded – for example, a commercial contract or sensitive personal data from a student or colleague. There is a range of responsibilities on the University and individuals regarding how we manage, share and secure personal data and we cannot achieve this if there is indiscriminate forwarding to external email providers.
- There’s a reputational risk that all our email will be marked as spam: when you forward all your email to an external email provider, junk mail and spam may also be forwarded. This can result in external email providers’ spam filters thinking that legitimate email from Oxford University is also spam. This could be cause problems when, for example, you are communicating with applicants or external participants in research projects.
- It can result in an accidental breach of contract: there are recent examples of research sponsors and collaborators taking a dim view of receiving a response from a non University of Oxford email account. All institutions are improving their security and have expectations that we will do the same. Data sharing agreements may include expectations around the handling of data. A reply from a non-University account could amount to a breach of contract.
What has changed?
IT Services has made changes to the automatic email forwarding function in line with the change to IT regulations:
- The email forwarding self-service function is no longer available. You are still able to manually forward individual emails, in compliance with IT regulations
- Support documentation is available on the IT Help website to help you manage your email, in compliance with IT regulations
- A process to request an exception to the regulation has been implemented - this will be in exceptional circumstances only and will require the approval of the Chief Information Officer
What do I need to do?
If you did not have automatic forwarding set up from your email, nothing will have changed for you.
If you were automatically forwarding your University emails to an external account, this has now been switched off and your emails have not been forwarded since 1 August. Please check your University email account.
- Here are instructions for setting up your email client to read your Oxford University email
- See guidance for logging into your Oxford University email on the web
- You can set up a consolidated view of multiple email accounts in the same client. This allows you to manage both your University email account and your external and/or personal email account in a single place, easily navigating between multiple accounts. See the IT Help website for more information. General guidance on how to add an email account to Outlook is available from Microsoft Support
Frequently Asked Questions
FAQs about the change in IT regulation prohibiting blanket email forwarding
3. Implementation of Validation Protocol
To improve the authentication of our outgoing email, the project is beginning to implement the changes across the university. The objective is to ensure that more of our sent email arrives in recipients’ inbox folders, being seen as legitimate and genuine, rather than, in some cases, being treated as directly equivalent to spoofed email from malicious senders.
What is happening?
Imminent changes from Google may cause bulk communications to Gmail addresses to be rejected.
Due to a change made by Google, on the 1 February 2024, organisations that send more than 5,000 messages per day to email domains hosted or managed by Google must meet new requirements. This has expedited our plans for the project, hence this high priority communication.
The key one being: Setting up SPF, DKIM, and DMARC email authentication for your domain.
This change has been fully tested, both in the Nexus lab, and in production (since November 2023) for the it.ox.ac.uk domain. The validation protocols are well-proven and are already in use by the majority of Russell Group universities.
Right now, Google sees ox.ac.uk as a single domain. This means that a single college, department, or unit which does not implement all of SPF, DKIM, and DMARC could potentially impact delivery of the entire collegiate University’s email to Google domains.
What are we doing to implement the change?
We are adding a few lines into DNS. We already have DKIM established on it.ox.ac.uk in monitoring mode and results have exceeded expectations.
DKIM is a digital signature that a recipient's email server can use to verify that an email wasn't modified in transit. Since we have no DKIM records right now, adding this can only enhance delivery outcomes, and is therefore a very low-risk activity.
DMARC is a single line in DNS which receiving email servers can look up - it is a request from us for the receiving system to take an action of our choice on messages which fail all of the authentication checks which would be used to prove it came from Oxford.
SPF is another DNS entry for each domain through which receiving email servers can confirm whether an email is being sent from a legitimate server for that domain. SPF records should already be in place for most University email domains.
What do you need to do?
We, the project team, can fully manage this entire process for you on your behalf but only if:
• Your entire unit uses Nexus365 for email
• If this is the case, we only ask you not to change/remove those DNS records.
ITSS for units which do NOT use Nexus365 will have to undertake their own checks to ensure SPF, DKIM, and DMARC are correctly configured and enabled.
The timeframe for this change is dependent on units contacting us who do NOT use Nexus365, but the change must be completed by 1 February 2024 to avoid any disruption to our emails reaching their destinations.
Please consult with the project team if you need assistance.
We are looking at solutions to address anything sent via Oxmail, smtp.ox.ac.uk, maillist.ox.ac.uk or DARS (Blackbaud). Other third-party services which send mail from your subdomain may also be affected, but if you have queries regarding this, please contact the project team.
What if I do nothing?
The risk of doing nothing is HIGH: Google may start rejecting email from all ox.ac.uk email subdomains from the 1 February 2024 if these DNS records are not in place.
Right now, Google sees ox.ac.uk as a single domain. This means that a single college, department, or unit which does not implement SPF, DKIM, and DMARC could potentially impact delivery of the entire collegiate University’s email to Google domains.
Across the whole of the collegiate University the sending of more than 5,000 emails per day to Google addresses is easily reached. Furthermore, these values are used to confirm email's authenticity to a recipient. Without these protocols in place, it's far more likely that our email will go into recipients' junk folder or be deleted entirely without even being delivered.
Frequently Asked Questions
Contact
If you have any questions, please contact the project team: emailsecurityproject@it.ox.ac.uk
