External Sender Rule

Purpose

This document establishes rules for using an email service provider that is not managed by the Office of Information Technology.

Scope

This rule applies to any WMU entity that uses an external sender to send messages on behalf of the university and sends the messages "From:" a "@wmich.edu" address.

Rule statements

  • Email is authored from a WMU entity (department/program/service/etc.).
  • Email’s "From:" uses an "@wmich.edu" domain address.
  • External sender must be able to provide a DKIM signed key for emails sent from the "@wmich.edu" domain.

Definitions

DKIM (DomainKeys Identified Mail) is an email authentication technique that allows the receiver to check that an email was indeed sent and authorized by the owner of that domain.

DMARC (Domain-based Message Authentication, Reporting, and Conformance) is an email authentication, policy, and reporting protocol that operates alongside Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM) to determine the authenticity of an email message.

Domain (or "domain name") - In this context, it is the part of the email address to the right of the "@" sign, as seen in an email client's "From:" field. For example, "wmich.edu" is WMU's domain name.

External Sender, a.k.a. "external sending service" or "3rd party sender", is a service provider of email sending services that aren't managed by the Office of Information Technology.

External Sender Notification is WMU's process of adding a notification to emails to inform recipients that the email is not authored by a WMU entity and that they should consider the validity of the message and of any links and attachments it contains.

"From:" is an email header field that specifies the author(s) of the message, that is, the mailbox(es) of the entity responsible for the writing of the message. It is commonly known as the "body from address".

WMU email address is the official email address assigned at the time one's Bronco NetID is created. 

Justification

Security and reliable message deliverability are critical functions for the university. This rule helps provide improved security and email message deliverability through compliance with the industry-standard email messaging technologies DKIM and DMARC.

Results of Non-Compliance

Emails received by wmich.edu accounts from external senders that are not sent as a wmich.edu account will have WMU’s External Sender Notification included in the email message.

Enforcement

Individuals who conduct official business for Western Michigan University shall abide by the rules of this policy. Any person found to be in violation of this rule will be subject to appropriate disciplinary action as defined by current University policy.

Exceptions

Exceptions to this rule may be expressly granted by the WMU Legal Counsel, in consultation with OIT, through approved service requests and implementation processes.

Reference

Document action 

Initial creation: April 18, 2022