Implementing good practice email security in response to Google's and Yahoo's new rules relating to bulk email sending

What have we done?

For outgoing email using the centrally provided mail services (Nexus365, Oxmail, smtp.ox.ac.uk, maillist.ox.ac.uk), DKIM and DMARC are now in place for the ox.ac.uk domain. This is Google’s and Yahoo’s bare minimum requirement to ensure ongoing delivery to those domains.  

Other parts of the University which send email independently of the above central services, and/or which don’t use the central University DNS service, will still need to make those changes themselves. Failure to do so can impact delivery for ALL University users.

 

What needs to be done?

Action is required wherever a third-party service is used to send emails from your email domain. Common uses include newsletters, events management, and alumni relations. For such services, you will need to do the following: 

  • Check whether a DMARC entry exists for that domain. If you have access to test outbound messages, verify whether they passed DMARC checks. If DMARC checks pass, then both SPF and DKIM are correctly configured. If not, check whether a DKIM entry already exists for the domain(s).
  • A DKIM entry in DNS takes the form of a TXT record which contains a digital key. This allows a recipient’s email system to check that the email was not altered in transit.
  • Where no DKIM record currently exists, create one according to the guidance published by your third-party bulk-mailing service.
  • Confirm that the service is using the domain key in question to sign outgoing messages. 
  • Confirm that an SPF record exists to authenticate the outbound service as a valid sender of University email.
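
The checks in the list above can be run against the headers of a test message received at an external mailbox. The following Python is an added example, not part of the original guidance or of any vendor's tooling; the domain news.example.ac.uk, the selector bulk1, the receiving host mx.example.net and the function names are all assumptions. It reads the receiver's DMARC, DKIM and SPF verdicts and reports which DNS name should hold the DKIM key the service signed with.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed headers of a test message; every domain, the selector and the
# receiving host mx.example.net are placeholders, not University values.
SAMPLE = """\
Authentication-Results: mx.example.net;
 dkim=pass header.i=@news.example.ac.uk header.s=bulk1;
 spf=pass (sender IP is 192.0.2.10) smtp.mailfrom=bounces.news.example.ac.uk;
 dmarc=pass (p=NONE) header.from=news.example.ac.uk
DKIM-Signature: v=1; a=rsa-sha256; d=news.example.ac.uk; s=bulk1; bh=AAAA=; b=BBBB=
From: Events Team <events@news.example.ac.uk>
"""

def auth_results(msg, authserv_id):
    """Collect dkim/spf/dmarc verdicts, trusting only headers stamped by our own receiver."""
    verdicts = {}
    for header in msg.get_all("Authentication-Results", []):
        parts = re.sub(r"\([^)]*\)", "", header).split(";")  # drop (comments)
        if parts[0].split()[:1] != [authserv_id]:
            continue  # a header naming another host may have been added by the sender
        for part in parts[1:]:
            m = re.match(r"\s*(dkim|spf|dmarc)\s*=\s*(\w+)", part)
            if m:
                verdicts.setdefault(m.group(1), m.group(2).lower())
    return verdicts

def dkim_signers(msg):
    """Return (d= domain, DNS name of the key's TXT record) for each DKIM-Signature."""
    signers = []
    for header in msg.get_all("DKIM-Signature", []):
        tags = {k.strip(): re.sub(r"\s+", "", v)
                for k, _, v in (t.partition("=") for t in header.split(";"))}
        if tags.get("d") and tags.get("s"):
            d = tags["d"].lower()
            signers.append((d, f"{tags['s']}._domainkey.{d}"))
    return signers

def check(raw, authserv_id):
    msg = message_from_string(raw)
    from_domain = parseaddr(msg["From"])[1].rpartition("@")[2].lower()
    signers = dkim_signers(msg)
    return {
        "verdicts": auth_results(msg, authserv_id),
        "dkim_records": [name for _, name in signers],
        # Simplified alignment test (assumption): From matches d= or is a subdomain of it.
        "aligned": any(from_domain == d or from_domain.endswith("." + d) for d, _ in signers),
    }
```

Calling check(SAMPLE, "mx.example.net") returns the three verdicts, the name of the TXT record to look up in DNS, and whether the signing domain matches the From domain.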

Adestra

The Adestra (msgfocus.com) platform is widely used across the University. If your unit uses Adestra, you will need to ensure that Adestra are adding DKIM signatures to outgoing messages, and that appropriate SPF and DKIM records are in place for your domain. For further information please contact your Adestra support contact.

Blackbaud

Colleges and private halls that do not use DARS, but which independently use services from Blackbaud (e.g. Raiser’s Edge), will need to take action as per:

Remember

Since the consequences of non-compliance have the potential to impact the entire collegiate University, it is imperative that any part of the University which sends email in bulk has fully considered this guidance.

For more information about the project, look at our project webpage.

Questions?

Contact the project team.