UNC’s Top-Level domains and subdomains (unc.edu, *.unc.edu such as med.unc.edu) are vital to email functioning as UNC’s sender reputation applies to them. This reputation makes our email more (or less!) likely to be delivered. Each domain indicates where an email message is coming from. UNC uses separate subdomains to track and manage reputation so that different activities won't affect one another. You can read more about this here at “Protecting UNC's Email Reputation”.
Subdomains
- A department can use its existing subdomain for email pending review of the current setup. If a department does not have a subdomain, or it is determined upon review that the subdomain's setup cannot be used, please proceed to the next bullets.
- The UNC Top Level Subdomains page will need to be reviewed; it provides the requirements for requesting a subdomain.
- After reviewing the UNC Top Level Subdomains, the department manager will need to register a new subdomain at Domain Requests.
Requirements for Subdomains using any type of email
- To manage the email for a subdomain, the DNS must be managed and set up in the UNC DNS servers. UNC domains may not be hosted externally.
- SPF – Each subdomain will be configured with a strict SPF policy.
- DKIM – Any department using a Third-Party email vendor must provide the DKIM keys. They must be created and validated.
- DMARC – records will be set up and set to a policy of Reject.
Requirements for sending email from Third-party platform
- Use an existing or new shared mailbox.
- Use an alias with the subdomain DNS suffix. For example, if you are sending from a mailbox named “test” and your subdomain is example.unc.edu, add an alias of test@example.unc.edu onto the shared mailbox and the email being sent from the third-party platform must use test@example.unc.edu as the source address. This will ensure that SPF, DKIM and DMARC authenticate.
- Do not send mail from a mailbox that does not exist. No more spoofing!
SPF Requirements for subdomain
- Each subdomain that UNC hosts will have the following IP addresses and SPF include domain in its record: “v=spf1 ip4:152.2.79.86 ip4:152.2.79.87 ip4:152.2.79.94 include:spf.protection.outlook.com -all”
- Each subdomain will be configured with a strict policy (Hard Fail). This is the “-” qualifier followed by the “all” mechanism, and it looks like this: -all
- Some third-party senders will need an include statement added to the SPF record. It is the department’s responsibility to obtain this information from the vendor. An include statement looks like this: “include:thirdpartydomain.net”
- SPF records have limits:
  - 255-character limit.
  - 10 DNS lookup limit. This applies to include statements. Be aware that some include statements have nested DNS lookups of their own, and those count towards the total.
DKIM Requirements for subdomain
- Each subdomain UNC hosts in the o365 tenant will have two o365 DKIM keys created and enabled for that subdomain. This is for o365 only.
- Each subdomain can have numerous DKIM keys.
- Any Third-Party email provider must provide DKIM keys. These come in a variety of forms: a single TXT record; two CNAME records; or either of those plus a separate authentication record. For example, iContact uses 2 CNAME records for DKIM keys and a TXT record to validate the subdomain.
- DKIM keys must be validated. Most vendors need to validate the DKIM keys before sending mail. Departments will be responsible for working with their vendor to ensure these are validated once all DNS records have been created.
DMARC Requirements for subdomain
- DMARC policies will be set up and set to reject for each subdomain.
- Each subdomain’s DMARC record will be set to: "v=DMARC1; p=reject; rua=mailto:DmarcAggregate@office.unc.edu; ruf=mailto:DmarcForensic@office.unc.edu; fo=1;"
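The following is an added example (not part of the original page or any UNC tool) that checks a proposed SPF record against the requirements in the SPF section above (must start with v=spf1, end with -all, stay within 255 characters, and stay within the 10 DNS lookup limit) and a DMARC record against the reject policy in this section. It runs offline, so it counts only the lookup-incurring terms visible in the record itself; nested includes still have to be resolved against DNS.

```python
import re

# Constructed sample records: the SPF and DMARC records quoted on this page, used as
# the reference values a department's proposed record is compared against.
UNC_SPF = ("v=spf1 ip4:152.2.79.86 ip4:152.2.79.87 ip4:152.2.79.94 "
           "include:spf.protection.outlook.com -all")
UNC_DMARC = ("v=DMARC1; p=reject; rua=mailto:DmarcAggregate@office.unc.edu; "
             "ruf=mailto:DmarcForensic@office.unc.edu; fo=1;")

# Terms that cost a DNS lookup and count toward the 10-lookup limit (RFC 7208 s4.6.4).
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def check_spf(record):
    """Return the list of problems in an SPF record (empty list = passes).
    Nested includes are not resolved, so the lookup count is a lower bound."""
    problems = []
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["record must start with v=spf1"]
    if len(record) > 255:
        problems.append("record is %d chars; 255 char limit" % len(record))
    lookups = 0
    for term in terms[1:]:
        # Strip the qualifier (+ - ~ ?) and any :domain, /prefix or =value suffix.
        m = re.match(r"[+\-~?]?([A-Za-z0-9_]+)", term)
        if m is None:
            problems.append("unrecognised term %r" % term)
            continue
        if m.group(1).lower() in LOOKUP_TERMS:
            lookups += 1
    if lookups > 10:
        problems.append("%d DNS lookups; limit is 10" % lookups)
    if terms[-1].lower() != "-all":
        problems.append("record must end with -all (hard fail), found %r" % terms[-1])
    return problems


def parse_dmarc(record):
    """Split a DMARC record into a tag=value dict (tag names lower-cased)."""
    tags = {}
    for part in record.split(";"):
        if part.strip():
            key, _, value = part.strip().partition("=")
            tags[key.strip().lower()] = value.strip()
    return tags


def check_dmarc(record):
    """Return the list of problems in a DMARC record against the reject policy."""
    tags = parse_dmarc(record)
    problems = []
    if tags.get("v") != "DMARC1":
        problems.append("record must start with v=DMARC1")
    if tags.get("p") != "reject":
        problems.append("p must be reject, found %r" % tags.get("p"))
    return problems
```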