Email Security Standards and Approved Sending Services

Confidential information, educational records, and user accounts are protected by federal and state laws and regulations, CSU Information Security Policy, Chancellor’s Office executive orders, and University guidelines, standards, and Administrative Policies and Procedures.

Email Security Standards and Approved Sending Services provide guidance regarding DMARC, SPF, DKIM, approved email sending services, third party email vendors, bulk email requirements, and email authentication security practices for the University.

Information Security and Compliance is responsible for coordinating the development and dissemination of email security standards and guidance for the University. The information below provides guidance regarding approved email sending services, email authentication standards, vendor review requirements, and email security best practices.
 

Overview

California State University, Los Angeles uses email authentication and security technologies to protect students, faculty, staff, alumni, and campus partners from phishing, spoofing, spam, and fraudulent email activity.

These standards help:

  • Reduce phishing and spoofing attacks
  • Improve email delivery reliability
  • Protect university reputation
  • Improve trust in university communications
  • Support CSU security requirements

This page provides guidance regarding:

  • DMARC
  • SPF
  • DKIM
  • Approved email sending services
  • Third party email vendors
  • Bulk email requirements
  • Email authentication security practices

DMARC stands for Domain-based Message Authentication, Reporting, and Conformance.

DMARC helps protect the Cal State LA domain from phishing and spoofing by verifying that email messages are authorized to send on behalf of the University.

DMARC works with SPF and DKIM to help determine whether a message should be delivered, quarantined, or rejected.

SPF (Sender Policy Framework) identifies which mail servers are authorized to send email on behalf of a domain.

DKIM (DomainKeys Identified Mail) adds a digital signature to email messages to help verify message authenticity.

DMARC uses SPF and DKIM results to determine how unauthenticated messages should be handled.

The following services are currently approved for institutional email delivery and communication on behalf of Cal State LA.

ITS reserves the right to review, restrict, or remove services that do not comply with university security requirements.

Recommended approved services include:

  • Acquia Cloud
  • Amazon SES
  • Blackbaud Luminate
  • Cisco Cloud Email Security
  • CollegeNET
  • Constant Contact
  • Crescendo
  • DigitalOcean
  • EAB Navigate
  • Elastic Email
  • Element451
  • ExLibris
  • JotForm
  • MailChimp
  • Mailgun by Sinch
  • Marketo
  • Microsoft Office 365
  • Questionmark OnDemand
  • RNL
  • SendGrid
  • SumTotal
  • Terra Dotta Software

Additional services may be approved following ITS review.

Departments should contact ITS before implementing new email delivery platforms or external communication services that send email on behalf of Cal State LA.

Requests for review should include:

  • Vendor name
  • Business purpose
  • Sending domain information
  • SPF and DKIM capabilities
  • Estimated sending volume
  • Technical contact information

ITS may require SPF and DKIM configuration before approval is granted.

Approved email delivery systems should support the following security and authentication standards:

  • SPF support
  • DKIM support
  • DMARC alignment
  • TLS encryption
  • Secure authentication
  • Bounce management
  • Abuse reporting

ITS may require additional security controls depending on the nature of the service and the volume of email being sent.

Frequently Asked Questions

Users should avoid clicking links or opening attachments in suspicious messages.

Suspicious email messages should be reported to the ITS Help Desk. Users should verify unexpected requests through another communication method when appropriate.

Website: ITS Help Desk
Email: [email protected]

Email from unapproved systems may be quarantined, marked as spam, fail delivery, or be rejected by recipient systems.

ITS may require additional review, SPF configuration, DKIM configuration, or other security controls before a service can be approved for institutional use.

These standards may affect campus departments, third party email vendors, marketing and communication platforms, application administrators, faculty and staff sending bulk email, and external systems sending email using calstatela.edu domains.

Any system sending email on behalf of Cal State LA may require review and approval by ITS.

Departments should contact ITS before implementing new external email delivery services or communication platforms.

Requests should include:

  • Vendor name
  • Business purpose
  • Sending domain information
  • SPF and DKIM capabilities
  • Estimated sending volume
  • Technical contact information

Departments may submit a service request through the ITS Help Desk or submit a ticket directly through the ITS service portal. Including complete vendor and technical details will help expedite the review process.

Website: ITS Help Desk
Email: [email protected]

DMARC policy enforcement levels may vary depending on domain usage, email sending requirements, and security considerations.

Policies may include:

  • none
  • quarantine
  • reject

ITS centrally manages DMARC policy configuration to help protect the University from phishing, spoofing, and unauthorized email activity.
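How the SPF and DKIM results described in the overview combine with the none, quarantine, and reject policies listed above, shown as an added example that is not Cal State LA's or ITS's own code. The record, domains, and function names are constructed for illustration, and the organizational domain is approximated as the last two labels, where real receivers consult the Public Suffix List.

```python
# Added example: simplified DMARC evaluation over constructed inputs.

def parse_dmarc(record):
    """Parse a DMARC TXT record into a tag dict, e.g. {'v': 'DMARC1', 'p': 'reject'}."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or tags.get("p") not in ("none", "quarantine", "reject"):
        raise ValueError("not a valid DMARC record")
    return tags

def org_domain(domain):
    # Assumption: the organizational domain is the last two labels.
    # Real receivers use the Public Suffix List for this step.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(auth_domain, from_domain, mode):
    """mode 'r' (relaxed): same organizational domain; 's' (strict): exact match."""
    a, f = auth_domain.lower(), from_domain.lower()
    return a == f if mode == "s" else org_domain(a) == org_domain(f)

def evaluate(record, from_domain, spf_result, spf_domain, dkim_result, dkim_domain):
    """Return (dmarc_pass, disposition) for one message."""
    tags = parse_dmarc(record)
    spf_ok = spf_result == "pass" and aligned(spf_domain, from_domain, tags.get("aspf", "r"))
    dkim_ok = dkim_result == "pass" and aligned(dkim_domain, from_domain, tags.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return True, "deliver"
    # Subdomains use sp= when present; otherwise they inherit p=.
    is_sub = from_domain.lower() != org_domain(from_domain)
    policy = tags.get("sp", tags["p"]) if is_sub else tags["p"]
    return False, {"none": "deliver", "quarantine": "quarantine", "reject": "reject"}[policy]

# Constructed record and messages (not the University's real configuration).
RECORD = "v=DMARC1; p=reject; sp=quarantine; adkim=r; aspf=r"

if __name__ == "__main__":
    # Vendor passes SPF and DKIM, but only for its own domains: DMARC fails.
    print(evaluate(RECORD, "example.edu", "pass", "bounce.vendor.example", "pass", "vendor.example"))
    # Same vendor after DKIM signs with a domain under the From domain: DMARC passes.
    print(evaluate(RECORD, "example.edu", "pass", "bounce.vendor.example", "pass", "mail.example.edu"))
```

The first case is the typical third party vendor failure: SPF and DKIM both pass, but for the vendor's domain rather than the From domain, so neither result aligns and the published policy applies.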

Email messages may be rejected, quarantined, or marked as spam if they fail SPF, DKIM, or DMARC validation checks.

This may occur when:

  • An email service is not approved
  • SPF or DKIM is not configured correctly
  • The sending service is not authorized to send on behalf of the domain
  • Security or reputation issues are detected

Departments using third party email services should work with ITS to ensure proper configuration and compliance with University email security standards.

Yes. Third party email vendors sending email on behalf of Cal State LA should support modern email authentication standards, including SPF and DKIM.

ITS may require vendors to meet DMARC alignment and other security requirements before approval is granted.

Failure to properly configure email authentication may result in delivery issues, rejected messages, or messages being marked as spam.

Information Security and Compliance, in coordination with ITS Messaging Services and other campus technology teams, manages email authentication and security standards for the University.

ITS is responsible for reviewing email security requirements, managing DMARC policies, reviewing approved sending services, and helping protect University email systems from phishing, spoofing, and fraudulent email activity.

Contact Information

For questions regarding email authentication, approved sending services, vendor review, or email delivery issues, contact the ITS Help Desk.

Website: ITS Help Desk
Email: [email protected]

Departments may also submit requests and support tickets through the ITS service portal.