Email Security and Simplification Project

The Email Security and Simplification Project is actively delivering two key workstreams:

1. Migration to Nexus365

This workstream addresses security risks and cost inefficiencies associated with local mail services. Migrating to Nexus365 offers additional benefits, including simplified email and support, enhanced collaboration tools, and improved calendar sharing.

2. Intelligent Email – Data Loss Prevention (DLP)

This component enhances Nexus365 by introducing tools designed to reduce the risk of data breaches. As more than 50% of data breaches involve email, it applies rules to outgoing messages to help prevent accidental data loss.


As part of this project, the following work has already been completed:

Automatic Email Forwarding (completed)

  1. Significant security risk: automatically forwarding email to an external address bypasses security measures such as strong password policies and multi-factor authentication (MFA). This increases the likelihood of unauthorised access to confidential University data, as external accounts are typically less secure than University accounts.

  2. Serious data handling concern: forwarding messages outside the University without filtering or review risks exposing internal or confidential information. This may include commercial contracts or sensitive personal data relating to students or colleagues. The University and its members have responsibilities under data protection legislation that cannot be met when messages are forwarded indiscriminately.

  3. Reputational risk: external email providers may interpret forwarded spam or junk mail as originating from the University. This can lead to legitimate Oxford University messages being marked as spam, creating problems in communication with applicants, research participants or external partners.

  4. Contractual risk: some research sponsors and collaborators object to receiving responses from non-University email accounts. Increasingly, institutions expect appropriate data security measures to be in place. Data sharing agreements often include conditions for handling information, and using a personal email address may be seen as a breach of those agreements.

In line with updated IT regulations, IT Services introduced the following changes:

  • The self-service email forwarding function is no longer available. Manual forwarding of individual emails remains possible, as long as it complies with current IT regulations.
  • Support documentation is available on the IT Help website to assist with compliant email management.
  • A process exists to request an exception to the regulations. This applies only in exceptional circumstances and requires approval from the Chief Information Officer.

Implementation of Validation Protocol (completed)

From 1 February 2024, Google introduced new requirements for organisations that send more than 5,000 messages per day to domains it hosts or manages. In response, the University accelerated its email validation plans to meet these requirements.

The primary requirement was to implement SPF, DKIM, and DMARC email authentication protocols.

These changes were fully tested in the Nexus lab and in production for the it.ox.ac.uk domain from November 2023. The protocols are well established and already widely used across the sector, including by the majority of Russell Group universities.

Because Google treats ox.ac.uk as a single domain, any college, department or unit failing to implement SPF, DKIM and DMARC could have affected email delivery for the entire collegiate University.

IT Services implemented the necessary changes to DNS records to bring the University’s email systems in line with Google’s requirements.

  • SPF (Sender Policy Framework): Existing DNS entries were reviewed to ensure they allowed receiving email servers to confirm that messages originated from authorised servers.

  • DKIM (DomainKeys Identified Mail): Digital signatures were configured to allow recipient servers to verify that email content had not been altered in transit. This was a new addition for many domains and posed minimal risk to existing operations.

  • DMARC (Domain-based Message Authentication, Reporting and Conformance): A DMARC policy was added to each domain’s DNS. This policy informs receiving mail servers how to handle unauthenticated messages.

Monitoring of DKIM on it.ox.ac.uk showed positive results, with performance exceeding expectations.

The project team offered to manage the full implementation process for any unit using Nexus365 for email. Those units were only asked to avoid making changes to the DNS records that were added.

Units not using Nexus365 were responsible for ensuring that SPF, DKIM and DMARC were correctly configured and enabled. Local IT staff (ITSS) were advised to carry out checks and make any necessary adjustments.
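The kind of check local IT staff could run against their own DNS is sketched below as an added example; it is not IT Services' tooling. The domain names, TXT values and function names are constructed for illustration, with example.org standing in for the organisational domain, and the records are embedded rather than fetched from DNS.

```python
# Constructed TXT data keyed by DNS name; example.org is a stand-in organisational domain.
SAMPLE_TXT = {
    "_dmarc.example.org": ["v=DMARC1; p=quarantine; sp=none; rua=mailto:reports@example.org"],
    "unit-a.example.org": ["v=spf1 include:_spf.mail.example.net -all"],
    "_dmarc.unit-a.example.org": ["v=DMARC1; p=reject; rua=mailto:reports@example.org"],
    "unit-b.example.org": ["v=spf1 ip4:192.0.2.10 +all"],
    "unit-c.example.org": ["v=spf1 mx ~all", "v=spf1 a -all"],
    "_dmarc.unit-c.example.org": ["v=DMARC1; p=none"],
}

def check_spf(txts):
    """Findings for the SPF record(s) published at one name."""
    spf = [t for t in txts if t.lower().split()[:1] == ["v=spf1"]]
    if len(spf) != 1:
        # RFC 7208: zero records means no policy, more than one is a permerror.
        return ["spf: no record" if not spf else "spf: multiple records (permerror)"]
    terms = [t.lower() for t in spf[0].split()[1:]]
    alls = [t for t in terms if t.lstrip("+-~?") == "all"]
    if not alls:
        delegated = any(t.startswith("redirect=") for t in terms)
        return [] if delegated else ["spf: no 'all' mechanism, result defaults to neutral"]
    # A bare 'all' carries the default '+' qualifier, which authorises every sender.
    return ["spf: '+all' authorises any server"] if alls[0][0] in "+a" else []

def dmarc_tags(txts):
    """Tag dict for a single DMARC record; None if absent, {} if duplicated."""
    recs = [t for t in txts if t.replace(" ", "").startswith("v=DMARC1")]
    if len(recs) != 1:
        # RFC 7489: no record allows fallback; several records mean no policy.
        return None if not recs else {}
    pairs = (part.split("=", 1) for part in recs[0].split(";") if "=" in part)
    return {k.strip().lower(): v.strip() for k, v in pairs}

def audit(domain, txt, org_domain):
    """Return SPF and DMARC findings for one sending domain."""
    findings = check_spf(txt.get(domain, []))
    tags, inherited = dmarc_tags(txt.get("_dmarc." + domain, [])), False
    if tags is None and domain != org_domain:
        # A subdomain without its own record uses the organisational domain's policy.
        tags, inherited = dmarc_tags(txt.get("_dmarc." + org_domain, [])), True
    if tags is None:
        return findings + ["dmarc: no usable record"]
    policy = ((tags.get("sp") if inherited else None) or tags.get("p", "")).lower()
    if policy not in ("none", "quarantine", "reject"):
        findings.append("dmarc: no valid policy (duplicate records or bad p= tag)")
    elif policy == "none" and "rua" not in tags:
        findings.append("dmarc: p=none with no rua= address, so no reports arrive")
    elif inherited:
        findings.append(f"dmarc: inherits '{policy}' from {org_domain}")
    return findings
```

An empty list from `audit` means neither check raised a finding; DKIM is not covered here because verifying it needs a signed message and the selector's public key.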

The implementation was coordinated to ensure all required changes were completed before the 1 February 2024 deadline, avoiding disruption to email delivery.

Support and advice were made available throughout, including guidance on specific services such as Oxmail, smtp.ox.ac.uk, maillist.ox.ac.uk and DARS (Blackbaud). Units using third-party services were encouraged to verify that those services were compliant with the new standards.

Failure to implement SPF, DKIM and DMARC would have posed a significant risk. Google could have started rejecting messages from any ox.ac.uk subdomain lacking the required validation.

Since Google treats the University’s domain as a single entity, non-compliance by any individual unit could have compromised email delivery across the entire institution.

Given the volume of messages sent daily to Google addresses, and the growing importance of email authentication in preventing spam and phishing, these changes were essential to protect the reputation and reliability of the University’s email communications.