You signed up for an account but never received the confirmation email. You sent a newsletter, but your customers say they didn’t get it. You know you should check your junk or spam folder, but why? Why do legitimate emails wind up in the junk heap?

Phishing scams account for nearly 22 percent of all data breaches that occur, according to the FBI’s 2021 IC3 Report. Given the danger, companies are taking more and more precautions to protect themselves from attack. One tool the University is using is email authentication.

What is email authentication?

Email authentication helps verify the origin of a message; whether it comes from a trustworthy source or has been faked or forged by someone pretending to be someone they are not. The three authentication methods are SPF, DKIM, and DMARC. If a message can be authenticated with these, it is more likely to get to your inbox. But if authentication is missing or improperly set up, an email provider’s red flags will immediately go up, which can lead to emails landing in your spam folder—or not being delivered at all.

When is it happening?

These authentication protocols have been around for years but not broadly implemented. In 2024, Google announced it would begin enforcing these rules and marking more emails as spam, and eventually not delivering it at all. Yahoo and other large email providers followed suit.

As these commercial email providers have continued to increase enforcement, institutions like the University of Rochester are also beginning to do so. After an 18-month project to prepare our environment, enforcement will begin in the coming months.

What can I do?

If you are sending an email, make sure you are following the rules. Email from user@rochester.edu or user@urmc.rochester.edu can only be sent from the University of Rochester’s official mail systems. If you are using a third party to send mail, like MailChimp or Constant Contact, you have to use an email address that ends in notices.rochester.edu. (Rules are slightly different for schools like Simon or SON who have their own domain.) If you need help making this transition, contact the Help Desk.

Failing authentication protocols is not the only reason the email you sent went to someone’s spam folder. For example, Google will send it to spam if enough people tagged a similar message as spam. Follow these guidelines from Google to improve the chances of your email being delivered. Remember, if it looks like spam, someone might tag it as spam.

If you are receiving email, be a good citizen of the internet and use the unsubscribe and spam/junk buttons appropriately. If you signed up with a company and they send you an email, that is not spam. Unsubscribe instead. Emails that you never asked for should be marked as spam. That will help the email system learn, and it can better filter in the future.

Better email hygiene helps everyone, at work and in your personal life. While the transition to these new rules may be bumpy, protecting ourselves from fraud is worth the effort.