Domain-based Message Authentication, Reporting & Conformance (DMARC)
Domain-based Message Authentication, Reporting & Conformance (DMARC) is an email authentication and reporting protocol that improves email security within Federal agencies. This protocol is mandated by the Department of Homeland Security (DHS) and was implemented at NSF in October 2018.
DMARC enables organizations like NSF to verify that email was sent from a trusted source rather than from bad actors such as spammers, hackers or phishers. Since NSF's implementation of DMARC, the Foundation has observed that some individuals and a few external organizations use email routing practices such as email auto-forwarding or third-party email distribution services that cause messages to be blocked from distribution because they are flagged as potentially fraudulent by DMARC protocols. This means some external recipients may not be receiving important NSF communications related to research funding actions, deadlines, and/or other important messages.
NSF, as all other federal agencies, is required to implement this standard which improves email security. In response, some universities have already communicated to their staff about DMARC and specifically about not auto-forwarding email. (Just a few of the examples include the University of Illinois, Northwestern University, Cornell University and the University of Minnesota. Click on the name of the organization to view their public communications.)
If you or your organization engage in regular email communications with NSF, please read further to learn more about potential impacts if your email is auto-forwarded. Click the link to learn more about DHS' Binding Operational Directive (BOD) 18-01.
The following Frequently Asked Questions describe DMARC in more detail. Click here for a downloadable version.
What exactly is DMARC?
DMARC is a set of requirements issued by DHS to all federal agencies and was required to be implemented by October 16, 2018. DMARC is comprised of protocols inserted into organization's IT systems to prohibit the illegitimate use of organization email. These protocols authenticate emails to ensure they are coming from a valid source. Certain email practices such as using services that authorized to send messages on behalf of an organization (e.g., Constant Contact, GovDelivery, Amazon SES) or auto-forwarding emails to secondary (non-organization) email accounts can impact message delivery since bad actors such as hackers may use similar practices.
Why is it important that I know about DMARC?
Since NSF's implementation of DMARC, the Foundation has observed that some external organizations or individuals use email routing practices (such as auto-forwarding to personal accounts) that cause messages to be blocked from distribution because they are flagged as potentially fraudulent by the required DMARC protocols. It is important for you to know that if your email is auto-forwarded to another account, such as a personal email account, you may not receive emails from NSF in that forwarded account.
How do I know if I am impacted by DMARC?
If you have been receiving NSF emails, nothing needs to be done.
If the email account at your organization or institution is configured to automatically forward emails to a third-party email service provider, such as Google or Yahoo among others, it is possible that NSF emails are not being delivered to your third-party email address. Messages that are manually forwarded are not impacted. Please verify that you are receiving NSF emails in your primary organization/institution mailbox.
If you have not received emails sent by NSF, please contact your Sponsored Research Office (SRO) so they are aware that you and others at your organization may be impacted. Please also contact the email administrator in your IT Department to tell them about your issue and ask them to confirm that current email configurations are compatible with DMARC.
Note that factors other than DMARC configurations can impact email delivery, including mistyping email addresses as well as spam and reputation filtering utilized by email providers.
Who can I contact at NSF if I have more questions?
If you have additional questions, please contact IT Help Central (ITHC) by phone at 703-292-HELP (x4357) or 800-711-8084. ITHC hours of operation are 6:00 a.m. to 7:00 p.m. You may also contact ITHC by email at ITHelpCentral@nsf.gov.