Background
Email is widely used at the university for both academic and administrative purposes, but it may be susceptible to cyber risks such as phishing and spoofing. Information Technology Service (ITS) is enhancing email security by implementing the Domain-based Message Authentication Reporting and Conformance (DMARC) protocol. This measure is intended to help safeguard HKU members from spoofing and phishing attempts.
The adoption of DMARC protocol offers advantages, including:
- Enhanced Protection: Safeguarding against phishing, spoofing, and unauthorized access minimizes the risk of cyber threats.
- Improved Email Reliability: Ensuring that email messages originate from verified sources boosts trust in communications.
- Detailed Reporting: DMARC provides valuable insights into domain usage, enabling administrators to identify and address issues proactively.
- Industry Email Standard: DMARC is an established industry standard for email authentication, widely implemented by major service providers such as Google, Microsoft, and PayPal to mitigate phishing and spoofing threats. Furthermore, PCI DSS v4.0 (Requirement 5.4.1) requires mechanisms that detect and protect personnel against phishing attacks, and its guidance names DMARC, SPF and DKIM as such controls.
Enforcement of DMARC Protocol
The DMARC policy for the @hku.hk domain is currently set to “none” (a.k.a. “p=none”), a monitoring-only mode under which ITS receives reports on which sources send mail as @hku.hk and whether that mail passes DMARC, while no action is taken against mail that fails. From October 1, 2025, ITS will change the DMARC policy for the official HKU email domains to “quarantine” (a.k.a. “p=quarantine”), which asks receiving mail servers to treat messages that fail DMARC as suspicious, typically by delivering them to the recipient’s junk or spam folder.
Before the DMARC protocol changes on October 1, 2025, HKU departments should consider the following actions:
- DMARC is built on top of DomainKeys Identified Mail (DKIM) and Sender Policy Framework (SPF): a message passes DMARC only if SPF or DKIM passes for a domain that aligns with the domain in the message’s From header. ITS is responsible for managing the DMARC, DKIM, and SPF records of the official HKU email domain (i.e. @hku.hk), and supports IT systems that are provided and managed by central IT.
• If a department uses its own email domain (e.g. @xxx.hku.hk) without publishing its own DMARC record, it inherits the policy published for the organizational domain (@hku.hk), so the October 1, 2025 change to “quarantine” will apply to it as well unless the department publishes its own record. Departments should ensure their DMARC, DKIM, and SPF settings are properly configured. The following tools can assist with this:
▪ DMARC: https://mxtoolbox.com/dmarc.aspx
▪ DKIM/SPF: https://mxtoolbox.com/SuperTool.aspx
• Departments whose applications on the campus network send email should relay it through the central IT email gateways, typically named mail[x].hku.hk, where [x] is a single digit, so that the mail is authenticated for the @hku.hk domain. Applications that cannot use these gateways should send from the department’s own email domain (e.g. @xxx.hku.hk) rather than from @hku.hk.
▪ ITS will not provide support for SPF or DKIM settings of external IT systems such as Salesforce, MailChimp, Marketo, etc., that are not hosted within the campus network or are not provided by central IT. Departments that use such systems are responsible for applying for their own sub-domain (e.g. xx.hku.hk) and sending from it.
▪ Reference: https://its.hku.hk/forms_item/cf60/
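The two checks a department needs before the policy change are (a) which DMARC policy actually applies to the domain it sends from, including the inheritance described above when a sub-domain has no record of its own, and (b) whether a given message would pass DMARC, i.e. whether SPF or DKIM passes for a domain aligned with the From header. The following Python script, added here as an illustration and not ITS’s own tooling, implements both following the RFC 7489 rules. The _dmarc TXT records, the rua address and the sub-domains xxx.hku.hk and yyy.hku.hk are constructed stand-ins for DNS, not the records actually published for hku.hk, and the scenarios are constructed to match the cases in this notice (a campus application relaying through a central gateway, an external SaaS platform sending as @hku.hk, a sub-domain inheriting the organizational policy, and a department with its own monitor-only record).

```python
"""Effective DMARC policy lookup and conformance evaluation (RFC 7489 rules).

Added example, not ITS code. The TXT records below are constructed for
illustration: they are NOT the records actually published for hku.hk, and
xxx.hku.hk / yyy.hku.hk are hypothetical department sub-domains.
"""
from dataclasses import dataclass
from typing import Optional

# Constructed stand-in for DNS: _dmarc TXT records by name.
# xxx.hku.hk deliberately has no record, so it inherits from hku.hk;
# yyy.hku.hk publishes its own (monitor-only, strict DKIM alignment).
FAKE_DNS = {
    "_dmarc.hku.hk": ("v=DMARC1; p=quarantine; sp=quarantine; adkim=r; aspf=r; "
                      "rua=mailto:dmarc-reports@hku.hk"),  # assumed rua address
    "_dmarc.yyy.hku.hk": "v=DMARC1; p=none; adkim=s",
}


def organizational_domain(domain: str) -> str:
    """Simplified organizational-domain rule: the last two labels. Real
    evaluators use the Public Suffix List; two labels is right for *.hku.hk."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def parse_dmarc(txt: str) -> Optional[dict]:
    """Split 'tag=value; ...' into a dict; None if it is not a DMARC record."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1" or "p" not in tags:
        return None
    return tags


def effective_policy(domain: str, dns=FAKE_DNS):
    """Return (domain the record came from, tags, policy to apply) or None.

    A sub-domain with no record of its own falls back to the organizational
    domain's record, where the 'sp' tag (if present) governs it instead of 'p'.
    """
    own = dns.get(f"_dmarc.{domain.lower()}")
    tags = parse_dmarc(own) if own else None
    if tags:
        return domain.lower(), tags, tags["p"]
    org = organizational_domain(domain)
    if org == domain.lower():
        return None  # organizational domain itself publishes nothing
    org_txt = dns.get(f"_dmarc.{org}")
    tags = parse_dmarc(org_txt) if org_txt else None
    if not tags:
        return None
    return org, tags, tags.get("sp", tags["p"])


def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """Identifier alignment: strict ('s') needs an exact match, relaxed ('r')
    only needs the same organizational domain."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return organizational_domain(from_domain) == organizational_domain(auth_domain)


@dataclass
class AuthResults:
    from_domain: str                   # RFC5322.From header domain
    spf_domain: Optional[str] = None   # MAIL FROM domain that SPF checked
    spf_pass: bool = False
    dkim_domain: Optional[str] = None  # d= of a signature that verified
    dkim_pass: bool = False


def evaluate(ar: AuthResults, dns=FAKE_DNS):
    """Return (dmarc_result, disposition): 'pass'/'fail'/'none' and the action
    a receiver would take ('none', 'quarantine' or 'reject')."""
    pol = effective_policy(ar.from_domain, dns)
    if pol is None:
        return "none", "none"  # no applicable policy: DMARC not enforced
    _, tags, policy = pol
    spf_ok = bool(ar.spf_pass and ar.spf_domain
                  and aligned(ar.from_domain, ar.spf_domain, tags.get("aspf", "r")))
    dkim_ok = bool(ar.dkim_pass and ar.dkim_domain
                   and aligned(ar.from_domain, ar.dkim_domain, tags.get("adkim", "r")))
    return ("pass", "none") if (spf_ok or dkim_ok) else ("fail", policy)


# Constructed scenarios matching the cases in the notice.
SCENARIOS = {
    # Campus application relaying through a central gateway: SPF passes for hku.hk.
    "via_central_gateway": AuthResults("hku.hk", spf_domain="hku.hk", spf_pass=True),
    # External SaaS platform sending as @hku.hk from its own bounce domain, no DKIM.
    "saas_unaligned": AuthResults("hku.hk", spf_domain="bounce.vendor.example", spf_pass=True),
    # Department sub-domain with no record of its own inherits sp=quarantine.
    "subdomain_inherits": AuthResults("xxx.hku.hk", spf_domain="vendor.example", spf_pass=True),
    # Same sub-domain, but DKIM-signed with d=hku.hk: relaxed alignment passes.
    "subdomain_dkim_relaxed": AuthResults("xxx.hku.hk", dkim_domain="hku.hk", dkim_pass=True),
    # Department with its own p=none and strict DKIM alignment: d=hku.hk is not aligned.
    "strict_dkim_monitor": AuthResults("yyy.hku.hk", dkim_domain="hku.hk", dkim_pass=True),
}

if __name__ == "__main__":
    for name, ar in SCENARIOS.items():
        result, disposition = evaluate(ar)
        print(f"{name:24s} result={result:4s} disposition={disposition}")
```

The “saas_unaligned” and “subdomain_inherits” cases are the ones this notice warns about: SPF passes for the vendor’s bounce domain, but that domain does not align with the @hku.hk From address, so the message fails DMARC and, after the policy change, is quarantined. The “subdomain_dkim_relaxed” case shows the fix: a DKIM signature under an aligned domain makes the same message pass.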
Non-conformance of DMARC Protocol
ITS will notify departments if applications within the campus network send emails using the @hku.hk domain but do not conform with the DMARC protocol. DMARC reports identify a non-conforming source only by its sending IP address, not by the department or vendor behind it, so ITS cannot notify senders outside the campus network that use the “@hku.hk” domain. Departments should therefore review their use of IT services, such as Electronic Direct Mail (EDM) or Software-as-a-Service (SaaS) platforms, that may send emails from the “@hku.hk” domain.
After October 1, 2025, departments sending from an email address in the “@hku.hk” domain without DMARC conformance may face service disruptions, including messages being delivered to recipients’ junk or spam folders or not reaching them at all. Your cooperation will help ensure a smooth transition and compliance with the new security standard.
For further assistance, please contact Mr. Jerry Tam at (jerryjt@hku.hk) or Mr. Glasz Yiu at (glaszy8@hku.hk).