Email Security Standard

UNIVERSITY STANDARD STATEMENT

This standard establishes expectations for the use of university email messaging services.

REASON FOR STANDARD

Email is a primary tool for academic, research, and administrative communications for all Vanderbilt University (VU) community members. The cumulative amount of time spent by students, faculty, and staff on processing unwanted email represents an enormous loss of personal and institutional productivity. Improper use of email also exposes the University to blacklisting by other email providers and to liability under the federal CAN-SPAM Act of 2003. This standard outlines expectations for the acceptable and secure use of email by:

  • Establishing guidelines for the appropriate use of email,
  • Ensuring compliance with federal law and service “best practices,” and conformance to the accepted Internet Engineering Task Force (IETF) Requests for Comments (RFCs) that define email protocols, security, and service discovery, and
  • Preserving the effectiveness of email as a communication tool.

The Office of Cybersecurity will review this standard biennially, with feedback collected from representatives across VU, to capture new concerns and changing requirements, serve the VU community, and adhere to the VU Information Security Principles listed in the Information Security Policy.

SCOPE AND AUDIENCE

This standard applies to the entire Vanderbilt University community including, but not limited to, faculty, staff, students, contractors, post-doctoral fellows, temporary employees, and volunteers (collectively called “VU Community Members”).

DEFINITIONS

  • All Terms

    Domain Name System: A system that translates a human readable domain name (e.g., www.vanderbilt.edu) to a machine-readable IP address.

    Domain-based Message Authentication, Reporting and Conformance (DMARC): An email authentication protocol that builds on SPF and DKIM to protect an email domain from unauthorized use, commonly known as email spoofing. The domain owner publishes a DNS policy telling receiving servers what to do with messages that fail authentication (none, quarantine, or reject) and where to send aggregate reports.

    DomainKeys Identified Mail (DKIM): An email authentication protocol in which the sending domain signs selected headers and the message body with a private key; the receiving server fetches the domain's public key from DNS and verifies the signature to confirm that the message was not forged or altered in transit. DKIM signs mail; it does not encrypt it.

    Email Domain: The name that comes after the @ symbol in an email address, indicating the organization that owns the address and is responsible for delivering its mail.

    Email Quarantine: An intermediate location where potential spam and phishing emails are held for a period. Quarantined email can be reviewed and managed to perform downstream actions such as release or block.

    Email Service: A platform used to send, receive, and review electronic mail messages.

    External Email Banner: An email tag that indicates the message was sent from an external source.

    Open Relay: An email server configured to accept mail from anyone on the Internet and forward it to any destination, which lets third parties send spam or phishing through it and leads to the server being blacklisted.

    Phishing: A malicious attempt to trick the email recipient into revealing information, such as passwords or financial information.

    Reverse DNS Lookup: A Domain Name System lookup, performed by a receiving mail server on the IP address of a connecting mail server, that returns the host name registered for that address. It is a plausibility check on the sender's identity (a connection with no reverse record, or one that does not resolve back to the same address, is treated with suspicion), not proof of it.

    Sender Policy Framework (SPF): An email authentication standard that allows email domain owners to publish in DNS which servers are permitted to send email for their domain, so that receiving servers can reject messages sent from other sources on behalf of that domain.

    Spam: Unsolicited and irrelevant email that is not considered malicious, such as marketing advertisements.
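The Open Relay and Reverse DNS Lookup definitions above describe checks a receiving mail server applies at connection and RCPT time. The following is an added example, not part of the standard or of VU's mail platform, that replays a short SMTP dialogue against those two checks. DNS is replaced by an in-memory dictionary of constructed PTR and A records so the script runs offline; every host name, address, network and domain in it is hypothetical, and the choice to reject hosts with no reverse record outright is a site policy decision rather than something the standard mandates.

```python
"""Added example (not part of the standard): open-relay refusal and
forward-confirmed reverse DNS (FCrDNS) applied to a replayed SMTP dialogue.
DNS is an in-memory dict of constructed records; all names are hypothetical.
"""
import ipaddress

LOCAL_DOMAINS = {"example.edu", "alumni.example.edu"}      # we deliver for these
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),        # may relay outbound
                 ipaddress.ip_network("192.0.2.0/24")]

# Constructed reverse (PTR) and forward (A) records, hypothetical.
DNS_PTR = {
    "198.51.100.25": "mx1.partner.example.net",
    "203.0.113.7": "host-7.dyn.example.org",     # PTR exists, but A disagrees
}
DNS_A = {
    "mx1.partner.example.net": ["198.51.100.25"],
    "host-7.dyn.example.org": ["203.0.113.99"],
}


def fcrdns(client_ip):
    """Reverse DNS is only meaningful when forward-confirmed: the PTR name
    must resolve back to the connecting address, otherwise whoever controls
    the reverse zone can claim any name. Returns (status, name)."""
    name = DNS_PTR.get(client_ip)
    if name is None:
        return "no-ptr", None
    if client_ip in DNS_A.get(name, []):
        return "ok", name
    return "mismatch", name


def rcpt_decision(client_ip, authenticated, rcpt_domain):
    """Reply to RCPT TO. Mail for our own domains is accepted; relaying to any
    other domain needs an authenticated user or an internal network, which is
    what 'open relay disabled' means in practice."""
    ip = ipaddress.ip_address(client_ip)
    trusted = authenticated or any(ip in net for net in INTERNAL_NETS)
    if not trusted and fcrdns(client_ip)[0] == "no-ptr":
        # Site policy choice, not mandated by the standard: many sites defer
        # (4xx) or score instead of rejecting. Enhanced status from RFC 7372.
        return "550 5.7.25 Reverse DNS validation failed"
    if rcpt_domain.lower() in LOCAL_DOMAINS:
        return "250 2.1.5 OK (local delivery)"
    if trusted:
        return "250 2.1.5 OK (authorized relay)"
    return "554 5.7.1 Relay access denied"


def smtp_session(client_ip, authenticated, commands):
    """Replay a client's command list and return the server's replies."""
    status, name = fcrdns(client_ip)
    replies = [f"220 mx.example.edu ESMTP (client rDNS {status}: {name})"]
    for cmd in commands:
        verb, _, arg = cmd.partition(" ")
        verb = verb.upper()
        if verb == "RCPT":
            address = arg.partition(":")[2].strip().strip("<>")
            replies.append(rcpt_decision(client_ip, authenticated,
                                         address.rpartition("@")[2]))
        elif verb in ("EHLO", "MAIL"):
            replies.append("250 OK")
        elif verb == "QUIT":
            replies.append("221 Bye")
        else:
            replies.append("502 5.5.1 Command not implemented in this example")
    return replies


if __name__ == "__main__":
    # An unauthenticated external host tries to relay, then delivers locally.
    spam_run = ["EHLO spammer", "MAIL FROM:<x@spammer.test>",
                "RCPT TO:<victim@elsewhere.example>",
                "RCPT TO:<dean@example.edu>", "QUIT"]
    for line in smtp_session("198.51.100.25", False, spam_run):
        print(line)
```

In the replayed run the external host gets a 554 for the outside recipient and a 250 for the local one, which is exactly the difference between a closed relay and an open one. Authenticated sessions and internal networks are allowed to relay outbound, so the same function also models the submission path that the standard's OAuth-authenticated clients use.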

STANDARD

A. EMAIL ACCESS

VU email services are extended for the sole use of Vanderbilt University faculty, staff, post-docs, students, and other appropriately authorized users and processes to accomplish university business. Any email address or account assigned on behalf of the university is the property of Vanderbilt University.

Access to VU email services is a privilege that may be wholly or partially restricted without prior notice or consent of a user when required by law or policy or when there is a reasonable suspicion that violations have occurred or may occur. Vanderbilt University Information Technology (VUIT) and the Office of Cybersecurity may monitor and/or access user email if needed to prevent intrusion or to comply with legal discovery processes.

User access to VU email on a mobile device is allowed per the BYOD Standard; however, the device must be encrypted and protected by a screen lock that requires a password, PIN, or biometric factor to gain access.

B. EMAIL USE

VU email users must comply with the Acceptable Use of Technology Assets Policy and Inappropriate Use Standard. Additionally, users must report suspected phishing to the Office of Cybersecurity. Reporting procedures can be found in the Procedures section of this standard.

Vanderbilt University-related business must be conducted using the @vanderbilt.edu domain or a subdomain of it. This domain is the default, approved VU email service, which is centrally hosted and managed by VUIT. Standalone or external email servers are not allowed, to prevent loss of institutional information and non-standard implementation of security controls. If an external mail service or other email domain is needed for legitimate business purposes, it must be justified and approved by the Office of Cybersecurity. VUIT and Cybersecurity are authorized to scan for and block unapproved email services.

Automatic, mass forwarding of email to a non-Vanderbilt University domain (e.g., creating a mailbox rule to automatically forward emails to a personal account) is not allowed, because of the risk of data exfiltration and problems with legal discoverability.

The Office of Cybersecurity is authorized to take appropriate mitigating actions on a compromised account (e.g., disablement) if the account introduces imminent risk to the institution. Additionally, the account owner is required to cooperate with forensic investigations and may need to apply mitigating controls such as resetting their password.

C. EMAIL SECURITY

While no security measures provide guaranteed protection, VUIT shall employ security best practices on the centrally hosted email service to prevent delivery of spam, viruses, or other mail that is a potential risk to the university's security. Protections will include:

Security Measure                                                          Configuration
Filtering (e.g., connection, attachment, mail flow, content)              Enabled
URL Scanning                                                              Enabled
Email Quarantine                                                          Enabled
External Sender Email Banner                                              Enabled
Open Relay Routing                                                        Disabled
Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM)       Enabled
Domain-based Message Authentication, Reporting and Conformance (DMARC)    Enabled
Reverse DNS Lookup                                                        Enabled
Multi-factor Authentication for Access, Where Supported                   Enabled
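The SPF, DKIM and DMARC rows in the table above, together with their definitions earlier in this standard, describe three controls that only make sense in combination: SPF says which servers may send for a domain, DKIM lets a signature survive forwarding, and DMARC ties both back to the From: domain the user actually sees and says what to do on failure. The following is an added example, not part of the standard or of VU's mail platform, that shows a receiving server working through that decision. DNS is replaced by an in-memory dictionary of constructed TXT records so it runs offline; the domains, addresses and policy values are hypothetical, the SPF evaluator covers only the ip4/ip6/include/all mechanisms, and DKIM signature verification itself is assumed to have already happened (the function takes the d= domain of a signature that verified).

```python
"""Added example (not part of the standard): how SPF, DKIM alignment and
DMARC combine to decide what a receiving server does with a message.
DNS is an in-memory dict of constructed TXT records; names are hypothetical.
"""
import ipaddress

# Constructed DNS zone data (hypothetical), keyed by record name.
DNS_TXT = {
    "example.edu": "v=spf1 ip4:192.0.2.0/24 include:mail.example.net -all",
    "mail.example.net": "v=spf1 ip4:198.51.100.10 ~all",     # a bulk-mail vendor
    "attacker.test": "v=spf1 ip4:203.0.113.0/24 -all",       # attacker's own SPF
    "_dmarc.example.edu": "v=DMARC1; p=reject; rua=mailto:dmarc@example.edu",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_check(domain, client_ip, depth=0):
    """Evaluate domain's SPF record for the connecting IP (RFC 7208 subset:
    ip4, ip6, include, all). Returns pass/fail/softfail/neutral/none/permerror."""
    if depth > 10:                       # stand-in for the 10-DNS-lookup limit
        return "permerror"
    record = DNS_TXT.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qual = "+"
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        if mech == "all":
            return QUALIFIERS[qual]
        if mech in ("ip4", "ip6"):
            # 'in' is False when the address family differs, so v6 skips ip4:
            if ip in ipaddress.ip_network(arg, strict=False):
                return QUALIFIERS[qual]
        elif mech == "include" and spf_check(arg, client_ip, depth + 1) == "pass":
            return QUALIFIERS[qual]
    return "neutral"                     # nothing matched and no 'all' term


def dmarc_policy(from_domain):
    """Parse the _dmarc.<domain> TXT record into a tag dict, or None."""
    record = DNS_TXT.get("_dmarc." + from_domain)
    if record is None or not record.startswith("v=DMARC1"):
        return None
    tags = {}
    for part in record.split(";"):
        key, sep, value = part.strip().partition("=")
        if sep:
            tags[key.strip()] = value.strip()
    tags.setdefault("p", "none")
    tags.setdefault("aspf", "r")         # relaxed alignment unless stated
    tags.setdefault("adkim", "r")
    return tags


def aligned(auth_domain, from_domain, mode):
    """Identifier alignment. Strict ('s') needs an exact match; relaxed ('r')
    accepts a parent/child relationship, a simplification of the RFC 7489
    organizational-domain rule, which needs the Public Suffix List."""
    if auth_domain is None:
        return False
    a, f = auth_domain.lower(), from_domain.lower()
    if a == f:
        return True
    if mode == "s":
        return False
    return a.endswith("." + f) or f.endswith("." + a)


def dmarc_evaluate(from_domain, client_ip, mail_from_domain, dkim_d=None):
    """from_domain: RFC 5322 From: domain the user sees. mail_from_domain: SMTP
    envelope sender domain that SPF is checked against. dkim_d: d= of a DKIM
    signature that already verified cryptographically, or None."""
    policy = dmarc_policy(from_domain)
    spf = spf_check(mail_from_domain, client_ip)
    if policy is None:
        return {"spf": spf, "dmarc": "none", "action": "deliver"}
    spf_ok = spf == "pass" and aligned(mail_from_domain, from_domain, policy["aspf"])
    dkim_ok = aligned(dkim_d, from_domain, policy["adkim"])
    if spf_ok or dkim_ok:
        return {"spf": spf, "dmarc": "pass", "action": "deliver"}
    actions = {"none": "deliver", "quarantine": "quarantine", "reject": "reject"}
    return {"spf": spf, "dmarc": "fail", "action": actions.get(policy["p"], "deliver")}


if __name__ == "__main__":
    # Legitimate: sent from the listed range, envelope and From: agree.
    print(dmarc_evaluate("example.edu", "192.0.2.25", "example.edu"))
    # Spoof: the attacker's own SPF passes, but it is not aligned with From:.
    print(dmarc_evaluate("example.edu", "203.0.113.5", "attacker.test"))
    # Vendor: SPF passes for its own envelope domain, DKIM d=example.edu aligns.
    print(dmarc_evaluate("example.edu", "198.51.100.10", "mail.example.net",
                         dkim_d="example.edu"))
```

The second case is the one DMARC exists for: an SPF pass on the envelope domain means nothing unless that domain aligns with the visible From:, so the spoof is rejected under p=reject. The third case shows why DKIM is listed alongside SPF: a third-party sender whose envelope domain cannot align can still pass if it signs with the university's own DKIM key.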

Communications to and from the VU email service must use modern email protocols with OAuth 2.0 authentication. Use of legacy protocols is not allowed (e.g., POP, or any other protocol that has been discontinued or is unsupported).

Encryption (by email protocol)

Email protocol   S/MIME, PGP/MIME   SSL/TLS 1.2   STARTTLS      Digital Certificates
SMTP             Preapproved        Preapproved   Preapproved   Preapproved
IMAP             Preapproved        Preapproved   Preapproved   Preapproved
POP              Not allowed        Not allowed   Not allowed   Not allowed

EXCEPTIONS

On rare occasions, a security policy exception may be considered depending on the impact to the university mission and the security risk(s) introduced. Those seeking an exception must submit a request to the Office of Cybersecurity for evaluation and risk assessment. Based on the level of risk, requests will be granted or denied by the CISO and Chief Information Officer (CIO).

ENFORCEMENT

The Chief Information Security Officer will refer violations to university units (e.g., Student Accountability Office, Human Resources, and Deans) as appropriate. Violations may also constitute a violation of state or federal law and individuals shall be accountable as applicable.

FORMS AND TOOLS

FREQUENTLY ASKED QUESTIONS

  • Can I use my personal cell phone to check and send emails?

    Personal cell phones and tablets are allowed for de minimis university business such as university email and chat messaging, provided that the requirements outlined in the Device Security and Usage section are met and sensitive data is not downloaded or stored on the device. Such transient use is permissible and pre-approved. See the BYOD Standard for more information.

HISTORY

Review Date      Summary of Changes
February 2025    Added a review cadence