Symptom
You received an email message that appears like this:
| osu.edu couldn't confirm that your message was sent from a trusted location. |
| your name.n |
Office 365 |
your name.n |
| Action Required |
|
Recipient |
| |
|
|
| SPF validation error |
|
|
|
| How to Fix It |
| Your organization's email admin will have to diagnose and fix your domain's email settings. Please forward this message to your email admin. |
|
Cause
This is caused by efforts on the part of the email sender to prevent email spoofing and it occurs when email is forwarded from OSU for delivery on some other system, such as Gmail, Yahoo, and others.
Affects
Anyone forwarding email to systems outside OSU, including Lifetime Email Forwarding Service (LEFS) and name.n@osu.edu forwarding.
Solution
- Stop forwarding and read email on OSU's email system, or
- Accept that emails from certain senders, such as DocuSign, will not be delivered
Background information
Email spoofing is where a message appears to originate from a sender who did not send the message. Spoofing is frequently used in spamming and phishing, so it is valuable for the recipient of an email message to be confident that an email appearing to come from a trusted source, such as a bank, or Docusign, is actually from that trusted source. Email senders and email services, such as Gmail, Yahoo, and others, have come together to develop a set of standards to help determine when a message is not from where it claims to be from. These standards are called SPF (Sender Policy Framework) and DMARC.(Domain-based Message Authentication, Reporting & Conformance). These standards allow a sender to tell the receiving email services what to do if a message arrives, claiming to be from the sender, but not actually received directly from the sender. In most cases, the receiving system is instructed to
reject any such email messages.
A sender telling a receiving system to reject email messages not received directly from the sender is a problem at OSU, because OSU allows individuals to forward email received on our system to some other system for delivery. That forward means that the receiving system gets email delivered via OSU, and not directly from the actual sender. The error message in the
symptom section is produced when OSU attempts to deliver a message to another receiving system, such as Gmail, Yahoo, and others, but that receiving system rejects the message due to SPF/DMARC rules set by the sender.
There is nothing that an intermediary forwarding system, such as OSU can do about this. There are no allowances in the anti-spoofing standards for services such as our Lifetime Email Forwarding Service (LEFS), or our name.n@osu.edu forwarding. So, the only solutions are to stop forwarding email to non-OSU systems, or to accept that some messages will not be delivered.
The Office of the CIO has published a list of services that use SPF/DMARC, which can be seen
here. An important OSU partner that uses SPF/DMARC is DocuSign, so messages from DocuSign will either produce the error message in the
symptom section, or no message at all, if the email is forwarded to an email system outside OSU. If your job duties include the use of DocuSign, you may wish to consider using OSU's email system, or regularly log in to DocuSign to check to see if there are items from for you to sign.