Security Requirements for Bulk Senders

Industry-leading email service providers, like Google and Yahoo, recently announced updated requirements for bulk senders to enhance security, reduce spam, and increase customer satisfaction.

What does this mean for me?

If you regularly send emails to large groups, look for the tool(s) you use below to learn how these new requirements may impact you. 

Mailman, Mass Mail, and other internal tools

Computing services validated that all internal tools met the new requirements. Senders should not notice a change.

Salesforce Marketing Cloud

University Advancement

Computing Services worked with University Advancement to validate that their primary instance met the new sender requirements. Senders should not notice a change.

CMU Works

Computing Services worked with the Office of Human Resources to validate that their primary instance met the new sender requirements. Senders should not notice a change.

Other Instances

If you use another instance, work with your vendor’s support resources to ensure you adhere to the new security requirements.

Constant Contact

andrew.cmu.edu Domain

Computing Services worked with Constant Contact to authenticate our domain, andrew.cmu.edu. If you send using this domain, you shouldn’t notice a change. You do not need to follow the instructions on Constant Contact’s website to set up DKIM authentication.

Other Domains

If you send from another domain (e.g. cylab.cmu.edu), email it-help@cmu.edu. Computing Services will work with you to authenticate your domain.

Check for ccsend.com domains

Constant Contact automatically changed the default email address of some andrew.cmu.edu senders to a shared2.ccsend.com domain. To remove this address:

1. Log in to constantcontact.com
2. Click your account name and the Account Settings
3. Scroll down to locate your email addresses.
4. If you have a ccsend.com address in addition to your andrew.cmu.edu address, click the three-dot menu near the ccsend.com address and select Delete.

MailChimp

andrew.cmu.edu Domain

Computing Services verified that MailChimp automatically authenticated andrew.cmu.edu. If you send using this domain, you shouldn’t notice a change. 

Other Domains

If you send from another domain (e.g. cylab.cmu.edu), email it-help@cmu.edu. Computing Services will work with you to authenticate your domain.

Qualtrics

Computing Services worked with Institutional Research and Analysis to validate that all primary instances met the new sender requirements. Qualtrics sends should not notice a change.

Slate

Computing Services and Enrollment Management validated that the Enrollment Management Slate instance met the new sender requirements. Slate senders in Enrollment Management should not notice a change.

If you use a Slate instance outside of Enrollment Management, visit your Slate Admin console to verify that your DKIM authentication is updated, and work with Technolutions Support as needed.

CMU-Alert (Rave)

Computing Services is collaborating with Enterprise Risk Management and Rave Support to ensure that the CMU-Alert service adheres to the new sender requirements. Check back soon for more information.

Workday

Computing Services worked with the Office of Human Resources to validate that Workday met the new sender requirements. Workday senders should not notice a change.

Frequently Asked Questions

What are the new security requirements?

Bulk senders must now:

• Authenticate their email via industry standard methods (e.g. SPF, DKIM, and DMARC)
• Enable easy unsubscription, ideally with just one click
• Ensure they’re sending wanted email by staying below a spam-rate threshold

Look for the tool you use above to learn how these requirements may impact you. We’ve configured most tools to meet these requirements already, so you shouldn’t notice a change.

Do these requirements apply to emails sent to CMU community members?

According to Google, these new guidelines do not apply to messages sent to CMU community members using their Google Workspace for Education account (@andrew.cmu.edu or @cmu.edu).

Senders must only consider these email requirements when sending to personal Google Mail, Yahoo, and other industry email platforms that are implementing these changes.

What happens if I don’t follow these requirements?

Look for the tool you use above to learn how these requirements may impact you. We’ve configured most tools to meet these requirements already, so you shouldn’t have to worry.

If you send email using a service other than those listed above and cannot verify that you’ve met the new security requirements, your messages may be rejected or delivered to a recipient’s spam folder. 

When Google rejects a message, you will receive a rejection code with a justification.

I only send emails to small groups. Do these changes apply to me?

While industry-leading email providers like Google and Yahoo currently only target bulk senders, these security requirements may expand to all email senders over time.

As you have time, find the tool you use above to learn how these requirements may impact you. We’ve configured most tools to meet these new requirements already, so you shouldn’t notice a change.

I don't see information about the email tool I use. What should I do?

If you don’t see information about the tool you use listed on this page, please review the documentation provided by your bulk email tool. If you have additional questions, email the Computing Services Help Center at it-help@cmu.edu.