Email security improvements may affect email marketing

Dear Colleagues,

Due to an increasing number of email phishing campaigns targeting the Harvard community, Harvard University Information Technology (HUIT) will implement Sender Policy Framework (SPF) email authentication on the Harvard email system on Thursday, August 15th, 2019.

What is Sender Policy Framework (SPF)?

Sender Policy Framework (SPF) is an email authentication protocol that provides email system owners control over which email servers are authorized to send email on their behalf.

Benefits to Our User Community:
1. Increase email security by identifying emails that originate from invalid sources and either preventing them from being delivered, or appending a warning message to the beginning of the message.
2. Protect the Harvard brand by helping Internet Service Providers determine whether emails claiming to be from Harvard email addresses are valid.

Impacts to Our User Community:

On August 15th, 2019, any email message that appears to be sent from Harvard but cannot be validated may have a warning similar to the one below added to it, stating that the sender may not be valid.

WARNING: Recipient’s email systems could not validate that the sender of this message is legitimate. Please be cautious in opening attachments, clicking any links, or following any other instructions in this email. This message was automatically added by recipient’s email systems because of an [SPF Hard Failure/Soft Failure/Temporary Failure/Permanent Error]

Some email systems may even mark the email as spam or delete the email. This is particularly important to Harvard groups who use CRM, email marketing, survey tools, and any other web service that sends email on behalf of the school using an email address. These services, such as MailChimp and Constant Contact, send email on behalf of Harvard from their own servers – not Harvard’s. HUIT has already “white listed” the services listed below, which means that even though these services are outside of Harvard, they will be trusted.

If you use any email service/system not listed below for communication or campaigns, please send a ticket to the Help Desk at by Tuesday, August 13, 2019. Those services will be added to the whitelist.

  • AWS
  • AudienceView
  • Constant Contact
  • Docebo
  • Everbridge
  • ExactTarget
  • Explorance
  • Emma email marketing
  • Google
  • HubSpot CRM
  • Insightly CRM
  • MailChimp
  • Mandrill
  • O365
  • Pardot
  • PG Surveying
  • Predictive Response
  • Qualtrics
  • Saba Cloud
  • Salesforce
  • SilverPop
  • Televox

Please let me know if you have any questions or concerns.

Thank you.
Matt Ronn, Director of Infrastructure Services
Department of Information Technology
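
The check a receiving mail system performs, as an added example that is not part of the original message: a minimal Python evaluator for the `ip4`, `ip6`, `include` and `all` SPF mechanisms (RFC 7208), returning the result types named in the warning text above (fail, softfail, temperror, permerror). The domains, addresses and records are constructed, and authorizing an outside service through an `include` of its record is an assumption for illustration, not a description of Harvard's configuration.

```python
import ipaddress

# Constructed TXT records for reserved example domains (not any real SPF policy).
# None simulates a DNS lookup that timed out.
DNS_TXT = {
    "school.example": "v=spf1 ip4:192.0.2.0/24 include:_spf.mailer.example -all",
    "_spf.mailer.example": "v=spf1 ip4:198.51.100.0/25 ~all",
    "broken.example": "v=spf1 include:missing.example -all",
    "slow.example": None,
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(sender_ip, domain, depth=0):
    """Return the SPF result for a connecting IP that claims to send for domain."""
    if depth > 10:  # stop include loops; RFC 7208 also caps total DNS lookups at 10
        return "permerror"
    if domain not in DNS_TXT:
        return "none"  # domain publishes no SPF record
    record = DNS_TXT[domain]
    if record is None:
        return "temperror"  # transient DNS failure
    terms = record.split()
    if terms[:1] != ["v=spf1"]:
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in terms[1:]:
        qualifier = "+"  # default qualifier when none is written
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            try:
                matched = ip in ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"  # malformed network in the record
        elif name == "include":
            inner = check_spf(sender_ip, arg, depth + 1)
            if inner in ("none", "permerror"):
                return "permerror"  # an include must point at a valid record
            if inner == "temperror":
                return "temperror"
            matched = inner == "pass"  # only a pass from the included policy matches
        else:
            return "permerror"  # terms not handled here (a, mx, exists, ptr, redirect=)
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"  # no mechanism matched and no "all" term
```

A sender inside the included service's range passes for `school.example`, while the same service sending from an address outside its published range falls through to `-all` and fails, which is the case that triggers the warning for unlisted services.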