As you approach the upcoming ceremony season, it’s crucial to address a significant change in email policies that could impact your email communications to graduates from the Tassel Hub. Google, Yahoo, and Microsoft have strict email policies aimed at combating spam and spoofing.

It mandates the authentication of every domain using SPF, DKIM, and DMARC protocols, directly affecting how emails from Tassel reach your student body. If your domain isn’t fully verified, this could significantly hinder your email deliverability ahead of commencement.

To avoid any communication disruptions, please follow our step-by-step domain verification guide below.

Email domains sent from the Tassel platform must be authenticated and steps taken to ensure nothing within your system will block the emails or send them to spam.

All emails sent from your school via the Tassel platform must come from one of your schools domains. For example, emails need to come from an @<your_domain>.edu address. To do this, you will need to complete the following steps:

Add or modify DNS Records for the domain you will be sending emails from. For example, if you are sending emails from grads@university.com, the domain would be “university.com”.

Sender Policy Framework (SPF) Record

Our Email Service Provider (ESP) has assigned us a dedicated IP address, 176.31.145.254. All email sent from the Tassel site will originate from this IP Address.

If there is already an SPF record for your sending domain (<your_domain>.edu)
Please add: ip4:176.31.145.254 to the existing SPF record.
Also add include (optional):_spf.elasticemail.com to the existing SPF record.

If your SPF Record is full, you may choose to use a subdomain. More information available below

If there is not already an SPF record for the sending domain, please add the following SPF record. For this example, we are using a subdomain, as most primary domains will already have an SPF record:

Name: subdomain.<your_domain>.edu

Value: v=spf1 ip4:176.31.145.254

(optional) include: _spf.elasticemail.com ~ALL

DomainKeys Identified Mail (DKIM)

Add a DKIM record (TXT record) of the public key so that the From domain can sign emails with DKIM for security and deliverability purposes. The d= domain would be the From domain. The selector will be “api._domainkey” in all cases.

Name (if using primary domain): api._domainkey.<your_domain>.edu

Or, if using a subdomain: api._domainkey.subdomain.<your_domain>.edu

Value: when you are ready, email techsupport@tassel.com for the DKIM key.

Domain-based Message Authentication Reporting & Conformance(DMARC)

Option A
Setup your DMARC policy with a simple, most common DMARC record. You will not receive any reports with this setup.
Host/Name:_dmarc
Value: v=DMARC1;p=none;

Option B
This setup will include reports. The DMARC Reports will come to the email you specify in ruf= and rua= parameters. If you do not wish to receive them anymore, remove these parameters (Similar to Option 1).

When you no longer receive negative reports, change your DMARC policy to quarantine which will not necessarily bounce email, but indicate to the recipient server they should consider quarantining it (junk or spam folder).
Host/Name:_dmarc
Value: v=DMARC1; p=quarantine; ruf=mailto:youremail@yourdomain.com; rua=mailto:youremail@yourdomain.com
ruf – Forensic (failure) reports
rua – Aggregate reports

Option C
Another option with reports included. When you are satisfied that you are validating all the email from your domain(s) with SPF and DKIM, change the policy to reject which will bounce the emails that do not pass SPF and DKIM validation.
Host/Name:_dmarc
Value: v=DMARC1; p=reject; ruf=mailto:youremail@yourdomain.com; rua=mailto:youremail@yourdomain.com
Please click here to view a list of the most popular tags available for your DMARC policy as above are only examples.

Elastic Email “tracks” opens, clicks, unsubscribes, etc. on sent emails. This tracking will also show on email records in your Tassel Hub.

To do this, Elastic must rewrite links and use web pages. Setting up a “tracking domain” brands these rewritten links and pages with your own domain.

Create a CNAME record. Enter:
Host/Name: tracking
Value: api.elasticemail.com

Notify Tassel of the sending domain so that it may be added and verified in the system.

Send the sending domain (your_domain.edu) to your CSM for verification. Your CSM will let you know if verification was successful.

Please note that once an SPF/DKIM record has been updated, it may take up to 48 hours for the settings to propagate.

‍

If your SPF record is full, you may opt to use a subdomain to add a new SPF record as listed above, any replies back to that email address (e.g. commencement@subdomain.<your_domain>.edu) will need to be received by the sending, party, such as the Commencement Office.

One option to achieve this would be for local IT departments to set up forwarding from the subdomain to the email inbox of the primary domain. Another would be for the affected office to be given an inbox where they can send and receive mail using the subdomain email address.

Using an SPF Macro to complete the above DNS record changes is currently not recommended. While an SPF Marco can be verified, it may take up to 10 business days to complete verification. Tassel highly recommends completing the DNS settings as instructed above with either your main or subdomain.

If you are unable to add SPF/DKIM Records, please reach out to your Customer Success Manager for assistance creating a specialized domain for your school.

Note Regarding DMARC compliance:
Our objective is to follow best practices for email security and delivery and be in full compliance with the DMARC standards. To ensure that your setup complies with the updated DMARC policies enacted by Google and Yahoo on February 1, 2024, the above steps must be completed.