University email: security, authentication, and privacy

The university email system is now reliable and well-regulated. Unlike the early days of electronic mail, which was created as an open system without verification mechanisms, technological advancements have introduced automatic sender verification, communication encryption, and continuous monitoring systems:

  • The sender is automatically verified.
  • The content is protected during transmission.
  • Access to the content is regulated.

The system administrator does not have unrestricted access to users’ emails but can only access them following explicit authorizations and official requests.

While providing adequate security guarantees for everyday use, email is not a certified tool for exchanging highly sensitive documents, for which dedicated solutions are available.

No. Modern email systems use sender authentication, transport encryption, and automatic controls against abuse and forgery.

Yes. Mail servers verify the sender domain’s authenticity using standard mechanisms provided by the new SPF, DKIM, and DMARC protocols, which are active on the Politecnico’s email system.

Automatic forwarding transfers messages outside the university infrastructure. In this case:

  • Messages are no longer subject to the university’s security and retention policies.
  • The content is managed according to the rules of the external provider.
  • The control, audit, and protection guarantees offered by Exchange Online no longer apply.

Therefore, forwarding to external mailboxes is not recommended for institutional communications and may have implications in terms of confidentiality and regulatory compliance.

Yes, during transport between servers, using encrypted connections (TLS). By default, email is not end-to-end encrypted.

Only the sender and recipient can access the email. Additional access is allowed solely in authorized and logged cases for legal or security purposes.

No. In Exchange Online, access to content requires specific permissions and is always subject to logging and auditing.

It is very difficult. Institutional domain DMARC policies block unauthorized sending and spoofing attempts.

No, not without being detected. DKIM signatures ensure the integrity of the message.

For ordinary communications, yes. For highly sensitive data, tools with end-to-end encryption are recommended.

Technical sheet – sender authentication

 

SPF (Sender Policy Framework)

It defines which servers are authorized to send emails for a domain.

 

DKIM (DomainKeys Identified Mail)

It applies a cryptographic signature to the message to ensure its integrity.

 

DMARC (Domain-based Message Authentication, Reporting & Conformance)

It defines how to handle messages that fail SPF and DKIM checks and allows for abuse monitoring.
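
How a receiving server combines the three mechanisms, as an added example that is not part of the original page or of the university's configuration. The domains (university.example, other.example), the DMARC record and the SPF/DKIM results are constructed, and the organizational domain is approximated as the last two labels instead of being looked up in the Public Suffix List.

```python
# Added example: DMARC decision from SPF and DKIM results (constructed data).

# Constructed DMARC TXT record for the hypothetical domain university.example.
RECORD = "v=DMARC1; p=reject; adkim=s; aspf=r"

def parse_dmarc(record):
    """Split a DMARC TXT record into a tag dictionary and validate v= and p=."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or tags.get("p") not in ("none", "quarantine", "reject"):
        raise ValueError("not a valid DMARC record")
    return tags

def org_domain(domain):
    """Assumption: last two labels stand in for the organizational domain."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(auth_domain, from_domain, mode):
    """Strict mode ('s') needs an exact match; relaxed ('r') compares organizational domains."""
    a, f = auth_domain.lower().rstrip("."), from_domain.lower().rstrip(".")
    return a == f if mode == "s" else org_domain(a) == org_domain(f)

def dmarc_disposition(record, from_domain, spf, dkim):
    """
    spf  = (result, envelope sender domain checked by SPF)
    dkim = list of (result, d= signing domain), one entry per signature
    Returns 'pass', or the domain's policy (none / quarantine / reject).
    """
    tags = parse_dmarc(record)
    spf_ok = spf[0] == "pass" and aligned(spf[1], from_domain, tags.get("aspf", "r"))
    dkim_ok = any(result == "pass" and aligned(d, from_domain, tags.get("adkim", "r"))
                  for result, d in dkim)
    # DMARC passes when at least one mechanism passes AND is aligned with the From domain.
    return "pass" if (spf_ok or dkim_ok) else tags["p"]

if __name__ == "__main__":
    # Genuine message: SPF passes for a subdomain (relaxed), DKIM signed by the exact domain.
    print(dmarc_disposition(RECORD, "university.example",
                            ("pass", "mail.university.example"), [("pass", "university.example")]))
    # Forged From header: SPF and DKIM pass, but only for the unrelated domain other.example.
    print(dmarc_disposition(RECORD, "university.example",
                            ("pass", "other.example"), [("pass", "other.example")]))
```

The second case shows why DMARC is needed on top of SPF and DKIM: both checks pass for the sending domain, but neither is aligned with the address shown in the From header, so the published policy applies.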

Who it is intended for

 

Faculty

 

Technical, administrative, and library staff

 

Students