
Understanding the recent changes to our college email system

With the recent migration to CUNY Microsoft 365 (M365) for all CUNY employees at the start of the Fall 2024 semester, there have been significant changes in how our email system handles security. Many users have noticed that more emails now get stuck in their spam quarantine, and others are labeled as Unverified or External even though they appear to be sent internally by Brooklyn College. This article aims to explain these changes and provide clarity on the new email security measures.

Before Fall 2024

Prior to Fall 2024, the Brooklyn College email system was hosted on a local server, and the email security was managed by our ITS department. Managing our own email server allowed us to whitelist senders deemed safe and make exceptions for specific third-party applications and other external senders.

After Fall 2024

Microsoft 365 Migration

At the start of Fall 2024, Brooklyn College transitioned to the CUNY Microsoft 365 (M365) platform for all employee email accounts. M365 is a cloud-based email system managed by Microsoft and owned by CUNY Central. With this transition, the email security measures are now managed by CUNY Central and Microsoft, and our local college ITS department has less control over the security settings. Thus, email senders previously whitelisted or considered internal are now being flagged as external senders. Currently, all email messages sent from outside CUNY M365 are labeled as external and will display “This Message Is From an External Sender”. This includes messages from the college’s Mailchimp account used for newsletters and other communications.

Messages sent from student college email accounts to employee email accounts are also considered external, since students are not part of the employee M365 environment (this will change in the future).

Proofpoint Email Security — November 2024

In November 2024, CUNY Central activated a new email security system called Proofpoint for all college email accounts. Proofpoint uses a very aggressive filter to block spam and phishing emails but also filters messages deemed low priority. It uses advanced algorithms to determine the legitimacy of an email and can sometimes be overzealous in its blocking. To ensure users don’t miss important emails, Proofpoint sends all users an End User Digest message at least once per day, which includes a list of emails that were quarantined in both the Low Priority and Spam folders. You can review these emails in a secure sandbox, separate from your computer, and release them if they are legitimate. Check our Proofpoint guide for more information on setting up your Proofpoint account and managing your quarantined emails.

Internal vs External email messages as defined by CUNY Microsoft 365

Internal Emails

These are emails sent from one CUNY employee to another using individual email accounts or automations created within the CUNY Microsoft 365 environment. For example, when one CUNY employee sends an email to another CUNY employee from Outlook, it is considered an internal email. As of Spring 2025, emails sent from our local college email announcement systems (SEMS and STEMAS) are also considered internal.

External Emails

These are all emails sent from outside the CUNY Microsoft 365 environment, including emails sent from CUNY student email accounts to CUNY employee email accounts. A banner reading “This Message Is From an External Sender” is added to the top of external emails.

Proofpoint Security Classifications

Low-Priority Mail – Quarantined: This folder contains low-priority emails such as newsletters, invitations, and announcements.

Spam – Quarantined: This folder contains emails marked as spam. Review these emails carefully and only release them or allow the sender if you are certain they are legitimate.

Unverified Messages

In CUNY M365, the DMARC (Domain-based Message Authentication, Reporting, and Conformance) protocol is used to verify the authenticity of incoming emails. When an email fails DMARC verification, it is labeled as Unverified. It can also end up in the Proofpoint quarantine.

Unverified error message: "We can't verify that this email came from the sender so it might not be safe to respond to it."

DMARC helps protect email domains from being misused. It works by checking whether incoming emails are really from the domain they claim to be from. If an email fails this check, the sending domain's published DMARC policy tells the receiving mail system what to do with it, such as sending it to spam or rejecting it. This helps keep fake emails that appear to come from trusted sources, a common tactic in phishing attacks, from reaching inboxes.
