Wow, very surprised to see no DMARC records in place for harvard.edu or their various subdomains. It may be possible that a single DNS record could have prevented this whole madness.
A single DNS record and distributing the signing key to probably thousands of machines able to send mail, some of which are probably 30 years old and unable to do the DMARC crypto...