Re: Third-party external services using your email domain

[Rob Milman <rob.milman () SAIT CA>]

Hi Thomas,

We went through this last year. As much as I don't like to take advice from Microsoft, they actually put together some 
good advice on this very subject. 
https://blogs.msdn.microsoft.com/tzink/2015/03/13/how-to-align-with-spf-and-dmarc-for-your-domain-if-you-use-a-lot-of-3rd-parties-to-send-email-as-you/

We ended up creating a sub-domain to reduce our risk exposure. It has worked well so far with at least 2 other mail 
vendors.

Regards,

Rob Milman
Associate Director, Information Security
Information Systems

Southern Alberta Institute of Technology
EH Crandell Building, GA 214
1301 - 16 Avenue NW, Calgary AB, T2M 0L4

(Office) 403.774.5401  (Cell) 403.606.3173
rob.milman () sait ca




-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Thomas 
Carter
Sent: Tuesday, January 23, 2018 3:43 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Third-party external services using your email domain

We're seeing an increasing number of requests for using external services to send emails to internal recipients and 
wanting to use our "@austincollege.edu" domain as the sender and reply-to. They also want to make sure our spam filters 
do not catch these emails as spam. We can whitelist the sending server(s), but more services are using large mail 
vendors like MailChimp. We can white list the specific sender, but some are wanting to use valid addresses (for 
example, "hr () austincollege edu") and whitelisting those can lead to easier phishing.

Do you allow external services to send using your domain? How are you handling these type of emails?

Thomas Carter
Network & Operations Manager / IT
Austin College
900 North Grand Avenue 
Sherman, TX 75090
Phone: 903-813-2564
www.austincollege.edu