Email and cloud services

[Thomas Carter <tcarter () AUSTINCOLLEGE EDU>]

With the increase in outsourced solutions across campus, there is a related increase in requests for updates to our SPF 
records for outgoing emails and whitelisting for incoming emails. However, many of these vendors turn around and use an 
email service for the sending meaning we're being asked to whitelist or add to SPF records for these large email and 
marketing firms. For example, we were recently asked by a SaaS vendor to whitelist all emails from Amazon SES, and 
another vendor asked us to add an SPF entry for a generic email marketing firm (of which we already have some). 
Unfortunately these requests happen after the contracts are signed and we are just asked to "make it work." My concern 
is we only have a contract with one customer of the email service, and any other customer of theirs is now either 
whitelisted or included in our SPF.

What are your views and policies around this type of email security issues? How do you handle them (grit your teeth and 
bare it, push back on the vendor, or?) ?  Any other thoughts or words of wisdom?

Thomas Carter
Network & Operations Manager / IT
Austin College
900 North Grand Avenue
Sherman, TX 75090
Phone: 903-813-2564
www.austincollege.edu<http://www.austincollege.edu/>