Re: Email and cloud services

[Dan Oachs <doachs () GAC EDU>]

My first reaction is to push back and ask them to use their own domain 
for sending email.

When forced to do this, we try to create a subdomain for them and add 
spf / dkim to it.  It is not perfect but much better than adding a 
billion IP addresses to the spf records of your primary domain.

    --Dan Oachs


On 05/11/2018 04:02 PM, Thomas Carter wrote:
> With the increase in outsourced solutions across campus, there is a 
> related increase in requests for updates to our SPF records for 
> outgoing emails and whitelisting for incoming emails. However, many of 
> these vendors turn around and use an email service for the sending 
> meaning we’re being asked to whitelist or add to SPF records for these 
> large email and marketing firms. For example, we were recently asked 
> by a SaaS vendor to whitelist all emails from Amazon SES, and another 
> vendor asked us to add an SPF entry for a generic email marketing firm 
> (of which we already have some). Unfortunately these requests happen 
> after the contracts are signed and we are just asked to “make it 
> work.” My concern is we only have a contract with one customer of the 
> email service, and any other customer of theirs is now either 
> whitelisted or included in our SPF.
>
> What are your views and policies around this type of email security 
> issues? How do you handle them (grit your teeth and bare it, push back 
> on the vendor, or?) ? Any other thoughts or words of wisdom?
>
> *Thomas Carter*
> Network & Operations Manager / IT
>
> *Austin College*
> 900 North Grand Avenue
> Sherman, TX 75090
>
> Phone: 903-813-2564
> www.austincollege.edu <http://www.austincollege.edu/>

Attachment: smime.p7s
Description: S/MIME Cryptographic Signature