E-Mail Whitelisting and Junk Filtering Policies

["Gregg, Christopher S." <csgregg () STTHOMAS EDU>]

Does anyone have a policy or methodology they use for determining which e-mail domains that they allow to send as the 
university's domain, which are whitelisted from being blocked by spam and junk mail filters, and which are treated as 
anyone else coming from outside the university?

As we have migrated to Office365 and moved our mail routing through Microsoft, we are revisiting this topic.   
Microsoft's Office365 Junk mail function is working well.  However, some "legitimate" systems and provider e-mails are 
now being flagged as potentially junk or being moved right to the junk mail folder.  We are getting requests from 
various stakeholders on campus to exempt their e-mails from Junk (and Clutter as well).

For example, we use third party systems for purchasing, HR onboarding, room scheduling and several others.  We also 
have various organizations on campus such as a student run journalism group that use 3rd party services.  Various 
survey services often fall into this category as well, some of which are more official than others.

We haven't had a consistent policy or process for which e-mail services and domains will be allowed to send as the 
university's domain, which should be whitelisted from junk mail filtering, and which are treated as an external entity. 
 As a result some services have been allowed to send as the university that probably shouldn't, and we've been making 
case by case decisions to determine which services/domains (if any) should be exempted from junk mail filtering.

We're considering an updated approach with four levels something like this...

Level 1 - Whitelisted from Junk and Clutter, and allowed to send as St. Thomas domain.  Highly restricted to only 
critical external facing services.

Level 2 - Whitelisted from Junk and Clutter but not allowed to send as St. Thomas domain.  Restricted to approved 
enterprise level systems providing services to campus.

Level 3 - All others, subject to normal O365 junk mail and Clutter (soon to be Focused Inbox) rules

Level 4 - Known bad domains, e-mail actively blocked

Does anyone have something that is working well that they would be willing to share?  Or feedback on our plan?

Thank you in advance,

Chris



Chris Gregg
Associate Vice President of Information Security & Risk Management, CISO
Information Technology Services (ITS)
csgregg () stthomas edu<mailto:csgregg () stthomas edu>
University of St. Thomas | stthomas.edu<https://www.stthomas.edu>






[University of St. Thomas : All for the Common Good]<http://www.stthomas.edu/e>