Educause Security Discussion mailing list archives

Re: E-Mail Whitelisting and Junk Filtering Policies

From: "Gregg, Christopher S." <csgregg () STTHOMAS EDU>
Date: Fri, 10 Feb 2017 20:02:19 +0000

Great thank you!  Thanks to others who have replied here and directly.  It sounds like a lot of us share these same 
challenges.

It would be good to hear specific criteria you are using to categorize these domains as well.

Thanks,

Chris



From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Rob 
Milman
Sent: Friday, February 10, 2017 1:43 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] E-Mail Whitelisting and Junk Filtering Policies

Had to look at all my sent items this week (did I really send that much e-mail?)

https://blogs.msdn.microsoft.com/tzink/2015/03/13/how-to-align-with-spf-and-dmarc-for-your-domain-if-you-use-a-lot-of-3rd-parties-to-send-email-as-you/

Rob

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Hart, 
Mike
Sent: Friday, February 10, 2017 12:32 PM
To: SECURITY () LISTSERV EDUCAUSE EDU<mailto:SECURITY () LISTSERV EDUCAUSE EDU>
Subject: Re: [SECURITY] E-Mail Whitelisting and Junk Filtering Policies

If you can share that MSDN article with me as well, I'd appreciate it.  This is an issue with our community as well.

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Rob 
Milman
Sent: Friday, February 10, 2017 12:28 PM
To: SECURITY () LISTSERV EDUCAUSE EDU<mailto:SECURITY () LISTSERV EDUCAUSE EDU>
Subject: Re: [SECURITY] E-Mail Whitelisting and Junk Filtering Policies

Hi Chris,

Great timing, we are currently dealing with a request from one of our department to allow a third-party to send as our 
domain. We came up with a solution to reduce our risk based on advice from Microsoft's MSDN site. What we have proposed 
is to make a sub-domain under our root domain specifically for third-parties wishing to send as our domain.

We feel this will reduce the risk of us getting put on a blacklist should the third-party have some unintended issue 
happen. It also make it easier to turn off from our side, if the relationship is severed.

Hopefully, that helps a little. If I could find the MSDN article again, I'd send you a link to it as it covers off some 
other security considerations too.

Regards,

Rob

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Gregg, 
Christopher S.
Sent: Friday, February 10, 2017 9:59 AM
To: SECURITY () LISTSERV EDUCAUSE EDU<mailto:SECURITY () LISTSERV EDUCAUSE EDU>
Subject: [SECURITY] E-Mail Whitelisting and Junk Filtering Policies

Does anyone have a policy or methodology they use for determining which e-mail domains that they allow to send as the 
university's domain, which are whitelisted from being blocked by spam and junk mail filters, and which are treated as 
anyone else coming from outside the university?

As we have migrated to Office365 and moved our mail routing through Microsoft, we are revisiting this topic.   
Microsoft's Office365 Junk mail function is working well.  However, some "legitimate" systems and provider e-mails are 
now being flagged as potentially junk or being moved right to the junk mail folder.  We are getting requests from 
various stakeholders on campus to exempt their e-mails from Junk (and Clutter as well).

For example, we use third party systems for purchasing, HR onboarding, room scheduling and several others.  We also 
have various organizations on campus such as a student run journalism group that use 3rd party services.  Various 
survey services often fall into this category as well, some of which are more official than others.

We haven't had a consistent policy or process for which e-mail services and domains will be allowed to send as the 
university's domain, which should be whitelisted from junk mail filtering, and which are treated as an external entity. 
 As a result some services have been allowed to send as the university that probably shouldn't, and we've been making 
case by case decisions to determine which services/domains (if any) should be exempted from junk mail filtering.

We're considering an updated approach with four levels something like this...

Level 1 - Whitelisted from Junk and Clutter, and allowed to send as St. Thomas domain.  Highly restricted to only 
critical external facing services.

Level 2 - Whitelisted from Junk and Clutter but not allowed to send as St. Thomas domain.  Restricted to approved 
enterprise level systems providing services to campus.

Level 3 - All others, subject to normal O365 junk mail and Clutter (soon to be Focused Inbox) rules

Level 4 - Known bad domains, e-mail actively blocked

Does anyone have something that is working well that they would be willing to share?  Or feedback on our plan?

Thank you in advance,

Chris


Chris Gregg
Associate Vice President of Information Security & Risk Management, CISO
Information Technology Services (ITS)
csgregg () stthomas edu<mailto:csgregg () stthomas edu>
University of St. Thomas | stthomas.edu<https://www.stthomas.edu>






[http://static.stthomas.edu/email/disclaimer-logo.png]<http://www.stthomas.edu/e>

Current thread:

E-Mail Whitelisting and Junk Filtering Policies Gregg, Christopher S. (Feb 10)
- Re: E-Mail Whitelisting and Junk Filtering Policies Rob Milman (Feb 10)
  - Re: E-Mail Whitelisting and Junk Filtering Policies Hart, Mike (Feb 10)
    - Re: E-Mail Whitelisting and Junk Filtering Policies Rob Milman (Feb 10)
    - Re: E-Mail Whitelisting and Junk Filtering Policies Hart, Mike (Feb 10)
    - Re: E-Mail Whitelisting and Junk Filtering Policies Gregg, Christopher S. (Feb 10)