Re: Third-party external services using your email domain

["Blackstone, Chris" <0000004bdf040758-dmarc-request () LISTSERV EDUCAUSE EDU>]

Similarly, we have multiple sub-domains

Advancement.arbor.edu - Used for advancement marketing emails
Admissions.arbor.edu - used for admissions marketing emails
Send.arbor.edu - used for notification emails from systems like StatusPage.io

I have specifically NOT whitelisted domains that send AS @arbor.edu, and we also reject emails that fail DMARC. I had 
to work with multiple groups on campus to coordinate all of this but it has proven beneficial, if for nothing else it 
let us know just how many groups were using @arbor.edu addresses when sending marketing email and the like.

I would also encourage you to use a DMARC analysis service to get a sense of who is sending as you right now. We 
started with DMARCAnalyzer (https://www.dmarcanalyzer.com/) and now use Barracuda's Sentinel product.

Tightening up your SPF record will help a lot as well.

Chris
 
--
Chris Blackstone
Chief Information Officer
Spring Arbor University
517-750-6406
http://www.arbor.edu 
<https://na01.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwww.arbor.edu%2F&data=02%7C01%7COLSRV.EXMF.WW.00.EN.WIP.BOM.TS.T01.SPT.ST.EM%40css.one.microsoft.com%7Cbe53ab64e0cc45591a3308d501ecd1da%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C636417039079773104&sdata=hMeSBIGP1oGR5hFG26BJkRaUxWIuPbVAr2RuoBXLulk%3D&reserved=0>
 
Schedule a meeting with me at https://calendly.com/chrisblackstone
 
 
On 1/23/18, 5:54 PM, "The EDUCAUSE Security Constituent Group Listserv on behalf of Rob Milman" <SECURITY () LISTSERV 
EDUCAUSE EDU on behalf of rob.milman () SAIT CA> wrote:

    Hi Thomas,
    
    We went through this last year. As much as I don't like to take advice from Microsoft, they actually put together 
some good advice on this very subject. 
https://blogs.msdn.microsoft.com/tzink/2015/03/13/how-to-align-with-spf-and-dmarc-for-your-domain-if-you-use-a-lot-of-3rd-parties-to-send-email-as-you/
    
    We ended up creating a sub-domain to reduce our risk exposure. It has worked well so far with at least 2 other mail 
vendors.
    
    Regards,
    
    Rob Milman
    Associate Director, Information Security
    Information Systems
    
    Southern Alberta Institute of Technology
    EH Crandell Building, GA 214
    1301 - 16 Avenue NW, Calgary AB, T2M 0L4
    
    (Office) 403.774.5401  (Cell) 403.606.3173
    rob.milman () sait ca
    
    
    
    
    -----Original Message-----
    From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of 
Thomas Carter
    Sent: Tuesday, January 23, 2018 3:43 PM
    To: SECURITY () LISTSERV EDUCAUSE EDU
    Subject: [SECURITY] Third-party external services using your email domain
    
    We're seeing an increasing number of requests for using external services to send emails to internal recipients and 
wanting to use our "@austincollege.edu" domain as the sender and reply-to. They also want to make sure our spam filters 
do not catch these emails as spam. We can whitelist the sending server(s), but more services are using large mail 
vendors like MailChimp. We can white list the specific sender, but some are wanting to use valid addresses (for 
example, "hr () austincollege edu") and whitelisting those can lead to easier phishing.
    
    Do you allow external services to send using your domain? How are you handling these type of emails?
    
    Thomas Carter
    Network & Operations Manager / IT
    Austin College
    900 North Grand Avenue 
    Sherman, TX 75090
    Phone: 903-813-2564
    www.austincollege.edu