Educause Security Discussion mailing list archives
Re: Email and cloud services
From: Patrick McElhinney <patrick.mcelhinney () NEWCASTLE EDU AU>
Date: Sun, 13 May 2018 23:53:22 +0000
This is the same approach that we are using. There is a logical limit to the size of an SPF record which led us to implementing multiple SPF records for various subdomains based on the services being implemented. This site is a great resource for planning and checking your own SPF records - https://dmarcian.com/spf-survey You need to be careful about the distinction between trusting email from a given service\IP, and the use of SPF to detect spoofing activities. You should avoid trusting email, even from domains under your own controls, given the volume of phishing activities constantly at play. Even if an email passes SPF, you still need to ensure that other controls are in place to detect otherwise malicious emails. Cheers, Patrick From: The EDUCAUSE Security Constituent Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Dan Oachs Sent: Saturday, 12 May 2018 7:17 AM To: SECURITY () LISTSERV EDUCAUSE EDU Subject: Re: [SECURITY] Email and cloud services My first reaction is to push back and ask them to use their own domain for sending email. When forced to do this, we try to create a subdomain for them and add spf / dkim to it. It is not perfect but much better than adding a billion IP addresses to the spf records of your primary domain. --Dan Oachs On 05/11/2018 04:02 PM, Thomas Carter wrote: With the increase in outsourced solutions across campus, there is a related increase in requests for updates to our SPF records for outgoing emails and whitelisting for incoming emails. However, many of these vendors turn around and use an email service for the sending meaning we're being asked to whitelist or add to SPF records for these large email and marketing firms. For example, we were recently asked by a SaaS vendor to whitelist all emails from Amazon SES, and another vendor asked us to add an SPF entry for a generic email marketing firm (of which we already have some). Unfortunately these requests happen after the contracts are signed and we are just asked to "make it work." My concern is we only have a contract with one customer of the email service, and any other customer of theirs is now either whitelisted or included in our SPF. What are your views and policies around this type of email security issues? How do you handle them (grit your teeth and bare it, push back on the vendor, or?) ? Any other thoughts or words of wisdom? Thomas Carter Network & Operations Manager / IT Austin College 900 North Grand Avenue Sherman, TX 75090 Phone: 903-813-2564 www.austincollege.edu<http://www.austincollege.edu/>
Current thread:
- Email and cloud services Thomas Carter (May 11)
- Re: Email and cloud services Dan Oachs (May 11)
- Re: Email and cloud services Patrick McElhinney (May 13)
- Re: Email and cloud services Dan Oachs (May 11)