Educause Security Discussion mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Email and cloud services

From: Patrick McElhinney <patrick.mcelhinney () NEWCASTLE EDU AU>
Date: Sun, 13 May 2018 23:53:22 +0000
This is the same approach that we are using.  There is a logical limit to the size of an SPF record which led us to 
implementing multiple SPF records for various subdomains based on the services being implemented.  This site is a great 
resource for planning and checking your own SPF records - https://dmarcian.com/spf-survey

You need to be careful about the distinction between trusting email from a given service\IP, and the use of SPF to 
detect spoofing activities.  You should avoid trusting email, even from domains under your own controls, given the 
volume of phishing activities constantly at play.  Even if an email passes SPF, you still need to ensure that other 
controls are in place to detect otherwise malicious emails.

Cheers,  Patrick


From: The EDUCAUSE Security Constituent Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Dan Oachs
Sent: Saturday, 12 May 2018 7:17 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Email and cloud services


My first reaction is to push back and ask them to use their own domain for sending email.

When forced to do this, we try to create a subdomain for them and add spf / dkim to it.  It is not perfect but much 
better than adding a billion IP addresses to the spf records of your primary domain.
    --Dan Oachs

On 05/11/2018 04:02 PM, Thomas Carter wrote:
With the increase in outsourced solutions across campus, there is a related increase in requests for updates to our SPF 
records for outgoing emails and whitelisting for incoming emails. However, many of these vendors turn around and use an 
email service for the sending meaning we're being asked to whitelist or add to SPF records for these large email and 
marketing firms. For example, we were recently asked by a SaaS vendor to whitelist all emails from Amazon SES, and 
another vendor asked us to add an SPF entry for a generic email marketing firm (of which we already have some). 
Unfortunately these requests happen after the contracts are signed and we are just asked to "make it work." My concern 
is we only have a contract with one customer of the email service, and any other customer of theirs is now either 
whitelisted or included in our SPF.

What are your views and policies around this type of email security issues? How do you handle them (grit your teeth and 
bare it, push back on the vendor, or?) ?  Any other thoughts or words of wisdom?

Thomas Carter
Network & Operations Manager / IT
Austin College
900 North Grand Avenue
Sherman, TX 75090
Phone: 903-813-2564
www.austincollege.edu<http://www.austincollege.edu/>
Previous By Date Next
Previous By Thread Next

Current thread: