STN-3000.03: Supported Email Services for Applications and Devices

STANDARD SUMMARY

Intended Audience: Information Technology Personnel, Application Owners, Procurement and Contracts Personnel, External Software Vendors
Standard Owner: Associate Director of Enterprise Infrastructure Services

Information Technology Services (ITS) supports several methods for allowing applications and devices to securely send email, and to help improve the odds of successful delivery. Technologies include:

On-Campus Simple Mail Transfer Protocol (SMTP) Relay
Authenticated SMTP Relay for Cloud Applications
Spam Filter Bypass List
Authenticated Email via Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM)

Western Washington University is a customer of Microsoft’s email services and is subject to Microsoft’s service and infrastructure limitations.

For the complete standard, click “Full Document” tab at top of page.

FULL DOCUMENT

1. Definitions

Simple Mail Transfer Protocol (SMTP)	SMTP is an open protocol used for transmitting email over the Internet. It ensures compatibility between clients and email servers as well as between email servers.
Mail Domain	The address that comes after the “@” symbol in an email address. The University administers several mail domains, including wwu.edu, *.vendor.wwu.edu, and wwu2.onmicrosoft.com.
Spoofing	Spoofing occurs when an email message has been manipulated to make it appear as if it came from a different sender or mail domain. Spoofing can be done legitimately and intentionally by a vendor to give emails a “friendlier” appearance, but spoofing is also done by scammers who are trying to conceal their identity.
Sender Policy Framework (SPF)	SPF is a method of verifying that an email came from a legitimate source. Western publishes SPF records identifying who is allowed to send email from our “vendor.wwu.edu” email domain. When receiving an email from a “vendor.wwu.edu” address, client email software checks the published list, and if the sender is on the list, the email is less likely to be categorized as spam.
DomainKeys Identified Mail (DKIM)	Akin to SPF, but instead of verifying if the source of the email is valid, DKIM uses encryption keys to verify that the email itself has not been manipulated in transit.

2. Western is a Customer of Microsoft Email Services

Western uses Microsoft Office 365 to send and receive email from the @wwu.edu mail domain. As a customer of Microsoft, Western relies on Microsoft to store, transmit, and process email according to their best practices for security and infrastructure, and their established service-level agreements for availability.

While Information Technology Services (ITS) retains some control over the configuration of the Microsoft email environment, ITS must defer some configuration and implementation decisions to Microsoft to make on Western’s behalf.

3. ITS Does Not Support Spoofing

To increase the security of Western’s email systems, Western does not grant externally hosted applications the ability to send email from the @wwu.edu domain.

Email sent from applications that are configured to “spoof” an @wwu.edu email address are likely to be identified as spam or malicious and be delivered to a quarantine location or to users’ Junk Mail folders.

To improve the likelihood that valid messages are delivered to Western mailboxes, applications must be configured to use their actual sender domain when sending email (e.g., ESM Marketplace sends email as orders@esmsolutions.com).

4. ITS Provides Technical Solutions to Improve Mail Delivery

ITS provides multiple methods to improve email delivery from Western applications. The services below can be requested by submitting a ticket to the Help Desk at https://atus.wwu.edu/get-help.

4.1 SMTP Relay for On-Premises Devices

Applications that send email from an on-campus server or other device (such as a multi-function printer) can be configured to send email with an @wwu.edu email address.

4.2 Authenticated SMTP Relay for Cloud Applications

Some cloud-based applications can be configured to send email as an @wwu.edu email address using a service account that authenticates to smtp.office365.com.

4.3 Spam Filter Bypass List

ITS maintains a list of senders that are allowed to bypass Western-specific spam filtering rules. Adding an application’s sender address, domain name, or domain address to the Bypass List does not guarantee that the message will bypass the spam filtering rules in a recipient’s email client, but it will bypass Western’s centrally managed spam filters.

ITS does not support adding the IP addresses of bulk mailer services, such as Amazon or Mailchimp, to the Bypass List. Those IP addresses are typically shared among multiple applications; allowing one of those addresses to bypass the spam filters would cause a significant increase in spam and malicious email to Western email users.

4.4 Authenticated Email via SPF and DKIM

If an external application cannot use its own domain, ITS will provide a “vendor” domain specifically for that purpose. Email addresses are formatted as <service name>@<vendor name>.vendor.wwu.edu. ITS works with vendors to put an SPF/DKIM configuration in place.

While this is a secure method of configuring email, ITS does not recommend this approach. While using SPF/DKIM reduces the odds of a message being flagged as spam or otherwise malicious, the most effective way of ensuring delivery is to allow the application to use its own mail domain instead of impersonating a Western mail domain.

5. ITS Protects Western from Malicious Email

5.1 URL Re-Writing

Western uses Exchange Online Protection combined with Microsoft Advanced Threat Protection SafeLinks. This rewrites all web addresses in the body of an email and scans all attachments through Microsoft's security systems. In email services that use Rich Text or HTML formatting, these rewritten links will be masked. However, in plain text email systems, the rewritten link will be visible, in the format of https://nam11.safelinks.protection.outlook.com/?url=[original link here].

5.2 Spam Filter Block List

As with the Bypass List above, ITS maintains a list of known bad-sender domains. Email from those domains will be automatically categorized as spam by our email system.

6. Limitations of Western’s Email Service

6.1 Service Limits

Microsoft enforces several limitations on its email customers, including:

The size of emails.
The number of emails an individual account can send and receive per day.
The number of recipients allowed per message.

6.2 Client Application Limits

Email recipients, including other Western email users, may configure their own rules for trusting, blocking, or otherwise automating the processing of email they receive. These “client-side” rules can route a message to Junk Mail or quarantine even if ITS has put rules in place to deliver the message to the inbox.

7. References

Microsoft email service limits: https://docs.microsoft.com/en-us/office365/servicedescriptions/exchange-online-service-description/exchange-online-limits.

Change Log

Revised	Version	Author	Approver	Change
11/05/2021	1.0	Chris Miller	ITS Standards & Guidelines Committee	Original Version