E-mail Security Questionnaire
This article lists the questions to which OU ought to have answers before UTS acts on a request to add or to modify DNS records for SPF and DKIM. The context is external e-mail services, such as Mandrill/Mandrillapp, MailChimp, etc.
Description
OU selectively has vendors send e-mail messages to its members. Three elements of e-mail need to be considered:
- current infrastructure
- Google Workspace Mail
- mail networks
On the first point, an e-mail service needs to function properly with what OU already runs. On the second point, Google's SaaS productivity suite, Google Workspace, hosts OU's e-mail accounts, and Google has guidelines and practices by which all vendors and OU need to abide. On the third point, e-mail networks operate on trust, which is a combination of factors such as external reputation, enforcement of security configurations, and user practices. If OU's reputation is sullied to the point of running afoul of established norms, which contravenes being a good neighbor on the Internet, then e-mail networks will simply accept messages from oakland.edu addresses and then quarantine them as illegitimate.
Questionnaire
- Will you send e-mail messages from a single, specific oakland.edu FROM address or from multiple addresses? If you plan to use multiple e-mail addresses, do you know them in advance, or will they be generated dynamically?
- Will the servers that send e-mail messages also send e-mail messages on behalf of other domains? In that situation, another domain that you serve could forge e-mail from oakland.edu addresses that would appear valid because OU added your DKIM and SPF records to OU's DNS.
- Does your service have valid MX, A, and PTR records for the e-mail servers?
- Do any e-mail networks recognize your service as a black-listed e-mail network?
- Are any problems with your e-mail network listed in the results of on-line tools?
- Does your service allow messages to be sent and received with the TLS encryption protocol?
- What is your service's policy, as stated in DNS, for e-mail messages that fail DMARC checks?
- Related to the previous question: what measures do you have in place to prevent e-mail spoofing across the domains on whose behalf you send e-mail?
- How do you validate recipient e-mail addresses to prevent mass backscatter, that is, bounced e-mail messages being returned to the sending oakland.edu address?
- Do you use the same REPLY-TO address as the FROM address?
- If OU should experience problems as a result of the service's practices, who is the technical contact whom OU ought to contact?
- If any IP addresses, DKIM keys, or SPF records should change, who will notify UTS <uts AT oakland DOT edu>?
- Do you have a contract for your service with OU; if so, what is its expiration date?
- Have you reviewed Google's Bulk Senders Guidelines, and does your service conform to them?
- Does your service adhere to the best practices regarding subscription and unsubscription as outlined in Google's Bulk Senders Guidelines?
- Does your service support and/or require SMTP Authentication?
- Will the e-mail sent stay within the single-user limits outlined at Google Workspace e-mail sending limits?
- If SMTP relay services are required, will the e-mail sent stay within the limits outlined at Sending limits for the SMTP relay service?
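The SPF and DMARC items above (a vendor that sends for many domains, and the DNS-stated policy for mail failing DMARC) can be checked mechanically before a record is added. The following Python is an added example, not part of this article or of any OU or UTS tooling: it evaluates a sending IP against a constructed set of SPF records, including the vendor `include:` case, and reads the `p=` policy from a constructed DMARC record. The `TXT` table, the vendor domain `spf.example-vendor.net`, and all addresses are made-up sample data.

```python
import ipaddress
import re

# Constructed DNS TXT records standing in for real lookups (assumption: in practice
# you would query DNS, e.g. with dnspython). The vendor domain, addresses and the
# oakland.edu records shown here are made-up sample data, not OU's live records.
TXT = {
    "oakland.edu": "v=spf1 include:_spf.google.com include:spf.example-vendor.net -all",
    "_spf.google.com": "v=spf1 ip4:203.0.113.0/24 ~all",
    "spf.example-vendor.net": "v=spf1 ip4:198.51.100.0/24 ?all",
    "_dmarc.oakland.edu": "v=DMARC1; p=quarantine; rua=mailto:dmarc@oakland.edu",
}
QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def spf_check(domain, ip, depth=0):
    """Evaluate ip against domain's SPF record -> pass/fail/softfail/neutral/none.
    Handles ip4:/ip6:, include: and "all"; depth approximates RFC 7208's lookup cap."""
    record = TXT.get(domain, "")
    if not record.startswith("v=spf1") or depth > 10:
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qual = term[0] if term[0] in QUALIFIER else "+"
        mech = term.lstrip("+-~?")
        if mech == "all":
            return QUALIFIER[qual]
        if mech.startswith(("ip4:", "ip6:")):
            if addr in ipaddress.ip_network(mech[4:], strict=False):
                return QUALIFIER[qual]
        elif mech.startswith("include:"):
            # an include matches only when the included record itself yields pass
            if spf_check(mech[8:], ip, depth + 1) == "pass":
                return QUALIFIER[qual]
    return "neutral"  # nothing matched and no explicit "all" mechanism

def dmarc_policy(domain):
    """Return the p= policy from domain's DMARC record, or None if absent/invalid."""
    tags = dict(re.findall(r"(\w+)\s*=\s*([^;]+)", TXT.get("_dmarc." + domain, "")))
    if tags.get("v", "").strip() != "DMARC1":
        return None
    return tags.get("p", "").strip() or None

def review_sender(ip, domain="oakland.edu"):
    """Answer two questionnaire items for one sending IP: does the domain's SPF
    record authorize it, and what policy applies to mail that fails DMARC."""
    return {"spf": spf_check(domain, ip), "dmarc_policy": dmarc_policy(domain)}
```

Note that the vendor record ends in `?all`, so every address the vendor ever adds to its `ip4:` list becomes authorized for oakland.edu through the `include:`, which is exactly the shared-infrastructure risk the second question asks about.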