Ensuring Email Delivery for External Vendors

Guidance for users to improve email deliverability and email security protocols.

Description

Ohio University uses three email authentication protocols to help protect our email: DMARC, SPF, and DKIM. The following is a guide for users working with external partners to improve email delivery and avoid the need for allow listing IP addresses. 

Understanding DMARC, SPF, and DKIM

• Domain: In terms of email, "domain" refers to the portion of an email address after the @ symbol. For most people reading this guide, that will be "ohio.edu". 

• DMARC (Domain-based Message Authentication, Reporting & Conformance): This helps us make sure no one uses our email address without permission. It ensures that emails from our domain are really sent by us. 

• SPF (Sender Policy Framework): This checks if an email comes from an authorized source. It helps confirm that the email is actually coming from our servers. 

• DKIM (DomainKeys Identified Mail): This adds a digital signature to our emails. When someone receives the email, their server can check the signature to be sure the email wasn't changed in transit and truly came from our domain. 

Discontinuation of Granting Exceptions

The practice of adding the IP addresses of senders to a list that bypasses spam filters is being discontinued. Granting exceptions can be useful in some cases, but it also has some drawbacks: 

• Security Risks: Granting exceptions to third parties can expose you to security threats, as hackers can spoof the IP addresses of trusted senders to send malicious emails. 

• Reduced Effectiveness of Email Authentication Protocols: Granting exceptions can undermine the effectiveness of DKIM, SPF, and DMARC. These protocols rely on the recipient's spam filters to verify the authenticity of the sender. 

• Deliverability Issues: Some email providers may reject or mark as spam emails that originate from IP addresses if they do not match the sender's domain. 

Improving Email Deliverability with External Senders

Instead of granting exceptions for third party IP addresses, consider the following best practices to enhance email deliverability with external vendors: 

• Implement Email Authentication Protocols: Request your vendors to set up DKIM, SPF, and DMARC for their domains and ensure they are configured correctly. These protocols help verify the authenticity of the sender and protect against email spoofing. 

• Use Consistent and Recognizable Sender Information: Encourage your vendors to use consistent and recognizable sender names and email addresses. Avoid using generic or free email services, as they can negatively impact deliverability. 

• Send Relevant and Engaging Content: Advise your vendors to send relevant and engaging content to recipients. Avoid sending too many or too frequent emails, as this can trigger spam filters and reduce deliverability. 

Best Practices to Avoid Missing Important Emails from External Vendors 

Even if your vendors follow best practices, some emails may still end up in your junk mail folder due to various factors. To avoid missing important emails from external vendors, consider the following user best practices: 

• Add Vendors to Your Contacts List: Add the email addresses of your vendors to your contacts list or mark them as safe senders. This tells your email provider that you trust these senders and want to receive their emails. 

• Regularly Check Your Junk Mail Folder: Regularly check your junk mail folder and move any legitimate emails from your vendors to your inbox. This helps your email provider learn that these emails are not spam and improves their deliverability in the future. 

• Report Spam or Phishing Emails: Report any spam or phishing emails you receive from your vendors or from anyone pretending to be them. This helps your email provider identify and block these malicious senders, protecting you and your vendors from fraud. 

Communicating with Vendors 

The following is sample verbiage users can utilize about these changes when communication with vendors: 

"On January 5, 2025, Ohio University will begin enforcing stricter sender authentication policy, which may impact third-parties sending from @ohio.edu email addresses. 

Our department/organization currently has an arrangement with you to send emails on our behalf. We'd like to continue that arrangement after the January deadline, but it won't be technically possible if your email system doesn't comply with our stricter policy. Messages you send on our behalf from ohio.edu addresses must be authenticated using DKIM and/or SPF. Can you please confirm that your email system is able to meet these standards? 

If it is necessary to make any changes, our IT team will need to be involved. Please provide us with a technical contact that our IT team can reach out to in order to get the process started." 

Get Help From OIT

• Visit the Email: Catmail, Microsoft Outlook page to create a ticket