PennO365: Sending email from a third-party application or vendor using a subdomain of @upenn.edu

Overview

This document outlines the prerequisites, requirements, and process to enable a third-party service to send email using a subdomain of upenn.edu. In this document, the third-level domain “example.upenn.edu” is used as an example of a subdomain of upenn.edu.

IMPORTANT: Please note that sending email from the shared @pobox.upenn.edu and the @upenn.edu domain itself is limited to ISC-managed email service providers. Exceptions must be approved by the ISC email routing team and OIS.

Prerequisites

Examples of third-party services include Salesforce, Mailchimp, and My Emma. If you don’t know whether you are using a third-party service, contact your LSP.

The following configurations are needed prior to a third-party service being enabled to send using a upenn.edu subdomain:

  • The desired email domain must be an approved third-level domain assigned according to the ITPC Network Policy, or a subdomain thereof. For more information on how to request a third-level domain, please see this resource article (linked below as well).
  • Ensure that mail delivery is set up and working correctly for the sending address. If you do not want to receive email at the sending address, use a valid ‘noreply’ address that is configured to accept and discard incoming messages. The ISC email routing team can help you set up such an address. Do not send from a non-existent email address, since that negatively impacts services delivering email across Penn.

Requirements

To send email from a third-party service with a high level of confidence that the email will not be rejected or marked as spam, two types of records need to be added to the DNS data of the upenn.edu subdomain that is being used:

(1) Sender Policy Framework (SPF) Record(s)

SPF records are used to prevent spammers from spoofing your domain name. Recipient servers can use the SPF record you publish in DNS to determine whether an email that they have received has come from an authorized server or not. The SPF record specifies which servers are authorized to send on behalf of the email domain, typically by listing the IP address(es) or IP address prefix(es) that the third-party service uses to send email. Obtain this information from the third-party service.

If an SPF record already exists for an email domain, modify it to insert the new third-party service information. It is an error to publish multiple SPF records for the same domain.

ISC offers a hosted SPF solution that enables a domain to authorize more sending servers than an ordinary SPF record does. Please contact the email routing team (using help@isc.upenn.edu) to enroll your email domain with this service.

(2) DomainKeys Identified Mail (DKIM) Record

DKIM is a form of email authentication that allows an organization to claim responsibility for a message in a way that can be validated by the recipient. DKIM uses public key cryptography to verify that an email message was sent from an authorized mail server, to detect forgery and to prevent delivery of harmful email like spam. Each DKIM record is identified by a unique selector and contains a public key generated by the third-party service.

Process

The steps to enable a third party to send from a upenn.edu subdomain are:

  1. Ensure that the prerequisites are met (see above).
  2. Obtain the SPF and DKIM information from the third-party service. This may include instructing the third-party service to enable DKIM.
  3. Create or update the applicable DNS records. Contact ISC Client Care for assistance and ask for your inquiry to be routed to the Email Services team.
  4. Send a test message from the third-party service to test the DNS configuration and successful delivery of the email message. If possible, send the test message to a willing recipient with a Yahoo! or Gmail address. Inspect the headers of the delivered message to determine the DKIM and SPF validation status.
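
The header inspection in step 4 can be scripted. The following is an added example, not part of the original document: it reads the Authentication-Results header that the receiving provider adds and reports whether an SPF or DKIM pass was recorded for the sending subdomain and its DKIM selector, rather than only for the vendor's own domain. The sample messages, the hosts mx.recipient.example and vendor.example, and the function names are constructed for illustration.

```python
import re
from email import message_from_string
from email.policy import default

# Constructed headers (not real mail): the sending domain signs and is the envelope sender.
ALIGNED = """\
Authentication-Results: mx.recipient.example;
 dkim=pass header.i=@example.upenn.edu header.s=penn1740 header.b=AbCdEfGh;
 spf=pass (sender IP is 198.51.100.25) smtp.mailfrom=bounce@example.upenn.edu
From: Department of Examples <sender@example.upenn.edu>
Subject: DNS configuration test

Test body.
"""
# Constructed headers: both checks pass, but only for the vendor's own domain.
VENDOR_ONLY = """\
Authentication-Results: mx.recipient.example;
 dkim=pass header.d=vendor.example header.s=s1 header.b=ZyXwVuTs;
 spf=pass smtp.mailfrom=bounces@mail.vendor.example
From: Department of Examples <sender@example.upenn.edu>
Subject: DNS configuration test

Test body.
"""

def domain_of(value):
    """Return the lowercased domain part of an address or bare domain."""
    return value.rsplit("@", 1)[-1].strip("<>").lower()

def auth_status(raw, domain, selector):
    """Report SPF/DKIM results and whether a pass was for our domain and selector."""
    msg = message_from_string(raw, policy=default)
    status = {"results": [], "spf_aligned": False, "dkim_aligned": False}
    for header in msg.get_all("Authentication-Results", []):
        text = re.sub(r"\([^)]*\)", " ", str(header))    # drop parenthesised comments
        for clause in text.split(";")[1:]:               # part 0 is the reporting server
            tokens = clause.split()
            if not tokens or "=" not in tokens[0]:
                continue
            method, result = tokens[0].lower().split("=", 1)
            props = dict(t.split("=", 1) for t in tokens[1:] if "=" in t)
            status["results"].append((method, result))
            if method == "spf" and result == "pass":
                status["spf_aligned"] |= domain_of(props.get("smtp.mailfrom", "")) == domain
            elif method == "dkim" and result == "pass":
                signer = domain_of(props.get("header.d") or props.get("header.i", ""))
                status["dkim_aligned"] |= (signer == domain and props.get("header.s") == selector)
    return status
```

A pass recorded only for the vendor's domain means the message authenticated, but not through the SPF and DKIM records published for example.upenn.edu.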

Example

The Department of Examples wants to send emails from sender@example.upenn.edu using a third-party service. The LSP updates the example.upenn.edu subdomain DNS records as follows, using the Proofpoint Hosted SPF solution in addition to IP prefixes, and a DKIM key identified by the selector “penn1740”:

SPF

Name: example.upenn.edu
Type: TXT
Value: v=spf1 include:%{ir}.%{v}.%{d}.spf.has.pphosted.com ip4:198.51.100.0/24 ip6:2001:db8:cafe:f00d::/64 ~all

DKIM

Name: penn1740._domainkey.example.upenn.edu
Type: TXT
Value: v=DKIM1; k=rsa; h=sha256; p=MIGfMA0GCSqGSIb3DQEBAQ ... ... ... ewIDAQAB

Resources