
PennO365: Sending email from a third-party application or vendor using a subdomain of @upenn.edu

Overview

This document outlines the prerequisites, requirements, and process to enable a third-party service to send email using a subdomain of @upenn.edu.  In this document, the third-level domain “research.upenn.edu” is used as an example of a subdomain of upenn.edu.

IMPORTANT: Please note that sending email using the @upenn.edu domain from a third-party service is prohibited.  There are no exceptions to this policy.

Prerequisites

The following are needed before a third-party service can be enabled to send using an @upenn.edu subdomain:

  • The desired third-level domain must be registered.  For more information on how to register a third-level domain, please see the Domain Names article.
  • If you intend to receive mail for the advertised sending address, ensure that mail delivery is set up and working correctly for the account.

Requirements

In order to send email from a third-party service with a high level of confidence that the email will not be marked as spam, two records need to be added to the DNS configuration of the @upenn.edu subdomain that is being used:

(1) Sender Policy Framework (SPF) Record(s)
SPF records are used to prevent spammers from spoofing your domain name. Recipient servers can use the SPF record you publish in DNS to determine whether an email that they have received has come from an authorized server or not. The servers are then able to make a decision about how to treat that email.

The SPF record will contain the IP address(es) or IP address range that the third-party service will be using to send email. This information will need to be obtained from the third-party service.

Example:

v=spf1 ip4:<IP address or range> [ip4:<additional address or range> ...] ~all

(2) DomainKeys Identified Mail (DKIM) Record
DKIM is a form of email authentication that allows an organization to claim responsibility for a message in a way that can be validated by the recipient. DKIM uses public key cryptography to verify that an email message was sent from an authorized mail server, in order to detect forgery and to prevent delivery of harmful email like spam.  The DKIM record will contain a public key generated by the same third-party service that provided the SPF information.

Example:

v=DKIM1; k=rsa; h=sha256; p=MIGfM30GCSqGSIv3DQEv3QU334GN3DCviQKvgQDmvSkO7TiWkvD4K+CqtJVCsfh0yFcOnvZfmhUZsjzKIivvvlhEYGyXdt3IToiCoYvp3Cf+Nt8gHtC/f7FSew+SWVxgGlWH7gSCeJ27icivCD8JNhvvCfveXvy7P5QJSq77ZvztzvML3cR+MOjtUd5YVKn31v4zh8xDw8P1qIcCcwID3Q3v

Process

The process to enable a third-party to send using an @upenn.edu subdomain is as follows:

  1. Client ensures that the prerequisites are met (see above).
  2. Client obtains the SPF record(s) and DKIM information from the third-party service. The client will update DNS with the records provided. If the client does not know how to do this, they can submit a request to ISC for us to do this on their behalf.
  3. Client submits request to the third-party service to enable the DKIM implementation.
  4. Client sends a test message from the third-party service to test the DNS configuration and successful delivery of the email message. The email headers will provide the DKIM and SPF validation status.
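
One way to read the result of the test message in step 4, as an added example that is not part of the original article or of Penn's tooling: it parses the Authentication-Results header added by the receiving server and reports whether SPF and DKIM passed for research.upenn.edu itself, since a DKIM pass for the vendor's own signing domain does not exercise the subdomain's DNS record. The sample headers, mx.example.net, mailer.example.com and the selector s1 are constructed placeholders.

```python
import re
from email import message_from_string

SUBDOMAIN = "research.upenn.edu"  # sending subdomain used as the example in this article

# Constructed test-message headers (not captured from a real system).
# mx.example.net and mailer.example.com are placeholder names.
SAMPLE = """\
Authentication-Results: mx.example.net;
 spf=pass smtp.mailfrom=bounce@research.upenn.edu;
 dkim=pass header.d=mailer.example.com header.s=s1;
 dkim=pass header.d=research.upenn.edu header.s=scph0818
From: sender@research.upenn.edu
Subject: DNS configuration test

test body
"""

def parse_auth_results(raw_message):
    """Return [(method, result, {property: value})] for every spf/dkim result."""
    msg = message_from_string(raw_message)
    found = []
    for header in msg.get_all("Authentication-Results", []):
        # Drop parenthesised comments, then unfold the header onto one line.
        unfolded = " ".join(re.sub(r"\([^)]*\)", " ", header).split())
        # The first ';'-separated field names the receiving server; skip it.
        for clause in unfolded.split(";")[1:]:
            m = re.match(r"\s*(spf|dkim)\s*=\s*(\w+)(.*)", clause, re.I)
            if m:
                props = dict(re.findall(r"([\w.]+)=(\S+)", m.group(3)))
                found.append((m.group(1).lower(), m.group(2).lower(), props))
    return found

def check_subdomain_auth(raw_message, subdomain=SUBDOMAIN):
    """A method counts only if a 'pass' result names the subdomain itself."""
    status = {"spf": False, "dkim": False}
    for method, result, props in parse_auth_results(raw_message):
        if result != "pass":
            continue
        if method == "spf":
            domain = props.get("smtp.mailfrom", "").rpartition("@")[2]
        else:
            domain = props.get("header.d", "")
        if domain.lower() == subdomain:
            status[method] = True
    return status

if __name__ == "__main__":
    print(check_subdomain_auth(SAMPLE))
```
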

Example

The Office of the Vice Provost wants to send emails from sender@research.upenn.edu using a third-party service.  The DNS records for the research.upenn.edu subdomain were updated as follows:

SPF = v=spf1 ip4:192.168.2.12 ~all

DKIM = scph0818._domainkey.research.upenn.edu =
v=DKIM1; k=rsa; h=sha256;    p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDHADeg2uMX0ZaDvQFgk0j//g4zdkyXCuOmO2U3eT84s+8LdWVDa9i9TL12Svh/fmyRK1lG4LSj0uTIf5P60WuANTLHgQt0HTazgEa40bAIy1OJ1eNVbQUG4mmCtRgDFp3ncpqN4r7EbaRk+qC5citQH/mVPGR6Y9Ydag9L1UR+ewIDAQAB
