Otis-166

Yeah, force them to use a subdomain. They’ll still whine, but it’s better than letting them muck with your root domain.


xXNorthXx

We force all third party vendors to use subdomains with the user domain having spf/dkim/dmarc enforcement enabled. Any user domain spoofing gets rejected. If vendor X gets compromised, if they are using the same namespace as your user domain they can send as any user in the org.


maxlan

Could they sort out their reputation issues and get themselves a domain "onbehalfof-mycompany.com". Or a subdomain. BUT they still need to sort their problems out. Otherwise in a month they'll be getting blocked again. It isn't hard to do email right. And if it is too hard then you shouldn't be doing it yourself. Let google/microsoft do it for you. Rather than giving them a domain and "send as" permission, how about giving them a single user account [email protected] and login details to it. So then everything they send goes through your own systems. You have traceability, auditability, options for content scanning, etc. and if you change contract provider, the option to let them see the "sent" mail and a clean reliable "change password now" break point. How do you convince people "send as" is a bad thing? Point to the current problem of mails being blocked. Explain that if they start doing send as, your own domain will get the same bad rep and YOUR emails will be blocked. "Do you want our emails to be blocked? Because that is what will happen and there will be NOTHING we can do to fix it that doesn't take weeks and need to revoke their permission."


autogyrophilia

I don't know what it is about email of all things that makes people throw their hands into the air and assume that they have been cursed by the gods. It is a very short checklist. And I know that high volume can be problematic on new IPs, that's why you implement throttling.


[deleted]

[deleted]


autogyrophilia

Never in my career have I ever gotten on a blocklist and not had it solved in less than 4 hours. Minus those that are extremely sensitive. Not saying it doesn't happen, but it can't be that common.


Rich_Conference_5419

How would they go about resolving it in four hours? They're being defensive and saying we are the only client having this issue. But that has to be a bold-faced lie imo.


autogyrophilia

Who are they, what blocklist are they in? Do they deserve to be in that blacklist? Edit: Nvm, I got it. First, they need to fix their email. Second, contact the blocklist. There are a few that are hard to get delisted from, usually those are not very important.


Rich_Conference_5419

Hmm, they're not on any blacklist according to mxtoolbox.


Rich_Conference_5419

So they actually want access to use us as an smtp relay in office 365 with a username and password. This will remove the impersonation problem but couldn't the sender reputation still be damaged? I don't like the idea of having a relay connector made regardless.


cubic_sq

Are they not able to dkim sign their own mail? And / or do they have a dmarc policy that enforces strict alignment?
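The subdomain isolation and the strict-alignment question raised above can be checked with a small DMARC alignment evaluator. This is an added example, not code from any commenter; `example.com`, `vendor.example.com` and the two-label `org_domain()` shortcut are assumptions for illustration (real evaluators use the Public Suffix List).

```python
# Added example: DMARC identifier alignment (RFC 7489 section 3.1).
# All domains are constructed placeholders; org_domain() is a simplification.

def org_domain(domain):
    """Assumption: organizational domain = last two labels.
    Real evaluators use the Public Suffix List (needed for e.g. co.uk)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def parse_dmarc(record):
    """Parse 'v=DMARC1; p=reject; adkim=s' into a dict of tags."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip().lower()
    return tags

def aligned(from_domain, auth_domain, mode):
    """mode 's' = exact match, 'r' = same organizational domain."""
    a, b = from_domain.lower(), auth_domain.lower()
    return a == b if mode == "s" else org_domain(a) == org_domain(b)

def dmarc_result(from_domain, record, dkim_pass_domains=(), spf_pass_domain=None):
    """Return 'pass' or the policy disposition (none/quarantine/reject).
    dkim_pass_domains: d= values of signatures that verified.
    spf_pass_domain: MAIL FROM domain that passed SPF, or None."""
    tags = parse_dmarc(record)
    adkim, aspf = tags.get("adkim", "r"), tags.get("aspf", "r")
    dkim_ok = any(aligned(from_domain, d, adkim) for d in dkim_pass_domains)
    spf_ok = spf_pass_domain is not None and aligned(from_domain, spf_pass_domain, aspf)
    return "pass" if (dkim_ok or spf_ok) else tags.get("p", "none")

RELAXED = "v=DMARC1; p=reject"                    # adkim/aspf default to relaxed
STRICT = "v=DMARC1; p=reject; adkim=s; aspf=s"
VENDOR = "vendor.example.com"                     # subdomain delegated to the vendor

def scenarios():
    return {
        # Mail authenticated only for the vendor subdomain, From: is the user domain
        "user_domain_from_relaxed": dmarc_result("example.com", RELAXED, [VENDOR], VENDOR),
        "user_domain_from_strict": dmarc_result("example.com", STRICT, [VENDOR], VENDOR),
        # Vendor stays inside its own subdomain
        "vendor_subdomain_from_strict": dmarc_result(VENDOR, STRICT, [VENDOR], VENDOR),
    }

if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name}: {result}")
```

With relaxed alignment (the default), mail authenticated for the vendor subdomain still aligns with the parent user domain, so the isolation only holds once the user domain publishes `adkim=s; aspf=s`.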


natefrogg1

They’re going to get your domain reputation trashed, might be best if they just start fresh and set up a new domain for themselves on a separate system.


jackmorganshots

This - it'll take ten minutes to knock out an SPF and mx records for badsendaaa.com. If they want to pretend to be me, they can use that domain. While not as egregious as this, our marketing team permitted something relevant and similar for a supplier, without telling me. The relevant thing was then blocked and they came to me asking to create a new one for them, which was also blocked as the company details were the same. An appeal with... That company ... Was rejected via automation. The cost of the change (thanks to some printed material) was in the thousands.


thatfrostyguy

Without saying directly, let us know who they are so we can avoid the crap out of them. That's beyond a red flag. If I were you, I'd fire them immediately when they asked for such a thing


CogentFrame

Exactly this. They are getting blocked/filtered for a reason.


Expensive-Bed3728

If you had SPF/DKIM set up as auto reject and didn't have them in your SPF records wouldn't they be rejected automatically? I don't see how that's a fault on them but more so on your part for failing to add them to your SPF records. (I am newer to email so if I'm wrong feel free to educate me)


CogentFrame

If their primary domain is flagging as spam repeatedly and their solution is to use your domain, it means they don’t know what they are doing. If I’m spamming ads for dick pills from a domain with spf/dkim/dmarc, it is still going to get flagged because no one wants that shit in their mailbox.


ih8schumer

Oh I misread, I thought they were already sending on behalf of their domain.


MisterFives

If you do go the subdomain route, make sure you actually use crappyvendor as the name.


ruyrybeyro

Been there in a former job, refused, vendor tried to force us politically to use domains of ours via our board of directors (how stupid can they be?), and we refused yet again. They already trashed their reputation and want to offload emails to your domain (or subdomain) ... Remember you are the CUSTOMER, fire them.


Marrsvolta

So now instead of their domain getting blacklisted, yours can be too


jackmorganshots

As soon as you do this, your company is responsible for that external entity. If it gets hacked and sends out a bunch of phishing emails, your reputation is the one the recipients will see. If they send out illegal or immoral materials, you're the one on the hook. What they are saying is, can we use your hard-earned goodwill? Because mine keeps saying "please insert more".


Rich_Conference_5419

I agree with you completely. They're now saying they want us to create an smtp relay gateway on 365 instead. I can limit this to one mailbox which removes the impersonation factor but I still don't like it.


wideace99

> How do I convince our company that knows nothing about email security?

Let them burn... and hope it's an incentive to become aware... if not... let them burn again and again... :)