Technical Requirements for Third Party Mailers

Texas A&M University requires that all prospective vendors fulfill the following technical requirements to ensure secure, effective, and compliant email communication practices:

1. Email Authentication Protocols

  • SPF (Sender Policy Framework):

    • The third party mailer must utilize their domain for the Envelope Address, ensuring that SPF passes.
  • DKIM (DomainKeys Identified Mail):

    • All outgoing emails, including those sent from third-party services, must be DKIM signed.
    • Texas A&M University will host the DKIM record as a CNAME or TXT record, allowing the use of *tamu.edu within the Header From address (if approved by Marketing/Technical representatives).
  • DMARC (Domain-based Message Authentication, Reporting & Conformance):

    • All messages from third-party mailers must pass DMARC and sign messages using a DKIM signature.
    • The From: header must align with either the SPF domain or the DKIM domain.

2. Compliance and Deliverability

  • Spam Rates:

    • Vendors must ensure that spam rates remain below 0.3%.
  • Unsubscribe Mechanism:

    • A one-click unsubscribe option must be included in all email campaigns.

3. Rationale for Requirements

  • These requirements are necessary to comply with stricter sender guidelines implemented by major email providers like Gmail and Yahoo.
  • Adhering to these best practices helps reduce fraudulent spam and phishing messages, ensuring that critical communications reach their intended audience and maintain the University's sender reputation.

4. Specific Reasoning for SPF and DKIM Requirements

  • SPF operates on the email envelope, not the body or message header.

    • This means that SPF checks the domain in the Envelope Address, which is only visible to the mail servers handling the delivery, not to the end recipients.
  • SPF is an older protocol and limits the number of networks that can be included in a policy.

    • Given the size and scope of Texas A&M University's email infrastructure, combined with security concerns surrounding IP address trust, SPF is not a sustainable model for authenticating mail for third party mailers on behalf of Texas A&M University.
  • DKIM operates on the Header From address, not the Envelope address.

    • The Header From address is visible to the intended recipient through their email client, providing a more transparent and reliable method of authentication.
  • DKIM is a newer, superior method for authenticating mail using a cryptographic key pair.

    • It scales well because a selector can be created for each third-party service, and unlike SPF, it does not rely on IP addresses for determining authenticity.
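
The DMARC alignment rule from section 1 and the SPF/DKIM reasoning above can be checked on a delivered test message. The following is an added example, not Texas A&M tooling: it reads the Authentication-Results header stamped by the receiving server and applies relaxed alignment. The names vendor.example, mx.recipient.example and the selector vendor1 are constructed, and the organizational domain is approximated by the last two labels.

```python
import re
from email import message_from_string
from email.utils import parseaddr

def org_domain(domain):
    # Simplification (assumption): last two labels. Real evaluators use the Public Suffix List.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def dmarc_alignment(raw_message, authserv_id):
    """Return (spf_aligned, dkim_aligned, dmarc_pass) for one received message."""
    msg = message_from_string(raw_message)
    from_org = org_domain(parseaddr(msg["From"])[1].rpartition("@")[2])
    spf_aligned = dkim_aligned = False
    for header in msg.get_all("Authentication-Results", []):
        clauses = header.split(";")
        # Only trust results stamped by our own receiving server.
        if clauses[0].strip().lower() != authserv_id.lower():
            continue
        for clause in clauses[1:]:
            m = re.match(r"\s*(spf|dkim)=pass\b", clause, re.I)
            if not m:
                continue
            # SPF authenticates the envelope domain, DKIM the signing (d=) domain.
            prop = "smtp.mailfrom" if m.group(1).lower() == "spf" else "header.d"
            d = re.search(re.escape(prop) + r"=([^\s;]+)", clause)
            if d and org_domain(d.group(1).rpartition("@")[2]) == from_org:
                if prop == "header.d":
                    dkim_aligned = True
                else:
                    spf_aligned = True
    # DMARC needs at least one passing mechanism aligned with the From: header.
    return spf_aligned, dkim_aligned, spf_aligned or dkim_aligned

# Constructed sample: vendor envelope domain, tamu.edu DKIM signature (the model above).
COMPLIANT = (
    "Authentication-Results: mx.recipient.example;\n"
    " spf=pass smtp.mailfrom=bounces.vendor.example;\n"
    " dkim=pass header.d=tamu.edu header.s=vendor1\n"
    "From: Campus News <news@tamu.edu>\n"
    "Subject: test\n\nbody\n"
)
# Constructed sample: same mail, signed only with the vendor's own DKIM domain.
UNALIGNED = COMPLIANT.replace("header.d=tamu.edu", "header.d=vendor.example")

if __name__ == "__main__":
    print(dmarc_alignment(COMPLIANT, "mx.recipient.example"))
    print(dmarc_alignment(UNALIGNED, "mx.recipient.example"))
```

In the first sample SPF passes but is not aligned, so DMARC passes only because of the tamu.edu DKIM signature; in the second, both mechanisms pass on the vendor's domain and DMARC still fails.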

5. MX Records

  • Texas A&M University will not publish MX records for a tamu.edu domain name that points to an external gateway.
  • All mail intended for tamu.edu domain names will be received by Texas A&M University.

6. Domain Name Requirements

  • Vendors must either use their domain name or one of Texas A&M University's existing domains.
  • Texas A&M University will not create a new domain to send or receive mail.
  • Only existing domains can be used for third-party mailers.

7. Consequences of Non-Compliance

  • Failure to comply with these guidelines after February 2024 may result in messages being flagged as spam, quarantined, or rejected, significantly impacting the domain's reputation and communication efforts.
  • Sustained non-compliance can lead to the domain or IP address being blocked entirely, severely affecting the ability to send messages.

A third party mailer is any service that sends messages on behalf of the tamu.edu domain or a subdomain. These include:

  • Email sent from third party mailers (marketing platforms like MailChimp and SendGrid)
  • Email sent directly from cloud applications (SaaS providers, Amazon SES, etc.)
  • Email sent externally that does not traverse approved email gateways

To prevent fraudulent practices and ensure that messages make it to the recipient's inbox, email security protocols will need to be implemented. All messages from third-party mailers will need to pass DMARC and sign messages using a DKIM signature. For more information see Email Authentication Protocols.

Requesting a third party mailer

To request that a third party mailer be configured for the tamu.edu domain or subdomain:

  1. Choose a third party mailer and follow the instructions provided by the vendor to set up the account and request the needed DNS changes.
  2. Fill out this Google Form.
  3. A ticket will be created.
  4. The ticket will be reviewed and routed to the following individuals for approval:
    • Domain Owner
    • Technical Representative
    • Marketing Representative
    • Cloud and Platform Security
  5. If approved, the ticket will be routed to the Infoblox team to fulfill the request.
  6. Once completed, you will be notified that your request has been fulfilled.

If you have questions or need help, please feel free to reach out to cloudsecurity@tamu.edu for assistance.

warning

If you use a third-party service that sends messages on behalf of the tamu.edu domain or a subdomain, you should verify your compliance with the provided tools.

You can use the DMARC Check Website to check your DMARC compliance.

For more information, see the DMARC Check and DMARC Report pages.