Email server guidelines

Document ownership

The Director, Technology Integrated Services (TIS), Information Systems & Technology (IST), has the responsibility for maintaining this document and providing guidance and advice on its implementation.

Background information

In 2017, the Computing Technology and Services Committee (CTSC) formed an email working group consisting of email administrators from all faculties to investigate both how the uwaterloo.ca domain is used for email and the routing and use of non-uwaterloo.ca domains and sub-domains.

General principles

Mission

The mission was to create a guideline to improve the reputation of the uwaterloo.ca domain while considering:

  • Email policies for all mail servers operating at the University of Waterloo
  • The interoperability between centralized and non-centralized mail servers
  • What requirements justify running a non-central mail server
  • How end users are supported
  • Expectations for interactions between mail admins when troubleshooting on behalf of end users

Goals

The goals of the working group were to:

  • Be able to enable Domain-based Message Authentication, Reporting and Conformance (DMARC) and create an effective Sender Policy Framework (SPF) record
  • Improve the reputation of the University of Waterloo email
  • Simplify user experience and troubleshooting
  • Understand that email delivery/routing may differ from providing an end user mailbox

Examination of mail delivery

The working group examined the delivery of email to and from the following:

  • user@uwaterloo.ca
  • user@subdomain.uwaterloo.ca
  • user@domain.tld

Guidelines

From this work the following guidelines were established:

  1. Email sent to user@uwaterloo.ca and user@subdomain.uwaterloo.ca
    1. Inbound SMTP should be restricted, with exceptions for specific and limited servers
    2. Staff/faculty/graduate student mailboxes should reside on Microsoft 365, unless a technical reason exists not to
    3. Vanity sub-domains should be migrated to Microsoft 365
    4. A centralized mailing list server with dynamic group memberships should exist
    5. A centralized aliasing service should be investigated
    6. Forwarding to off-campus addresses should be discontinued
    7. Forwarding from an on-campus server to another on-campus server should be discontinued
    8. The mail routing attribute in WatIAM should contain the final destination of the mailbox
  2. Email from user@uwaterloo.ca from an on-campus system or an end-user client
    1. SPF records should be restricted to specific and limited servers
    2. Outbound SMTP should be restricted
    3. Outbound mail should be routed through IST’s centralized email gateway, either directly or indirectly
  3. Email from user@uwaterloo.ca from an off-campus system (e.g. SaaS/Cloud)
    1. Request for proposal (RFP) templates should be modified to include requirements for sending email and appropriate usage of the @uwaterloo domain
    2. Cloud providers must (in order of preference):
      1. use a non-uwaterloo.ca domain for sending email, or
      2. if there is a business requirement for sending email as @uwaterloo.ca, the vendor must use a custom envelope address and pass DMARC alignment, or
      3. if there is a business requirement for sending email as @uwaterloo.ca and the vendor cannot use its own custom envelope address, it must be able to use a custom envelope address provided by UW and pass DMARC alignment, or
      4. use a sub-domain of uwaterloo.ca (e.g. faculty.uwaterloo.ca)
  4. Email to user@*domain.tld, where domain.tld is not uwaterloo.ca
    1. Approved domains should be treated similarly to @*uwaterloo.ca, and mailboxes should reside on Microsoft 365, unless a technical reason exists not to
    2. Direct outbound SMTP should be restricted, with exceptions for specific and limited servers
    3. If non-approved domains are used, firewall exceptions can be made for select local faculty servers to accept and transmit mail directly (subject to any other security policies)
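The "custom envelope address and pass DMARC alignment" requirement in guideline 3 above hinges on identifier alignment: the domain in the visible From: header must match (exactly, or at the organizational-domain level in relaxed mode) the domain that SPF or DKIM actually authenticated. The following Python script is an added illustration of that check, not part of this guideline and not IST's own tooling. It assumes the SPF and DKIM pass/fail outcomes are supplied by the caller (a real receiver computes them from DNS and signature verification), uses a simplified "last two labels" organizational-domain rule rather than the Public Suffix List, and runs on constructed sample messages embedded in the block.

```python
"""Constructed DMARC identifier-alignment check (added example, not IST code).

Models the guideline's vendor options: a third party sending as @uwaterloo.ca
only aligns if its envelope (Return-Path) domain or DKIM d= domain is in the
uwaterloo.ca organizational domain. SPF/DKIM results are passed in by the
caller because DNS lookups and signature verification are not run here.
"""
import re
from email import message_from_string
from email.utils import parseaddr


def domain_of(address):
    """Lower-cased domain part of an address header value ('' if none)."""
    addr = parseaddr(address)[1]
    return addr.rsplit('@', 1)[-1].lower() if '@' in addr else ''


def org_domain(domain):
    """Simplified organizational domain: keep the last two labels.
    Assumption: real DMARC derives this from the Public Suffix List."""
    labels = domain.strip('.').split('.')
    return '.'.join(labels[-2:])


def identifiers_aligned(from_domain, auth_domain, mode='relaxed'):
    """Strict mode needs an exact match; relaxed compares organizational domains."""
    if not from_domain or not auth_domain:
        return False
    if mode == 'strict':
        return from_domain == auth_domain
    return org_domain(from_domain) == org_domain(auth_domain)


def dkim_signing_domain(msg):
    """Extract the d= tag from the first DKIM-Signature header, if any."""
    sig = msg.get('DKIM-Signature', '')
    m = re.search(r'(?:^|;)\s*d=([^;\s]+)', sig)
    return m.group(1).lower() if m else ''


def evaluate_dmarc(raw_msg, spf_result='none', dkim_result='none', mode='relaxed'):
    """Return the alignment verdict for one message.

    spf_result / dkim_result are 'pass', 'fail' or 'none' as a receiver
    would report them; an identifier only counts when it both passed and
    aligns with the From: domain.
    """
    msg = message_from_string(raw_msg)
    from_dom = domain_of(msg.get('From', ''))
    spf_dom = domain_of(msg.get('Return-Path', ''))   # envelope sender domain
    dkim_dom = dkim_signing_domain(msg)
    spf_aligned = spf_result == 'pass' and identifiers_aligned(from_dom, spf_dom, mode)
    dkim_aligned = dkim_result == 'pass' and identifiers_aligned(from_dom, dkim_dom, mode)
    return {
        'from_domain': from_dom,
        'spf_domain': spf_dom,
        'dkim_domain': dkim_dom,
        'spf_aligned': spf_aligned,
        'dkim_aligned': dkim_aligned,
        'dmarc_pass': spf_aligned or dkim_aligned,
    }


# Constructed sample messages (not real mail). Option 1 style: the vendor
# bounces to its own domain, so even an SPF pass does not align.
VENDOR_OWN_ENVELOPE = """\
Return-Path: <bounce@mail.vendor-example.com>
From: Registrar <registrar@uwaterloo.ca>
To: student@example.org
Subject: constructed sample

body
"""

# Option 2/3 style: custom envelope address under uwaterloo.ca plus a DKIM
# signature whose d= is also under uwaterloo.ca (tag values are placeholders).
VENDOR_CUSTOM_ENVELOPE = """\
Return-Path: <bounce@notify.uwaterloo.ca>
DKIM-Signature: v=1; a=rsa-sha256; d=notify.uwaterloo.ca; s=sel; h=from:to; bh=PLACEHOLDER; b=PLACEHOLDER
From: Registrar <registrar@uwaterloo.ca>
To: student@example.org
Subject: constructed sample

body
"""

if __name__ == '__main__':
    for name, raw in (('vendor envelope', VENDOR_OWN_ENVELOPE),
                      ('custom envelope', VENDOR_CUSTOM_ENVELOPE)):
        for mode in ('relaxed', 'strict'):
            verdict = evaluate_dmarc(raw, spf_result='pass', dkim_result='pass', mode=mode)
            print(f"{name:16s} {mode:8s} dmarc_pass={verdict['dmarc_pass']}")
```

Note that relaxed alignment is what lets a sub-domain such as notify.uwaterloo.ca satisfy the requirement while the From: header stays @uwaterloo.ca; if the DMARC record for uwaterloo.ca were published with strict alignment (aspf=s / adkim=s), the same message would fail, which is worth confirming with a vendor before the record is tightened.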

Updated February 2024