Email server guidelines

Document ownership 

The Director, Technology Integrated Services (TIS), Information Systems & Technology (IST), has the responsibility for maintaining this document and providing guidance and advice on its implementation.   

Background information  

The following email guidelines have been established to improve email security campus-wide. Beyond these guidelines, email servers should also require strong authentication (e.g., two-factor authentication (2FA)) on all protocols and have inbound and outbound email protected by the University’s email security appliance. Most technical requirements for electronic mail, including vanity domains, can be supported by the University’s Microsoft 365 environment.  

General principles 

Mission 

Provide guidelines to improve the reputation of the uwaterloo.ca domain (thus improving overall email delivery) while considering: 

  • Email policies for all mail servers operating at the University of Waterloo 
  • The interoperability between centralized and non-centralized mail servers 
  • What requirements justify running a non-central mail server 
  • How end users are supported 
  • Expectations between mail admin interactions to provide troubleshooting to end users 

Goals 

  • Be able to enable Domain-based Message Authentication, Reporting and Conformance (DMARC) and create an effective Sender Policy Framework (SPF) record. 
  • Improve the reputation of the University of Waterloo email. 
  • Simplify user experience and troubleshooting. 
  • Understand that email delivery/routing may differ from providing an end user mailbox. 

Examination of mail delivery 

The delivery of email to and from the following addresses is addressed in these guidelines: 

  • user@uwaterloo.ca 
  • user@subdomain.uwaterloo.ca 
  • user@domain.tld 

Guidelines

Recommended option 

IST to fully support domain (external domains and subdomains of uwaterloo.ca), MX records and mailboxes.  

  • In this option, IST will take ownership of the domain in DNS (if not done already).  
  • The domain Mail Exchanger (MX) records will be pointed to IST’s email gateway for SPAM and Virus scanning.  
  • Mail recipients will be set up on Microsoft 365 (M365) with the corresponding email address(es) added to mailboxes in M365.  
  • Email for this domain will be sent from M365 through IST’s email gateways.  
  • Email gateways will be set up to use SPF / DKIM / DMARC for the domain being transferred. SPF / DKIM / DMARC will have strict enforcement. 
  • Current mail servers will be shut down.  

Existing decentralized Faculty email servers

IST to support MX records and forward sanitized email to current mail servers.  

Decentralized Faculty IT email servers that currently exist under this model (e.g., engmail, artsmail, scimail) will be permitted to remain if the following criteria are met. IST may reassess the decentralized email server environment in the future.

  • In this option, IST will have the MX records of the domain pointed at IST’s email gateways for SPAM and Virus scanning.  
  • Email will then be relayed to the current email servers for acceptance.  
  • Outbound email messages sent from the current email servers will be relayed through IST’s email gateways for SPAM and Virus scanning.  
  • No email should be accepted from or sent directly to the internet by the current mail servers. SPF / DKIM / DMARC will have strict enforcement.  

Use of Cloud provider 

Guidelines when sending email from user@uwaterloo.ca from an off-campus system (e.g., SaaS/Cloud).

  1. Request for proposal (RFP) templates should be modified to include requirements for sending email and appropriate usage of the @uwaterloo.ca domain. 
  2. Cloud providers must (in order of preference): 
    1. use a non-uwaterloo.ca domain for sending email, or 
    2. if there is a business requirement for sending email as @uwaterloo.ca, use a custom envelope address and pass Domain-based Message Authentication, Reporting and Conformance (DMARC) alignment, or 
    3. if there is a business requirement for sending email as @uwaterloo.ca and the vendor cannot supply its own custom envelope address, use a custom envelope address provided by UW and pass DMARC alignment, or 
    4. use a sub-domain of uwaterloo.ca (e.g., faculty.uwaterloo.ca): 
      1. The sub-domain must also be capable of receiving and processing incoming email (e.g., bounce messages). 
      2. Sub-domain eligibility criteria must independently be met. 
      3. Sub-domains are a last resort and will be approved on a case-by-case basis. 
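The alignment requirement behind options 2 to 4 can be checked mechanically. The following is an added example, not part of these guidelines or of any IST tooling: it models the DMARC identifier-alignment test an inbound gateway applies, and the vendor and envelope domain names it uses (mail.vendor-example.net, bounce.uwaterloo.ca) are constructed for illustration.

```python
# Added example (not IST code): DMARC identifier alignment for third-party senders.
# SPF alignment compares the envelope (RFC5321.MailFrom) domain with the header
# From (RFC5322.From) domain; DKIM alignment compares the DKIM d= domain with it.

def organizational_domain(domain: str) -> str:
    """Simplified derivation that assumes a two-label organizational domain
    (e.g., uwaterloo.ca); real evaluators consult the Public Suffix List."""
    labels = domain.lower().strip(".").split(".")
    return ".".join(labels[-2:])

def is_aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """Relaxed ('r'): same organizational domain. Strict ('s'): exact match."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return organizational_domain(auth_domain) == organizational_domain(from_domain)

def dmarc_passes(from_domain, mail_from_domain, spf_pass, dkim_domain, dkim_pass,
                 aspf="r", adkim="r"):
    """DMARC passes when at least one authenticated identifier (SPF envelope
    domain or DKIM d= domain) aligns with the header From domain."""
    spf_aligned = spf_pass and is_aligned(mail_from_domain, from_domain, aspf)
    dkim_aligned = dkim_pass and is_aligned(dkim_domain, from_domain, adkim)
    return bool(spf_aligned or dkim_aligned)

def evaluate_scenarios():
    """Constructed cases mirroring the options above; all domains are illustrative."""
    vendor = "mail.vendor-example.net"   # hypothetical SaaS sender
    envelope = "bounce.uwaterloo.ca"     # hypothetical custom envelope domain
    return {
        # Vendor sends From: @uwaterloo.ca using its own envelope and DKIM domain:
        # SPF and DKIM both authenticate, but neither aligns, so DMARC fails.
        "unaligned_vendor": dmarc_passes("uwaterloo.ca", vendor, True, vendor, True),
        # Options 2/3: a custom envelope under uwaterloo.ca gives aligned SPF.
        "custom_envelope": dmarc_passes("uwaterloo.ca", envelope, True, vendor, True),
        # The same message under strict SPF alignment (aspf=s) no longer aligns.
        "custom_envelope_strict": dmarc_passes("uwaterloo.ca", envelope, True,
                                               vendor, True, aspf="s"),
        # Option 4: a dedicated sub-domain used as both From and envelope domain.
        "subdomain": dmarc_passes("faculty.uwaterloo.ca", "faculty.uwaterloo.ca",
                                  True, "faculty.uwaterloo.ca", True),
        # An SPF failure means the envelope domain never counts, even if aligned.
        "spf_fail": dmarc_passes("uwaterloo.ca", envelope, False, vendor, True),
    }
```

The unaligned case is exactly the one the preference list is designed to prevent: the vendor's own infrastructure authenticates, yet the message is rejected or quarantined under an enforcing DMARC policy for uwaterloo.ca.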

Get support 

Questions about these guidelines may be submitted to Steve Bourque, IST’s Director of Technology Integrated Services (TIS). 

To request migration support, please submit a ticket via the IST Help Portal.