Blog Manager
I'm the Information Security Manager at Janet and through this blog I'll be sharing some of my experiences, ideas and thoughts on information security topics.

Suppliers and DMARC

Thursday, October 12, 2017 - 13:04

When using software as a service (SaaS) there may be legitimate reasons for an external party to create e-mails from @jisc.ac.uk addresses. In the past this would have been a clear indication of phishing or other attacks, but now we need a more sophisticated approach to separating legitimate mails from malicious ones.

DMARC, DKIM and SPF provide us with the tools to authenticate senders of e-mails. Jisc is not quite at the stage where we can authenticate all our legitimate sources of e-mails, but we’ve also been working to ensure that new suppliers don’t further complicate the landscape and can work within our strategy for DMARC compliance.

Where relevant we have asked suppliers that they must:

- Confirm that where the system sends e-mail from Jisc owned domains, it does so in a way that complies with DMARC.
- Describe the system's support for sending DMARC compliant e-mail. Our options for achieving this, in order of preference, are:

  1. DKIM signing using keys under the jisc.ac.uk domain
  2. SPF authorisation using an include: of your records within ours
  3. SPF authorisation by listing IP addresses in our SPF records
  4. Relaying of mail through a Jisc managed MSA
  5. The solution never sends mail from a Jisc owned domain

Implementing one of these five steps helps us identify legitimate e-mail sent by third party applications.
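The reason options 1 to 3 work is DMARC identifier alignment: an SPF or DKIM "pass" only counts if the authenticated domain matches the jisc.ac.uk domain in the From header. The following is an added example (not code from this post or from Jisc) that evaluates that alignment for three constructed supplier set-ups, with supplier-mail.example as a hypothetical supplier domain and a small hand-picked subset of the Public Suffix List standing in for the real one.

```python
from dataclasses import dataclass

# Constructed subset of the Public Suffix List; a real evaluator loads the full list.
PUBLIC_SUFFIXES = {"com", "net", "org", "uk", "co.uk", "ac.uk", "example"}

def org_domain(domain: str) -> str:
    """Organisational domain: the label directly below the longest public suffix."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[max(i - 1, 0):])
    return ".".join(labels[-2:])

def aligned(header_from: str, auth_domain: str, mode: str) -> bool:
    """RFC 7489 alignment: 's' needs an exact match, 'r' the same organisational domain."""
    f, a = header_from.lower(), auth_domain.lower()
    return f == a if mode == "s" else org_domain(f) == org_domain(a)

@dataclass
class AuthResults:
    header_from: str   # domain of the RFC5322.From header (what the recipient sees)
    spf_result: str    # SPF verdict for the RFC5321.MailFrom domain
    spf_domain: str    # the RFC5321.MailFrom domain SPF was evaluated against
    dkim_result: str   # verdict of the DKIM signature verification
    dkim_domain: str   # d= tag of the verified DKIM signature

def dmarc_evaluate(r: AuthResults, adkim: str = "r", aspf: str = "r") -> dict:
    """DMARC passes when at least one authenticated identifier aligns with From."""
    dkim_ok = r.dkim_result == "pass" and aligned(r.header_from, r.dkim_domain, adkim)
    spf_ok = r.spf_result == "pass" and aligned(r.header_from, r.spf_domain, aspf)
    return {"dmarc": "pass" if (dkim_ok or spf_ok) else "fail",
            "dkim_aligned": dkim_ok, "spf_aligned": spf_ok}

# Constructed samples of three supplier set-ups; supplier-mail.example is hypothetical.
CASES = {
    # Option 1: supplier signs with a DKIM key published under jisc.ac.uk
    "dkim_key_under_jisc": AuthResults("jisc.ac.uk", "pass", "bounce.supplier-mail.example",
                                       "pass", "jisc.ac.uk"),
    # Options 2/3: supplier authorised in SPF and bouncing to a Jisc subdomain
    "spf_jisc_subdomain": AuthResults("jisc.ac.uk", "pass", "bounce.jisc.ac.uk",
                                      "pass", "supplier-mail.example"),
    # Supplier authenticates only its own domain: SPF and DKIM pass, DMARC still fails
    "supplier_domain_only": AuthResults("jisc.ac.uk", "pass", "supplier-mail.example",
                                        "pass", "supplier-mail.example"),
}
if __name__ == "__main__":
    for name, case in CASES.items():
        print(f"{name:22} relaxed={dmarc_evaluate(case)['dmarc']}  "
              f"strict={dmarc_evaluate(case, 's', 's')['dmarc']}")
```

The third case is the one that catches suppliers out: both SPF and DKIM pass for their own domain, yet the message fails DMARC for jisc.ac.uk because neither identifier aligns.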

We are able to use this information to better filter out e-mail based threats from our e-mail servers.