For over 25 years OIT has provided a mail relay service to any campus unit that needed one. Until recently, this has served NC State well, but we are finding that our ability to provide a reliable service has been deteriorating at an alarming rate. This is primarily because the “mail reputation” of our mail relay service, an opaque metric that mail providers use to judge how likely we are to send out good mail, has fallen from superior to mediocre and continues to decline. Today, units that use our relay service often find that messages delivered through it acquire a higher spam score than messages delivered without it.
We are also seeing unprecedented numbers of compromised accounts on our campus due to phishing. One of the few effective mitigations available to us is implementing the SPF and DKIM protocols in our mail environment. These protocols would provide significant protection to our users from phishing while also improving our global mail reputation. Unfortunately, it will be impossible to enable these protocols without making wholesale changes to the mail infrastructure. They simply will not work in our environment as currently configured.
Recommendations for changes to our email infrastructure
The Google Service Team (GST) recommends that our customers use, where possible, one of the two mail relay services provided by Google. Customers unable to use Google’s mail relays would use either Google groups, the Majordomo list service, or Bronto. We would retire the mail relay service, as its functionality would be replaced by Google.
We believe that shifting to Google’s relays would provide for the vast majority of our customers’ needs. The GST would meet with the remaining customers to see if we can find a comparable way to enable their business, or perhaps provide an alternative to email.
This move to Google would provide our campus with two very large benefits:
- We are positioned to enable SPF and DKIM for our domain. Google strongly encourages us to enable these protocols to help with phishing and spam. The GST believes it will cut spam down significantly.
- All customers would have an individual relationship with Google. Currently, any service outage for the mail relay service—whether through hardware failure or troublesome behavior of a customer—will cause an outage for all who use the service. In the new infrastructure, any service outage would be limited to those that caused it.
Flow chart and matrix of options
UPDATE 12/4/2017: Due to some changes in Google’s mail options for very large mail senders, we have unlinked the flow chart and matrix of options while we review these changes and the impact to our email infrastructure. Please continue to send questions regarding your setup to firstname.lastname@example.org.
We have prepared a flow chart and a comparable matrix of options to help explain the recommended changes. These options organize mailings by numbers of messages sent in a 24-hour period. Some of these are limits set by Google, but for the most part they are intended as rough guidelines for the customer. Both quantity and message rate are important. For example, a server that’s very busy for a smaller portion of the day should be considered for a larger overall number of messages per day, due to the message rate.
Finally, as with any solution, there may be a campus unit or two using processes or older machines that we will not be able to support. The GST is committed to working with the customer to see if we can find a suitable option. But ultimately it will be up to that customer to determine the next steps.
- Presentation to CITD – June 2017 (NCSU Restricted)