Preferred method: send via an Oxford mail service
The best way for a third-party system to send mail from an Oxford address is to use one of the following two options:
- Set up a dedicated generic Nexus365 mailbox and configure the third-party system to send through that
- Set up a dedicated SSO-only account and configure the third-party system to use this to send using the message submission service
Fall-back method: authorise third-party to send from your domain
If the third party you are using does not support properly-authorised sending via Nexus365 or Oxmail (message submission), then the following steps should meet the basic requirements of most recipient mail services.
Warning: This does not guarantee message delivery, and can adversely impact all mail sent from your domain
The changes required below mean that the third party influences both how mail sent from your domain is assessed and the mail reputation of your domain.
An error in the third-party SPF configuration will cause SPF to fail for ALL mail sent from your domain (not just via the third-party).
- Ensure that you have a good understanding of SPF (see SPF Project resources), DKIM and DMARC
- Obtain an SPF inclusion clause from your third-party. This should be in the form “include:saas.example.com”
- Create or edit the SPF record in DNS for your domain using Hydra IPAM, and insert the additional clause between v=spf1 and any other specifiers. For example:
unit.ox.ac.uk TXT v=spf1 include:saas.example.com redirect=_spf.ox.ac.uk
- Configure DKIM message signing in your third-party service. This will normally involve enabling DKIM, setting / confirming the DKIM selector and generating / obtaining a DKIM key via the web admin interface
- Create the required DKIM record in DNS for your domain using Hydra IPAM, for example:
saasxmpl._domainkey.unit.ox.ac.uk TXT v=DKIM1;p=MIImxJCfLeSbBMI4CSmTIQo...
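Because the include: clause sits first in the record, receivers evaluate it for every message, so a missing or duplicated SPF record at the third party makes the whole check return permerror (RFC 7208). The following is an added example, not IT Services' or any vendor's code: it walks include:/redirect= over constructed TXT data, the IP ranges (including the contents shown for _spf.ox.ac.uk) are placeholders, and SPF macros are not handled.

```python
import re

LOOKUP_LIMIT = 10  # RFC 7208 section 4.6.4: max DNS-querying terms per check
QUERYING = {"include", "a", "mx", "ptr", "exists"}  # redirect= is handled below

class PermError(Exception):
    """Evaluation cannot complete, so the whole record is treated as broken."""

def count_lookups(domain, zone, path=(), used=0):
    """Worst-case count of DNS-querying terms reachable from `domain`.

    `zone` maps a name to its TXT strings and stands in for live DNS.
    """
    if domain in path:
        raise PermError(f"include/redirect loop via {domain}")
    spf = [t for t in zone.get(domain, []) if t.lower().split()[:1] == ["v=spf1"]]
    if len(spf) != 1:
        raise PermError(f"{domain}: {len(spf)} SPF records, need exactly 1")
    for term in spf[0].lower().split()[1:]:
        target = None
        if term.startswith("redirect="):
            target = term[len("redirect="):]
        else:
            mech = re.match(r"[+\-~?]?([a-z0-9]+)", term)
            if not mech or mech.group(1) not in QUERYING:
                continue  # ip4, ip6, all, exp= and similar cost no counted lookup
            if mech.group(1) == "include":
                target = term.partition(":")[2]
        used += 1
        if used > LOOKUP_LIMIT:
            raise PermError(f"more than {LOOKUP_LIMIT} DNS lookups at {domain}")
        if target:
            used = count_lookups(target, zone, path + (domain,), used)
    return used

def check(domain, zone):
    """Return a one-line verdict for `domain`."""
    try:
        return f"ok, {count_lookups(domain, zone)} lookups"
    except PermError as err:
        return f"permerror: {err}"

# Constructed records: names follow the page's examples, IP ranges are placeholders.
ZONE_OK = {
    "unit.ox.ac.uk": ["v=spf1 include:saas.example.com redirect=_spf.ox.ac.uk"],
    "saas.example.com": ["v=spf1 ip4:192.0.2.0/24 -all"],
    "_spf.ox.ac.uk": ["v=spf1 ip4:198.51.100.0/24 -all"],
}
# The same zone after the third party publishes a second SPF record by mistake.
ZONE_BROKEN = {**ZONE_OK, "saas.example.com": ZONE_OK["saas.example.com"] + ["v=spf1 mx -all"]}
```

Calling check("unit.ox.ac.uk", ZONE_BROKEN) reports the permerror at saas.example.com even though the unit's own record is unchanged.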
Note 1: SPF, DKIM and DMARC are entirely controlled via your DNS records and third-party system configuration. IT Services does not have access to either of these, so if you need assistance then we recommend consulting the IETF RFCs for each standard, reviewing message headers using the message header analyzer and working with your third-party to review log messages.
Note 2: Some third-party systems simply don't support contemporary methods of sending mail reliably (or at all). We have found some, even large / well-known / expensive, third-party systems that are not able to send mail via Office365 or via SMTP services, and do not support SPF or DKIM. These systems will not be able to send mail from Oxford addresses reliably, and in some cases may not be able to send mail from Oxford addresses at all. Options here are essentially limited to: configure the third-party system to send mail from their own domain (assuming they have SPF, DKIM and DMARC configured correctly), or find another supplier.