
Anti-phishing measures SPF guidelines

We have just taken a new step towards better anti-phishing measures.

LISA, in collaboration with M&C, has set up technical guidelines for the use of the Sender Policy Framework (SPF). SPF indicates where legitimate mail can come from and what a recipient should do if the mail does not come from such a source. In this way we can prevent parties outside the UT from sending phishing mail with an @utwente.nl address. The guidelines have now been established by the MT of LISA. In the coming months we will continue to work on the implementation of these guidelines.

The guidelines relate to all (mail) domains for which the university is responsible.

  1. For utwente.nl only the central, official mail servers are included. This concerns the central Exchange servers and the servers of SURF that are used for checking outgoing mail.
  2. Domains for student associations and other third parties are free to adopt their own SPF policies. We recommend that they start from these guidelines.
  3. SaaS providers are asked to use our mail servers. They are therefore directly covered by guideline 1.
  4. If guideline 3 is not feasible, a separate subdomain will be created under utwente.nl for this provider.
  5. In all other cases, SPF is configured so that all mail from the domain is classified as using an incorrect address.
  6. The university is responsible for all its domains. If abuse is detected, SPF settings will be changed to stop that abuse.

For guideline 4, a subdomain still needs to be approved by M&C.
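
The following added example (not LISA's own configuration or code) shows how a receiving mail server would evaluate SPF records shaped like guidelines 1, 4 and 5. The IP ranges are documentation addresses, and `provider.utwente.nl` and `parked.example` are hypothetical placeholder names. Only the `ip4`, `ip6` and `all` mechanisms are evaluated.

```python
import ipaddress

# Constructed SPF records, one per guideline case (not real DNS data).
RECORDS = {
    # Guideline 1: only the central mail servers may send for utwente.nl.
    "utwente.nl": "v=spf1 ip4:192.0.2.0/28 ip4:198.51.100.10 -all",
    # Guideline 4: a SaaS provider sends from its own subdomain.
    "provider.utwente.nl": "v=spf1 ip4:203.0.113.0/24 -all",
    # Guideline 5: a domain that sends no mail authorises no sender at all.
    "parked.example": "v=spf1 -all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(sender_domain, client_ip, records=RECORDS):
    """Evaluate the ip4/ip6/all subset of SPF (RFC 7208).

    sender_domain is the domain of the envelope sender (SMTP MAIL FROM),
    client_ip is the address of the connecting mail server.
    """
    record = records.get(sender_domain.lower())
    if record is None or record.split()[0].lower() != "v=spf1":
        return "none"  # no SPF policy published for this domain
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = "+"  # a mechanism without a qualifier means "pass"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, value = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):
            network = ipaddress.ip_network(value, strict=False)
            if ip.version == network.version and ip in network:
                return QUALIFIERS[qualifier]
        else:
            # include, a, mx, exists and redirect need DNS lookups, which
            # this example does not perform; refuse rather than guess.
            return "unsupported"
    return "neutral"  # end of record reached without a match


if __name__ == "__main__":
    for domain, ip in [("utwente.nl", "192.0.2.5"),
                       ("utwente.nl", "203.0.113.7"),
                       ("provider.utwente.nl", "203.0.113.7"),
                       ("parked.example", "192.0.2.5")]:
        print(f"{domain:22} {ip:14} -> {check_spf(domain, ip)}")
```

The provider's server passes only for its own subdomain and fails for utwente.nl itself, which is the separation guideline 4 is meant to achieve.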