• Applications or devices must be capable of SMTP authenticated sending on port 25, 587 or 465 using a Username/Password
• Supports TLS 1.2
• Known Envelope From and Header From
  Restrictions:
  • There is a limit of 10 From addresses.
  • The From address(es) must be a valid service account email address in a subdomain of *.wisc.edu (e.g. doit.wisc.edu).
  • The Campus Relay Service must be authorized to send as that address in the domain SPF record.
  • The address can not be an @wisc.edu address.
• Uses static IP address(es)
• Messages less than 5MB in size
• Limit of 100 emails per SMTP session

• The authenticated relay is only available to systems or services that are under contract with UW-Madison and sending email in support of UW-Madison Teaching, Research or Administrative activities.
• Only paid UW-Madison faculty or staff may request access to the authenticated relay services.
• Follow the UW System guidelines for Acceptable Use of Information Technology Resources.
• Use of the service is explicitly prohibited for sending spam, phishing or email with offensive content.
• The relay service should not be used to send unencrypted HIPAA protected data (Protected Health Information, PHI) to non-UW-controlled email addresses. For more information, see UW-Madison Policy regarding Email Communications Involving Protected Health Information.
• This is a paid service provided by Proofpoint and is priced based on hourly peak and yearly total throughput. If any single campus group or application results in UW-Madison exceeding its contracted mail volume thresholds they will be charged for any cost increase accrued by the service.

• Administrators routinely monitor the volume of mail sent for system management purposes.
• Usage may also be subject to security testing and monitoring.
• If the University receives a credible report that a violation of the Terms of Use has occurred, or if, in the course of managing the service, discovers evidence of a violation, then the matter will be referred for investigation, University disciplinary action, and/or criminal prosecution.

If you have a 3rd party service or off-campus device that sends email, you can request access to the authenticated secure email relay service using our Google form. We will review your use case and determine whether it is a good fit for the SER service. Please be prepared to supply the following information:

• Name of the School, College, Division, Group or Service requesting credentials.
• UW-Madison Service Owner
• Envelope From address(es) used in the mail messages. You can specify up to 10 From addresses for use with the application but not whole domains (e.g. *@doit.wisc.edu).
• Header From if it will be different from the Envelope From.
• IP address(es) of the sending systems.
• Name of the application or device that will use the credentials.
• Who is the audience for the email sent from your application/service?

Once the form is submitted we will contact you within 3 business days.

If we determine that your use case is a good fit for the authenticated secure email relay service, we will provide you with credentials for connecting to the service. You will need to configure your application using the following information:

• SER Servername: smtp-us.ser.proofpoint.com
• Authentication Method: SER Username/Password provided by PCS
  Note: Vendor documentation frequently assumes that the Username is in the form of an email address. The SER Username is not an email address and should not be confused with the authorized From address(es).
• Connection Security: TLS/STARTTLS
• Port: 25, 587 or 465
• Validate the SPF record for the domain used in the Envelope From address includes the WiscMail SPF record: “include:_spf.wiscmail.wisc.edu”

If the sending application is behind a firewall that restricts outbound traffic, you may need to add rules to allow traffic to the following IP addresses in order to connect to smtp-us.ser.proofpoint.com:

• 34.225.17.174
• 52.202.205.232
• 54.68.130.227
• 52.89.187.57

If you already have an application using the Secure Email Relay (SER) service you can request updates to the existing credentials. For example, you can request that we add or remove allowed IP addresses or From email addresses. To request a change, use our Google form.

Please be prepared to supply the SER Username that is used by your application. The Username was provided to you when your original request was approved. (Example Username: 02f7837f-00cc-a704-2fab-ef4eb86e8950)

Once the form is submitted we will contact you within 3 business days.

All email that passes through the campus relay service is DKIM signed for the relay.mail.wisc.edu domain. The relay service does not support custom DKIM signing for specific domains. The application sending the mail will need to DKIM sign those messages if you need to sign for a different domain.

If you are sending newsletters, calls for research participation, surveys or other forms of bulk mail, your messages need to offer support for one-click unsubscribe. Your application will need to add the appropriate headers to the email messages and handle unsubscribe requests. This is not a feature of the relay service.

The Authenticated Secure Email Relay service is provided by Proofpoint and we do not have direct access to the authentication logs. If you are unsuccessful in sending mail through Proofpoint SER you should validate the setup by checking the following:

• Are connections being initiated via Ports 25, 465, or 587?
• Is TLS v1.2 (or better) being used?
• Are the authorized Envelope and Header FROM Addresses being used?
• Is the email coming from the authorized IP(s)?
• Are the emails too big? Messages must be less than 5MB in total size.
• Is the software that is generating the email attempting to TLS-encrypt the SMTP connection with an unsupported cipher?
  Support Ciphers
  

  
  ECDHE-RSA-AES256-GCM-SHA384
  ECDHE-RSA-AES128-GCM-SHA256
  ECDHE-RSA-AES256-SHA384
  ECDHE-RSA-AES128-SHA256
  ECDHE-RSA-AES256-SHA
  ECDHE-RSA-AES128-SHA
  
  AES256-GCM-SHA384
  AES128-GCM-SHA256
  AES256-SHA256
  AES128-SHA256
  AES256-SHA
  AES128-SHA
  RC4-SHA
  DES-CBC3-SHA
  
  

• Are there firewall rules that might be blocking outbound connections to Proofpoint or the connection ports?

Any abuse of this service will result in removal of relaying privileges for the offending application.

On February 1, 2024 Proofpoint completed the upgrade of the Secure Email Relay (SER) infrastructure to their version 2 architecture. With that transition, traffic to authnz.proofpoint.com has been temporarily redirected to smtp-us.ser.proofpoint.com. Application owners should update their configuration to connect to smtp-us.ser.proofpoint.com instead of authnz.proofpoint.com. Proofpoint plans to deprecate support for authnz.proofpoint.com in the future.

Any outbound firewall rules will need to be updated to allow traffic to the following SERv2 IP addresses:

• 34.225.17.174
• 52.202.205.232
• 54.68.130.227
• 52.89.187.57

The firewall updates must be completed by May 30, 2024.

If you have any questions or would like to discuss relaying options, please contact smtp.relay@doit.wisc.edu.