Requesting SMTP Relaying for sending unauthenticated email

This document describes the campus unauthenticated SMTP relay service and when it might be appropriate to request relaying services. Please note that unauthenticated relay services are only available to UW-Madison campus IP space and explicitly not available to end user workstations or campus mail servers.


What is SMTP Relay?

An SMTP relay allows Campus servers and devices to programmatically send mail from their applications to their target users without having to run their own mail server. SMTP relaying is necessary when your server, application or device is unable to authenticate to smtp.office365.com and you need to send email programmatically to recipients that are off-campus and the list of recipients may not be known before the email is generated. This service is limited to campus IP space and is protected by the campus firewall to insulate it from potential spammer access.

Microsoft 365 customers may not need an SMTP relay in all cases. If you are a server or application administrator, please see the following guide to help determine what option is best for your needs: Microsoft 365 - Options for Individual and Programmatic Sending

Terms of Use

  • The unauthenticated relay is only available to systems, services or devices that are located on campus and sending email in support of UW-Madison Teaching, Research or Administrative activities.
  • Campus partner mail servers or servers that accept mail submissions on port 25 should not use the unauthenticated relay service.
  • Unauthenticated relay services is not available to end user workstations.
  • Use of the service is explicitly prohibited for sending spam, phishing or email with offensive content.
  • The relay service should not be used to send unencrypted HIPAA protected data (Protected Health Information, PHI) to non-UW-controlled email addresses. For more information, see UW-Madison Policy regarding Email Communications Involving Protected Health Information.
  • If the University receives a credible report that a violation of the Terms of Use has occurred, or if, in the course of managing the service, discovers evidence of a violation, then the matter will be referred for investigation, University disciplinary action, and/or criminal prosecution.

Submitting a Request

An SMTP Relay request is only necessary if your application or device is sending email to recipient addresses not hosted in our UW-Madison Microsoft 365 or Google Groups environment. If your application is hosted on campus and you are only sending to UW-Madison M365 or g-groups.wisc.edu recipients then you may use the smtp.wiscmail.wisc.edu service without submitting a request.

To submit a request for SMTP relaying for a new IP address, fill out our SMTP Relaying request form.

If you are the admin of record for a relay you can make changes to an existing relay IP here List Relays.

Please contact the DoIT Help Desk with any other questions regarding relay requests.

Set Up

Once your IP is allowed to relay, you may use the following configuration to relay email.

  • SMTP Server: smtp.wiscmail.wisc.edu
  • SMTP Port: 25
  • Id/Password: This is not used. Please leave blank.
  • TLS/SSL: Enabled (where possible)
  • From Address: You must use a valid From address. This address should be a name@domain.wisc.edu account that is hosted within the UW-Madison Office 365 tenant.

Important: The HELO/EHLO domain used by the application, server or device can not contain the & character

Note on TLS/SSL support: Encrypted communication is required for sending mail to certain external domains (e.g. uwhealth.org). For the full list of domains that require TLS see: Microsoft 365 - Email Domains that Require TLS

What is the difference between relay.mail.wisc.edu and smtp.wiscmail.wisc.edu

They are two different L4 VIPs but there is otherwise no functional difference between smtp.wiscmail.wisc.edu and relay.mail.wisc.edu.

What IP addresses does the relay service use to send mail?

Relay mail may be sent from the following IP addresses:

  • 67.231.145.152
  • 67.231.153.115

These IPs are represented in our published SPF record

Does SMTP Relay support encrypted connections?

The SMTP Relay service offers opportunistic TLS through support of the STARTTLS command which offers a way to upgrade a plain text connection to an encrypted connection. SMTP Relay also forces TLS communication to certain external domains. For the full list of domains that require TLS see: Microsoft 365 - Email Domains that Require TLS.

Is there a message size limit when using SMTP Relay?

Can the relay service be used by off-campus infrastructure?

No, the unauthenticated relay service is not available to off-campus infrastructure. We now offer an Authenticated SMTP Secure Email Relay Service. That service is available to off-campus systems such as applications built on AWS EC2 instances, Lamdba serverless functions, or other 3rd party services. See SMTP Authenticated Secure Email Relay sending for more details.

Can the relay service be used to bypass DMARC requirements?

In some cases it can, but it also further complicates matters. Since the relay service effectively bypasses domain-level authorization of use of email addresses, it would be covering up the forging problem that DMARC would otherwise solve. We need to ensure that the systems we allow to relay have some level of control over who is allowed to send as arbitrary email addresses. We recommend that you consult with us to ensure your messages are DMARC compliant.

How can I achieve DMARC compliance using a SaaS provider without relaying?

  1. Third party SaaS providers are not allowed to use the @wisc.edu domain they can only be configured to use subdomains of wisc.edu (e.g. mailplus.wisc.edu).
  2. Determine which domains the application will need to send as "From".
  3. Configure all outbound messages to use addresses within that domain. The from address should be a valid and deliverable email address even if you do not expect to receive replies at the address or process bounced message (to catch bounces, etc. See also: Microsoft 365 - Dealing With Replies To Your Automated or Mass Email )
  4. Add the SaaS provider's outbound email IP addresses to the SPF record for the domain.
  5. Implementing SPF is adequate for DMARC compliance, but you should strive for implementing DKIM in the long term. Encourage your SaaS vendor to implement support for DKIM signing. Feel free to point your vendor at the following documents if they need an industry primer on how to implement DKIM.

Abuse

Any abuse of this service will result in removal of relaying privileges for the offending IP address.

Questions

If you have any questions or would like to discuss relaying options, please contact smtp.relay@doit.wisc.edu.