Requesting SMTP Relaying for sending unauthenticated email

An SMTP relay is used for sending unauthenticated email. SMTP relaying is necessary when your application or device is unable to authenticate to Office 365 or smtpAuth and you need to send email programmatically to recipients that are off-campus and the list of recipients may not be known before the email is generated. To submit a request, fill out the form below.


What is SMTP Relay?

An SMTP relay allows Campus users to programmatically send mail from their applications to their target users without having to run their own mail server. Common uses range from servers or applications that may generate high volumes of mail and are unable to authenticate to smtp.office365.com to low volume printers, scanners and multifunction devices. This service can be used where a smart-host is required. Relay services can be used to send mail to both campus and non-campus mail addresses. This service is insulated from spammers by maintaining a table of IPs allowed to relay.

Office 365 customers may not need an SMTP relay in all cases. If you are a server or application administrator, please see the following guide to help determine what option is best for your needs: Office 365 - Options for Individual and Programmatic Sending


Submitting a Request

To submit a request for a new SMTP relay fill out SMTP Relaying request form.

If you are the admin of record for a relay you can make changes to an existing relay IP here List Relays.

Please contact the DoIT Help Desk with any other questions regarding relay requests.


Set Up

Once your IP is allowed to relay, you may use the following configuration to relay email.

Important: You must enter a valid From address. This address can be a netid@wisc.edu or name@domain.wisc.edu account that is hosted within the UW-Madison Office 365 tenant.

Note on TLS/SSL support: Encrypted communication is required for sending mail to certain external domains (e.g. uwhealth.org). For the full list of domains that require TLS see: Office 365 - Email Domains that Require TLS


What is the difference between relay.mail.wisc.edu and smtp.wiscmail.wisc.edu

We recommend using smtp.wiscmail.wisc.edu. We will be retiring use of relay.mail.wisc.edu in the future.

Use of relay.mail.wisc.edu requires that the IP address of the device sending email be included in the WiscMail Relay table even if you are only sending to UW Madison Office365 addresses. There is otherwise no difference between smtp.wiscmail.wisc.edu and relay.mail.wisc.edu.


Does SMTP Relay support encrypted connections?

The SMTP Relay service offers opportunistic TLS through support of the STARTTLS command which offers a way to upgrade a plain text connection to an encrypted connection. SMTP Relay also forces TLS communication to certain external domains. For the full list of domains that require TLS see: Office 365 - Email Domains that Require TLS


Can the relay service be used by off-campus infrastructure?

Yes (AWS only.) In order to ensure that UW-reserved EC2 ElasticIP addresses are not released and reassigned to a non-UW account, you need to set up an AWS IAM permission to allow the DoIT Email service to periodically read the IP address information about your AWS account. Fill out the SMTP Relaying request form to get started setting up SMTP relay integration with AWS EC2 ElasticIP addresses.


Can the relay service be used to bypass DMARC requirements?

In some cases it can, but it also further complicates matters. Since the relay service effectively bypasses domain-level authorization of use of email addresses, it would be covering up the forging problem that DMARC would otherwise solve. We need to ensure that the systems we allow to relay have some level of control over who is allowed to send as arbitrary email addresses. We recommend that you consult with us to ensure your messages are DMARC compliant.


How can I achieve DMARC compliance using a SaaS provider without relaying?

  1. Determine which domains the application will need to send as "From".
  2. Configure all outbound messages to use addresses within that domain. You don't need the addresses to actually exist within the domain, but it would be best practice if your users use a deliverable address (to catch bounces, etc. See also: this doc )
  3. Add the SaaS provider's outbound email IP addresses to the SPF record for the domain. We have a new feature in the Wisc Account Admin Site called "DMARC Info" which can help you stage changes to your domain's SPF record.
  4. Implementing SPF is adequate for DMARC compliance, but you should strive for implementing DKIM in the long term. Encourage your SaaS vendor to implement support for DKIM signing. Feel free to point your vendor at the following documents if they need an industry primer on how to implement DKIM.
    • https://www.m3aawg.org/sites/default/files/document/M3AAWG_Senders_BCP_Ver3-2015-02.pdf
    • https://www.m3aawg.org/sites/default/files/document/M3AAWG_Email_Authentication_Update-2015.pdf
    • https://www.m3aawg.org/sites/default/files/document/M3AAWG_DKIM_Key_Rotation_BP-2013-12.pdf

Abuse

Any abuse of this service will result in removal of relaying privileges for the offending IP address.

Questions

If you have any questions or would like to discuss relaying options, please contact smtp.relay@doit.wisc.edu.

See Also: