This post is an opinion piece that reflects what I think are best practices. Should large financial institutions use hosted email services? Services like ours (Forefront Online Protection for Exchange, FOPE)? Why am I even asking this question?
I ask this question from a security perspective. The advantages of moving to hosted services are plenty:
I’m not going to go into all the advantages because there are plenty. I work for the division that does hosted filtering and that’s how I make my living. It’s a good thing to do in many cases for inbound mail.
However, for outbound mail, the situation is different. Outbound mail flows the other way: it originates on your mail server, passes through us, and then goes out to the Internet. The advantage of this, from a spam-filtering perspective, is that we do outbound spam management and can typically maintain a better outbound IP reputation, which improves (but does not guarantee) delivery. There are other advantages, but for spam that is one of the biggest.
The reason I ask the question above is that for inbound mail, every customer (everyone who wants to use hosted mail) uses the same set of resources (our mail servers). This doesn’t matter, because our service is designed to scale for inbound mail: if we ever start experiencing high traffic load, we just add more servers. Everyone’s mail flows through us, we scan it, and then we deliver it to them.
For outbound, we similarly use the same set of resources, but those resources also include the outbound IP addresses. This means that every customer shares the same outbound IP reputation, and every customer’s deliverability depends upon how well we maintain it.
We have spent a long time coming up with ways to reduce the amount of spam that leaves our network. However, if one customer sends spam, it can degrade the deliverability of everyone’s mail. That is part of the price of using a shared set of IP addresses. Fortunately, we’re very good at keeping our IP reputation clean.
Customers using us put two sets of IP addresses into their SPF records:
This means that every outbound customer message goes through two SPF checks: once by us, when it arrives from the customer’s mail server, and once by the final, intended recipient, when it arrives from our outbound IPs (it could actually be more SPF checks, depending upon how the recipient has things set up).
This is all well and good when it comes to security, but remember, we are a shared-IP service for outbound. What happens if Customer A is behaving but Customer B has been compromised and is sending out spam, and sends that spam by spoofing Customer A’s domain?
In the case of a zero-day spam campaign, before the filters have had time to catch up and catch the spam by some other method, this outbound spam will leak to the world. Third-party filters on the Internet will do an SPF check, and it will pass, because the mail came from shared IP space that Customer A’s own SPF record authorizes.
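The two checks in the shared-IP case, as an added example that is not from the original post and not FOPE’s code: a minimal SPF evaluator (ip4, include and all mechanisms only) run over constructed TXT records for the hypothetical domains customer-a.example, customer-b.example and customer-c.example, a hypothetical shared pool _spf.hosted.example, and RFC 5737 documentation addresses. The post does not say how the hosted service performs its own check, so the ingress check modelled here, which evaluates the claimed MAIL FROM domain against the submitting customer server’s IP, is an assumption. What the example shows is the recipient’s position: a legitimate message from Customer A and a spoof of Customer A injected by a compromised Customer B both leave from the same pool IP, and Customer A’s record authorizes that pool, so the recipient’s SPF check passes for both. The same spoof aimed at a domain that sends only from a dedicated IP (customer-c.example) fails, which is the mechanism behind preferring dedicated IP space.

```python
import ipaddress
from dataclasses import dataclass

# Constructed DNS data for the example. Domains, the hosted service name and
# the IP ranges (RFC 5737 documentation ranges) are hypothetical.
DNS_TXT = {
    # Customer A: on-premises server 203.0.113.10, outbound relayed via the
    # hosted service's shared pool.
    "customer-a.example": "v=spf1 ip4:203.0.113.10 include:_spf.hosted.example -all",
    # Customer B: same arrangement, on-premises server 203.0.113.20.
    "customer-b.example": "v=spf1 ip4:203.0.113.20 include:_spf.hosted.example -all",
    # The hosted service's shared outbound IP pool.
    "_spf.hosted.example": "v=spf1 ip4:198.51.100.0/24 -all",
    # Customer C: sends only from a dedicated outbound IP, no shared pool.
    "customer-c.example": "v=spf1 ip4:192.0.2.5 -all",
}

QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(domain, ip, depth=0):
    """Minimal SPF (RFC 7208) evaluation supporting ip4, include and all.

    Returns one of pass / fail / softfail / neutral / none / permerror.
    """
    if depth > 10:  # RFC 7208 caps DNS-querying mechanisms at 10
        return "permerror"
    record = DNS_TXT.get(domain)
    if record is None:
        return "none"
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in QUALIFIER_RESULT:
            qualifier, term = term[0], term[1:]
        if term.startswith("ip4:"):
            if addr in ipaddress.ip_network(term[4:], strict=False):
                return QUALIFIER_RESULT[qualifier]
        elif term.startswith("include:"):
            # include matches only when the referenced record yields "pass";
            # a missing or broken referenced record is a permanent error.
            sub = check_spf(term[len("include:"):], ip, depth + 1)
            if sub == "pass":
                return QUALIFIER_RESULT[qualifier]
            if sub in ("none", "permerror"):
                return "permerror"
        elif term == "all":
            return QUALIFIER_RESULT[qualifier]
        # other mechanisms (a, mx, exists, ...) are not modelled here
    return "neutral"  # nothing matched and no "all" term


@dataclass
class Submission:
    """A message as the hosted service receives it from a customer server."""
    mail_from_domain: str  # domain claimed in MAIL FROM
    submitting_ip: str     # customer server that handed the message to the service


SHARED_EGRESS_IP = "198.51.100.25"  # hypothetical address inside the shared pool


def service_ingress_check(msg):
    """Assumed model of the service's own check: claimed domain vs. submitting IP."""
    return check_spf(msg.mail_from_domain, msg.submitting_ip)


def recipient_check(msg, egress_ip):
    """The third-party recipient's check: claimed domain vs. the IP that delivered
    the message to them, which for a shared service is a pool address."""
    return check_spf(msg.mail_from_domain, egress_ip)


def scenarios():
    legit_a = Submission("customer-a.example", "203.0.113.10")
    # Compromised Customer B server submitting mail that claims Customer A's domain.
    b_spoofing_a = Submission("customer-a.example", "203.0.113.20")
    # The same compromised server spoofing Customer C, which uses a dedicated IP.
    b_spoofing_c = Submission("customer-c.example", "203.0.113.20")
    return {
        "legit_a_ingress": service_ingress_check(legit_a),                  # pass
        "legit_a_recipient": recipient_check(legit_a, SHARED_EGRESS_IP),    # pass
        "spoof_a_ingress": service_ingress_check(b_spoofing_a),             # fail: B's IP is not in A's record
        "spoof_a_recipient": recipient_check(b_spoofing_a, SHARED_EGRESS_IP),   # pass: the pool IP is in A's record
        "spoof_c_recipient": recipient_check(b_spoofing_c, SHARED_EGRESS_IP),   # fail: C's record has no shared pool
    }


if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name:20s} {result}")
```

The recipient has only two inputs, the claimed domain and the connecting IP, and in the shared case both are identical for the legitimate and the spoofed message, so no recipient-side SPF policy can separate them; whether the spoof is stopped before it reaches the pool depends entirely on the service’s own filtering.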
So, the decision of whether to use shared IP space for outbound mail is complicated and involves various tradeoffs:
One thing I do not treat as a determining factor is how good your hosted spam filtering service is at catching spoofed mail. Our service is very good at it, but we’re not perfect. No one is, because spammers have the advantage of testing their campaigns against filters and tweaking them until they get through. Leaks sometimes occur, especially in a large service with hundreds of thousands of customers. For this reason, I don’t personally recommend that financial institutions use outbound mail services on shared IP space unless they are willing to accept the risk it entails.
So what can they do?
There are a couple of options:
Those are the two best options that I see, and they are the ones I recommend for organizations for which spoofing is both likely and costly.
There are a couple of technologies on the horizon that can help with the problem of spoofing through shared-IP services, but they are still a bit of a way off from realization:
Those are my views on the problems of sending email through a shared outbound IP service, some workarounds, and future solutions.