Case study

SURFmailfilter at UvA: 'Secure email without tampering'

Securing email traffic takes a lot of effort. For instance, educational institutions must ensure that their users can send and receive emails safely. If this fails, it can cause problems. Ed van Gasteren, IT service manager at the University of Amsterdam, knows all about it. He explains how the UvA uses SURFmailfilter to bundle and secure outgoing mail flows.

In short

Name: Ed van Gasteren
Position: IT Service Manager
Organisation: University of Amsterdam
Service: SURFmailfilter
Challenge: Protection against spoofing and malware
Solution: Bundling and securing outgoing email flows via SURFmailfilter

The UvA not only provides IT services within its own institution, but also to the Amsterdam University of Applied Sciences (AUAS). That means Ed van Gasteren's department manages the email environments of some 100,000 students and 14,000 employees. "We used to have separate servers for all those mailboxes at our locations," Van Gasteren explains, "but nowadays almost everything has been migrated to Microsoft's cloud. That means you have to be able to link all your other systems to it. If that doesn't work, you have to find a solution. For us, that's SURFmailfilter."

Spoofing and malware

Van Gasteren explains why bundling outgoing mail flows is important: "Information systems and digital learning environments send all kinds of messages and notifications to users via email. If this does not run through Microsoft or through a central solution such as SURFmailfilter, you have to start giving all those individual systems 'permission' to send email on your behalf. That is an awful lot of work and, moreover, it is error-prone: if the settings aren't right, you run the risk of spoofing."

Spoofing involves sending fake emails that are almost indistinguishable from real ones. Hackers use this method to spread malware. To best protect your institution against spoofing, it is wise to bundle your outgoing mail flows. Bundling ensures that all your systems deliver mail from a limited number of sources. In doing so, you can be sure that they all comply with the same security conditions.

Communicating with the outside world

"Most modern systems can be linked with Microsoft's software without any problems, but this is not always the case for older systems," Van Gasteren explains. "At the UvA, for example, we work with a scheduling system that we facilitate within our own data centres. It is not possible to send the messages and notifications from that scheduling system via Microsoft 365. To be able to continue using that system, we have therefore connected it to SURFmailfilter."

SURFmailfilter ensures that messages from the scheduling system reach the recipients in the right way. "As a result, those emails do not end up in spam filters, so we can continue to use the system to communicate with the outside world."

Sealing

Emails are secured by giving them a DKIM signature. DKIM (DomainKeys Identified Mail) acts as a seal. The receiving server can verify not only that the email indeed comes from the original sender, but also that nothing in the content was changed during the sending process. In Van Gasteren's words, "As a recipient, you can be sure that the email has not been tampered with."
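The content check behind that seal, as an added example that is not part of the original article and not SURFmailfilter's own code: a receiver recomputes the DKIM body hash (the bh= tag) using the relaxed canonicalization of RFC 6376 and compares it with the value in the signature header. The domain, selector, message bodies and b= value are constructed; a full verifier also checks the b= signature over the headers against the sender's public key in DNS, which this example leaves out.

```python
import base64
import hashlib
import re


def relaxed_body(body: bytes) -> bytes:
    """RFC 6376 section 3.4.4 'relaxed' body canonicalization."""
    lines = re.split(rb"\r?\n", body)
    # Collapse runs of space/tab to one space and drop trailing whitespace.
    lines = [re.sub(rb"[ \t]+", b" ", ln).rstrip(b" ") for ln in lines]
    # Empty lines at the end of the body are ignored.
    while lines and lines[-1] == b"":
        lines.pop()
    return b"".join(ln + b"\r\n" for ln in lines)


def body_hash(body: bytes) -> str:
    """Base64 SHA-256 of the canonicalized body, as carried in bh=."""
    digest = hashlib.sha256(relaxed_body(body)).digest()
    return base64.b64encode(digest).decode()


def parse_tags(header_value: str) -> dict:
    """Split a DKIM-Signature header value into tag=value pairs."""
    tags = {}
    for part in header_value.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = re.sub(r"\s+", "", value)  # unfold whitespace
    return tags


def body_intact(header_value: str, received_body: bytes) -> bool:
    """True if the received body still matches the signed body hash."""
    return parse_tags(header_value).get("bh") == body_hash(received_body)


# Constructed sample data (not taken from any real mail flow).
SENT = b"Invoice 0001 (constructed)\r\nAmount due: 100.00 EUR\r\nIBAN: NL00 EXAMPLE 0000\r\n"
SIG = ("v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.org; s=sel1; "
       "bh=" + body_hash(SENT) + "; b=PLACEHOLDER")
# A relay that only touched whitespace: still verifies under 'relaxed'.
RELAYED = b"Invoice 0001 (constructed)  \r\nAmount due:   100.00 EUR\r\nIBAN: NL00 EXAMPLE 0000\r\n\r\n\r\n"
# A changed account number: the body hash no longer matches.
TAMPERED = SENT.replace(b"NL00 EXAMPLE 0000", b"NL00 CHANGED 0000")

if __name__ == "__main__":
    for name, body in (("sent", SENT), ("relayed", RELAYED), ("tampered", TAMPERED)):
        print(name, body_intact(SIG, body))
```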

Previously, the joint IT infrastructure of the UvA and AUAS prevented the DKIM signature from being used by both institutions. This caused problems. "Signed UvA emails from our SAP system arrived at the recipients without any problems. However, we could not apply DKIM to the AUAS messages, so emails with important content, such as invoices, were not delivered. Invoices weren't paid, which led to other unpleasant consequences. With the new version of SURFmailfilter, we no longer have this problem; we can now apply DKIM to emails from both institutions."

Pressure off

Van Gasteren is convinced that all systems eventually need to be connected to Microsoft. Ideally, he would like to link all of the UvA's systems and applications to it right now, but that is no easy task.

"It is an enormous amount of work to transfer everything to Microsoft 365. You have to deal with many different parties and long processing times. Moreover, any change in your institution's infrastructure comes with risks. As long as all these complications are there, we will continue to use SURFmailfilter, because it just works damn well. Especially since the renewal of SURFmailfilter in 2022, the pressure has been off for us to do everything in-house. This allows the UvA to focus on other important things in the coming years."

 

Want to know more?

SURF advises you on how to optimise your institution's e-mail flows, including the required security standards.

Gabriëlle Impens
