How to prevent emails from Ex Libris products being marked as suspicious

Last updated
Save as PDF
Share
1. Share
2. Tweet
3. Share

Product: Alma Platform, Primo Classic
Product Version: N/A
Relevant for Installation Type: N/A

When an email is received by an SMTP server there are several security checks that occur to determine if the email is legitimate or suspicious. If an email is marked as suspicious the SMTP server may delay the delivery of the email, mark the email as ‘spam’ or not deliver the email at all. This article describes how to ensure emails from the Ex Libris cloud will not get marked as suspicious.

Emails can be sent out from Ex Libris products in one of two ways

1) With a ‘From address’ domain of @exlibrisgroup.com

2) With a branded ‘From address’ for example @institution.edu

OTB DKIM is currently supported only for exlibrisgroup.com domain. Emails sent from our cloud with a ‘From address’ domain of @exlibrisgroup.com should not be marked as suspicious as they are signed using DKIM and Ex Libris has a DMARC policy stating that any emails that are received that do not have a DKIM signature should be rejected. Please note that both the SMTP Envelope ‘From address’ as well as the ‘header.from address’ must use the exlibrisgroup.com domain. The SMTP Envelope from address is configured in the Mail Handling integration profile and the header.from address is configured on each individual letter that is sent out. More information on configuring outgoing mail can be found here.

The DMARC policy states that the email address provider and the email address server should be the same. If they are not, this is considered a policy violation, so emails will be rejected by most DMARC-protected recipients thereby returning the “DMARC unauthenticated mail is prohibited” message on both Gmail and offices365. When you send an email via an unauthorized server, the message is rejected and therefore unauthenticated by DMARC as it fails to pass SPF and DKIM checks.

Please note that since late 2022, email services like GMAIL are enforcing DKIM/SPF compliance (see details here: https://support.google.com/a/answer/174124?hl=en&sjid=15453546060050396344-EU). This may impact your patron’s user experience.

DMARC record:

"v=DMARC1\;p=reject\;adkim=r\;rua=mailto:mailauth-reports@exlibrisgroup.com"

We are currently not supporting DKIM for custom institutional domains, but you may want to consider contributing to the existing idea exchange item (https://ideas.exlibrisgroup.com/forums/308173-alma/suggestions/44722033-dkim-for-institutional-domain). If you want to have a DKIM-compliant setup with a custom domain, you currently need to configure the Alma mail integration profile with the “"Send using institution email relay" option, and implement DKIM on your institutional email relay.

Emails sent from Ex Libris that are branded with the institution’s domain can be implemented securely in the following two ways:

i) Configure the Ex Libris application to pass the email directly to the institution’s SMTP server to be authenticated under the institution’s policies. (DKIM + DMARC)

To configure the Alma Platform to pass the email to an external SMTP server, please refer to ‘configure the mail handling integration profile’ in the documentation here. Depending on the firewall policy of the institution your IT may need to open access from Ex Libris cloud to the SMTP server for the relevant port. The outgoing IP range for Alma, Primo VE and Primo Classic can be found here

ii) Configure the email to be sent from the Ex Libris cloud and be authenticated using the “Sender Policy Framework” (SPF).

SPF is a method of allowing the Ex Libris cloud to send emails on behalf of the institution. When an email is received by a SMTP server, a security check is performed where the IP that had sent the email is compared to the IPs listed in the DNS record for the ‘From Address’ domain. To configure SPF, the DNS administrator of the institution needs to add the Ex Libris mail relay IP’s to the institution’s domain in a TXT record. The Ex Libris mail relay IP’s differ based on the region of the customer so the relevant ‘SPF Include Entry’ should be chosen. The different ‘SPF Include Entries’ for the different regions can be found here.

Article last edited: 25-MAR-2021