Requesting SMTP Relaying for sending unauthenticated email
An SMTP relay is used for sending unauthenticated email. SMTP relaying is necessary when your server application or device is unable to authenticate to Office 365 and you need to send email programmatically to recipients that are off-campus and the list of recipients may not be known before the email is generated. Please note that unauthenticated relay services are not available to end user workstations or mail servers. If you are running a mail server that accepts mail submissions you should not use the campus relay service to also send mail. To submit a request, fill out the form below.
May 26, 2023: We are working an our transition to the Proofpoint Secure Email Relay (SER) service. The relaying options available to campus will change with SER. Due to uncertainties related to the future of the service we will not accept new relay requests for AWS IP addresses until further notice.
What is SMTP Relay?
An SMTP relay allows Campus users to programmatically send mail from their applications to their target users without having to run their own mail server. Commonly used for application servers that may generate high volumes of mail and are unable to authenticate to smtp.office365.com. Relay services can be used to send mail to both campus and non-campus mail addresses. This service is insulated from spammers by maintaining a table of IPs allowed to relay.
Office 365 customers may not need an SMTP relay in all cases. If you are a server or application administrator, please see the following guide to help determine what option is best for your needs: Microsoft 365 - Options for Individual and Programmatic Sending
Submitting a Request
To submit a request for a new SMTP relay fill out SMTP Relaying request form.
If you are the admin of record for a relay you can make changes to an existing relay IP here List Relays.
Please contact the DoIT Help Desk with any other questions regarding relay requests.
Once your IP is allowed to relay, you may use the following configuration to relay email.
- SMTP Server: smtp.wiscmail.wisc.edu
- SMTP Port: 25
- Id/Password: This is not used. Please leave blank.
- TLS/SSL: Enabled (where possible)
Important: You must enter a valid From address. This address can be a firstname.lastname@example.org or email@example.com account that is hosted within the UW-Madison Office 365 tenant.
Note on TLS/SSL support: Encrypted communication is required for sending mail to certain external domains (e.g. uwhealth.org). For the full list of domains that require TLS see: Microsoft 365 - Email Domains that Require TLS
What is the difference between relay.mail.wisc.edu and smtp.wiscmail.wisc.edu
We recommend using smtp.wiscmail.wisc.edu. We will be retiring use of relay.mail.wisc.edu in the future.
Use of relay.mail.wisc.edu requires that the IP address of the device sending email be included in the WiscMail Relay table even if you are only sending to UW Madison Office365 addresses. There is otherwise no difference between smtp.wiscmail.wisc.edu and relay.mail.wisc.edu.
Does SMTP Relay support encrypted connections?
The SMTP Relay service offers opportunistic TLS through support of the STARTTLS command which offers a way to upgrade a plain text connection to an encrypted connection. SMTP Relay also forces TLS communication to certain external domains. For the full list of domains that require TLS see: Microsoft 365 - Email Domains that Require TLS.
Is there a message size limit when using SMTP Relay?
Yes. See: Microsoft 365 - What are the limitations for message size, recipient number, and mailbox storage?
Can the relay service be used by off-campus infrastructure?
Unavailable until further notice
Yes (AWS only.) In order to ensure that UW-reserved EC2 ElasticIP addresses are not released and reassigned to a non-UW account, you need to set up an AWS IAM permission to allow the DoIT Email service to periodically read the IP address information about your AWS account. Fill out the SMTP Relaying request form to get started setting up SMTP relay integration with AWS EC2 ElasticIP addresses.
For more information about sending email from AWS see: AWS - Sending Email from EC2 or Lambda.
Can the relay service be used to bypass DMARC requirements?
In some cases it can, but it also further complicates matters. Since the relay service effectively bypasses domain-level authorization of use of email addresses, it would be covering up the forging problem that DMARC would otherwise solve. We need to ensure that the systems we allow to relay have some level of control over who is allowed to send as arbitrary email addresses. We recommend that you consult with us to ensure your messages are DMARC compliant.
How can I achieve DMARC compliance using a SaaS provider without relaying?
- Determine which domains the application will need to send as "From".
- Configure all outbound messages to use addresses within that domain. You don't need the addresses to actually exist within the domain, but it would be best practice if your users use a deliverable address (to catch bounces, etc. See also: this doc )
- Add the SaaS provider's outbound email IP addresses to the SPF record for the domain. We have a new feature in the Wisc Account Admin Site called "DMARC Info" which can help you stage changes to your domain's SPF record.
- Implementing SPF is adequate for DMARC compliance, but you should strive for implementing DKIM in the long term. Encourage your SaaS vendor to implement support for DKIM signing. Feel free to point your vendor at the following documents if they need an industry primer on how to implement DKIM.
AbuseAny abuse of this service will result in removal of relaying privileges for the offending IP address.
If you have any questions or would like to discuss relaying options, please contact firstname.lastname@example.org.