ministryofjustice / security-guidance

Security guidance from the MOJ Digital & Technology Cybersecurity team
https://ministryofjustice.github.io/security-guidance/

Request review of updated bulk emailing guidance #354

Open warmanaMOJ opened 2 years ago

warmanaMOJ commented 2 years ago

Hello @L-Crosby

Please may I request review comments for new guidance on bulk email tools. A preview of the new section may be seen here.

Many thanks.

L-Crosby commented 2 years ago

Approved.

L-Crosby commented 2 years ago

One comment would be that I was interested in this commentary:

It has been suggested that it could be possible to use MailChimp without these issues if it were set up to be on a subdomain of justice.gov.uk and the SPF/DMARC/DKIM controls were correctly configured. However, this is non-trivial and would require significant technical work to achieve, hence the preference to use GOV.UK Notify.

I am in two minds as to whether discussion like this is suitable for guidance. I am happy to approve but I want to think about it. @cybersquirrel do you have a view?

DLEEMOJ commented 2 years ago

@cybersquirrel just chasing a response for the above comment please?

cybersquirrel commented 2 years ago

Hi @DLEEMOJ - I concur with @L-Crosby, this feels very pointy about a particular tool. I suggest that for this guidance we should be saying something like: a) only use tools that send as a ...gov.uk-based email, and b) have been properly set up with SPF and DKIM records to enable authentic sending, and c) that means either to use GOV.UK Notify, or to speak to Justice Digital to get another tool properly configured before using it.
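Both the quoted guidance (a sending subdomain with SPF/DMARC/DKIM correctly configured) and point (b) above come down to a concrete check on published DNS records. The following is an added example written for this thread, not code from the MOJ guidance or the repository: it runs the SPF, DKIM and DMARC checks a reviewer would want before a third-party bulk sender is allowed to use a subdomain. The subdomain `bulk.example.gov.uk`, the DKIM selector `vendor`, the vendor SPF include `_spf.bulk-sender.example` and the TXT records themselves are all constructed for the example; a real run would fetch the records with a resolver instead.

```python
"""SPF / DKIM / DMARC readiness check for a bulk-email sending subdomain.

Added example for the thread above, not MOJ guidance code. All names and
DNS answers below are constructed; they stand in for a live resolver.
"""

# Hypothetical subdomain, organisational domain, selector and vendor include.
DOMAIN = "bulk.example.gov.uk"
ORG_DOMAIN = "example.gov.uk"
SELECTOR = "vendor"
VENDOR_INCLUDE = "_spf.bulk-sender.example"

# Constructed TXT snapshot for a correctly configured subdomain.
CONFIGURED = {
    "bulk.example.gov.uk": ["v=spf1 include:_spf.bulk-sender.example -all"],
    "vendor._domainkey.bulk.example.gov.uk": ["v=DKIM1; k=rsa; p=EXAMPLEPUBLICKEYBASE64"],
    "_dmarc.bulk.example.gov.uk": ["v=DMARC1; p=reject; rua=mailto:dmarc-rua@example.gov.uk"],
}

# Constructed snapshot before anyone set the subdomain up: only the parent's
# records exist, and the parent's sp=none leaves subdomains unprotected.
UNCONFIGURED = {
    "example.gov.uk": ["v=spf1 include:_spf.corp.example -all"],
    "_dmarc.example.gov.uk": ["v=DMARC1; p=quarantine; sp=none"],
}


def _txt(records, name, prefix):
    """Return the single TXT record at `name` starting with `prefix`, or None.
    Two such records is itself an error: SPF and DMARC both treat it as permerror."""
    hits = [r for r in records.get(name, []) if r.lower().startswith(prefix)]
    if len(hits) > 1:
        raise ValueError(f"{name}: {len(hits)} records start with {prefix!r}")
    return hits[0] if hits else None


def _tags(record):
    """Parse the 'k=v; k=v' tag syntax shared by DKIM and DMARC records."""
    out = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            out[key.strip().lower()] = value.strip()
    return out


def _needs_lookup(term):
    """True for SPF terms that cost a DNS query (RFC 7208 allows at most 10)."""
    t = term.lstrip("+-~?").lower()
    return t in ("a", "mx", "ptr") or t.startswith(
        ("a:", "a/", "mx:", "mx/", "ptr:", "include:", "exists:", "redirect="))


def check_spf(records, domain, vendor_include):
    spf = _txt(records, domain, "v=spf1")
    if spf is None:
        return ["no SPF record on the sending domain"]
    terms = spf.split()[1:]
    problems = []
    if f"include:{vendor_include}" not in terms:
        problems.append(f"SPF does not authorise the bulk sender via include:{vendor_include}")
    if not terms or terms[-1] not in ("-all", "~all"):
        problems.append("SPF does not end in -all or ~all, so unauthorised senders are not failed")
    if sum(map(_needs_lookup, terms)) > 10:
        problems.append("SPF needs more than 10 DNS lookups and will evaluate to permerror")
    return problems


def check_dkim(records, domain, selector):
    rec = _txt(records, f"{selector}._domainkey.{domain}", "v=dkim1")
    if rec is None:
        return [f"no DKIM public key published at selector {selector!r}"]
    tags, problems = _tags(rec), []
    if not tags.get("p"):
        problems.append("DKIM record has an empty p= tag, which means the key is revoked")
    if "y" in tags.get("t", ""):
        problems.append("DKIM key is flagged t=y (testing), so verifiers may ignore failures")
    return problems


def check_dmarc(records, domain, org_domain):
    rec, source = _txt(records, f"_dmarc.{domain}", "v=dmarc1"), domain
    if rec is None:
        # No record on the subdomain: the organisational domain's sp= applies
        # (falling back to its p= when sp= is absent).
        rec, source = _txt(records, f"_dmarc.{org_domain}", "v=dmarc1"), org_domain
        if rec is None:
            return ["no DMARC record on the subdomain or its organisational domain"]
    tags = _tags(rec)
    policy = tags.get("p", "none") if source == domain else tags.get("sp", tags.get("p", "none"))
    if policy not in ("quarantine", "reject"):
        return [f"effective DMARC policy is p={policy} (from {source}); spoofed mail would be delivered"]
    return []


def assess(records, domain=DOMAIN, org_domain=ORG_DOMAIN, selector=SELECTOR,
           vendor_include=VENDOR_INCLUDE):
    """Run all three checks; an empty list under every key means ready to send."""
    return {"spf": check_spf(records, domain, vendor_include),
            "dkim": check_dkim(records, domain, selector),
            "dmarc": check_dmarc(records, domain, org_domain)}


def is_ready(records, **kw):
    return not any(assess(records, **kw).values())


if __name__ == "__main__":
    for label, snapshot in (("configured", CONFIGURED), ("unconfigured", UNCONFIGURED)):
        print(label, "ready" if is_ready(snapshot) else "NOT ready")
        for area, problems in assess(snapshot).items():
            for problem in problems:
                print(f"  {area}: {problem}")
```

The DMARC fallback matters for the subdomain approach discussed above: a subdomain with no `_dmarc` record of its own inherits the organisational domain's `sp=` policy, so a parent set to `sp=none` leaves the bulk subdomain spoofable even when the parent itself is at `p=reject`. The DKIM check only confirms a key is published at the selector the vendor signs with; whether the vendor actually signs with it is verified on received mail, not from DNS.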