Online Express emails and email security (the pesky "From:" field and spoofing)
Has anyone figured out a workaround for sending emails through Online Express that share the same email domain in the "From: " field with the recipient of the email without the email being blocked as a "spoofing" attempt? So, for example, in Online Express the "From: " field has "test@sample.org" as the "from" email address and you are sending an email to someone that has an email address within the organization with the "@sample.org" domain. The intention of the Online Express "From: " field is to make the email appear as if it's coming from someone specific, but the email is actually being sent using Blackbaud's email server at their Boston Data Center.
Best practice for email security within many organizations is that emails that share the same domain, but are not actually being sent from within the organization are deemed as "spoofed" emails and therefore blocked. I am having issues with Online Express and sending emails to email addresses within our organization when using an email address in the "From: " field that has the same domain.
I contacted Blackbaud and the solution/suggestion was to modify our SPF (Sender Policy Framework) and whitelist the Blackbaud Boston Data Center IP addresses. The issue is that best practice calls for not allowing 3rd party IP addresses to spoof an email address, especially since these 3rd party services could be compromised and expose the organization to elevated risk.
Any suggestions? Services like Constant Contact and MailChimp allow for emails to be sent "On behalf of", rather than a straight up "From: " field.
I believe there really is no other solution than what you have already described. Our IT had to add the IP addresses to our Whitelist in order for it to work for us. That being said, we had a similar problem receiving emails from MailChimp until our IT also added their IP addresses to our Whitelist. Any time your organization (quite properly) keeps uber-security, you run into hitches once in a while.
Thank you for your response Faith.
FYI, I indeed confirmed with Blackbaud support that there is no other way around this spoofing issue as Online Express is currently without modifying the SPF/whitelisting the Blackbaud IP addresses. Unfortunately this makes Online Express virtually useless to us as an email marketing tool, which is unfortunate.
I'm very, very surprised that Blackbaud has not addressed this issue given the role that email solicitation and distribution plays in today's philanthropic landscape. Making specific exceptions to your organization's SPF/whitelisting specific IP addresses undermines your organization's email security and sets you up for trouble down the road. What if Blackbaud's email servers get hacked...or better yet, when they get hacked...now you've suddenly allowed Blackbaud to send nefarious emails to your organization and they are granted a free pass to your users' inboxes? I know that it is possible to provide email-based marketing services to various users (example: "on behalf of...") without having to make exceptions to the organization's SPF/whitelisting settings, and maintaining tight email security. Which begs the question of why this isn't possible in Online Express now? Very frustrating indeed! Hopefully this helps other folks out that are considering this product.
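Added example, not part of the thread and not Blackbaud's code: a small Python evaluator for the `ip4` and `all` mechanisms of an SPF record, showing what the SPF change discussed above does at the receiving gateway and how far the added trust extends. The IP ranges are constructed documentation addresses, and `gateway_verdict` is an assumed, simplified anti-spoofing rule keyed on the "From: " domain.

```python
import ipaddress

# Constructed sample data: RFC 5737 documentation ranges, not real
# sample.org or Blackbaud addresses.
ORG_RANGE = "192.0.2.0/24"        # the organisation's own outbound servers
VENDOR_RANGE = "198.51.100.0/24"  # hypothetical third-party sending range

SPF_STRICT = f"v=spf1 ip4:{ORG_RANGE} -all"
SPF_WITH_VENDOR = f"v=spf1 ip4:{ORG_RANGE} ip4:{VENDOR_RANGE} -all"

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def spf_check(record, client_ip):
    """Evaluate the ip4 and all mechanisms of an SPF record (RFC 7208 subset)."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in terms[1:]:
        qualifier = "+"                      # default qualifier is pass
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, value = term.partition(":")
        if name.lower() == "all":
            return QUALIFIERS[qualifier]
        if name.lower() == "ip4" and ip in ipaddress.ip_network(value, strict=False):
            return QUALIFIERS[qualifier]
    return "neutral"                         # no mechanism matched

def gateway_verdict(from_header, client_ip, internal_domain, spf_record):
    """Assumed gateway policy: external mail whose From: uses our own domain
    is delivered only if the connecting IP passes our SPF record."""
    domain = from_header.rsplit("@", 1)[-1].strip("> ").lower()
    if domain != internal_domain:
        return "deliver"                     # rule only covers our own domain
    return "deliver" if spf_check(spf_record, client_ip) == "pass" else "block"

if __name__ == "__main__":
    vendor_mailer = "198.51.100.25"          # constructed vendor mail server
    other_vendor_host = "198.51.100.200"     # any other host in the same range
    for label, record in (("strict", SPF_STRICT), ("with vendor", SPF_WITH_VENDOR)):
        for ip in (vendor_mailer, other_vendor_host):
            verdict = gateway_verdict("test@sample.org", ip, "sample.org", record)
            print(f"{label:12} {ip:16} spf={spf_check(record, ip):5} -> {verdict}")
```

With the vendor range authorised, every host in that range passes for the organisation's domain, not only the one mail server in use, which is the exposure the last reply describes.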