ISO Position Paper
Position Title: Automatic Email Forwarding
Position Audience: Princeton University Community
Contact: Information Security Office: [email protected]
Position Release Date: December 7, 2022
Problem Statement
OIT has received an increasing number of reports of email delivery failures when users have configured automatic forwarding of their messages to non-Princeton email accounts. Email is one of the most popular methods cybercriminals use to attack individuals and businesses. Major email providers, government institutions, universities, and others around the world are implementing stronger security standards to ensure that only legitimate email is delivered to their users. Email systems attempt to authenticate the sender’s email domain (e.g., princeton.edu, yahoo.com) and then check the reputation of that domain before deciding whether to deliver the message. Forwarding messages often causes this authentication to fail because the email system forwarding the message appears to be an untrusted sender. Authentication failure can then lead to the message being filtered as spam or rejected altogether.
Forwarding your email to an external personal account leaves University data more vulnerable to compromise because the University is unable to enforce security policies or monitor for suspicious activity on that account. This can lead to unintentional disclosure of University data.
ISO Position
To protect University data and provide reliable email services to the community, it is the position of the Information Security Office that University business be conducted only with Princeton-provided email accounts. Personal email accounts should not be used for University business, and Princeton email should not be automatically forwarded to personal accounts. Failure to follow this recommendation could result in University data being exposed and email messages being lost.
Data classification: Public