Whitelisting - My Emma

  • 0
  • 1
  • Question
  • Updated 1 year ago
  • Answered
Archived and Closed

This conversation is no longer open for comments or replies and is no longer visible to community members. The community moderator provided the following reason for archiving: EOL CLEANUP

Hi there. Trying to setup whitelisting, but our IT department is concerned with the degree we are opening up our servers to. See note below. 


Are you able to provide the specific mail server addresses as requested by IT below?


*Sending domain: e2ma.net

*IP Range: 128.136.37.0/24 (128.136.37.1 to 128.136.37.255)
*IP Range: 66.179.147.160/27

*IP Range: 66.179.102.0/25

*IP Range: 66.179.68.0/26

"I can whitelist the Emma servers in our spam system, I can’t however whitelist this for Junk/Clutter in outlook.  I can’t add those IP ranges below as the subnets mask is a /24 and that is way too many IP Address to whitelist.  I highly doubt this company has 254 e-mail servers that send e-mail in that one range.  Whitelisting IP Addresses opens the system up for spammers to spoof IP Addresses and that allows spam/viruses to get into the system bypassing all scanning and protection rules.  I need the specific mail server addresses.  If they can’t supply those then I can whitelist by domain and see how that works out."

Please help, as we've had a number of issues with the receipt of test emails internally, 


Sam


Photo of Sam Zivot

Sam Zivot

  • 12 Posts
  • 0 Reply Likes

Posted 3 years ago

  • 0
  • 1
Photo of Anthony Miranda

Anthony Miranda, Customer Support Specialist

  • 135 Posts
  • 16 Reply Likes
Official Response
Hi Sam,

Whitelisting the e2ma.net domain would be the best thing to try at this stage. I understand the concern with opening up that range of IP addresses. The reason we offer the CIDR ranges is for if/when we expand our range or add a new data-center.

Keep me posted on how that works out!
Photo of Ben Rollman

Ben Rollman

  • 1 Post
  • 0 Reply Likes
Is that second one an actual range/port or just a single IP?  We're trying to put ranges into our ESA for spoof filters and the employee/team using this gave me this information.  I just want to make sure we don't need the full range of 66.179.147.0-255 or if it's just 66.179.147.160
Photo of Anthony Miranda

Anthony Miranda, Customer Support Specialist

  • 135 Posts
  • 16 Reply Likes
I checked in with some of my team to get specifics on this for you, and found that the you would need a range of IPs but not that entire range. For email sends, you'll want to whitelist 66.179.147.170-186.

That should get you rolling! Let me know if you have any other questions.
Photo of David Lipschutz

David Lipschutz

  • 5 Posts
  • 0 Reply Likes
Is there an update to this info.    I also want to narrow down 128.136.37.0/24 and need to know how to format "66.179.147.170-186" as  66.179.147.170/?? 
Photo of Grey Stepp

Grey Stepp, Support Team Manager

  • 1700 Posts
  • 135 Reply Likes
Hi David, I checked in with my Deliverability team and they said this:

The IP block 66.179.147.170-186 can be written as 66.179.147.160/27. We recommend that you don't narrow down any block of IPs because the IPs that emails are sent from could be changed in the future. This is why we recommend whitelisting all of the following blocks of IPs:

IP Range: 128.136.37.0/24

IP Range: 66.179.147.160/27

IP Range: 66.179.102.0/25

IP Range: 66.179.68.0/26

If you aren't able to whitelist all of these IPs, and alternative would be to whitelist the domain e2ma.net


Let me know if I can help with anything else!

- G
Photo of Shawn Miller

Shawn Miller

  • 5 Posts
  • 0 Reply Likes
This new 139 IP range is even bigger than the others. Is there a reason why we can't get a more narrow range? That's a security risk that our organization just isn't willing to take.
Photo of City of Arvada

City of Arvada

  • 2 Posts
  • 0 Reply Likes
Agree with Shawn. I checked in with our IT crew and they are not willing to open up that large of range either. 
Photo of David Lipschutz

David Lipschutz

  • 5 Posts
  • 0 Reply Likes
I'm also struggling with this.  My vendor says.
"It should be possible to have a smaller/narrower range. If your vendor is unable to provide you one, then please ask them for a list or set of IP addresses (in standard format, not CIDR) that they use or intend to use from the CIDR range they previously provided. From the indicated IP addresses, we can then derive a new CIDR range or two which would be narrower and could be input into Office 365 for creating a connector."
Photo of Grey Stepp

Grey Stepp, Support Team Manager

  • 1700 Posts
  • 135 Reply Likes
Hey there Shawn and David, 

I checked in with my systems teams to be sure about this, and I have a little info that may help with this.  

This new IP range is one that Emma owns exclusively and we will slowly be moving all of our sending to that new range.  Eventually we will stop sending on the original ranges and ONLY send via this new one.  We’re making the transition a gradual shift in order to maintain our good sending reputation across all of them, and we’ll re-communicate in advance of stopping sending from the old ranges.

So, temporarily, while we're ramping up these new IPs, you'll need to have them all, and we'll be making announcements at a later date for when we are going to stop sending through the old ranges.  

Hopefully that helps!  
Photo of Shawn Miller

Shawn Miller

  • 5 Posts
  • 0 Reply Likes
That's the info I was told when I called in. Thanks for confirming. But that doesn't really solve our problem. From a security perspective, regardless of whether you own the range or not, having over 1000 open is unacceptable to our IT Security team and I guess many other organizations dealing with secure data. When can that range be minimized to a more reasonable number?
Photo of Grey Stepp

Grey Stepp, Support Team Manager

  • 1700 Posts
  • 135 Reply Likes
I'll certainly be updating here as soon as we get confirmation that we stop using any of the older IPs.   We will be warming up the new sending IPs for a while, and we need to be deliberate and slow about that so we can build up that sending reputation.  

One option we've pitched to folks if you aren't able to whitelist all of these IPs would be to whitelist the domain e2ma.net .  
Photo of David Lipschutz

David Lipschutz

  • 5 Posts
  • 0 Reply Likes
Grey.....   Zach told me I could use these
139.60.0.0/24, 139.60.1.0/24, 139.60.2.0/24, 139.60.3.0/24
Instead of  139.60.0.0/22
And that works for me.
Please let us know when we can lose the old ranges.
Photo of Marc Powell

Marc Powell, Official Rep

  • 6 Posts
  • 0 Reply Likes
Some further information. Emma sends email from several datacenters for redundancy and other reasons. Currently, we lease IP space from those data center providers. We have obtained this new IP range that we own ourselves and will be transitioning all datacenters to use these new IP ranges so that if we ever need to change data center providers, we will not lose the sending reputation that we have built up for the IPs that we send from. We have asked customers to whitelist the entire /22 range so that in the future, as we continue down that migration path, we won't have to ask customers to repeat this work for the newly used IP ranges.

For a bit more granularity, the first datacenter that we will be migrating will be using the 139.60.0.0/24 IP range. Later in the year, we will be migrating our second sending datacenter to the 139.60.1.0/24 IP range. Both of these data centers are sending mail for all customers for high availability reasons and to maintain good sending reputation for all customers on each IP range. In the event that there is a problem sending from one datacenter, we will be able to shift mail sending to the remaining datacenter and mail will continue to flow as expected, without any kind of reputation hit that would affect inbox placement.

We are unable to get more specific than those /24's as the actual IPs your mail will use may vary based on a number of dynamic factors.

The other IP ranges will come into use as we bring further datacenters online or have other needs. 

Thank you for the work related to this request. Now that we have our own address space, colocation vendor changes should not require any further whitelisting requests for quite some time.
(Edited)
Photo of David Lipschutz

David Lipschutz

  • 5 Posts
  • 0 Reply Likes
Thanks.... I can't do /22,
"IP addresses must be specified in the format nnn.nnn.nnn.nnn where nnn is a number from 0 to 255. You can also specify Classless Inter-Domain Routing (CIDR) ranges in the format nnn.nnn.nnn.nnn/rr where rr is a number from 24 to 32."
Photo of Marc Powell

Marc Powell, Official Rep

  • 6 Posts
  • 0 Reply Likes
Understood. If you wanted to whitelist the entire /22, you could break it out into these 4 ranges - 139.60.0.0/24, 139.60.1.0/24, 139.60.2.0/24, 139.60.3.0/24
Photo of David Lipschutz

David Lipschutz

  • 5 Posts
  • 0 Reply Likes
That's what Zach suggested.