Emails sent by IRBManager

IRBManager sends all sorts of emails on your behalf, from xForm status updates to notifications of upcoming training expirations to continuing review reminders and more. 

Because of the nature of email, its ability to be spoofed, its (lack of) inherit security (although IRBManager does use encrypted transport when available), and the numerous anti-spam and anti-phishing techniques institutions put in place ensuring successful mail flow takes some work, and cooperation with IT at times. Emails originate on our servers, but depending on how you've configured IRBManager may appear to come "from" users with their institutional email addresses (e.g. sally@university.edu or joe@hospital.com). While IRBManager can be configured to spoof mail like this, we strongly recommend against mail spoofing. 

Recommended Settings

Do not spoof, really, don't!

Clients should no longer be spoofing email sends. Spoofing is the act of sending email from another user. For example, the research department may want emails might be sent "from" research@university.edu to their users. This sounds great, but in today's world of spam and email-based security attack vectors IT departments are very reluctant to accept mail from the outside (like IRBManager) that purports to come "from" an internal user. In many cases this mail is silently dropped w/out warning or notice.

Client-admins should uncheck the "Enable email spoofing" box in system values. When unchecked IRBManager will send emails from no-reply@<client>.my.irbmanager.com, but we will add a reply-to header of the original sender to replies should still go to the right place.

If necessary, white-list (but it shouldn't be necessary)

For institutions that still want to spoof, or in other rare cases, IT departments will likely have to pre-approve, or white-list, our sending IP addresses. The IP addresses we send mail from are the addresses that 'mailsender.irbmanager.com' resolves to in DNS. We will keep this list current when/if we change sending IPs. While it shouldn't be necessary to white-list at all, if you do white-list our IPs you should do so by specifying the domainname mailsender.irbmanager.com and not via specific IP as these IPs are subject to change.

Not Recommended (but supported)

If spoofing (please don't), include our SPF record in yours. We have published an SPF record which includes our sending IP addresses. This record has the DNS name "xxx.my.irbmanager.com" where xxx is your client id. If you are spoofing (why??) then you should also include our SPF record in your SPF record with an "include:xxx.my.irbmanager.com" where xxx is your client id. 

Solutions planned (DKIM)

We do not currently sign emails we send with DKIM. This is planned for an upcoming release, but is not currently available.