I’d post a notice on your website and social media pages, wait 1-2 weeks, and just do it. Most ISPs did this many years ago; it’s hard to believe you still have it open and that any significant number of customers are doing mail that way.
The only customers who should need that are business customers with their own mailserver on premise rather than in the cloud. You could snailmail a notice to your business customers, assuming that’s a small subset of your total customers, and also that postal mail will work with them.

I’m not sure I’d impose an SPF requirement. If a business customer says they have an onsite mailserver, they can opt out of port 25 blocking; how they configure their mailserver and DNS is up to them unless there is an incident. All of our business customers (by which I mean they are on a commercial plan) have a static IP address, so they are easy to track down. If someone wants port 25 unblocked on a residential account, sorry, not available on the plan you’re on.

From: Af [mailto:af-boun...@afmug.com] On Behalf Of That One Guy /sarcasm
Sent: Friday, October 14, 2016 12:21 PM
To: firstname.lastname@example.org
Subject: Re: [AFMUG] communicating with customers without untraining them

That's what I did. It's the communication with them that's in question. If we initiate it in any way, we pretty much untrain them no matter what.

On Fri, Oct 14, 2016 at 12:18 PM, Cassidy B. Larson <c...@infowest.com> wrote:

Can’t you watch for outbound netflow data for remote port 25’s from your customers you’re going to drop port 25 on? Then proactively call/email them saying it’s going away. Or if you want to keep up with the antiphishing then tell them to contact you back at the known good number/email they have for you or is published on your website.

On Oct 14, 2016, at 11:13 AM, That One Guy /sarcasm <thatoneguyst...@gmail.com> wrote:

I think this has been discussed in the past. As part of our overall security implementation we will be dropping outbound port 25 for non business customers and business customers who don't have an email server on record with an appropriately configured SPF record.

I know which customers haven't gotten with the times. The problem is how best to communicate with them. I am thinking it's best to just drop it for a few hours at a time to drive support calls from those who notice it during that window periodically until we implement it permanently to limit a flood of support calls all at once. And maybe a notice on our website of what is going on.

The issue I have is if we reach out in any way, directly, we circumvent all the antiphishing propaganda. If we email, then spoofed emails are trusted, if we email with a link, then they start trusting spoofed emails with links, same with our telephone number. If we reach out directly via telephone, well then they start paying IRS fines to John from India.

Anybody else implemented this and handled it responsibly?

--
If you only see yourself as part of the team but you don't see your team as part of yourself you have already failed as part of the team.
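
The netflow check suggested in the thread above, sketched as an added example that is not part of the original messages: it lists residential customer addresses still sending to remote TCP port 25, so a notice can be targeted before the block goes in. The CSV column layout, the address ranges, and the exemption for the ISP's own relay are all assumptions, and the flow records are constructed sample data.

```python
import csv
import io
import ipaddress
from collections import defaultdict

# Assumptions (not from the thread): flows are exported to CSV with these
# columns, and the ranges below are documentation placeholder addresses.
RESIDENTIAL_POOLS = [ipaddress.ip_network("198.51.100.0/24")]
OWN_MAIL_RELAYS = {ipaddress.ip_address("192.0.2.25")}  # assumed ISP relay

# Constructed sample export, not real traffic.
SAMPLE_FLOWS = """src_ip,dst_ip,dst_port,proto,packets
198.51.100.10,203.0.113.5,25,tcp,42
198.51.100.10,203.0.113.9,25,tcp,17
198.51.100.10,203.0.113.5,25,tcp,8
198.51.100.11,192.0.2.25,25,tcp,30
198.51.100.12,203.0.113.5,587,tcp,12
198.51.100.13,203.0.113.7,25,udp,1
203.0.113.50,203.0.113.5,25,tcp,99
198.51.100.14,203.0.113.7,25,tcp,3
not-an-ip,203.0.113.7,25,tcp,3
"""

def port25_senders(flow_csv):
    """Map each residential source IP with outbound TCP/25 traffic (other than
    to our own relay) to its flow count and the remote servers it contacted."""
    hits = defaultdict(lambda: {"flows": 0, "remotes": set()})
    for row in csv.DictReader(io.StringIO(flow_csv)):
        try:
            src = ipaddress.ip_address(row["src_ip"])
            dst = ipaddress.ip_address(row["dst_ip"])
            port = int(row["dst_port"])
        except (ValueError, KeyError, TypeError):
            continue  # skip malformed export lines instead of aborting
        if port != 25 or (row.get("proto") or "").lower() != "tcp":
            continue  # only SMTP over TCP is affected by the block
        if dst in OWN_MAIL_RELAYS:
            continue  # assumed: mail through the ISP's relay is not blocked
        if not any(src in net for net in RESIDENTIAL_POOLS):
            continue  # static business ranges are tracked separately
        hits[src]["flows"] += 1
        hits[src]["remotes"].add(dst)
    return {str(ip): {"flows": h["flows"],
                      "remotes": sorted(str(r) for r in h["remotes"])}
            for ip, h in sorted(hits.items())}

if __name__ == "__main__":
    for ip, info in port25_senders(SAMPLE_FLOWS).items():
        print(ip, info["flows"], "flows ->", ", ".join(info["remotes"]))
```

Running the same report again after each temporary block window shows which addresses have stopped sending and which still need a notice.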