Email administration
The email capability is used for a variety of use cases, from sending notifications and 2FA emails to powering workflows that enable data uploads. To that end, the platform exposes configuration options in Control Panel for email infrastructure and email deliverability, so that an Organization has assurance that email is only sent to expected destinations.
The platform primarily uses email to notify existing users. Sending emails to email addresses that are not associated with a user is restricted to specific, narrow use cases that have no possibility of leaking data (for example, user onboarding).
Email data risks
Email relies on a protocol called Simple Mail Transfer Protocol (SMTP). With SMTP, email messages are sent in plaintext and transferred from the platform to an SMTP relay, and then through one or more intermediary servers before they are delivered to your organization's SMTP delivery host. Depending on how your organization has set up its mail configuration, there may be additional third parties that receive and process mail on your behalf (such as security scanning) before delivery.
To protect against emails being inspected in-transit by unauthorized parties, Palantir requires the use of Transport Layer Security (TLS), a cryptographic protocol for securing the confidentiality of email contents during transit. This ensures that any mail delivered from the platform to Palantir's SMTP relay is encrypted. Palantir's SMTP relay then tries to enforce TLS on any new connections outbound to other SMTP delivery hosts.
Unfortunately, most mail servers rely on opportunistic encryption, which falls back to unencrypted plaintext delivery when TLS cannot be negotiated. Depending on your network architecture, email delivery paths, mail servers, and other variables, this could lead to emails containing sensitive customer data being sent without network encryption. Additionally, even with TLS encryption, every hop in the mail delivery process grants that mail server's owner plaintext access to the contents of the email message, because TLS protects only the connection between two adjacent hops. This is especially important if your organizational risk tolerance does not allow your email service provider(s) to have access to sensitive message contents.
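The difference between opportunistic and enforced TLS comes down to what a sending hop does when the receiving server's EHLO reply does not advertise STARTTLS. The following is an added example (not platform code, and not a description of how Palantir's relay is implemented) that parses an EHLO reply, applies either policy, and then shows a sender built on Python's standard `smtplib` that fails closed instead of falling back to plaintext. The two EHLO replies are constructed sample data; `mail.example.test` is a placeholder host.

```python
"""Opportunistic vs. enforced STARTTLS on a single SMTP hop (added example)."""
import smtplib
import ssl
from enum import Enum


class TlsPolicy(Enum):
    OPPORTUNISTIC = "opportunistic"  # use TLS if the peer offers it, otherwise send plaintext
    ENFORCE = "enforce"              # refuse to send unless the hop can be upgraded to TLS


# Constructed EHLO replies, as a server would return them to the sending client.
EHLO_WITH_STARTTLS = (
    b"250-mail.example.test Hello\r\n"
    b"250-SIZE 10240000\r\n"
    b"250-STARTTLS\r\n"
    b"250 8BITMIME"
)
# Same server, but the STARTTLS line is missing (misconfiguration, or an on-path
# device that removed it). An opportunistic sender cannot tell the two apart.
EHLO_WITHOUT_STARTTLS = (
    b"250-mail.example.test Hello\r\n"
    b"250-SIZE 10240000\r\n"
    b"250 8BITMIME"
)


def parse_ehlo_extensions(ehlo_reply: bytes) -> set[str]:
    """Return the set of extension keywords advertised in a multi-line 250 EHLO reply.

    Every line after the first is '250-KEYWORD [params]' or '250 KEYWORD [params]';
    the first line carries the server's domain and greeting, not an extension.
    """
    extensions: set[str] = set()
    lines = ehlo_reply.decode("ascii", errors="replace").splitlines()
    for line in lines[1:]:
        body = line[4:].split()  # drop the '250-' / '250 ' prefix
        if body:
            extensions.add(body[0].upper())
    return extensions


def decide_transport(extensions: set[str], policy: TlsPolicy) -> str:
    """Return 'tls', 'plaintext' or 'abort' for this hop under the given policy."""
    if "STARTTLS" in extensions:
        return "tls"
    # No STARTTLS offered: opportunistic senders downgrade, enforcing senders stop.
    return "plaintext" if policy is TlsPolicy.OPPORTUNISTIC else "abort"


def send_enforcing_tls(host: str, port: int, sender: str, recipient: str,
                       message: str, timeout: float = 10.0) -> None:
    """Send one message, refusing to proceed if the hop cannot be upgraded to TLS.

    Uses a default SSL context, so the peer's certificate and hostname are verified;
    a self-signed or mismatched certificate raises instead of silently degrading.
    """
    context = ssl.create_default_context()
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.ehlo()
        if not smtp.has_extn("starttls"):
            raise RuntimeError(f"{host}:{port} does not offer STARTTLS; refusing plaintext delivery")
        smtp.starttls(context=context)
        smtp.ehlo()  # re-issue EHLO after the upgrade, as RFC 3207 requires
        smtp.sendmail(sender, [recipient], message)


if __name__ == "__main__":
    for reply in (EHLO_WITH_STARTTLS, EHLO_WITHOUT_STARTTLS):
        exts = parse_ehlo_extensions(reply)
        for policy in TlsPolicy:
            print(f"{sorted(exts)} under {policy.value}: {decide_transport(exts, policy)}")
```

Note that only the first hop is under the sender's control: `send_enforcing_tls` guarantees encryption from the platform to its relay, but each subsequent relay makes its own opportunistic-or-enforced decision, and every relay still sees the message in plaintext.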
Lastly, once an email message containing sensitive information has left the Foundry platform, it relies on controls in the mail server of the recipient. Depending on how the mail server has been configured, these messages could potentially be forwarded, downloaded, sent externally, or inappropriately shared outside of the platform. Strong platform security primitives and protection such as mandatory access controls or markings do not apply once data leaves the platform.
To retain strong access controls, we generally recommend that sensitive data is shared within the platform rather than being shared by email.
Email deliverability
Email is inherently opportunistic, meaning it can be blocked by the platform, by any of the mail servers in the email delivery path, or by the recipient's firewall, or it can be classified as spam or deleted based on email rules in the recipient's inbox. We recommend that critical workflows depend on mechanisms with better deliverability guarantees, such as webhooks or push notifications.
Several factors can impact email deliverability, including but not limited to:
- The recipient does not have an email address associated with their Foundry user.
- The recipient is not on your organization's allowlist.
- The recipient is on your organization's suppression list.
- The configured email provider is currently experiencing an outage.
- The recipient's email server is unavailable or has otherwise refused to accept the email.
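The first four factors above can be evaluated before a message is handed to the provider, which makes a pre-send check a useful place to surface the reason a notification never arrived. The following is an added example of such a check, not the platform's own logic: the matching rules (case-insensitive comparison, subdomains of an allowlisted domain treated as allowed) are assumptions of this example, and the addresses, domains and lists are constructed sample data. The fifth factor, the recipient's server refusing the message, can only be observed at delivery time and is therefore out of scope for a pre-send check.

```python
"""Pre-send deliverability check for the factors that are knowable before sending (added example)."""
from dataclasses import dataclass

# Reason codes returned by the check; a message is sendable only if none apply.
NO_USER = "NO_USER"                  # no platform user has this address
NOT_ALLOWLISTED = "NOT_ALLOWLISTED"  # recipient domain is not on the organization's allowlist
SUPPRESSED = "SUPPRESSED"            # recipient is on the suppression list
PROVIDER_OUTAGE = "PROVIDER_OUTAGE"  # configured email provider is currently unavailable


@dataclass(frozen=True)
class SendContext:
    user_addresses: frozenset[str]     # addresses associated with platform users
    allowlist_domains: frozenset[str]  # empty set means no allowlist is configured (assumption)
    suppression_list: frozenset[str]   # addresses that previously bounced or complained
    provider_healthy: bool


def normalize_address(address: str) -> str:
    """Lower-case and trim an address so lookups are case-insensitive.

    The domain part is case-insensitive by standard; treating the local part the
    same way is an assumption that matches how most providers behave.
    """
    return address.strip().lower()


def domain_of(address: str) -> str:
    """Return the domain after the last '@', or '' for a malformed address."""
    _, sep, domain = address.rpartition("@")
    return domain if sep else ""


def domain_allowed(domain: str, allowlist: frozenset[str]) -> bool:
    """Exact match, or a subdomain of an allowlisted domain (assumed rule)."""
    if not allowlist:
        return True
    return any(domain == allowed or domain.endswith("." + allowed) for allowed in allowlist)


def deliverability_blockers(recipient: str, ctx: SendContext) -> list[str]:
    """Return every reason code that would stop this message; empty means sendable."""
    addr = normalize_address(recipient)
    blockers: list[str] = []
    if addr not in ctx.user_addresses:
        blockers.append(NO_USER)
    if not domain_allowed(domain_of(addr), ctx.allowlist_domains):
        blockers.append(NOT_ALLOWLISTED)
    if addr in ctx.suppression_list:
        blockers.append(SUPPRESSED)
    if not ctx.provider_healthy:
        blockers.append(PROVIDER_OUTAGE)
    return blockers


# Constructed sample context for a fictional organization.
SAMPLE_CONTEXT = SendContext(
    user_addresses=frozenset({"alice@example.test", "carol@eu.example.test", "dave@example.test"}),
    allowlist_domains=frozenset({"example.test"}),
    suppression_list=frozenset({"dave@example.test"}),
    provider_healthy=True,
)

if __name__ == "__main__":
    for who in ("Alice@Example.TEST", "carol@eu.example.test", "dave@example.test", "bob@partner.test"):
        print(f"{who:28s} -> {deliverability_blockers(who, SAMPLE_CONTEXT) or ['OK']}")
```

Returning a list of codes rather than a single boolean matters in practice: a recipient can be both unassociated with any user and off the allowlist, and an operator troubleshooting a missing notification wants to see every reason at once.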
Email provider
By default, the platform uses Amazon Simple Email Service (AWS SES) to send email.
Allowlisting
Learn more about how to control where email can be sent.
Content redaction
Learn more about how to redact the contents of emails.
Suppression management
Learn more about how to understand why emails may have failed to send.