Email Forwarding

SUNY Fredonia has disabled auto‑forwarding from fredonia.edu to non-fredonia.edu email accounts for a mix of security, privacy, and compliance reasons.

1. FERPA Compliance (Student Privacy Law)

Auto‑forwarding can inadvertently send FERPA‑protected student information—grades, advising notes, misconduct records, accommodations, etc.—to personal email accounts that the university cannot secure or audit.
If data leaves the institutional system, the university can be considered non‑compliant, even if the user didn’t intend harm.

2. Data Security & Breach Risk

Personal email accounts (Gmail, Yahoo, etc.) lack:

  • Multi‑factor authentication enforcement

  • Enterprise threat protection

  • Data loss prevention (DLP) controls

  • Logging and auditing for incidents

This means a breach of a personal account could expose university data, and the institution would still be responsible for reporting and mitigation.

3. Protection Against Phishing & Account Takeover

Attackers who compromise a personal account could:

  • Read forwarded university email

  • Trigger password resets

  • Pivot into university systems via forwarded verification messages

Blocking auto‑forwarding helps limit the blast radius of an account compromise.

4. Preventing Uncontrolled Data Exfiltration

Auto‑forwarding is a common method attackers use to silently exfiltrate data from compromised inboxes.
By blocking it, universities:

  • Reduce insider‑risk exposure

  • Prevent long‑term unnoticed data leaks

  • Ensure sensitive communications stay within protected systems

5. Records Retention & eDiscovery Requirements

Universities must comply with:

  • State records laws

  • Litigation holds

  • FOIL/FOIA requests

  • Institutional retention schedules

When email leaves the institution’s system, it becomes:

  • Unsearchable

  • Unrecoverable

  • Unretained

  • Outside legal control

This creates institutional risk during audits, investigations, and legal proceedings.

6. Consistency & Supportability

Supporting every user’s personal email provider is:

  • Operationally impossible

  • Inconsistent with a unified Microsoft 365 environment

  • Misaligned with IT governance and support expectations

Keeping official communication inside M365 ensures consistent delivery, security, and user support.

Summary

Disabling auto‑forwarding isn’t about restricting convenience—it’s about protecting the university and its community.
It helps ensure:

  • FERPA compliance

  • Data security

  • Reduced breach risk

  • Proper records retention

  • Protection from phishing and exfiltration attacks