REPORT/RECOMMENDATION TO THE BOARD OF SUPERVISORS
OF SAN BERNARDINO COUNTY
AND RECORD OF ACTION
December 17, 2024
FROM
LYNN FYHRLUND, Chief Information Officer, Innovation and Technology Department
SUBJECT
Title
Non-financial Domain-Based Message Authentication, Reporting, and Conformance Monitor Service Agreement with Valimail Inc., for Email Authentication Services
End
RECOMMENDATION(S)
Recommendation
1. Approve non-financial Domain-based Message Authentication, Reporting, and Conformance Monitor Service Agreement, including non-standard terms, with Valimail Inc., for email authentication services beginning upon acceptance and continuing until terminated by either party.
2. Authorize the Chief Information Officer, Assistant Chief Information Officer, or IT Division Chief to electronically accept the agreement in Recommendation No. 1, and future updates to the terms, subject to review by County Counsel, provided that such updated terms do not substantively modify the terms of the agreement in Recommendation No. 1.
3. Direct the Chief Information Officer, Assistant Chief Information Officer, or IT Division Chief to transmit printed copies of any updated terms to the agreement in Recommendation No. 1, that are electronically accepted, to the Clerk of the Board of Supervisors within 30 days of acceptance.
(Presenter: Lynn Fyhrlund, Chief Information Officer, 388-5501)
Body
COUNTY AND CHIEF EXECUTIVE OFFICER GOALS & OBJECTIVES
Operate in a Fiscally-Responsible and Business-Like Manner.
FINANCIAL IMPACT
Approval of this item will not result in the use of Discretionary General Funding (Net County Cost). Domain-based Message Authentication, Reporting, and Conformance Monitor (DMARC) Service Agreement (Agreement) with Valimail Inc. (Valimail), for email authentication services, does not commit the County to make any purchases. If future purchases are made under the Agreement, the Innovation and Technology Department (ITD) will adhere to County purchasing policies and return to the Board of Supervisors for approval, if necessary.
BACKGROUND INFORMATION
ITD manages the County’s enterprise Microsoft Exchange environment, which provides secure access to emails and calendars, including DMARC services. DMARC is an email authentication protocol that verifies the authorized use of a domain and allows action to be taken if unauthorized use is detected. Further, DMARC helps fine-tune email authentication policies to permit only trusted senders, helping to safeguard against phishing attacks and email deception. DMARC enforcement policies allow domain owners to specify whether unauthorized emails should be rejected or moved to a spam folder. Valimail simplifies DMARC enforcement by blocking unauthorized senders and ensuring emails meet compliance requirements. Additionally, Valimail helps organizations achieve and maintain DMARC enforcement and offers comprehensive inbound and outbound email protection against phishing attacks.
The Agreement is Valimail’s standard commercial agreement, which includes terms that differ or are omitted from the standard County contract. While the parties negotiated certain contract terms to County standards, Valimail would not agree to all County standard terms. The non-standard and missing terms include the following:
1. Valimail may change the Agreement terms without notice at any time.
• County Policy 11-06 requires that any changes to the contract to be reduced to writing, executed and attached to the original contract and approved by the person(s) authorized to do so on behalf of the contractor and County.
• Potential Impact: The County could be agreeing to new terms without review by anyone, including County Counsel, and without approval of the new terms by the Board.
2. Valimail may assign the Agreement without notice to the County and without the County’s approval.
• The County standard contract requires that the County must approve any assignment of the contract.
• Potential Impact: Valimail could assign the Agreement to a third party or business with which the County is legally prohibited from doing business due to issues of Federal debarment or suspension and conflict of interest, without the County’s knowledge. Should this occur, the County could be out of compliance with the law until it becomes aware of the assignment and terminates the Agreement.
3. The Agreement does not require Valimail to indemnify the County, as required by County Policies 11-05 and 11-07, including for intellectual property infringement claims.
• The County standard contract indemnity provision requires the contractor to indemnify, defend, and hold County harmless from third party claims arising out of the acts, errors or omissions of any person. The standard contract provision for intellectual property indemnity is: Contractor will indemnify, defend, and hold harmless County and its officers, employees, agents and volunteers, from any and all third party claims, costs (including without limitation reasonable attorneys’ fees), and losses for infringement of any United States patent, copyright, trademark or trade secret (Intellectual Property Rights) by any goods or services.
• Potential Impact: Valimail is not required to defend, indemnify or hold the County harmless from any claims, including indemnification for claims arising from Valimail’s negligent or intentional acts and intellectual property infringement. If the County is sued for any claim, including intellectual property infringement based on its use of Valimail’s software or services, the County may be solely liable for the costs of defense and damages, which could exceed the total Agreement amount.
4. The County is required to indemnify Valimail against any claims resulting from (a) improper, unauthorized or illegal uses of the service using County credentials; (b) County’s use of the service; or (c) County’s breach of the Agreement.
• The County standard contract does not include any indemnification or defense by the County of a contractor.
• Potential Impact: By agreeing to indemnify Valimail, the County could be contractually waiving the protection of sovereign immunity. Claims that may otherwise be barred against the County, time limited, or expense limited could be brought against Valimail without such limitations and the County could be responsible to defend and reimburse Valimail for costs, expenses, and damages, which could exceed the total Agreement amount.
5. The Agreement does not require Valimail to meet the County’s insurance standards as required pursuant to County Policies, 11-05, 11-07 and 11-07SP.
• County policy requires contractors to carry appropriate insurance at limits and under conditions determined by the County’s Risk Management Department and as set forth in County policy and in the County standard contract.
• Potential Impact: The County has no assurance that Valimail will be financially responsible for claims that may arise under the Agreement, which could result in expenses to the County that exceed the total Agreement amount.
6. Valimail’s maximum liability to the County is limited to the greater of $100 or the amounts paid under the agreement in the 6 months prior to the event giving rise to the claim.
• The County standard contract does not include a limitation of liability.
• Potential Impact: Claims could exceed the liability cap and the Agreement amount leaving the County financially liable for the excess.
ITD recommends approval of the DMARC Agreement, including non-standard terms, to allow the County to maintain a strong email environment that validates and authenticates its senders while maintaining email security and preventing phishing threats.
PROCUREMENT
Purchasing supports the non-competitive procurement of Valimail, following a recommendation from Microsoft, which chose Valimail, in May 2024, as the leading DMARC partner for Microsoft 365 environments. Valimail works seamlessly with the County’s enterprise Microsoft Exchange environment by offering users a modern, efficient path to DMARC enforcement by automating the identification of email senders and the subsequent policy-setting needed to keep domains protected from fraudulent emails, increase deliverability across every domain, and protect the County’s reputation.
REVIEW BY OTHERS
This item has been reviewed by County Counsel (Bonnie Uphold, Supervising Deputy County Counsel, 387-5455) on November 21, 2024; Purchasing (Monica Centeno, Supervising Buyer, 386-8046) on December 2, 2024; Risk Management (Gregory Ustaszewski, Staff Analyst II, 386-9008) on November 22, 2024; Finance (Iliana Rodriguez, Administrative Analyst, 387-4205) on November 26, 2024; and County Finance and Administration (Paloma Hernandez-Barker, Deputy Executive Officer, 387-5423) on December 2, 2024.