Whenever possible, Canvas uses a subdomain of <domain>.instructure.com to host additional resources. This lets institutions allow *.instructure.com and thereby cover a range of services that Canvas provides.
Some of the built-in functionality of Canvas is accessed via a separate URL that will also need to be allowed:
Canvas Images/File Storage (except Media)
Canvas Media Storage
Conferences - BigBlueButton basic integration
Course Content Images
Gravatar Images (Profile Pictures)
Office 365 Integration
Google Docs Integration
Google Drive Integration
Import Scripts and Canvas Resources
Rich Content Editor Math Equations
Quizzes and Outcomes Domains
Quizzes and Outcomes URLs follow a similar pattern to Canvas URLs with the addition of the Amazon Web Services (AWS) region (IAD, PDX, YUL, DUB, FRA, SYD, SIN). Also, Quizzes has two application URLs instead of just one.
For institutions unsure about which region to use for an account, please contact Canvas Support or a Customer Success Manager.
Email Notification IP Addresses
SMTP allows any computer to send email claiming to be from any source address. Spammers and phishers often use this to forge sender addresses, which makes a message harder to trace back to its sender and lets them hide their identity to avoid responsibility; they can even dupe users into disclosing private information in response to an email.
Canvas uses SPF, which is an email validation system designed to prevent email spam and phishing by detecting and preventing email spoofing. SPF allows administrators to specify which hosts (IP addresses, computers) are allowed to send mail from a given domain by creating specific SPF records in the DNS. Mail exchangers then use the DNS to verify that mail from a given domain is being sent by a sanctioned host.
Canvas also uses DomainKeys Identified Mail (DKIM) to sign mail. DKIM associates our domain name with an email message, thereby allowing Canvas to claim responsibility for the message (sign the message). The digital signature is validated by the recipient. Responsibility is claimed by a signer (instructure.com), independently of the message's actual authors or recipients, by adding a DKIM-Signature: field to the message's header. The verifier recovers the signer's public key using the DNS, and then verifies that the signature matches the actual message's content.
If customers cannot receive email notifications from Canvas, emails are typically being sent to the Spam folder. To correct this behavior, update spam settings to allow emails from instructure.com.
Note: The IP list may be updated at any time. Updates to the list will be posted in the Canvas Deploy Notes.
Most LDAP servers are not publicly available and are protected by firewalls. Canvas admins can create an allowed list of firewall exceptions to connect to their LDAP server. Canvas designates a set of servers and their associated static IP addresses to simplify these firewall exception rules. Please see the list in Canvas LDAP addresses.
Note: The IP list may be updated at any time. Updates to the list will be posted in the Canvas Deploy Notes.