Page MenuHomePhabricator

Allow Qualtrics to send @wikimedia.org emails using an SPF record or an SMTP relay
Closed, ResolvedPublic

Description

I am working on the New Editor Experiences, a research project where we are traveling to South Korea and the Czech Republic to interview new Wikipedia editors.

In order to arrange these interviews, we need to send emails to a select group of registered users (about 2 500 for each country) explaining the project and inviting them to take a survey. We are using Qualtrics to host the survey and send these emails, since it's the only service provider vetted by Legal for this purpose. (Legal has also vetted this project generally).

In order to comply with anti-spam laws (and to generally make our emails more trustworthy), we need to send these emails from an official domain like wikimedia.org. Qualtrics provides two ways to do this:

  • setting the following SPF record for wikimedia.org: “v=spf1 include:_spf.qualtrics.com ?all”
  • setting up a connection to an SMTP relay.

@bbogaert has told me that either the SPF record or a connection to the Ops SMTP relay would be preferable, to avoid giving Qualtrics full access to a WMF Google account.

Unfortunately, we have a very tight timeline on this, since our research trip to South Korea starts on May 16 (with tickets booked and researchers hired) and we need enough time for recruiting to happen before that. This would need to happen by this Friday, May 5 (I apologize—this short notice is my fault for failing to identify this issue before). If this isn't possible, we'll have to fall back to using a Google SMTP relay.

Event Timeline

Restricted Application added a subscriber: Aklapper. · View Herald TranscriptMay 3 2017, 8:20 PM
faidon added a subscriber: faidon.May 4 2017, 1:12 AM

We don't generally add third-parties to our SPF or DKIM records (there is one exception, with a long and complicated history). Among other concerns, this allows these third-parties to impersonate accounts on our domain, which is a pretty bad idea: even if the legal agreement is ironclad, we're still effectively relying on their security for our own security, and vendor security can vary a lot.

The alternative we usually propose is to either use a subdomain for this purpose (something.wikimedia.org) or a completely separate domain, and then set up SPF/DKIM/DMARC for these.

In this case it also sounds like an alternative is to set up a regular WMF account and have Qualtrics use that as a regular user instead. This sounds like a better alternative to me, but I don't know what Byron/OIT's concerns were and they may well be justified. Could one of you give more background about this and why this option was not favored?

Neil_P._Quinn_WMF added a comment.EditedMay 4 2017, 3:32 AM

Thanks for the details, @faidon. It makes sense that we would not want to give full mail-sending authority to a third party, no matter how trustworthy. It sounds like giving Qualtrics access to our SMTP relay would run into the same problem?

You are correct that a subdomain (surveys.wikimedia.org, for example) would work just as well for our purposes.

In this case it also sounds like an alternative is to set up a regular WMF account and have Qualtrics use that as a regular user instead. This sounds like a better alternative to me, but I don't know what Byron/OIT's concerns were and they may well be justified. Could one of you give more background about this and why this option was not favored?

Yes, technically, this is definitely an option as well, but as I understood it Byron had some security concerns (what a coincidence :) @bbogaert, could you elaborate a bit?

MaxSem added a subscriber: MaxSem.May 4 2017, 8:56 PM

Hi @faidon ,

I found a workaround to avert our security concerns, and use gmail smtp, because Neil did not need the "reply-to" address to be qualtrics@wikimedia.org. If the "reply-to" address was needed we would have had to place cn=qualtrics in ou=people, ou=corp, ou=wikimedia, ou=org instead of ou=qualtrics, ou=corp, ou=wikimedia, ou=org so the address would receive mail. The ou=qualtrics, ou=corp, ou=wikimedia, ou=org is not replicated in production LDAP and does not receive mail.

The security concern was that if cn=qualtrics had been in the ou=people, ou=corp, ou=wikimedia, ou=org it would have had access to other G-Suite products besides mail (Drive, Calendar, Hangouts, etc.). However, because we placed cn=qualtrics in ou=qualtrics, ou=corp, ou=wikimedia, ou=org we were able to turn off all other services except G-mail. I did look for a way to turn off G-Suite Apps at the user level, but this was not an option. Also, there was not a "special way" to have a SMTP relay user that was "out-of-band" of a regular user. Placing the qualtrics user in a different object unit was the most elegant solution I could find.

I hope this solutions will work for everyone. Please, let me know if we need to change it.

Thanks,
Byron

Removing Ops since it seems like there's no action needed from them. Keeping the task open while we set up Byron's workaround.

faidon added a comment.May 8 2017, 1:31 PM

Alright, thank you @bbogaert for the workaround, that was smart! Much appreciated.

Good luck with your survey @Neil_P._Quinn_WMF :)

revi added a subscriber: revi.May 8 2017, 1:34 PM
Neil_P._Quinn_WMF closed this task as Resolved.May 10 2017, 6:34 PM
Neil_P._Quinn_WMF claimed this task.

We were able to successfully give Qualtrics access to the G Suite SMTP relay. Thank you for your help, @faidon and @bbogaert!