Description
Details
Subject | Repo | Branch | Lines +/- | |
---|---|---|---|---|
Change donate.wikimedia.org SPF to soft fail (~all) | operations/dns | master | +1 -1 |
Related Objects
- Mentioned Here
- T133191: Make SPF for wikimedia.org more strict
Event Timeline
Is donate.wikimedia.org actually used for fundraising related emails? If so we might want to go super strict with DMARC since they are unlikely to be sending to lists and such emails are probably money related
The domain donate.wikimedia.org is used for sending thank-you mail from the fundraising CRM. It should be fine to adjust it the SPF record to soft-fail or fail since it includes all subnets that would originate this mail.
Also the CRM mail is already signed so tightening the DMARC policy should not be a problem.
Sounds good! I submitted a patch to set soft fail https://gerrit.wikimedia.org/r/#/c/361718/. Do you want to give +1s there as well, or should I go ahead and merge?
https://gerrit.wikimedia.org/r/#/c/361718/ has been merged and soft fail is now active for donate.wikimedia.org
$ host -t txt donate.wikimedia.org donate.wikimedia.org descriptive text "v=spf1 ip4:91.198.174.0/24 ip4:208.80.152.0/22 ip6:2620:0:860::/46 include:_spf.google.com ip4:74.121.51.111 ~all"