Page MenuHomePhabricator
Create Task
Maniphest T167704

Make donate.wikimedia.org SPF more strict
Closed, ResolvedPublic
Actions

Description

Forked from T133191

donate          5M  IN TXT  "v=spf1 ip4:91.198.174.0/24 ip4:208.80.152.0/22 ip6:2620:0:860::/46 include:_spf.google.com ip4:74.121.51.111 ?all"

Change ?all to ~all for donate.wikimedia.org, similar to change to plain wikimedia.org being made in T133191

Details

SubjectRepoBranchLines +/-
Change donate.wikimedia.org SPF to soft fail (~all)operations/dnsmaster+1 -1
Customize query in gerrit

Related Objects

Event Timeline

Reedy created this task.Jun 12 2017, 5:31 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptJun 12 2017, 5:31 PM
Reedy added projects: Mail, SRE.Jun 12 2017, 5:31 PM
Reedy assigned this task to herron.Jun 12 2017, 5:35 PM
Reedy added a project: fundraising-tech-ops.Jun 12 2017, 5:38 PM
Bawolff subscribed.Jun 12 2017, 5:52 PM

Is donate.wikimedia.org actually used for fundraising related emails? If so we might want to go super strict with DMARC since they are unlikely to be sending to lists and such emails are probably money related

Reedy added a comment.Jun 12 2017, 5:55 PM

IIRC, there was a question of whether other places are still sending FR emails...

Reedy moved this task from Backlog / Other to Operational issues on the acl*security board.Jun 13 2017, 4:56 PM
herron moved this task from Backlog to Up Next on the Mail board.Jun 14 2017, 3:26 PM
Jgreen subscribed.EditedJun 26 2017, 8:42 PM
In T167704#3341807, @Bawolff wrote:

Is donate.wikimedia.org actually used for fundraising related emails? If so we might want to go super strict with DMARC since they are unlikely to be sending to lists and such emails are probably money related

The domain donate.wikimedia.org is used for sending thank-you mail from the fundraising CRM. It should be fine to adjust it the SPF record to soft-fail or fail since it includes all subnets that would originate this mail.

Also the CRM mail is already signed so tightening the DMARC policy should not be a problem.

Jgreen triaged this task as Medium priority.Jun 27 2017, 2:34 PM
herron added a comment.Jun 27 2017, 6:49 PM

Sounds good! I submitted a patch to set soft fail https://gerrit.wikimedia.org/r/#/c/361718/. Do you want to give +1s there as well, or should I go ahead and merge?

herron added a project: Patch-For-Review.Jun 27 2017, 6:50 PM
herron closed this task as Resolved.Jun 30 2017, 5:40 PM

https://gerrit.wikimedia.org/r/#/c/361718/ has been merged and soft fail is now active for donate.wikimedia.org

$ host -t txt donate.wikimedia.org
donate.wikimedia.org descriptive text "v=spf1 ip4:91.198.174.0/24 ip4:208.80.152.0/22 ip6:2620:0:860::/46 include:_spf.google.com ip4:74.121.51.111 ~all"
Reedy changed the visibility from "Custom Policy" to "Public (No Login Required)".Jun 30 2017, 10:26 PM
Reedy removed a project: Patch-For-Review.
chasemp added a project: Security.Feb 10 2020, 10:58 PM
Dwisehaupt moved this task from Triage to Done on the fundraising-tech-ops board.Feb 13 2020, 9:46 PM
chasemp removed a project: acl*security.Feb 20 2020, 8:17 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL