
SPF record for canonical domains
Closed, Resolved, Public

Description

Currently, for the so-called canonical domains (https://wikitech.wikimedia.org/wiki/HTTPS#For_the_Foundation's_canonical_domainnames), we have SPF records for 2/14 domains:

  • wikipedia.org
  • wikimedia.org
  • wiktionary.org
  • wikiquote.org
  • wikibooks.org
  • wikisource.org
  • wikinews.org
  • wikiversity.org
  • wikidata.org
  • wikivoyage.org
  • wikimediafoundation.org
  • mediawiki.org
  • wmfusercontent.org
  • w.wiki

If those 12 domains do not have an SPF record because they are not being used to send email, then according to http://www.openspf.org/SPF_Record_Syntax they should have an SPF record forbidding sending email: "v=spf1 -all", or they lack a proper SPF record like the one configured for wikipedia.org or wikimedia.org.
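The audit the description calls for can be scripted. The following is an added example, not part of the task or of operations/dns: it classifies a domain's SPF posture from its TXT records, separating the deny-all record for non-sending domains from a softfail policy and from a missing or invalid one. The status labels and the `.example` domains are constructed for illustration.

```python
import re

# A modifier is "name=value" (e.g. redirect=, exp=); everything else is a mechanism.
MODIFIER = re.compile(r"^[A-Za-z][A-Za-z0-9_.-]*=")
ALL_RESULT = {"+": "pass-all", "-": "fail", "~": "softfail", "?": "neutral"}

def spf_records(txt_records):
    """Keep only TXT strings whose first term is exactly the SPF version tag."""
    return [t.strip() for t in txt_records
            if t.strip().lower().split(" ", 1)[0] == "v=spf1"]

def classify(txt_records):
    """Return a posture label for one domain's TXT record set."""
    found = spf_records(txt_records)
    if not found:
        return "missing"      # receivers have no policy to evaluate
    if len(found) > 1:
        return "multiple"     # RFC 7208: more than one SPF record is a permerror
    mechanisms = [t for t in found[0].split()[1:] if not MODIFIER.match(t)]
    for position, term in enumerate(mechanisms):
        qualifier = term[0] if term[0] in ALL_RESULT else "+"
        if term.lstrip("+-~?").lower() == "all":
            if qualifier == "-" and position == 0:
                return "no-mail"   # "v=spf1 -all": nothing can match before the fail
            return ALL_RESULT[qualifier]
    return "no-all"           # no "all" here: default is neutral unless redirect= applies

def needs_attention(zone_txt):
    """List the domains whose record is absent, invalid, or does not restrict senders."""
    weak = {"missing", "multiple", "no-all", "pass-all", "neutral"}
    return sorted(d for d, txt in zone_txt.items() if classify(txt) in weak)

# Constructed sample data: domain -> TXT strings as a resolver would return them.
SAMPLE = {
    "sending.example": ["v=spf1 include:wikimedia.org ~all"],
    "parked.example": ["v=spf1 -all"],
    "unset.example": ["google-site-verification=constructed-token"],
    "doubled.example": ["v=spf1 -all", "v=spf1 mx ~all"],
}

if __name__ == "__main__":
    for domain, txt in sorted(SAMPLE.items()):
        print(f"{domain:18} {classify(txt)}")
    print("needs attention:", needs_attention(SAMPLE))
```
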

Event Timeline

I don't think other domains are used for sending emails. And I'm guessing wikipedia.org is probably only mostly used with OTRS.

Seems worthwhile doing as a hardening measure, for sure.

Are any of the rest used for inbound email either?

I just noticed in CommonSettings.php... Why is it wikipedia not wikimedia? :P

$wgEmergencyContact = 'noc@wikipedia.org';

While we're at it there are many other domains in our control (e.g. the .tld variants of the canonical domains) that we can adjust SPF for as well.

Since this involves reviewing the intended mail flow for each domain anyway, how about we gather and organize this info for future reference? As an example I created https://wikitech.wikimedia.org/wiki/Domains and populated it with a domain list from operations/dns. We could document the high level attributes of our domains here (like description, canonical, smtp in/out, https, owner, etc.) making it easier to ensure the actual config matches our expectation.

Change 429871 had a related patch set uploaded (by Dzahn; owner: Dzahn):
[operations/dns@master] w.wiki: add SPF record, disallow email

https://gerrit.wikimedia.org/r/429871

Change 429874 had a related patch set uploaded (by Dzahn; owner: Dzahn):
[operations/dns@master] add SPF record to disallow email for all parked domains

https://gerrit.wikimedia.org/r/429874

.. there are many other domains in our control (e.g. the .tld variants of the canonical domains) that we can adjust SPF for as well.
.. I created https://wikitech.wikimedia.org/wiki/Domains and populated it with a domain list from operations/dns

Hi, so I have some old RT ticket(s) and Google docs that have even way more domains than the ones you can see in DNS. And a very old ticket about getting that list updated or giving up on it. Happy to talk about that some time.

But first about the ones in our DNS zones: I once symlinked all the "non-canonical" variant domains etc. to a single common template called "parking".

So if you edit just that parking template like here: https://gerrit.wikimedia.org/r/#/c/429874/

you should be able to cover a LARGE portion of that table all at once :)

In my Gerrit change I am suggesting to add the "v=spf1 -all" right there so we would declare that all "parked" domains can't have email, which makes sense to me. The question whether something could be parked was already answered sometime in the past for these.

~/dns/templates$ ls -hals | grep parking | cut -d " " -f17,18,19
border-wikipedia.de -> parking
donatetowikipedia.com -> parking
donatetowikipedia.org -> parking
indiawikipedia.com -> parking

softwarewikipedia.com -> parking
softwarewikipedia.net -> parking
softwarewikipedia.org -> parking
vikipedia.com.tr -> parking
vikipedi.com.tr -> parking
visualwikipedia.com -> parking
visualwikipedia.net -> parking
voyagewiki.com -> parking
voyagewiki.org -> parking
webhostingwikipedia.com -> parking
wekipedia.com -> parking
wicipediacymraeg.org -> parking
wiikipedia.com -> parking
wikiartpedia.biz -> parking
wikiartpedia.co -> parking
wikiartpedia.info -> parking
wikiartpedia.me -> parking
wikiartpedia.mobi -> parking
wikiartpedia.net -> parking
wikiartpedia.org -> parking
wikidata.pt -> parking
wikidisclosure.com -> parking
wikidisclosure.org -> parking
wikidpedia.org -> parking
wikiepdia.com -> parking
wikiepdia.org -> parking
wikifamily.com -> parking
wikifamily.org -> parking
wikimania.asia -> parking
wikimaps.com -> parking
wikimaps.net -> parking
wikimaps.org -> parking
wikimedia.biz -> parking
wikimediacommons.co.uk -> parking
wikimediacommons.info -> parking
wikimediacommons.jp.net -> parking
wikimediacommons.mobi -> parking
wikimediacommons.net -> parking
wikimediacommons.org -> parking
wikimediastories.com -> parking
wikimediastories.net -> parking
wikimediastories.org -> parking
wikimedia.xyz -> parking
wikimemory.net -> parking
wikimemory.org -> parking
wikimobipedia.com -> parking
wikimobipedia.net -> parking
wikipaedia.net -> parking
wikipedia.com.ar -> parking
wikipedia.co.uk -> parking
wikipedia.es -> parking
wikipedia.lol -> parking
wikipedial.org -> parking
wiki-pedia.org -> parking
wikipedia.sk -> parking
wikipediastats.com -> parking
wikipediastats.net -> parking
wikipediastats.org -> parking
wikipediastories.com -> parking
wikipediastories.net -> parking
wikipediastories.org -> parking
wikipediavideos.com -> parking
wikiquote.pl -> parking
wikiquotes.info -> parking
wiki.voyage -> parking
wikjpedia.org -> parking
wiktionary.pl -> parking
wilkipedia.org -> parking
xn--80adgdym4pbd.xn--j1amh -> parking
xn--80adgfman1aa4l.xn--p1ai -> parking
xn--b1aajamacm1dkmb.xn--p1ai -> parking

Maybe fr-tech should be added to this ticket given that FR does email campaigns using external providers, like silverpop.

Change 430008 had a related patch set uploaded (by Dzahn; owner: Dzahn):
[operations/dns@master] wmfusercontent.org: add SPF record to disable email

https://gerrit.wikimedia.org/r/430008

RobH triaged this task as Medium priority. May 1 2018, 2:36 PM
RobH subscribed.

I'm attempting to set the priority for all unassigned SRE/Ops tasks under SRE. This appears to be a normal (or possibly high) priority.

Change 429871 merged by Herron:
[operations/dns@master] w.wiki: add SPF record, disallow email

https://gerrit.wikimedia.org/r/429871

Change 430008 merged by Herron:
[operations/dns@master] wmfusercontent.org: add SPF record to disable email

https://gerrit.wikimedia.org/r/430008

Change 429874 merged by Herron:
[operations/dns@master] add SPF record to disallow email for all parked domains

https://gerrit.wikimedia.org/r/429874

Vvjjkkii renamed this task from SPF record for canonical domains to vydaaaaaaa. Jul 1 2018, 1:13 AM
Vvjjkkii raised the priority of this task from Medium to High.
Vvjjkkii updated the task description.
Vvjjkkii removed subscribers: gerritbot, Aklapper.

Change 499255 had a related patch set uploaded (by Vgutierrez; owner: Vgutierrez):
[operations/dns@master] Add default SPF record for canonical domains

https://gerrit.wikimedia.org/r/499255

Vgutierrez raised the priority of this task from Medium to High. (Edited) Mar 26 2019, 5:17 PM

After almost one year I think it's time to move this task forward.

With https://gerrit.wikimedia.org/r/c/operations/dns/+/499255 I suggest using the SPF record used for wikipedia.org as the default one for the rest of the canonical domains that lack an SPF record right now: v=spf1 include:wikimedia.org ~all.

I excluded wikimediafoundation.org on purpose because right now it is using DKIM, so maybe somebody from fundraising could speak up about this specific domain?

; DKIM domain policy record
_domainkey  1H  IN TXT  "o=~; r=hostmaster@wikimediafoundation.org;"

; DKIM selector key(s)
fundraising._domainkey  1H  IN TXT  "v=DKIM1; h=sha256; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC61rCxt6xGKmVoId8fqGM1UTnBugf5chUdQfoCDpsgXqQVF1tOacwj3bF9fQdnqVhWeoGwiWOhfB13k/cfPKELgsJKKXEyk7cyBTV4BQ2JqmbPS4m0dD+imISrviPKjNG4uHA4FrjzYiVuv8EzZQw7tUtJuMC26BXZYqi/5YIpFQIDAQAB;"

Change 499255 merged by Vgutierrez:
[operations/dns@master] Add default SPF record for canonical domains

https://gerrit.wikimedia.org/r/499255

herron claimed this task.
herron updated the task description.

Change 503165 had a related patch set uploaded (by Vgutierrez; owner: Vgutierrez):
[operations/dns@master] Add SPF record for wikisource.org

https://gerrit.wikimedia.org/r/503165

Change 503177 had a related patch set uploaded (by Vgutierrez; owner: Vgutierrez):
[operations/dns@master] Add SPF record for wikibooks.org

https://gerrit.wikimedia.org/r/503177

Change 503165 merged by Vgutierrez:
[operations/dns@master] Add SPF record for wikisource.org

https://gerrit.wikimedia.org/r/503165

Change 503177 merged by Vgutierrez:
[operations/dns@master] Add SPF record for wikibooks.org

https://gerrit.wikimedia.org/r/503177