
Wikipedia.org DMARC "rua" and "ruf" email addresses need verification
Open, Medium, Public

Description

The DMARC entry for wikipedia.org now looks like this: v=DMARC1; p=none; sp=none; rua=mailto:dmarc-rua@wikimedia.org; ruf=mailto:dmarc-ruf@wikimedia.org;.

Since "rua" and "ruf" addresses use an external domain (not wikipedia.org), this domain (wikimedia.org) must confirm that it can be used for this purpose. Otherwise, many mail servers will not send messages to these addresses.

As I understand it, this can be done by adding a TXT DNS record wikipedia.org._report._dmarc.wikimedia.org with the value v=DMARC1.

Event Timeline

herron triaged this task as Medium priority. Jan 4 2019, 4:42 PM

The issue is still present, and as such the DMARC record for wikipedia.org is pretty much redundant.
The DMARC policy is set to none, so the benefit to be gained would be the reporting, i.e. the R in DMARC. Without the corresponding change in wikimedia.org there will be no reporting.

Please refer to RFC 7489, Section 7.1, for instructions how to correct this problem.
Expected permission record location: wikipedia.org._report._dmarc.wikimedia.org

You can get some idea of the systems sending emails from wikipedia.org with this link:

https://www.senderscore.org/report/?lookup=wikipedia.org&authenticated=true

Is anyone sending email with a wikipedia.org domain? For a while, that was assumed not to happen.

The data from Senderscore shows that there are systems sending email from wikipedia.org.

The Senderscore data, however, will only show the most egregious senders of these emails. If you fix the DMARC reporting you will be able to see who the senders are in more detail. Then decide on the action to take. If you believe that there are no legitimate senders of emails from wikipedia.org, then the DMARC policy should almost certainly be to reject unauthenticated emails using the domain.

If you look a little further in the Senderscore data you can see the subdomain ru.wikipedia.org is sending email.

Some of the associated senders have low reputations and could well be broadband connections.

If the DMARC record for wikipedia.org is fixed then you will receive DMARC data for the subdomains too.
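
The external-destination check from RFC 7489, Section 7.1 that this task discusses, as an added example (not part of the original task or of any Wikimedia tooling): it derives the authorization TXT names a report generator looks up for the record quoted in the description. The function names are hypothetical, and the organizational domain is approximated by the last two labels, which holds for wikipedia.org and wikimedia.org but needs the Public Suffix List in general.

```python
# Added example: which rua/ruf hosts need an RFC 7489 section 7.1
# authorization record, and what a valid answer looks like.

def org_domain(host):
    # Assumption: last two labels stand in for the organizational domain.
    # Real code needs the Public Suffix List (e.g. for co.uk names).
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def parse_tags(record):
    """Split a DMARC TXT record into a {tag: value} dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def required_authorizations(policy_domain, record):
    """Return {tag: [TXT names]} that must exist for external report hosts."""
    tags = parse_tags(record)
    needed = {}
    for tag in ("rua", "ruf"):
        for uri in tags.get(tag, "").split(","):
            uri = uri.strip().split("!")[0]  # drop optional size limit
            if not uri.lower().startswith("mailto:") or "@" not in uri:
                continue
            host = uri.rsplit("@", 1)[-1].lower()
            if org_domain(host) != org_domain(policy_domain):
                name = f"{policy_domain}._report._dmarc.{host}"
                needed.setdefault(tag, []).append(name)
    return needed

def is_authorized(txt_answers):
    """True if any TXT answer at the authorization name starts with v=DMARC1."""
    return any(t.split(";")[0].replace(" ", "") == "v=DMARC1"
               for t in txt_answers)

# Record quoted in the task description.
RECORD = ("v=DMARC1; p=none; sp=none; rua=mailto:dmarc-rua@wikimedia.org; "
          "ruf=mailto:dmarc-ruf@wikimedia.org;")

if __name__ == "__main__":
    for tag, names in required_authorizations("wikipedia.org", RECORD).items():
        for name in names:
            # Constructed answers: [] = record missing, then the proposed fix.
            print(tag, name, is_authorized([]), is_authorized(["v=DMARC1"]))
```
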