
Wikipedia.org DMARC "rua" and "ruf" email addresses need verification
Closed, Resolved, Public

Authored By
putnik
Dec 7 2018, 4:22 AM

Description

The DMARC entry for wikipedia.org now looks like this: v=DMARC1; p=none; sp=none; rua=mailto:dmarc-rua@wikimedia.org; ruf=mailto:dmarc-ruf@wikimedia.org;.

Since "rua" and "ruf" addresses use an external domain (not wikipedia.org), this domain (wikimedia.org) must confirm that it can be used for this purpose. Otherwise, many mail servers will not send messages to these addresses.

As I understand it, this can be done by adding a TXT DNS record wikipedia.org._report._dmarc.wikimedia.org with the value v=DMARC1.

Event Timeline

herron triaged this task as Medium priority. Jan 4 2019, 4:42 PM

The issue is still present, and as such the dmarc record for wikipedia.org is pretty much redundant.
The dmarc policy is set to none, so the benefit to be gained would be the reporting, i.e. the R in DMARC. Without the corresponding change in wikimedia.org there will be no reporting.

Please refer to RFC 7489, Section 7.1, for instructions how to correct this problem.
Expected permission record location: wikipedia.org._report._dmarc.wikimedia.org

You can see some idea of the systems sending emails from wikipedia.org with this link:

https://www.senderscore.org/report/?lookup=wikipedia.org&authenticated=true


Is anyone sending email with a wikipedia.org domain? For a while, that was assumed not to happen.

The data from Senderscore shows that there are systems sending email from wikipedia.org

The Senderscore data however will only show the most egregious senders of these emails. If you fix the dmarc reporting you will be able to see who the senders are in more detail. Then decide on the action to take. If you believe that there are no legitimate senders of emails from wikipedia.org then the dmarc policy should almost certainly be to reject unauthenticated emails using the domain.

If you look a little further in the Senderscore data you can see the subdomain ru.wikipedia.org is sending email


Some of the associated senders have low reputations and could well be broadband connections


If the dmarc record for wikipedia.org is fixed then you will receive dmarc data for the subdomains too.

Change 831104 had a related patch set uploaded (by Jgreen; author: Jgreen):

[operations/dns@master] DMARC External Domain Verification for wikipedia.org and w.wiki.

https://gerrit.wikimedia.org/r/831104

Change 831104 merged by Jgreen:

[operations/dns@master] DMARC External Domain Verification for wikipedia.org and w.wiki.

https://gerrit.wikimedia.org/r/831104

Change 831843 had a related patch set uploaded (by Jgreen; author: Jgreen):

[operations/dns@master] Fix DMARC external domain verification records.

https://gerrit.wikimedia.org/r/831843

Change 831843 merged by Jgreen:

[operations/dns@master] Fix DMARC external domain verification records.

https://gerrit.wikimedia.org/r/831843

Jgreen claimed this task.

;; ANSWER SECTION:
w.wiki._report._dmarc.wikimedia.org. 3600 IN TXT "v=DMARC1;"

;; ANSWER SECTION:
wikipedia.org._report._dmarc.wikimedia.org. 3600 IN TXT "v=DMARC1;"
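
The external destination check discussed in this task (RFC 7489, Section 7.1), as an added example that is not code from the task or from Wikimedia: it extracts the rua/ruf hosts from a DMARC record, builds the expected `<policy domain>._report._dmarc.<report host>` name, and reports whether a `v=DMARC1` TXT record authorizes it. The `lookup_txt` hook and the two zone dictionaries are constructed stand-ins for DNS, and "external" is simplified to "not the policy domain or one of its subdomains" instead of a full organizational-domain comparison.

```python
import re

# Record quoted in the task description.
WIKIPEDIA_DMARC = ("v=DMARC1; p=none; sp=none; rua=mailto:dmarc-rua@wikimedia.org; "
                   "ruf=mailto:dmarc-ruf@wikimedia.org;")
# Constructed stand-ins for DNS: TXT answers before and after the fix.
ZONE_BEFORE = {}
ZONE_AFTER = {"wikipedia.org._report._dmarc.wikimedia.org": ["v=DMARC1;"]}

def parse_tags(record):
    """Split a DMARC TXT value into a {tag: value} dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def report_hosts(record):
    """Hosts of every mailto: URI listed in rua= and ruf=."""
    tags, hosts = parse_tags(record), set()
    for tag in ("rua", "ruf"):
        for uri in tags.get(tag, "").split(","):
            # A URI may end in a size limit such as "!10m"; it is not part of the host.
            m = re.fullmatch(r"mailto:[^@\s]+@([^!\s]+)(![0-9]+[kmgt]?)?", uri.strip(), re.I)
            if m:
                hosts.add(m.group(1).lower().rstrip("."))
    return hosts

def check_external_reporting(policy_domain, record, lookup_txt):
    """Return {verification record name: authorized?} for external report hosts."""
    policy_domain = policy_domain.lower().rstrip(".")
    results = {}
    for host in sorted(report_hosts(record)):
        # Simplification: "external" means outside policy_domain and its subdomains.
        if host == policy_domain or host.endswith("." + policy_domain):
            continue
        name = f"{policy_domain}._report._dmarc.{host}"
        # Authorized when at least one TXT answer starts with v=DMARC1.
        results[name] = any(re.match(r"\s*v\s*=\s*DMARC1\s*(;|$)", txt)
                            for txt in lookup_txt(name))
    return results

if __name__ == "__main__":
    for label, zone in (("before", ZONE_BEFORE), ("after", ZONE_AFTER)):
        lookup = lambda name, zone=zone: zone.get(name, [])
        print(label, check_external_reporting("wikipedia.org", WIKIPEDIA_DMARC, lookup))
```

To run the same check against live DNS, pass a `lookup_txt` function backed by a real resolver in place of the dictionary lookups.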