
Domains of most projects do not have DMARC policy
Open, MediumPublic

Description

For domains in this list there are no DNS records for SPF and DMARC:

  • mediawiki.org
  • wikibooks.org
  • wikinews.org
  • wikiquote.org
  • wikisource.org
  • wikiversity.org
  • wikivoyage.org
  • wiktionary.org

This creates a potential vulnerability, because anyone can send a letter on behalf of the Wikimedia project. Since, as far as I know, these domains are not used to send messages, the policy can be specified as restrictive as possible (p=reject; sp=reject).
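An added check, not part of this task or of Wikimedia's own tooling, that evaluates the TXT records found at `_dmarc.<domain>` the way a receiving mail server does (no record, an unusable record, monitor-only, or enforced) and builds the records the description proposes for a domain that sends no mail. The sample DNS answers and the `.example` names are constructed; only `mediawiki.org` having no record comes from the task.

```python
from typing import Dict, List, Optional

def parse_dmarc(txt: str) -> Optional[Dict[str, str]]:
    """Split a DMARC TXT string into tag=value pairs.
    Returns None when receivers would discard it: RFC 7489 requires
    the first tag to be v=DMARC1."""
    parts = [p.strip() for p in txt.split(";") if p.strip()]
    if not parts or parts[0].replace(" ", "").lower() != "v=dmarc1":
        return None
    tags = {}
    for part in parts:
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    return tags

def assess_dmarc(txt_records: List[str]) -> Dict[str, str]:
    """Judge the TXT records at _dmarc.<domain> like a receiving MTA:
    zero or more than one valid record means no DMARC policy applies."""
    if not txt_records:
        return {"status": "missing"}
    valid = [t for t in (parse_dmarc(r) for r in txt_records) if t is not None]
    if len(valid) != 1:
        return {"status": "unusable"}
    tags = valid[0]
    p = tags.get("p", "")
    sp = tags.get("sp", p)                      # sp defaults to p
    if p not in ("none", "quarantine", "reject") or sp not in ("none", "quarantine", "reject"):
        return {"status": "unusable"}           # p is required; an invalid sp voids the record
    enforced = p != "none" and sp != "none"
    return {"status": "enforced" if enforced else "monitor-only", "p": p, "sp": sp}

def recommended_records(domain: str) -> Dict[str, str]:
    """TXT records for a domain that sends no mail (the task's assumption):
    the p=reject; sp=reject policy proposed above, plus an SPF authorizing no sender."""
    return {f"_dmarc.{domain}": "v=DMARC1; p=reject; sp=reject", domain: "v=spf1 -all"}

# Constructed sample answers for _dmarc.<domain>; not live DNS lookups.
SAMPLE_DMARC = {
    "mediawiki.org": [],                                        # nothing published
    "monitor.example": ["v=DMARC1; p=none; rua=mailto:dmarc@monitor.example"],
    "broken.example": ["p=reject; v=DMARC1"],                   # v= not first: discarded
    "twice.example": ["v=DMARC1; p=reject", "v=DMARC1; p=none"],  # two records: no policy
    "strict.example": ["v=DMARC1; p=reject; sp=reject"],
}

def audit(answers: Dict[str, List[str]]) -> Dict[str, str]:
    """Map each domain to its DMARC status."""
    return {d: assess_dmarc(r)["status"] for d, r in answers.items()}

if __name__ == "__main__":
    for domain, status in audit(SAMPLE_DMARC).items():
        print(f"{domain:18} {status}")
    print(recommended_records("mediawiki.org"))
```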

Event Timeline

herron triaged this task as Medium priority. Jan 4 2019, 4:42 PM
Reedy added a subscriber: Beeloser.

The domain wikipedia.org does have a DMARC record; however, it has been applied incorrectly and therefore is not working.
If the policy is not to deploy DMARC records, then the record for wikipedia should probably be removed so as not to confuse.

Is this the right place to ask why there aren't DMARC records deployed? I mean a bad actor could take advantage. As an example, next time there is an appeal for donations to the wiki foundation, a bad actor could spoof emails from say jimmy.wales@wikipedia.org asking for donations. The unwary could be taken to a look-alike site and give their money to the bad actors.