Page MenuHomePhabricator
Create Task
Maniphest T220412

Identify appropriate SPF record for domain wikimediafoundation.org
Closed, ResolvedPublic
Actions

Description

In order to strengthen mail security for the wikimediafoundation.org domain SRE would like to add an SPF record.

Typically the record would look something like:

v=spf1 include:wikimedia.org ~all

However, it is unclear at this time if the above would be sufficient for wikimediafoundation.org, or if additional entries are required in order to support mail sent by 3rd party systems.

So, creating this task to identify the appropriate SPF record for the wikimediafoundation.org domain.

Details

SubjectRepoBranchLines +/-
wikimediafoundation.org: add spf recordoperations/dnsmaster+2 -0
Customize query in gerrit

Related Objects
Search...

Event Timeline

herron triaged this task as Medium priority.Apr 8 2019, 3:10 PM
herron created this task.
DStrine moved this task from Triage to Blocked or not fr-tech on the Fundraising-Backlog board.Apr 8 2019, 8:08 PM
Jgreen subscribed.Apr 8 2019, 8:10 PM

As far as I know, fundraising does not send mail using this domain but only from wikimedia.org, so I don't think our mass mail contractor needs to be listed.

gerritbot added a comment.Apr 9 2019, 7:28 PM

Change 502589 had a related patch set uploaded (by Herron; owner: Herron):
[operations/dns@master] wikimediafoundation.org: add spf record

https://gerrit.wikimedia.org/r/502589

gerritbot added a project: Patch-For-Review.Apr 9 2019, 7:28 PM
herron added a comment.Apr 9 2019, 7:33 PM
In T220412#5095320, @Jgreen wrote:

As far as I know, fundraising does not send mail using this domain but only from wikimedia.org, so I don't think our mass mail contractor needs to be listed.

I noticed there is a DKIM record in the wikimediafoundation.org zone, I wonder what this is/was used by?

$ host -t txt fundraising._domainkey.wikimediafoundation.org
fundraising._domainkey.wikimediafoundation.org descriptive text "v=DKIM1; h=sha256; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC61rCxt6xGKmVoId8fqGM1UTnBugf5chUdQfoCDpsgXqQVF1tOacwj3bF9fQdnqVhWeoGwiWOhfB13k/cfPKELgsJKKXEyk7cyBTV4BQ2JqmbPS4m0dD+imISrviPKjNG4uHA4FrjzYiVuv8EzZQw7tUtJuMC26BXZYqi/5YIpFQIDAQAB;"

In the mean time I've uploaded a patch to add a vanilla SPF record to this domain, as a starting point.

Jgreen added a comment.Apr 10 2019, 6:33 PM
In T220412#5098902, @herron wrote:

I noticed there is a DKIM record in the wikimediafoundation.org zone, I wonder what this is/was used by?

It looks like the DKIM record was added in 2011 "for testing" and never refreshed. My guess is it was never used.

Dzahn unsubscribed.Apr 10 2019, 6:35 PM
gerritbot added a comment.Apr 11 2019, 3:29 PM

Change 502589 merged by Herron:
[operations/dns@master] wikimediafoundation.org: add spf record

https://gerrit.wikimedia.org/r/502589

herron closed this task as Resolved.Apr 11 2019, 3:33 PM
herron claimed this task.

The below SPF record is now active

wikimediafoundation.org descriptive text "v=spf1 include:wikimedia.org ~all"
Dwisehaupt moved this task from Triage to Done on the fundraising-tech-ops board.Feb 13 2020, 9:43 PM
Maintenance_bot removed a project: Patch-For-Review.Feb 13 2020, 10:12 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL