Page MenuHomePhabricator

Emails from discourse-mediawiki.wmflabs.org softfail SPF
Closed, DeclinedPublic

Description

So emails I get from discourse-mediawiki.wmflabs.org have an envelope sender of gmail.com (For VERP I guess. reply-to is also gmail so i guess all inbound mail is handled by gmail), but don't come from gmail. So they softfail SPF.

Example:

ARC-Authentication-Results: i=1; mx.google.com;
       spf=softfail (google.com: domain of transitioning discourse.mediawiki+verp-59f5dae0f1abef8d6c6dbef152564edc@gmail.com does not designate 185.15.56.19 as permitted sender) smtp.mailfrom=discourse.mediawiki+verp-59f5dae0f1abef8d6c6dbef152564edc@gmail.com
Return-Path: <discourse.mediawiki+verp-59f5dae0f1abef8d6c6dbef152564edc@gmail.com>
Received: from mx-out02.wmflabs.org (instance-mx-out02.cloudinfra.wmflabs.org. [185.15.56.19])
        by mx.google.com with ESMTPS id d135si16525277qke.176.2019.10.13.22.37.34
        for <bawolff+wn@gmail.com>
        (version=TLS1_2 cipher=ECDHE-RSA-CHACHA20-POLY1305 bits=256/256);
        Sun, 13 Oct 2019 22:37:34 -0700 (PDT)
Received-SPF: softfail (google.com: domain of transitioning discourse.mediawiki+verp-59f5dae0f1abef8d6c6dbef152564edc@gmail.com does not designate 185.15.56.19 as permitted sender) client-ip=185.15.56.19;
Authentication-Results: mx.google.com;
       spf=softfail (google.com: domain of transitioning discourse.mediawiki+verp-59f5dae0f1abef8d6c6dbef152564edc@gmail.com does not designate 185.15.56.19 as permitted sender) smtp.mailfrom=discourse.mediawiki+verp-59f5dae0f1abef8d6c6dbef152564edc@gmail.com
Received: from discourse-mw.discourse.eqiad.wmflabs ([172.16.7.141]:59240 helo=localhost.localdomain) by mx-out02.wmflabs.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.89) (envelope-from <discourse.mediawiki+verp-59f5dae0f1abef8d6c6dbef152564edc@gmail.com>) id 1iJt30-0005Tt-N5 for bawolff+wn@gmail.com; Mon, 14 Oct 2019 05:37:34 +0000

This isn't the worst thing in the world, as most spam filters greylist. But it isn't exactly ideal.

Event Timeline

Qgil added a subscriber: Qgil.

I wonder whether this is a Discourse problem or "just" a problem of our interim setup for our Discourse instances in wmflabs.org.

Both discourse-mediawiki.wmflabs.org and discuss-space.wmflabs.org use mx-out02.wmflabs.org for system notifications but they rely on GMAIL POP3 mailboxes for receiving incoming mail and handle special notifications.

The idea is to use a @wikimedia.org email address at the end (whether that mailbox would still use the GMail infrastructure, I don't know).

Qgil triaged this task as Low priority.Oct 14 2019, 10:01 AM

If this is going to be merged in other discourse, i wouldnt worry about it (unless the other discourse has same problem).

Basically its not sent from gmail, but bounces are configured to go to gmail (envelope-sender), so antispam software may consider it fraudulant and mark as spam

If this is going to be merged in other discourse, i wouldnt worry about it (unless the other discourse has same problem).

Has this already happened? And if so has this issue persisted?

If yes (and if discourse supports this configuration) it might be worth trying to send outbound mail using a wmflabs.org noreply from address and appending a reply-to header containing the desired gmail POP address (is that discourse.mediawiki@gmail.com?). That should avoid forging a gmail.com from address while directing replies to the desired POP inbox.

Do we know if the software support the configuration change that @herron is suggesting? Could we try it regardless of fate of the project? (just for research/documentation/bugfixing purposes)

discourse-mediawiki.wmflabs.org has been made read-only hence declining this task.