
ITS request to update SPF & DNS Records for Trust & Safety
Closed, Declined (Public)

Description

Hello,

I'm submitting a ticket on behalf of Trust and Safety with regards to the Zendesk Ticketing instance that we are implementing.

They are interested in allowing Zendesk to send emails on behalf of our email domain (wikimedia.org) for the following addresses:

emergency@wikimedia.org
ca@wikimedia.org
trustandsafety@wikimedia.org

There may be additional teams/addresses (Talent and Culture and Security have expressed interest) in the future that would like to utilize this functionality as well; however, their emails have not been set up to forward into Zendesk yet (gone live with Zendesk).

By default, replies from Zendesk will be coming from a Zendesk support address (e.g. trustandsafety@wikimediats.zendesk.com). The teams would like these replies to use the same origin address that users are reaching out to (e.g. trustandsafety@wikimedia.org).

https://support.zendesk.com/hc/en-us/articles/203683886-Allowing-Zendesk-to-send-email-on-behalf-of-your-email-domain

Zendesk recommends that in order for this setup to work we would need to add Zendesk's mail server to an SPF record on the wikimedia.org domain.

For example, we could add the following:

v=spf1 include:mail.zendesk.com ?all

or if we already have an existing SPF record we can include Zendesk as an additional reference as well:

v=spf1 include:_spf.google.com include:mail.zendesk.com ~all

They also mentioned that we will need to add a TXT record to our DNS server that Zendesk will check to validate that Zendesk is able to send emails on behalf of wikimedia.org.

The DNS TXT record would need to be created for zendeskverification.wikimedia.org and contain the following value: "9332ffbb3c7098a7" (as shown in the table below).

Screen Shot 2021-01-22 at 4.39.40 PM.png (140×1 px, 32 KB)

Please let me know if any further details are needed!

Thanks,
Peter

Event Timeline

Restricted Application added a subscriber: Aklapper.

Current SPF is in https://raw.githubusercontent.com/wikimedia/operations-dns/b34bfdb0b90ad250d31137eb228e3421c9bafd4c/templates/wikimedia.org

; SPF txt and rr records
@               600 IN TXT  "v=spf1 ip4:91.198.174.0/24 ip4:208.80.152.0/22 ip6:2620:0:860::/46 include:_spf.google.com ip4:74.121.51.111 ~all"
@               600 IN TXT  "FC0MOB7SKLHj0AsevTnJvE0W0YYQkPVYOX3UMrINOSk="

From the Greenhouse task @Aklapper linked:

In T189065#4031997, faidon wrote:

This has been discussed in bigger requests a couple of times before (T103893, T84201) for Greenhouse specifically, plus a bunch of other times for other third-party services. The TL;DR is that we don't really like whitelisting in SPF/DKIM/DMARC for wikimedia.org for all of the third-party services that we use, because that opens up attack vectors like email spoofing and CEO fraud to entities that we do not control nor are able to vet their security. The alternative we had proposed before was to use a separate subdomain (careers.wikimedia.org). It's still non-ideal, but it's better than allowing them and others like them to send emails as <insert ED name>@wikimedia.org for instance.

Can these emails be sent from a subdomain like @zendesk.wikimedia.org?
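The two options discussed in this ticket (adding include:mail.zendesk.com to the wikimedia.org apex SPF record as proposed in the description, versus giving Zendesk its own subdomain as suggested above) can be compared with a small SPF evaluator. The script below is an added example, not code from the ticket or from Wikimedia's operations/dns repository. It implements only the mechanisms that appear in the ticket (ip4, ip6, include, all) and replaces DNS with a constructed in-memory zone table, so the address blocks behind _spf.google.com and mail.zendesk.com and the zendesk.wikimedia.org record are assumptions made for illustration.

```python
"""Added example: compare SPF outcomes for the apex-whitelist and subdomain
options from the ticket.  Not part of the ticket or of Wikimedia's DNS."""
import ipaddress
from copy import deepcopy

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_LOOKUPS = 10  # RFC 7208 section 4.6.4 limit on DNS-querying mechanisms

# Constructed in-memory zone table standing in for DNS TXT lookups.
# The wikimedia.org record is the one quoted in the ticket; the address
# blocks behind _spf.google.com and mail.zendesk.com are documentation
# ranges chosen for illustration, not the real ones.
CURRENT = {
    "wikimedia.org": ("v=spf1 ip4:91.198.174.0/24 ip4:208.80.152.0/22 "
                      "ip6:2620:0:860::/46 include:_spf.google.com "
                      "ip4:74.121.51.111 ~all"),
    "_spf.google.com": "v=spf1 ip4:203.0.113.0/24 -all",   # constructed
    "mail.zendesk.com": "v=spf1 ip4:198.51.100.0/24 -all",  # constructed
}

# Option A (ticket description): whitelist Zendesk in the apex record.
PROPOSED = deepcopy(CURRENT)
PROPOSED["wikimedia.org"] = CURRENT["wikimedia.org"].replace(
    " ~all", " include:mail.zendesk.com ~all")

# Option B (thread suggestion): leave the apex alone and give Zendesk a
# hypothetical zendesk.wikimedia.org record, with -all so only the listed
# sender is authorized for that subdomain.
SUBDOMAIN = deepcopy(CURRENT)
SUBDOMAIN["zendesk.wikimedia.org"] = "v=spf1 include:mail.zendesk.com -all"


def check_host(ip, domain, zones, _lookups=None):
    """Evaluate the SPF record of `domain` for sender address `ip`.

    Returns pass/fail/softfail/neutral/none/permerror, following RFC 7208
    semantics for the ip4, ip6, include and all mechanisms.
    """
    lookups = _lookups if _lookups is not None else [0]
    record = zones.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qual = "+"
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        if term == "all":
            return QUALIFIERS[qual]
        if term.startswith(("ip4:", "ip6:")):
            net = ipaddress.ip_network(term[4:], strict=False)
            if addr.version == net.version and addr in net:
                return QUALIFIERS[qual]
        elif term.startswith("include:"):
            lookups[0] += 1
            if lookups[0] > MAX_LOOKUPS:
                return "permerror"
            inner = check_host(ip, term[len("include:"):], zones, lookups)
            if inner == "pass":
                return QUALIFIERS[qual]
            if inner in ("none", "permerror"):
                return "permerror"   # RFC 7208 section 5.2
        else:
            return "permerror"       # mechanism not modelled in this example
    return "neutral"                 # no term matched and no explicit all


def compare(ip):
    """SPF result a receiver would compute for `ip` under each option."""
    return {
        "current apex": check_host(ip, "wikimedia.org", CURRENT),
        "proposed apex": check_host(ip, "wikimedia.org", PROPOSED),
        "subdomain apex": check_host(ip, "wikimedia.org", SUBDOMAIN),
        "subdomain": check_host(ip, "zendesk.wikimedia.org", SUBDOMAIN),
    }


if __name__ == "__main__":
    # constructed sender addresses: Zendesk range, Google range, unrelated host
    for sender in ("198.51.100.10", "203.0.113.5", "192.0.2.1"):
        print(sender, compare(sender))
```

Running it shows the trade-off the thread is about: a sender in the (constructed) Zendesk range goes from softfail to pass for any @wikimedia.org address under the apex change, whereas with the subdomain option the apex result is unchanged and only mail from @zendesk.wikimedia.org passes. The lookup counter also makes the RFC 7208 limit of ten DNS-querying mechanisms visible, which matters because each further include: added to the apex record consumes part of that budget.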

Legoktm triaged this task as Medium priority. Jan 25 2021, 7:18 PM

@drochford hey david, based on Andre's last comment, would the team be open to have the emails be sent from a subdomain like @zendesk.wikimedia.org?

Apologies for the tardiness @pkang - Following up with Nasma (Ops Manager). Will revert then.

Hi all, per my slack conversation with David, the T&S team is okay with continuing to use the default reply address. Please feel free to close this ticket as no further action is required at this time.