Page MenuHomePhabricator
Create Task
Maniphest T354112

Ensure Toolforge and Cloud VPS comply with Google's new email sender guidelines
Closed, ResolvedPublic
Actions

Description

Google has announced new requirements for sending email to gmail accounts effective 2024-02-01, and we should ensure we meet those.

Requirements for all senders

  • Set up SPF or DKIM email authentication for your domain.
    • SPF should be OK. For DKIM I think we currently sign with ed25519 keys only and I think Google only supports RSA keys so we may need to double-sign here.
    • Fixed.
  • Ensure that sending domains or IPs have valid forward and reverse DNS records, also referred to as PTR records.
    • We should be ok.
  • Use a TLS connection for transmitting email.
    • We should be ok.
  • Keep spam rates reported in Postmaster Tools below 0.10% and avoid ever reaching a spam rate of 0.30% or higher.
    • No idea, need to check.
  • Format messages according to the Internet Message Format standard (RFC 5322).
    • I assume we are ok here.
  • Don’t impersonate Gmail From: headers. Gmail will begin using a DMARC quarantine enforcement policy, and impersonating Gmail From: headers might impact your email delivery.
    • We should be ok, although restricting folks from using non-WMCS domains via our relays might be a smart move. T341004
    • Done.
  • If you regularly forward email, including using mailing lists or inbound gateways, add ARC headers to outgoing email.
    • Toolforge does this, and Cloud VPS does not relay emails. We do SRS but not ARC. Will need to fix.

Requirements for high-volume senders

I don't have data on this atm but I would not be surprised if we're over the 5k emails per day threshold.

  • Set up DMARC email authentication for your sending domain. Your DMARC enforcement policy can be set to none.
    • We don't have a DMARC policy at all at the moment.
    • Fixed.
  • For direct mail, the domain in the sender's From: header must be aligned with either the SPF domain or the DKIM domain. This is required to pass DMARC alignment.
    • Need to check if cron email etc passes this, or if we need to add some more rewrites.
  • Marketing messages and subscribed messages must support one-click unsubscribe, and include a clearly visible unsubscribe link in the message body.
    • No clue how they define marketing and subscribed messages, but we certainly don't support one-click unsubscribe for anything.

Details

SubjectRepoBranchLines +/-
Add fake ARC signing keyslabs/privatemaster+0 -0
P:toolforge::mailrelay: add Authentication-Results headeroperations/puppetproduction+2 -0
P:toolforge::mailrelay: reject mail not using Toolforge domainsoperations/puppetproduction+20 -6
P:mail::smarthost: support DKIM dual-signingoperations/puppetproduction+15 -11
Add fake wmcs-rsa DKIM keys for Cloud VPSlabs/privatemaster+0 -0
P:toolforge::mailrelay: double-sign mail with RSA DKIM keysoperations/puppetproduction+7 -5
Add fake toolforge-rsa DKIM keyslabs/privatemaster+0 -0
Customize query in gerrit

Related Objects
Search...

Event Timeline

taavi created this task.Dec 30 2023, 12:34 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptDec 30 2023, 12:34 PM
taavi updated the task description. (Show Details)Dec 30 2023, 12:36 PM
RhinosF1 subscribed.Dec 30 2023, 1:29 PM
taavi claimed this task.Jan 8 2024, 1:22 PM
taavi added a subtask: T341004: Require mail sent via the Toolforge mail servers uses a Toolforge domain.
taavi updated the task description. (Show Details)Jan 8 2024, 1:25 PM
gerritbot added a comment.Jan 8 2024, 1:29 PM

Change 988489 had a related patch set uploaded (by Majavah; author: Majavah):

[operations/puppet@production] P:toolforge::mailrelay: double-sign mail with RSA DKIM keys

https://gerrit.wikimedia.org/r/988489

gerritbot added a project: Patch-For-Review.Jan 8 2024, 1:29 PM
gerritbot added a comment.Jan 8 2024, 1:45 PM

Change 988494 had a related patch set uploaded (by Majavah; author: Majavah):

[labs/private@master] Add fake toolforge-rsa DKIM keys

https://gerrit.wikimedia.org/r/988494

gerritbot added a comment.Jan 8 2024, 2:05 PM

Change 988494 merged by Majavah:

[labs/private@master] Add fake toolforge-rsa DKIM keys

https://gerrit.wikimedia.org/r/988494

taavi mentioned this in rLPRIa14721feba56: Add fake toolforge-rsa DKIM keys.Jan 8 2024, 2:06 PM
gerritbot added a comment.Jan 8 2024, 2:42 PM

Change 988489 merged by Majavah:

[operations/puppet@production] P:toolforge::mailrelay: double-sign mail with RSA DKIM keys

https://gerrit.wikimedia.org/r/988489

Maintenance_bot removed a project: Patch-For-Review.Jan 8 2024, 3:30 PM
Stashbot added a comment.Jan 8 2024, 3:52 PM

Mentioned in SAL (#wikimedia-cloud) [2024-01-08T15:52:38Z] <taavi> verify wmcloud.org, wmflabs.org and toolforge.org in gmail postmaster console to figure out how much google likes us (T354112)

jhathaway subscribed.Jan 8 2024, 5:19 PM
fnegri subscribed.Jan 8 2024, 5:52 PM
gerritbot added a comment.Jan 11 2024, 10:47 AM

Change 989736 had a related patch set uploaded (by Majavah; author: Majavah):

[operations/puppet@production] P:mail::smarthost: support DKIM dual-signing

https://gerrit.wikimedia.org/r/989736

gerritbot added a project: Patch-For-Review.Jan 11 2024, 10:47 AM
gerritbot added a comment.Jan 11 2024, 10:50 AM

Change 989738 had a related patch set uploaded (by Majavah; author: Majavah):

[labs/private@master] Add fake wmcs-rsa DKIM keys for Cloud VPS

https://gerrit.wikimedia.org/r/989738

gerritbot added a comment.Jan 11 2024, 11:45 AM

Change 989738 merged by Majavah:

[labs/private@master] Add fake wmcs-rsa DKIM keys for Cloud VPS

https://gerrit.wikimedia.org/r/989738

taavi mentioned this in rLPRI61a3030889a0: Add fake wmcs-rsa DKIM keys for Cloud VPS.Jan 11 2024, 11:47 AM
gerritbot added a comment.Jan 11 2024, 12:05 PM

Change 971892 had a related patch set uploaded (by Majavah; author: Majavah):

[operations/puppet@production] P:toolforge::mailrelay: reject mail not using Toolforge domains

https://gerrit.wikimedia.org/r/971892

taavi updated the task description. (Show Details)Jan 11 2024, 12:21 PM
gerritbot added a comment.Jan 11 2024, 3:49 PM

Change 989736 merged by Majavah:

[operations/puppet@production] P:mail::smarthost: support DKIM dual-signing

https://gerrit.wikimedia.org/r/989736

taavi moved this task from Backlog to Ready to be worked on on the Toolforge board.Jan 16 2024, 4:31 PM
taavi edited projects, added Toolforge (Toolforge iteration 03); removed Toolforge.
taavi moved this task from Next Up to In Progress on the Toolforge (Toolforge iteration 03) board.
gerritbot added a comment.Jan 18 2024, 9:07 AM

Change 971892 merged by Majavah:

[operations/puppet@production] P:toolforge::mailrelay: reject mail not using Toolforge domains

https://gerrit.wikimedia.org/r/971892

Maintenance_bot removed a project: Patch-For-Review.Jan 18 2024, 9:30 AM
dcaro changed the task status from Open to In Progress.Jan 18 2024, 5:06 PM
taavi closed subtask T341004: Require mail sent via the Toolforge mail servers uses a Toolforge domain as Resolved.Jan 22 2024, 6:32 PM
Tgr added a parent task: T355712: Ensure Wikimedia complies with Google's new email sender guidelines.Jan 23 2024, 7:40 PM
dcaro edited projects, added Toolforge (Toolforge iteration 04); removed Toolforge (Toolforge iteration 03).Jan 24 2024, 9:17 AM
dcaro moved this task from Next Up to In Progress on the Toolforge (Toolforge iteration 04) board.
taavi added a subtask: T311910: Upgrade Toolforge mail server to Debian Bullseye or later.Jan 29 2024, 12:57 PM
gerritbot added a comment.Jan 29 2024, 2:28 PM

Change 993697 had a related patch set uploaded (by Majavah; author: Majavah):

[operations/puppet@production] P:toolforge::mailrelay: add Authentication-Results header

https://gerrit.wikimedia.org/r/993697

gerritbot added a project: Patch-For-Review.Jan 29 2024, 2:28 PM
taavi changed the status of subtask T356171: Enable ARC support in Toolforge from Open to In Progress.Jan 30 2024, 11:48 AM
gerritbot added a comment.Jan 30 2024, 12:26 PM

Change 993697 merged by Majavah:

[operations/puppet@production] P:toolforge::mailrelay: add Authentication-Results header

https://gerrit.wikimedia.org/r/993697

Maintenance_bot removed a project: Patch-For-Review.Jan 30 2024, 12:30 PM
gerritbot added a comment.Jan 30 2024, 12:48 PM

Change 994163 had a related patch set uploaded (by Majavah; author: Majavah):

[labs/private@master] Add fake ARC signing keys

https://gerrit.wikimedia.org/r/994163

gerritbot added a project: Patch-For-Review.Jan 30 2024, 12:48 PM

Change 994163 merged by Majavah:

[labs/private@master] Add fake ARC signing keys

https://gerrit.wikimedia.org/r/994163

taavi mentioned this in rLPRI157db65a5cdd: Add fake ARC signing keys.Jan 30 2024, 12:49 PM
Stashbot added a comment.Jan 30 2024, 1:08 PM

Mentioned in SAL (#wikimedia-cloud) [2024-01-30T13:08:31Z] <taavi> create no-op DMARC record T354112

taavi updated the task description. (Show Details)Jan 30 2024, 1:12 PM
Maintenance_bot removed a project: Patch-For-Review.Jan 30 2024, 1:30 PM
taavi removed a subtask: T311910: Upgrade Toolforge mail server to Debian Bullseye or later.Jan 30 2024, 2:11 PM
taavi closed subtask T356171: Enable ARC support in Toolforge as Resolved.Feb 1 2024, 1:05 PM
taavi closed this task as Resolved.Feb 6 2024, 1:53 PM
taavi moved this task from In Progress to Done on the Toolforge (Toolforge iteration 04) board.
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL