Page MenuHomePhabricator
Create Task
Maniphest T355784

Ensure that gerrit.wikimedia.org adheres to Google's sender guidelines
Closed, ResolvedPublic
Actions

Description

Google has announced new requirements for sending email to gmail accounts effective 2024-02-01. This is a tracking task to review what (if anything) is required for Gerrit to be compliant.

Requirements for all senders

  • Set up SPF or DKIM email authentication for your domain.
  • Ensure that sending domains or IPs have valid forward and reverse DNS records, also referred to as PTR records.
  • Use a TLS connection for transmitting email.
  • Keep spam rates reported in Postmaster Tools below 0.10% and avoid ever reaching a spam rate of 0.30% or higher.
  • Format messages according to the Internet Message Format standard (RFC 5322).
  • Don’t impersonate Gmail From: headers. Gmail will begin using a DMARC quarantine enforcement policy, and impersonating Gmail From: headers might impact your email delivery.
  • If you regularly forward email, including using mailing lists or inbound gateways, add ARC headers to outgoing email.

Requirements for high-volume senders

I don’t have data on this atm but I would not be surprised if we’re over the 5k emails per day threshold. (answer is we get to around 4k on active days but haven't seen over 5k in the last couple weeks)

  • Set up DMARC email authentication for your sending domain. Your DMARC enforcement policy can be set to none.
  • For direct mail, the domain in the sender’s From: header must be aligned with either the SPF domain or the DKIM domain. This is required to pass DMARC alignment.
  • Marketing messages and subscribed messages must support one-click unsubscribe, and include a clearly visible unsubscribe link in the message body.

Related Objects
Search...

Event Timeline

LSobanski created this task.Jan 24 2024, 12:46 PM
jhathaway subscribed.Jan 24 2024, 10:12 PM
LSobanski updated the task description. (Show Details)Jan 25 2024, 4:49 PM
Dzahn subscribed.Jan 25 2024, 11:24 PM

confirmed SPF is "PASS with IP 208.80.154.76 " in mail header of a mail from Gerrit

Dzahn updated the task description. (Show Details)Jan 25 2024, 11:26 PM
Dzahn updated the task description. (Show Details)Jan 26 2024, 12:21 AM

gerrit submits to exim on localhost, which then routes to mx1001 (not TLS), mx1001 then sends it out advertising TLS to remote hosts:

exim4.conf:tls_advertise_hosts = *

Dzahn added a comment.Jan 26 2024, 12:34 AM

Basically everything (except one-click subscribe) for mx* is already checked on T355449 and gerrit sends via MX

Dzahn added a comment.Jan 26 2024, 12:53 AM

Regarding the question whether we hit the 5k daily threshold:

root@mx1001:/# for eximlog in $(ls /var/log/exim4/mainlog*.gz); do zcat $eximlog | head -n1 | cut -d " " -f1; zgrep gerrit@wikimedia.org $eximlog | wc -l; done
2024-01-16
3001
2024-01-15
2657
2024-01-14
773
2024-01-13
1559
2024-01-12
4025
2024-01-11
3203
2024-01-10
2815
2024-01-09
4357
2024-01-08
3869
2024-01-07
464
2024-01-06
1636
2024-01-05
3232
2024-01-04
2760
2024-01-03
2195
2024-01-02
2398
2024-01-01
760
2023-12-31
637
2023-12-30
245
2023-12-29
443
2023-12-28
712
2024-01-24
2892
2023-12-27
1058
2023-12-26
565
2023-12-25
602
2023-12-24
240
Dzahn added a comment.Jan 26 2024, 12:55 AM

re: one-click unsubscribe

There is an link in the footer. "To unsubscribe, or for help writing mail filters, visit settings."

Technically its 2 clicks though. One to get to settings and one to remove your address.

LSobanski assigned this task to Dzahn.Jan 26 2024, 12:54 PM
LSobanski triaged this task as High priority.
LSobanski moved this task from Incoming to Work in Progress on the collaboration-services board.
Dzahn updated the task description. (Show Details)Jan 27 2024, 12:07 AM
Dzahn added a comment.Jan 27 2024, 12:17 AM

requirements for all senders

Since we are just gerrit@wikimedia and not a subdomain this is basically all a duplicate of T355449 where boxes were checked by Jesse as well.

  • Set up SPF or DKIM.. - we have SPF
  • valid forward and reverse DNS records.. - valid
  • Use a TLS connection .. - TLS enabled though not hard enforced (T286972#8510424, real enforcement would need T203883)
  • spam rates .. - checked by Jesse for wikimedia.org overall, ok
  • RFC 5322 - we have to assume exim does the right thing
  • Don’t impersonate Gmail From: headers .. we don't
  • ARC headers - not relevant since we don't forward for others

requirements for high-volume senders

We are getting close to but are still under the 5k daily limit to be classified as that.
It's not 100% if Gerrit mails count as "subscribed mails".
Google will NOT start dropping mails on Feb 1st, it's only more likely they might end up in spam filters in the worst case.

  • DMARC ... - "we have dmarc record already, and google is find with a none policy"
  • From: header must be aligned - aligned
  • ..subscribed messages must support one-click unsubscribe.. - It's not clear if we count as subscribed messages but we assume we do, there already is a footer link to unsubscribe but it's 2 clicks instead of 1. Upstream ticket created with Gerrit to request true 1-click unsubscribe: gerrit issue 322461239
Dzahn lowered the priority of this task from High to Medium.Jan 27 2024, 12:21 AM
Dzahn closed this task as Resolved.Feb 1 2024, 5:55 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL