
Ensure that wikimediafoundation.myshopify.com complies with Google's new email sender guidelines
Closed, Resolved (Public)

Description

Google has announced new requirements for sending email to gmail accounts effective 2024-02-01. This is a tracking task to define what is required for the internal Wikimedia Foundation Shopify instance (wikimediafoundation.myshopify.com) to be compliant.

According to Shopify Support, we need to add the 4 CNAME records below to our DNS records to authenticate our domain and allow Shopify to impersonate it. We need to do the same with 4 other CNAME records for our other public Shopify instance, store.wikimedia.org (https://phabricator.wikimedia.org/T355835).

Record #1:
Type: CNAME
Host name: 2i3._domainkey
Value: dkim1.edd08f1c196d.p234.email.myshopify.com

Record #2:
Type: CNAME
Host name: 2i32._domainkey
Value: dkim2.edd08f1c196d.p234.email.myshopify.com

Record #3:
Type: CNAME
Host name: 2i33._domainkey
Value: dkim3.edd08f1c196d.p234.email.myshopify.com

Record #4:
Type: CNAME
Host name: mailer2i3
Value: edd08f1c196d.p234.email.myshopify.com

I've attached the instructions from Shopify Support for reference. I have admin access to both Shopify instances, so I can "authenticate the domain" on the Shopify admin console once the CNAME records are added.

Event Timeline

@bcampbell I assume the intent is to allow Shopify to DKIM-sign their mail with keys we advertise on our domain, i.e. CNAME 1-3. Are emails from this account already signed with these keys? I tried digging these records and they point to DKIM keys from SendGrid. I assume these keys are per user, i.e. another SendGrid account does not use the same DKIM keys? I'm not sure what the purpose of CNAME Record #4 is.

[Sorry, this was another task, so editing my comment]

@jhathaway I do not know what CNAME record 4 is for. I can ask Sandra to connect me with Shopify Support if we need to confirm the purpose of the record before implementing the changes.

It appears to point to an SPF record:

u13504486.wl237.sendgrid.net. 1740 IN   TXT "v=spf1 ip4:149.72.137.2 ip4:149.72.146.168

But I'm not sure how that SPF record is being used, do they want us to include the mailer2i3 subdomain in our SPF record? I think we need more docs on the intent, or we need to speak to someone.

@jhathaway I reached out to Sandra requesting that I be connected with our Shopify rep for clarification. Will update this task when I learn more.

After reading this post on Reddit, I think I finally grok the intended setup; apologies for being a bit dense on this one:

  1. 2i3._domainkey.wikimedia.org: dkim key 1
  2. 2i32._domainkey.wikimedia.org: dkim key 2
  3. 2i33._domainkey.wikimedia.org: dkim key 3
  4. mailer2i3.wikimedia.org: spf record for smtp.from email address

Email sent via Shopify uses no-reply@mailer2i3.wikimedia.org as its smtp.from, so SPF passes based on the SPF TXT record found at mailer2i3.wikimedia.org. DKIM uses keys 1, 2, or 3 and the domain wikimedia.org; DKIM passes, looking up the keys via their CNAME records. DMARC passes via SPF as long as its alignment mode is set to relaxed, which allows subdomains to match. This is required for the email.from, merchandise@wikimedia.org, to align with the smtp.from, no-reply@mailer2i3.wikimedia.org. If DMARC alignment is set to strict, DMARC should still pass via DKIM auth.
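The alignment reasoning in the comment above, worked through as a small Python check. This is an added example, not code from the task, Shopify or Wikimedia; the addresses and signing domain are the ones named in the thread, and it simplifies the organizational-domain rule to "last two labels" instead of the Public Suffix List that real DMARC evaluators use.

```python
"""DMARC identifier alignment for the Shopify mail flow described in the task.

Header From (RFC5322.From):       merchandise@wikimedia.org
SMTP MAIL FROM (RFC5321.MailFrom): no-reply@mailer2i3.wikimedia.org (SPF checked here)
DKIM signing domain (d=):          wikimedia.org (keys 1-3 via the _domainkey CNAMEs)
The identities come from the thread; the evaluation logic is added for illustration.
"""
from typing import Optional


def org_domain(domain: str) -> str:
    """Organizational domain. Simplification for this example: the last two
    labels. Real DMARC evaluators use the Public Suffix List (RFC 7489, 3.2)."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(header_from_domain: str, auth_domain: str, mode: str) -> bool:
    """Alignment per the DMARC aspf/adkim tags: 's' = strict (exact match),
    'r' = relaxed (same organizational domain, so subdomains match)."""
    h, a = header_from_domain.lower().rstrip("."), auth_domain.lower().rstrip(".")
    if mode == "s":
        return h == a
    if mode == "r":
        return org_domain(h) == org_domain(a)
    raise ValueError(f"unknown alignment mode {mode!r}")


def evaluate_dmarc(header_from: str, smtp_from: str, spf_pass: bool,
                   dkim_d: Optional[str], dkim_pass: bool,
                   aspf: str = "r", adkim: str = "r") -> dict:
    """DMARC passes if at least one authenticated identifier (SPF-checked
    MAIL FROM domain or DKIM d= domain) aligns with the header From domain.
    Defaults are the DMARC defaults: relaxed for both."""
    from_domain = header_from.split("@", 1)[1]
    spf_aligned = spf_pass and aligned(from_domain, smtp_from.split("@", 1)[1], aspf)
    dkim_aligned = bool(dkim_pass and dkim_d and aligned(from_domain, dkim_d, adkim))
    return {"spf_aligned": spf_aligned, "dkim_aligned": dkim_aligned,
            "dmarc_pass": spf_aligned or dkim_aligned}


def shopify_case(aspf: str = "r", adkim: str = "r", dkim_pass: bool = True) -> dict:
    """The flow from the thread: SPF passes at mailer2i3.wikimedia.org,
    DKIM (when it verifies) is signed with d=wikimedia.org."""
    return evaluate_dmarc("merchandise@wikimedia.org", "no-reply@mailer2i3.wikimedia.org",
                          spf_pass=True, dkim_d="wikimedia.org", dkim_pass=dkim_pass,
                          aspf=aspf, adkim=adkim)


if __name__ == "__main__":
    for aspf, adkim in (("r", "r"), ("s", "s")):
        print(f"aspf={aspf} adkim={adkim}:", shopify_case(aspf, adkim))
    print("strict, DKIM not verifying:", shopify_case("s", "s", dkim_pass=False))
```

With strict alignment the subdomain MAIL FROM no longer counts, so the message rides on DKIM alone; if the key lookup through the CNAMEs ever breaks, DMARC fails outright.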

@jhathaway All good, thanks for the breakdown. I also CCd you in the support interaction with Shopify, and they mentioned that the 4th record was for SPF as well. Is there any further action required to complete this on my end? Last I checked, we added the 4 records associated with the public instance, but not our internal instance.

Change 994333 had a related patch set uploaded (by JHathaway; author: JHathaway):

[operations/dns@master] Add DKIM & SPF records for wikimediafoundation.myshopify.com

https://gerrit.wikimedia.org/r/994333

Change 994333 merged by JHathaway:

[operations/dns@master] Add DKIM & SPF records for wikimediafoundation.myshopify.com

https://gerrit.wikimedia.org/r/994333

@bcampbell patch is merged, if you want to give it a whirl!

Thanks @jhathaway. I just clicked the button on the Shopify admin console to test DKIM and SPF, but I'll confirm here once the test is complete. It says it may take up to 24 hours.

@bcampbell I assume this is resolved, please go ahead and reopen if it is not.

@jhathaway Sorry for not closing the loop on this one. It is resolved now.