Emails from wikimediats.zendesk.com fails DMARC policy
Closed, Resolved · Public

Description

DMARC is failing because zendesk is sending email as cst@wikimedia.org but the Return-Path is support@wikimediats.zendesk.com & not DKIM signed by wikimedia.org. This violates RFC 7489 "DMARC".

FAQs from commercial vendors explain this better than I can: Postmark, AWS SES. In short, the Return-Path domain and From domain must match for the SPF check to pass.

Now in wikimediats.zendesk.com, DMARC is failing because...

  1. Return-Path domain is wikimediats.zendesk.com and From domain is wikimedia.org. This fails the SPF check.
  2. Emails are DKIM signed, but not by wikimedia.org or a subdomain of it; they are signed by zendesk.com. This fails the DKIM check.

Because both SPF and DKIM checks are failing, DMARC policy is failing. (Current policy as of 2024-11-07 allows email to pass DMARC if either one of the two (ideally both) passes.)

email.log
Return-Path: <support@wikimediats.zendesk.com>
X-Spam-known-sender: no ("Email failed DMARC policy for domain"); in-addressbook;
X-Spam-score: 0.0
X-Spam-hits: BAYES_00 -1.9, DCC_REPUT_13_19 -0.1, DMARC_NONE 0.898,
  HEADER_FROM_DIFFERENT_DOMAINS 0.17, HTML_MESSAGE 0.001,
  ME_SC_SENDERREP -100, ME_SENDERREP_ALLOW -4, RCVD_IN_DNSWL_MED -2.3,
  RCVD_IN_MSPIKE_H4 0.001, RCVD_IN_MSPIKE_WL 0.001, SHORTCIRCUIT -0.0001,
  SPF_HELO_NONE 0.001, SPF_PASS -0.001, LANGUAGES en, BAYES_USED user,
  SA_VERSION 4.0.0
Authentication-Results: phl-mx-03.messagingengine.com;
    dkim=pass (2048-bit rsa key sha256) header.d=zendesk.com
      header.i=@zendesk.com header.b=21n0b2Pg header.a=rsa-sha256
      header.s=zendesk1;
    dmarc=fail policy.published-domain-policy=none
      policy.published-subdomain-policy=none policy.applied-disposition=none
      policy.evaluated-disposition=none policy.arc-aware-result=fail
      (p=none,sp=none,d=none,d.eval=none,arc_aware_result=fail)
      policy.policy-from=p header.from=wikimedia.org;
    iprev=pass smtp.remote-ip=192.161.149.32
      (mta-out2.pod23.use1.zdsys.com);
    spf=pass smtp.mailfrom=support@wikimediats.zendesk.com
      smtp.helo=mta-out2.pod23.use1.zdsys.com
Received-SPF: pass
    (wikimediats.zendesk.com: Sender is authorized to use 'support@wikimediats.zendesk.com' in 'mfrom' identity (mechanism 'include:mail.zendesk.com' matched))
    receiver=phl-mx-03.messagingengine.com;
    identity=mailfrom;
    envelope-from="support@wikimediats.zendesk.com";
    helo=mta-out2.pod23.use1.zdsys.com;
    client-ip=192.161.149.32
Received: from mta-out2.pod23.use1.zdsys.com (mta-out2.pod23.use1.zdsys.com [192.161.149.32])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256)
	(No client certificate requested)
	by phl-mx-03.messagingengine.com (Postfix) with ESMTPS id CB924100009D
	for <REDACTED@REDACTED>; Sun, 27 Oct 2024 08:53:26 -0400 (EDT)
From: Wikimedia Committee Support <cst@wikimedia.org>

The Authentication-Results header and X-Spam-known-sender header clearly mention that DMARC fails.

This might not be a problem right now, but it can be tricky if and when T211404: More restrictive DMARC policy for the wikimedia.org domain is resolved.

Somewhat ref: T272750: ITS request to update SPF & DNS Records for Trust & Safety.
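The alignment rule behind the failure described above, as an added example (not part of the original task, and not Wikimedia or Zendesk code): it re-derives the DMARC verdict from two Authentication-Results headers trimmed from this page, one from before and one from after the SMTP relay change. `PUBLIC_SUFFIXES` is a constructed stand-in for the Public Suffix List, and all function names are hypothetical.

```python
import re

# Assumption: a tiny stand-in for the Public Suffix List, enough for the
# domains on this page. A real evaluator must consult the full PSL.
PUBLIC_SUFFIXES = {"com", "org", "wiki"}

# Trimmed from the headers quoted on this page (policy.* properties dropped).
BEFORE = """Authentication-Results: phl-mx-03.messagingengine.com;
    dkim=pass (2048-bit rsa key sha256) header.d=zendesk.com
      header.i=@zendesk.com header.a=rsa-sha256 header.s=zendesk1;
    dmarc=fail (p=none,sp=none,d=none,d.eval=none,arc_aware_result=fail)
      header.from=wikimedia.org;
    spf=pass smtp.mailfrom=support@wikimediats.zendesk.com
      smtp.helo=mta-out2.pod23.use1.zdsys.com"""
AFTER = """Authentication-Results: phl-mx-03.messagingengine.com;
    dkim=pass (1024-bit rsa key sha256) header.d=wikimedia.org
      header.i=@wikimedia.org header.a=rsa-sha256 header.s=wikimedia;
    dmarc=pass (p=none,sp=none,d=none,d.eval=none) header.from=wikimedia.org;
    spf=pass smtp.mailfrom=testingwikimediats@wikimedia.org
      smtp.helo=mx-out1001.wikimedia.org"""


def org_domain(domain):
    """Organizational Domain: the public suffix plus one label to its left."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[max(i - 1, 0):])
    return ".".join(labels[-2:])


def aligned(from_domain, auth_domain, mode="r"):
    """Mode "r" (relaxed) compares Organizational Domains, "s" (strict) exact names."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


def parse_authres(header):
    """Return [(method, result, {property: value})] for one header."""
    value = header.split(":", 1)[1]
    value = re.sub(r"\([^()]*\)", " ", value)  # drop (comments)
    out = []
    for clause in value.split(";"):
        tokens = clause.split()
        if not tokens or "=" not in tokens[0]:
            continue  # authserv-id or empty clause
        method, result = tokens[0].split("=", 1)
        props = dict(t.split("=", 1) for t in tokens[1:] if "=" in t)
        out.append((method.lower(), result.lower(), props))
    return out


def evaluate(header, from_domain, adkim="r", aspf="r"):
    """Recompute DMARC from the SPF/DKIM results: a pass counts only if aligned."""
    spf_ok, dkim_ok, reported, notes = False, False, None, []
    for method, result, props in parse_authres(header):
        if method == "spf":
            # SPF authenticates the envelope sender; a null sender falls back to HELO.
            ident = props.get("smtp.mailfrom") or props.get("smtp.helo", "")
            domain = ident.rsplit("@", 1)[-1]
            ok = result == "pass" and aligned(from_domain, domain, aspf)
            spf_ok = spf_ok or ok
            notes.append(f"spf={result} domain={domain} counts_for_dmarc={ok}")
        elif method == "dkim":
            domain = props.get("header.d", "")
            ok = result == "pass" and aligned(from_domain, domain, adkim)
            dkim_ok = dkim_ok or ok
            notes.append(f"dkim={result} d={domain} counts_for_dmarc={ok}")
        elif method == "dmarc":
            reported = result  # what the receiving server itself concluded
    return {"dmarc": "pass" if (spf_ok or dkim_ok) else "fail",
            "reported": reported, "spf_aligned_pass": spf_ok,
            "dkim_aligned_pass": dkim_ok, "notes": notes}


if __name__ == "__main__":
    for name, hdr in (("before", BEFORE), ("after", AFTER)):
        verdict = evaluate(hdr, "wikimedia.org")
        print(f"{name}: dmarc={verdict['dmarc']} (receiver reported {verdict['reported']})")
        for note in verdict["notes"]:
            print("   ", note)
```

In the "before" header both `spf=pass` and `dkim=pass` are real passes, but for zendesk.com identities, so neither counts toward DMARC for a wikimedia.org From: address.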

Event Timeline

jhathaway triaged this task as Medium priority. Oct 28 2024, 3:19 PM

Thanks @revi, perhaps the From: header has changed since T272750, @Nahid any idea who on Trust & Safety manages this zendesk instance?

That would be @JAbrams. Let me also raise this in our team meeting tomorrow.

Thanks @revi, perhaps the From: header has changed since T272750,

Digging through my inbox, last time I got an email was 2023-12-27 (UTC), when some spammer used $private-list-I-moderate+owner@lists.wm.o email to file a ticket @ T&S zendesk.

At that time, ticket response used From: Support <privacy@wikimediats.zendesk.com>, so it was fine.

Before that trolling submission, my latest is 2022-04-30 (UTC) to emergency@, which will be too outdated as an example, but this one using From: (name redacted) <emergency@wikimedia.org> fails the DMARC. (If T&S want to dig the logs in zendesk agent view, #40298)

email.log
Authentication-Results: mx5.messagingengine.com;
    dkim=pass (2048-bit rsa key sha256) header.d=zendesk.com
      header.i=@zendesk.com header.b=s4GGrNjI header.a=rsa-sha256
      header.s=zendesk1 x-bits=2048;
    dmarc=fail policy.published-domain-policy=none
      policy.published-subdomain-policy=none policy.applied-disposition=none
      policy.evaluated-disposition=none policy.arc-aware-result=fail
      (p=none,sp=none,d=none,d.eval=none,arc_aware_result=fail)
      policy.policy-from=p header.from=wikimedia.org;
    iprev=pass smtp.remote-ip=192.161.149.34
      (outbyoip4.pod23.use1.zdsys.com);
    spf=pass smtp.mailfrom=support@wikimediats.zendesk.com
      smtp.helo=outbyoip4.pod23.use1.zdsys.com

So I assume this is still happening to responses to emergency@ (and probably ca@? I was inactive since 2023 and had no reason to deal with T&S as I resigned as Steward that year) emails.

PS: digging my inbox further, my (genuine) past emails to privacy@ (#33528) were answered by From: Support <legal@wikimediats.zendesk.com> so they are most likely fine.

Anyway I think possible solutions would be…

  1. Route outgoing wikimedia.org mails through either Wikimedia infra (ie. the stuff you use to send qualtrics emails — see ref below) or Google Workspace (both of which are already SPF-conforming and will most likely sign mails with correct wikimedia.org DKIM key)
  2. Modify Zendesk settings (or demand Zendesk) to use wikimedia.org or subdomain as Return-Path (IIRC DMARC at the default settings will allow subdomains.)
  3. Modify Zendesk settings (or demand Zendesk) to DKIM-sign emails from wikimedia.org or subdomains. (Again, IIRC, DMARC at the default settings will allow DKIM-signatures to pass. And if DKIM from wikimedia.org passes, SPF failures become irrelevant because DMARC just requires one of DKIM or SPF to pass.)

Kind of ref again: T164424: Allow Qualtrics to send @wikimedia.org emails using an SPF record or an SMTP relay and T314815: Update DNS record to allow us to send emails from @wikimedia.org on Qualtrics

One of the three will (I think) solve the DMARC failure, but that is up to T&S (and possibly Zendesk).

EDIT 2024-11-01:

And option 4: add zendesk to SPF, but I personally don't think this is a viable option?

email.log
Authentication-Results: phl-mx-08.messagingengine.com;
    dkim=pass (2048-bit rsa key sha256) header.d=zendesk.com
      header.i=@zendesk.com header.b=UxV0QRkn header.a=rsa-sha256
      header.s=zendesk1;
    dmarc=pass policy.published-domain-policy=quarantine
      policy.applied-disposition=none policy.evaluated-disposition=none
      (p=quarantine,d=none,d.eval=none) policy.policy-from=p
      header.from=sourcegraph.com;
    iprev=pass smtp.remote-ip=192.161.151.13
      (mta-out13.pod13.usw2.zdsys.com);
    spf=pass smtp.mailfrom=support@sourcegraph.com
      smtp.helo=mta-out13.pod13.usw2.zdsys.com
Received-SPF: pass
    (sourcegraph.com: Sender is authorized to use 'support@sourcegraph.com' in 'mfrom' identity (mechanism 'include:mail.zendesk.com' matched))
    receiver=phl-mx-08.messagingengine.com;
    identity=mailfrom;
    envelope-from="support@sourcegraph.com";
    helo=mta-out13.pod13.usw2.zdsys.com;
    client-ip=192.161.151.13
Received: from mta-out13.pod13.usw2.zdsys.com (mta-out13.pod13.usw2.zdsys.com [192.161.151.13])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256)
	(No client certificate requested)
	by phl-mx-08.messagingengine.com (Postfix) with ESMTPS id AB44B128008F
	for <RED@CTED>; Thu, 31 Oct 2024 17:16:31 -0400 (EDT)
Received: from zendesk.com (unknown [127.0.0.6])
	by mta-out15.pod13.usw2.zdsys.com (Zendesk) with ESMTP
	id 61766714-4002-4e82-b828-8e990b61087e
	for <RED@CTED>;
	Thu, 31 Oct 2024 21:16:29 +0000 (UTC)
Date: Thu, 31 Oct 2024 21:16:29 +0000
From: Sourcegraph <support@sourcegraph.com>

Thanks for mentioning option (1), I was involved with re-setting that up for Qualtrics in T314815, and we could do something similar for zendesk, if they support it on their end.

Heh! Didn't notice that — I was just reading the subject and descriptions (lol).

Anyway: At least option 3 is possible. support.zendesk

Option 1 seems… to have conflicting info: they say "no SMTP relay" but they have an EAP program which practically seems to be the… SMTP relay. I think it's up to you to figure out which is true (and what path to go).

revi renamed this task from Emails from wikimediats.zendesk.com fails DMARC test to Emails from wikimediats.zendesk.com fails DMARC policy. Nov 4 2024, 11:05 PM

Updated description to state DKIM failures, too.

"From is not in the signing domain", because, as stated by the DKIM Verifier, "Signed by zendesk.com".

header.eml
X-Note-by-revi: My email is not really sensitive but reducing spam exposure. Also Fastmail's spam score is always 0 or above.
Return-Path: <support@wikimediats.zendesk.com>
Received: from phl-compute-11.internal (phl-compute-11.phl.internal [10.202.2.51])
	 by slotpi09n12 (Cyrus 3.11.0-alpha0-1067-ga93252216-fm-20241023.001-ga9325221) with LMTPA;
	 Thu, 07 Nov 2024 01:01:07 -0500
X-Cyrus-Session-Id: slotpi09n12-1730959267-288937-2-16663712488169810912
X-Sieve: CMU Sieve 3.0
X-Spam-known-sender: no ("Email failed DMARC policy for domain"); in-addressbook;
X-Spam-sender-reputation: 1000 (domain; noauth)
X-Spam-score: 0.0
X-Spam-hits: BAYES_50 0.8, DMARC_NONE 0.898, HEADER_FROM_DIFFERENT_DOMAINS 0.249,
  HTML_FONT_LOW_CONTRAST 0.001, HTML_MESSAGE 0.001, ME_SC_SENDERREP -100,
  ME_SENDERREP_ALLOW -4, RCVD_IN_DNSWL_MED -2.3, SHORTCIRCUIT -0.0001,
  SPF_HELO_NONE 0.001, SPF_PASS -0.001, LANGUAGES en, BAYES_USED user,
  SA_VERSION 4.0.0
X-Spam-source: IP='192.161.149.44', Host='mta-out14.pod23.use1.zdsys.com', Country='US',
  FromHeader='org', MailFrom='com'
X-Spam-charsets: plain='utf-8', html='utf-8'
X-Resolved-to: RED@CTED
X-Delivered-to: RED@CTED
X-Mail-from: support@wikimediats.zendesk.com
Received: from phl-mx-05 ([10.202.2.204])
  by phl-compute-11.internal (LMTPProxy); Thu, 07 Nov 2024 01:01:07 -0500
Received: from phl-mx-05.messagingengine.com (localhost [127.0.0.1])
	by mailmx.phl.internal (Postfix) with ESMTP id 1C2AF2CC00BB
	for <RED@CTED>; Thu,  7 Nov 2024 01:01:07 -0500 (EST)
Received: from mailmx.phl.internal (localhost [127.0.0.1])
    by phl-mx-05.messagingengine.com (Authentication Milter) with ESMTP
    id 3061E6D8FE5.A03DD2CC00B1;
    Thu, 7 Nov 2024 01:01:07 -0500
ARC-Seal: i=1; a=rsa-sha256; cv=none; d=messagingengine.com; s=fm3; t=
    1730959267; b=mZt9cDzDzOiV3QshQ4py0bPfHs+DBHIWPB8+qeENyFnUETtVzB
    yFIqdC2u+0sjHFJxPUoLPEKUf9NbH4tpjiVS0J40A5oPJs3K9iDEVoxsCh6vd///
    5Q09KTXWPxLgDsLHlvFQ9E6tr7ILOaI5RHG1Ht/mttEFQl2GAymfW+CP7mxVPAZm
    vyXMaCZR66oj8OHoCxwV30jGGqYs3pzo66gbicree4oRjm6tOEa9Jiycv6rGfGPx
    efYj5WIqdYK9wwxy/EQzSobiPabz9vOwtjfH82pKGAok7vAOVVL9k572OGWJWRrl
    57JO/JCvoXiHgJ2f7iQXVWhve/4TgyVqS6Kw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=
    messagingengine.com; h=date:from:reply-to:to:message-id
    :in-reply-to:references:subject:mime-version:content-type
    :content-transfer-encoding; s=fm3; t=1730959267; bh=dgjyCQZlsSEP
    KVrCRioTmiV2awP7jKwWxgM6ZLYr+xs=; b=VZybnoD1Z/uzAgqviINbPwVNYUYf
    ccxVBlP0u9blqH8AWjPBIO4pZGT5vDSS0RD6anXM8eQRCdmjNsb+GivXCR+EVw9Q
    jyV49CvL7R/LXr52f/gSOnFlaRr/UZX+m4tQa9Kp5dvU9n/62RahClug729ooQqG
    Qi0iM4/OhulEF6sMCwSvjJDXv0T3+NdjCAhlwEUSkenlFRe4KBMjMQICsM9vGQRX
    +jf/lxQrMAYK22BlcYpTg9RW+bU18iSHXrzbzg0/eeT1loS3K5nM3hEUoQu5CF7O
    DEnOpLxtDyAAMMQK6kpFc98gIrbN4/rrn313tOnOKdtFzXDme5+8SQVEhg==
ARC-Authentication-Results: i=1; phl-mx-05.messagingengine.com;
    x-csa=none;
    x-me-sender=none;
    x-ptr=pass smtp.helo=mta-out14.pod23.use1.zdsys.com
    policy.ptr=mta-out14.pod23.use1.zdsys.com;
    bimi=skipped (DMARC did not pass);
    arc=none (no signatures found);
    dkim=pass (2048-bit rsa key sha256) header.d=zendesk.com
    header.i=@zendesk.com header.b=Jm6TJukb header.a=rsa-sha256
    header.s=zendesk1;
    dmarc=fail policy.published-domain-policy=none
    policy.published-subdomain-policy=none policy.applied-disposition=none
    policy.evaluated-disposition=none policy.arc-aware-result=fail
    (p=none,sp=none,d=none,d.eval=none,arc_aware_result=fail)
    policy.policy-from=p header.from=wikimedia.org;
    iprev=pass smtp.remote-ip=192.161.149.44
    (mta-out14.pod23.use1.zdsys.com);
    spf=pass smtp.mailfrom=support@wikimediats.zendesk.com
    smtp.helo=mta-out14.pod23.use1.zdsys.com
X-ME-Authentication-Results: phl-mx-05.messagingengine.com;
    x-tls=pass smtp.version=TLSv1.3 smtp.cipher=TLS_AES_256_GCM_SHA384
      smtp.bits=256/256;
    x-vs=clean score=0 state=0
Authentication-Results: phl-mx-05.messagingengine.com;
    x-csa=none;
    x-me-sender=none;
    x-ptr=pass smtp.helo=mta-out14.pod23.use1.zdsys.com
      policy.ptr=mta-out14.pod23.use1.zdsys.com
Authentication-Results: phl-mx-05.messagingengine.com;
    bimi=skipped (DMARC did not pass)
Authentication-Results: phl-mx-05.messagingengine.com;
    arc=none (no signatures found)
Authentication-Results: phl-mx-05.messagingengine.com;
    dkim=pass (2048-bit rsa key sha256) header.d=zendesk.com
      header.i=@zendesk.com header.b=Jm6TJukb header.a=rsa-sha256
      header.s=zendesk1;
    dmarc=fail policy.published-domain-policy=none
      policy.published-subdomain-policy=none policy.applied-disposition=none
      policy.evaluated-disposition=none policy.arc-aware-result=fail
      (p=none,sp=none,d=none,d.eval=none,arc_aware_result=fail)
      policy.policy-from=p header.from=wikimedia.org;
    iprev=pass smtp.remote-ip=192.161.149.44
      (mta-out14.pod23.use1.zdsys.com);
    spf=pass smtp.mailfrom=support@wikimediats.zendesk.com
      smtp.helo=mta-out14.pod23.use1.zdsys.com
X-ME-VSScore: 0
X-ME-VSCategory: clean
X-ME-CSA: none
X-ME-Received: <xmx:olcsZ-HeX7VixBCHBwGdv2xRMWcTNh-oY5xg90ciP1oMStLnjWp-zg>
Received-SPF: pass
    (wikimediats.zendesk.com: Sender is authorized to use 'support@wikimediats.zendesk.com' in 'mfrom' identity (mechanism 'include:mail.zendesk.com' matched))
    receiver=phl-mx-05.messagingengine.com;
    identity=mailfrom;
    envelope-from="support@wikimediats.zendesk.com";
    helo=mta-out14.pod23.use1.zdsys.com;
    client-ip=192.161.149.44
Received: from mta-out14.pod23.use1.zdsys.com (mta-out14.pod23.use1.zdsys.com [192.161.149.44])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256)
	(No client certificate requested)
	by phl-mx-05.messagingengine.com (Postfix) with ESMTPS id A03DD2CC00B1
	for <RED@CTED>; Thu,  7 Nov 2024 01:01:06 -0500 (EST)
Received: from zendesk.com (unknown [127.0.0.6])
	by mta-out15.pod23.use1.zdsys.com (Zendesk) with ESMTP
	id 17be6207-4b7a-484f-863b-2659d285f8d6
	for <RED@CTED>;
	Thu, 07 Nov 2024 06:01:05 +0000 (UTC)
Date: Thu, 07 Nov 2024 06:01:05 +0000
From: Wikimedia Trust & Safety <ca@wikimedia.org>
Reply-To: Wikimedia Trust & Safety <ca@wikimedia.org>
To: revi <RED@CTED>
Message-ID: <RED@CTED>
In-Reply-To: <RED@CTED>
References: <RED@CTED>
 <RED@CTED>
 <RED@CTED>
 <RED@CTED>
Subject: Feedback Request #91080: Please evaluate your recent experience with
 the Trust & Safety team at the Wikimedia Foundation - Your input matters!
Mime-Version: 1.0
Content-Type: multipart/alternative;
 boundary="--==_mimepart_672c57a136248_47396c1038d9";
 charset=utf-8
Content-Transfer-Encoding: 7bit
X-Delivery-Context: event-id-RED@CTED
Auto-Submitted: auto-generated
X-Auto-Response-Suppress: All
X-Mailer: Zendesk Mailer
X-Zendesk-From-Account-Id: RED@CTED
X-Zendesk-Email-Id: RED@CTED
DKIM-Signature:  v=1; a=rsa-sha256; c=relaxed/relaxed; d=zendesk.com;
 q=dns/txt; s=zendesk1; t=1730959265;
 bh=dgjyCQZlsSEPKVrCRioTmiV2awP7jKwWxgM6ZLYr+xs=;
 h=date:from:reply-to:to:message-id:in-reply-to:references:subject:mime-version:content-type:content-transfer-encoding;
 b=Jm6TJukbQiVx80L9moAbrdOFuLSs1g/tLLtLvLt7wWbejb9rVJ2GtJha5HKrXSS4WLcQaY0zpIxMpisU60LaZ+/filf5yatWPwcUCliB/V6wJjV4o3Ym+USXTvVjmJN3+o2OdqRqaHPEBg3a+N15GVF2QUg5YM5nW6U3PZtWWDbrVp3xnLiPSWXw/Ra153dEPpZf5IYDQYl38hStC4S/IS7jR5uqcKALajm9x6DnrDGWka6DmhuuqQBbwUQAafKcCKLNaGNFCQkMnzoeFYiduItfTqpYs1TsjwqbDM+JtbP4iRU4vBFPorBTPIEXHymPY9rZqj8znAoVGvgyrAlhRA==

Hi everyone, thank you for raising this issue. We have multiple addresses in our Zendesk instances using the subdomain wikimediats.zendesk.com. Working on this matter and will reach out to SRE to discuss further. I’ll keep you updated here.

Just to be clear, using wikimediats.zendesk.com isn't a problem by itself; using wikimedia.org in From: header without proper/inadequate authorization (according to internet standards around anti-spam control) is the problem.

For example, when I send email to legal@wm.o (ie. recent ticket #91302) and/or privacy@wm.o, zendesk responds from legal@wikimediats.zendesk and privacy@wikimediats.zendesk, respectively, and does not suffer from this problem. However ca@ (recent ticket #91080), emergency@, and cst@ (recent ticket #91177) respond from wikimedia.org and that's when this is triggered.

@revi Many thanks for the additional insights, noted! Meeting with SRE today, I’ll keep you posted.

Option 1 seems… to have conflicting info: they say "no SMTP relay" but they have an EAP program which practically seems to be the… SMTP relay. I think it's up to you to figure out which is true (and what path to go).

Looks like they surrendered to the demand and added SMTP relay support.

Looks promising indeed!

@JAbrams and I met yesterday to test using Zendesk's authenticated SMTP connector. We were unable to test the full flow, but we were able to get Zendesk to relay outbound emails through our servers. Our current plan is to provision a new test address and resume testing in January, after the winter break. During our testing we realized there are two distinct options for relaying:

  1. Outbound only
  2. Outbound & Inbound

For the first option inbound emails are still forwarded from gmail to a Zendesk email address, which is also the current methodology. With the second option we would configure our Postfix servers to relay messages directly to Zendesk's server, rather than forward the messages. This option would require some config additions on the Postfix side to add support for sender_dependent_relayhost_maps.

I guess relaying outbound only with WMF infra now and experimenting with inbound+outbound later would be the better way (keeping status quo while making DMARC pass)…

But given the usual WMF holiday season, and given the fact that this has been lingering for years without much of a deliverability issue, indeed this can wait for a few more weeks.

Hi @revi

I met @jhathaway yesterday, and we tested the SMTP connector for outbound email only within the testing environment of Zendesk. As part of this test, could you send an email to *testingwikimediats@wikimedia.org*? I’ll reply to it, and then we can check whether the DMARC policy has passed.

I’ll also run the test using my personal testing email, but if you could check on your end as well and let me know if it has passed, that would be great.

Thanks in advance!
Janina

You should have received an email, from domain revi.wiki, Subject: Testing testing one two three one two three.

And the result seems fine!

Authentication-Results: phl-mx-03.messagingengine.com;
    dkim=pass (1024-bit rsa key sha256) header.d=wikimedia.org
      header.i=@wikimedia.org header.b=BPMbClz4 header.a=rsa-sha256
      header.s=wikimedia;
    dmarc=pass policy.published-domain-policy=none
      policy.published-subdomain-policy=none policy.applied-disposition=none
      policy.evaluated-disposition=none (p=none,sp=none,d=none,d.eval=none)
      policy.policy-from=p header.from=wikimedia.org;
    iprev=pass smtp.remote-ip=208.80.154.5 (mx-out1001.wikimedia.org);
    spf=pass smtp.mailfrom=testingwikimediats@wikimedia.org
      smtp.helo=mx-out1001.wikimedia.org
Received-SPF: pass
    (wikimedia.org: Sender is authorized to use 'testingwikimediats@wikimedia.org' in 'mfrom' identity (mechanism 'include:_cidrs.wikimedia.org' matched))
    receiver=phl-mx-03.messagingengine.com;
    identity=mailfrom;
    envelope-from="testingwikimediats@wikimedia.org";
    helo=mx-out1001.wikimedia.org;
    client-ip=208.80.154.5
Received: from mx-out1001.wikimedia.org (mx-out1001.wikimedia.org [208.80.154.5])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256)
	(No client certificate requested)
	by phl-mx-03.messagingengine.com (Postfix) with ESMTPS id 73D6710001AB
	for <@revi.wiki>; Thu,  6 Mar 2025 07:50:50 -0500 (EST)

Authentication-Results header reports dkim: pass, dmarc: pass, and spf: pass.

Hi all,
The SMTP connector has been successfully configured for all support addresses in Zendesk. Thanks to @jhathaway, the implementation went smoothly, and the DMARC policy is now passing for all addresses.
I believe this task can now be marked as complete.
Please let me know if you need any further information.
Many thanks!

Yeah, looks good to me (see line 1, 100~109). I am going bold and closing this as resolved.

1Return-Path: <privacy@wikimedia.org>
2Received: from phl-compute-11.internal (phl-compute-11.internal [10.202.2.51])
3 by slotpi06m47 (Cyrus 3.13.0-alpha0-1341-g6c10bd1c5-fm-20251013.001-g6c10bd1c) with LMTPA;
4 Thu, 23 Oct 2025 07:14:46 -0400
5X-Cyrus-Session-Id: slotpi06m47-1761218086-3454781-2-7896850539472315897
6X-Sieve: CMU Sieve 3.0
7X-Spam-known-sender: yes ("Address privacy@wikimedia.org in From header is in addressbook");
8 in-addressbook;
9X-Spam-sender-reputation: 1000 (domain)
10X-Spam-score: 0.0
11X-Spam-hits: ALL_TRUSTED -1, BAYES_00 -1.9, HTML_FONT_LOW_CONTRAST 0.001,
12 HTML_MESSAGE 0.001, ME_SC_SENDERREP -100, ME_SENDERREP_ALLOW -4,
13 SHORTCIRCUIT -0.0001, SPF_HELO_NONE 0.001, SPF_PASS -0.001, LANGUAGES en,
14 BAYES_USED user, SA_VERSION 4.0.1
15X-Spam-source: IP='208.80.154.5', Host='unk', Country='US', FromHeader='org',
16 MailFrom='org'
17X-Spam-charsets: plain='utf-8', html='utf-8'
18X-Resolved-to: REDACTED
19X-Delivered-to: REDACTED
20X-Mail-from: privacy@wikimedia.org
21Received: from phl-mx-04 ([10.202.2.203])
22 by phl-compute-11.internal (LMTPProxy); Thu, 23 Oct 2025 07:14:46 -0400
23Received: from phl-mx-04.messagingengine.com (localhost [127.0.0.1])
24 by mailmx.phl.internal (Postfix) with ESMTP id 5AFAF13800EC
25 for <REDACTED>; Thu, 23 Oct 2025 07:14:46 -0400 (EDT)
26Received: from mailmx.phl.internal (localhost [127.0.0.1])
27 by phl-mx-04.messagingengine.com (Authentication Milter) with ESMTP
28 id EA5E151E7EF.1775A13800FC;
29 Thu, 23 Oct 2025 07:14:46 -0400
30ARC-Seal: i=1; a=rsa-sha256; cv=none; d=messagingengine.com; s=fm2; t=
31 1761218086; b=LaWWUAm30b/Mx0bw1hBdgQTuzsv2fTWkAu9Dj8gS260XcO1i0f
32 XQ2R9K3jaGmN23wyXp+aH8IpHVGPxtc59hgU79S2RQP2XTO5zzdTdO7AXr29Q09Y
33 8tTbZEXTweQEZU8y06o6zpMTP3vgO6W87QdlFryyZLQlo8g4zjpiL9OMn0miyTVR
34 Wy0o4E97XOpuKNQNsiInUuaURzp5r/Bggf+8UBo+ebUmbUbC6umsH3Kys6fNWiWU
35 w3Eoou2OLafL9lnZfvvyMlNFpg8MFuRg2b9TN8lr8+leFvdTOKGAd2LwFzWafjV+
36 xbRXNhG7kqCSQs3+NoUwCF4tUcxYgAngP5FA==
37ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=
38 messagingengine.com; h=date:from:reply-to:to:message-id
39 :in-reply-to:references:subject:mime-version:content-type
40 :content-transfer-encoding; s=fm2; t=1761218086; bh=zjhrnwJ70pqe
41 lP9hZAv9juB6W68DRfY69G6ir+KQlik=; b=ahfmqqKg09gKGJeyMVWOxIdjNh82
42 1RnGDPjgQmssr7dkAC8h2qoV/NKVkcioyBMpMfj5rQwBoKA7BhxG07fB+gmiqG+Y
43 8lwtLR+ekcVYw9BPscU6tB82Zp3qvAwALaMgcCmjmblT+sp0l5m5CGzbsVuT6Mqj
44 qxFjyogUAnODSEOoT/qqm9j2rOz7Ra3rNhjXU2FY2GTQ91Y21aGLdMkPqbSEuj8v
45 DsfgEK4OkYOTrgaNhXgR5GiZaAC9v8fD3dFm6Kn8s6hb2PuKyxuFxdOS9jltw6kS
46 mrjG95Xp+SzztO5NjpDMuarCkLIeA4P/Q+YwSsERfprf/VuQCHByj4CcHA==
47ARC-Authentication-Results: i=1; phl-mx-04.messagingengine.com;
48 x-csa=none;
49 x-me-sender=none;
50 x-ptr=pass smtp.helo=mx-out1001.wikimedia.org
51 policy.ptr=mx-out1001.wikimedia.org;
52 bimi=skipped (DMARC Policy is not at enforcement);
53 arc=none (no signatures found);
54 dkim=pass (1024-bit rsa key sha256) header.d=wikimedia.org
55 header.i=@wikimedia.org header.b=SpvuuEcL header.a=rsa-sha256
56 header.s=wikimedia;
57 dmarc=pass policy.published-domain-policy=none
58 policy.published-subdomain-policy=none policy.applied-disposition=none
59 policy.evaluated-disposition=none (p=none,sp=none,d=none,d.eval=none)
60 policy.policy-from=p header.from=wikimedia.org;
61 iprev=pass smtp.remote-ip=208.80.154.5 (mx-out1001.wikimedia.org);
62 spf=pass smtp.mailfrom=privacy@wikimedia.org
63 smtp.helo=mx-out1001.wikimedia.org
64X-ME-Authentication-Results: phl-mx-04.messagingengine.com;
65 x-tls=pass smtp.version=TLSv1.3 smtp.cipher=TLS_AES_256_GCM_SHA384
66 smtp.bits=256/256;
67 x-vs=clean score=0 state=0
68Authentication-Results: phl-mx-04.messagingengine.com;
69 x-csa=none;
70 x-me-sender=none;
71 x-ptr=pass smtp.helo=mx-out1001.wikimedia.org
72 policy.ptr=mx-out1001.wikimedia.org
73Authentication-Results: phl-mx-04.messagingengine.com;
74 bimi=skipped (DMARC Policy is not at enforcement)
75Authentication-Results: phl-mx-04.messagingengine.com;
76 arc=none (no signatures found)
77Authentication-Results: phl-mx-04.messagingengine.com;
78 dkim=pass (1024-bit rsa key sha256) header.d=wikimedia.org
79 header.i=@wikimedia.org header.b=SpvuuEcL header.a=rsa-sha256
80 header.s=wikimedia;
81 dmarc=pass policy.published-domain-policy=none
82 policy.published-subdomain-policy=none policy.applied-disposition=none
83 policy.evaluated-disposition=none (p=none,sp=none,d=none,d.eval=none)
84 policy.policy-from=p header.from=wikimedia.org;
85 iprev=pass smtp.remote-ip=208.80.154.5 (mx-out1001.wikimedia.org);
86 spf=pass smtp.mailfrom=privacy@wikimedia.org
87 smtp.helo=mx-out1001.wikimedia.org
88X-ME-VSScore: 0
89X-ME-VSCategory: clean
90X-ME-CSA: none
91X-ME-Received: <xmx:Jg76aMp751RKQWn60-497vZhdsUS9rirrCHUBPEOoFg7sNyx9fhH6Q>
92X-ME-Received: <xmx:Jg76aK5N1Eou1XGSaPjOabdvTQpVFpFsBOIzYCKlIXEjnfbvREj1Nw>
93Received-SPF: pass
94 (wikimedia.org: Sender is authorized to use 'privacy@wikimedia.org' in 'mfrom' identity (mechanism 'include:_cidrs.wikimedia.org' matched))
95 receiver=phl-mx-04.messagingengine.com;
96 identity=mailfrom;
97 envelope-from="privacy@wikimedia.org";
98 helo=mx-out1001.wikimedia.org;
99 client-ip=208.80.154.5
100Received: from mx-out1001.wikimedia.org (mx-out1001.wikimedia.org [208.80.154.5])
101 (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
102 key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256)
103 (No client certificate requested)
104 by phl-mx-04.messagingengine.com (Postfix) with ESMTPS id 1775A13800FC
105 for <REDACTED>; Thu, 23 Oct 2025 07:14:46 -0400 (EDT)
106Received: from mta-out10.pod23.use1.zdsys.com (mta-out10.pod23.use1.zdsys.com [192.161.149.40])
107 (Authenticated sender: privacy@wikimedia.org)
108 by mx-out1001.wikimedia.org (Postfix) with ESMTPSA id 9CEC6286B11
109 for <REDACTED>; Thu, 23 Oct 2025 11:14:44 +0000 (UTC)
110DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=wikimedia.org;
111 s=wikimedia; t=1761218084;
112 h=from:from:reply-to:reply-to:subject:subject:date:date:
113 message-id:message-id:to:to:cc:mime-version:mime-version:
114 content-type:content-type:
115 content-transfer-encoding:content-transfer-encoding:
116 in-reply-to:in-reply-to:references:references;
117 bh=zjhrnwJ70pqelP9hZAv9juB6W68DRfY69G6ir+KQlik=;
118 b=SpvuuEcL986fDFy5c7tiEVVxS2eePseCWQhUuI2Dqe7EpVNdAMNXMJDAAEqXX7FT2z3Fez
119 rtIWzaNpyRL+LFLHD/j2rEy+PuOEPlpXgPlU58VopzJrjU1lE/eOa4PxsxHggfs5h4kDF+
120 YsFfEpUk07r3lMKVD4VBBeQp/kdTqIg=
121Received: from zendesk.com (unknown [127.0.0.6])
122 by mta-out15.pod23.use1.zdsys.com (Zendesk) with ESMTP
123 id d3694881-1e4f-4507-bf20-9ca0bf97e37d
124 for <REDACTED>;
125 Thu, 23 Oct 2025 11:14:44 +0000 (UTC)
126Date: Thu, 23 Oct 2025 11:14:44 +0000
127From: Wikimedia Privacy <privacy@wikimedia.org>
128Reply-To: Wikimedia Privacy <privacy@wikimedia.org>
129To: revi <REDACTED>
130Message-ID: <Z001V3P1R9K_68fa0e2417616_ff33d5ca2877a2_sprut@zendesk.com>
131In-Reply-To: <REDACTED>
132References: <Z001V3P1R9K@zendesk.com>
133 <REDACTED>
134Subject: REDACTED
135Mime-Version: 1.0
136Content-Type: multipart/alternative;
137 boundary="--==_mimepart_68fa0e2425f1f_ab15b0897bb";
138 charset=utf-8
139Content-Transfer-Encoding: 7bit
140X-Delivery-Context: event-id-35827307613847
141Auto-Submitted: auto-generated
142X-Auto-Response-Suppress: All
143X-Mailer: Zendesk Mailer
144X-Zendesk-From-Account-Id: b78b0ec
145X-Zendesk-Email-Id: 01K88CEF1A781FBR68H2KB3HQ6