As of ~11:15AM EDT SPF is deployed for the domain wikimedia.org. Please let me know ASAP if you discover any issues with mail sent from a @wikimedia.org address.
Thanks! jg
Jeff Green
Operations Engineer, Special Projects
Wikimedia Foundation
149 New Montgomery Street, 3rd Floor
San Francisco, CA 94105
415-839-6885 x6807
jgreen@wikimedia.org
P.S. Ops folks, rollback is simply a matter of reverting the wikimedia.org zone file and running authdns-update. I set the TTL to 10 min just in case.
---------- Forwarded message ----------
Date: Fri, 28 Sep 2012 11:00:08 -0700 (PDT)
From: Jeff Green jgreen@wikimedia.org
Reply-To: Wikimedia developers wikitech-l@lists.wikimedia.org
To: wmfall@lists.wikimedia.org, wikimedia-l@lists.wikimedia.org, wikitech-l@lists.wikimedia.org
Subject: [Wikitech-l] SPF (email spoof prevention feature) test-rollout Weds 10/5
I'm planning to deploy Sender Policy Framework (SPF) for the wikimedia.org domain on Weds October 5. SPF is a framework for validating outgoing mail, which gives the receiving side useful information for spam filtering. The main goal is to cause spoofed @wikimedia.org mail to be correctly identified as such. It should also improve our odds of getting fundraiser mailings into inboxes rather than spam folders.
The change should not be noticeable, but the most likely problem would be legitimate @wikimedia.org mail being treated as spam. If you hear of this happening please let me know.
Technical details are below for anyone interested . . .
Thanks, jg
Jeff Green
Operations Engineer, Special Projects
Wikimedia Foundation
149 New Montgomery Street, 3rd Floor
San Francisco, CA 94105
jgreen@wikimedia.org
. . . . . . .
SPF overview http://en.wikipedia.org/wiki/Sender_Policy_Framework
The October 8 change will be simply a matter of adding a TXT record to the wikimedia.org DNS zone:
wikimedia.org IN TXT "v=spf1 ip4:91.198.174.0/24 ip4:208.80.152.0/22 ip6:2620:0:860::/46 include:_spf.google.com ip4:74.121.51.111 ?all"
The record is a list of subnets that we identify as senders (all wmf subnets, google apps, and the fundraiser mailhouse). The "?all" is a "neutral" policy--it doesn't state either way how mail should be handled.
Eventually we'll probably bump "?all" to a stricter "~all" aka SoftFail, which tells the receiving side that only mail coming from the listed subnets is valid. Most ISPs will route 'other' mail to a spam folder based on SoftFail.
Please bug me with any questions/comments!
_______________________________________________
Wikitech-l mailing list
Wikitech-l@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikitech-l
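To make the behaviour of the record above concrete, here is a small SPF evaluator added to this thread as an illustration; it is not code from the Wikimedia Foundation or from the thread. It parses the ip4/ip6/include/all mechanisms of the announced record and reports what a receiver would conclude for a given sending IP, and it shows how swapping "?all" for "~all" changes the verdict for an address outside the listed subnets. Because include:_spf.google.com is resolved via DNS in real life, the example substitutes a constructed TXT lookup table (the contents shown for _spf.google.com are hypothetical); the sample sender addresses are likewise constructed.

```python
import ipaddress

# The record announced in the thread.
WIKIMEDIA_SPF = ('v=spf1 ip4:91.198.174.0/24 ip4:208.80.152.0/22 '
                 'ip6:2620:0:860::/46 include:_spf.google.com '
                 'ip4:74.121.51.111 ?all')

# Constructed stand-in for DNS TXT lookups so the example runs offline.
# The real _spf.google.com record is different; this one is hypothetical.
FAKE_TXT = {
    '_spf.google.com': 'v=spf1 ip4:203.0.113.0/24 -all',
}

# SPF qualifier characters and the results they produce on a match.
QUALIFIERS = {'+': 'pass', '-': 'fail', '~': 'softfail', '?': 'neutral'}


def parse_spf(record):
    """Split an SPF TXT record into (qualifier, mechanism, argument) tuples."""
    terms = record.split()
    if not terms or terms[0].lower() != 'v=spf1':
        raise ValueError('not an SPF record')
    mechanisms = []
    for term in terms[1:]:
        if '=' in term:
            # Modifiers (redirect=, exp=) are not handled by this example.
            continue
        qualifier = '+'  # an unqualified mechanism means "pass" on match
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(':')
        mechanisms.append((qualifier, name.lower(), arg))
    return mechanisms


def check_host(ip, record, txt_lookup, depth=0):
    """Return the SPF result for sender `ip` under `record`.

    Only ip4, ip6, include and all are evaluated; a, mx, ptr and exists
    need DNS and are skipped here.
    """
    if depth > 10:
        return 'permerror'  # include loop / too many lookups
    addr = ipaddress.ip_address(ip)
    for qualifier, name, arg in parse_spf(record):
        if name == 'all':
            return QUALIFIERS[qualifier]
        if name in ('ip4', 'ip6'):
            # A bare address such as 74.121.51.111 becomes a /32 network.
            net = ipaddress.ip_network(arg, strict=False)
            if addr.version == net.version and addr in net:
                return QUALIFIERS[qualifier]
        elif name == 'include':
            sub = txt_lookup.get(arg)
            if sub is None:
                return 'permerror'  # included domain has no SPF record
            sub_result = check_host(ip, sub, txt_lookup, depth + 1)
            if sub_result == 'permerror':
                return 'permerror'
            if sub_result == 'pass':  # include matches only on "pass"
                return QUALIFIERS[qualifier]
    return 'neutral'  # nothing matched and the record has no "all" term


def softfail_variant(record):
    """The stricter record the thread says may come later: '?all' -> '~all'."""
    return record.replace('?all', '~all')


if __name__ == '__main__':
    for sender in ('208.80.152.10', '2620:0:860::1', '203.0.113.5',
                   '74.121.51.111', '198.51.100.7'):
        now = check_host(sender, WIKIMEDIA_SPF, FAKE_TXT)
        later = check_host(sender, softfail_variant(WIKIMEDIA_SPF), FAKE_TXT)
        print(f'{sender:16} ?all -> {now:8} ~all -> {later}')
```

Under "?all" a sender outside every listed subnet gets "neutral", which most receivers treat as no information; under "~all" the same sender gets "softfail", which is what would push spoofed @wikimedia.org mail toward a spam folder. Narrowing the ip4 ranges to a handful of designated relays is the same kind of edit to the record and needs no change to the evaluator.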
2012/10/3 Jeff Green jgreen@wikimedia.org:
> As of ~11:15AM EDT SPF is deployed for the domain wikimedia.org. Please let me know ASAP if you discover any issues with mail sent from a @wikimedia.org address.
Is allowing ALL IPs in all WMF ranges really needed by anyone?
It would be much better if there were only a finite number of designated SMTP servers and all other machines sent mail via those servers, not directly to the public internet.
AJF/WarX
On Wed, Oct 3, 2012 at 4:08 PM, Artur Fijałkowski wiki.warx@gmail.com wrote:
> 2012/10/3 Jeff Green jgreen@wikimedia.org:
>> As of ~11:15AM EDT SPF is deployed for the domain wikimedia.org. Please let me know ASAP if you discover any issues with mail sent from a @wikimedia.org address.
> Is allowing ALL IPs in all WMF ranges really needed by anyone?
> It would be much better if there were only a finite number of designated SMTP servers and all other machines sent mail via those servers, not directly to the public internet.
It's closer to the status quo (and I've not heard people complain about spam from our blocks but maybe I just don't know) and therefore less work to make it happen. Being perfect can be deferred to a later date.
-Jeremy