As of ~11:15AM EDT SPF is deployed for the domain wikimedia.org. Please
let me know ASAP if you discover any issues with mail sent from a
@wikimedia.org address.
Thanks!
jg
Jeff Green
Operations Engineer, Special Projects
Wikimedia Foundation
149 New Montgomery Street, 3rd Floor
San Francisco, CA 94105
415-839-6885 x6807
jgreen(a)wikimedia.org
P.S. Ops folks, rollback is simply a matter of reverting the wikimedia.org
zone file and running authdns-update. I set the TTL to 10 min just in case.
---------- Forwarded message ----------
Date: Fri, 28 Sep 2012 11:00:08 -0700 (PDT)
From: Jeff Green <jgreen(a)wikimedia.org>
Reply-To: Wikimedia developers <wikitech-l(a)lists.wikimedia.org>
To: wmfall(a)lists.wikimedia.org, wikimedia-l(a)lists.wikimedia.org,
wikitech-l(a)lists.wikimedia.org
Subject: [Wikitech-l] SPF (email spoof prevention feature) test-rollout Weds 10/5
I'm planning to deploy Sender Policy Framework (SPF) for the wikimedia.org
domain on Weds October 5. SPF is a framework for validating outgoing mail,
which gives the receiving side useful information for spam filtering. The main
goal is to cause spoofed @wikimedia.org mail to be correctly identified as
such. It should also improve our odds of getting fundraiser mailings into
inboxes rather than spam folders.
The change should not be noticeable, but the most likely problem would be
legitimate @wikimedia.org mail being treated as spam. If you hear of this
happening please let me know.
Technical details are below for anyone interested . . .
Thanks,
jg
Jeff Green
Operations Engineer, Special Projects
Wikimedia Foundation
149 New Montgomery Street, 3rd Floor
San Francisco, CA 94105
jgreen(a)wikimedia.org
. . . . . . .
SPF overview
http://en.wikipedia.org/wiki/Sender_Policy_Framework
The October 8 change will be simply a matter of adding a TXT record to the
wikimedia.org DNS zone:
wikimedia.org IN TXT "v=spf1 ip4:91.198.174.0/24 ip4:208.80.152.0/22 ip6:2620:0:860::/46 include:_spf.google.com ip4:74.121.51.111 ?all"
The record is a list of subnets that we identify as senders (all wmf subnets,
google apps, and the fundraiser mailhouse). The "?all" is a "neutral"
policy--it doesn't state either way how mail should be handled.
Eventually we'll probably bump "?all" to a stricter "~all" aka SoftFail,
which tells the receiving side that only mail coming from the listed
subnets is valid. Most ISPs will route 'other' mail to a spam folder based
on SoftFail.
Please bug me with any questions/comments!
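
An added example, not part of the original message or of Wikimedia's tooling: an offline check of which sender addresses the announced record authorizes, and how the result for unlisted senders changes between "?all" and "~all". The include:_spf.google.com mechanism needs a live DNS lookup and is skipped here (an assumption of this sketch), and the sample sender addresses used with it are constructed.

```python
import ipaddress

# The TXT record from the announcement, joined onto one line.
RECORD = ("v=spf1 ip4:91.198.174.0/24 ip4:208.80.152.0/22 ip6:2620:0:860::/46 "
          "include:_spf.google.com ip4:74.121.51.111 ?all")

# SPF qualifiers and the result each one produces when its mechanism matches.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def parse_spf(record):
    """Split an SPF record into (qualifier, mechanism, value) terms."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF version 1 record")
    parsed = []
    for term in terms[1:]:
        qualifier = "+"  # a mechanism without a qualifier means "pass"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mechanism, _, value = term.partition(":")
        parsed.append((qualifier, mechanism.lower(), value))
    return parsed


def evaluate(record, sender_ip):
    """Return the SPF result for sender_ip using only ip4/ip6/all terms."""
    ip = ipaddress.ip_address(sender_ip)
    for qualifier, mechanism, value in parse_spf(record):
        if mechanism in ("ip4", "ip6"):
            net = ipaddress.ip_network(value, strict=False)
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qualifier]
        elif mechanism == "all":
            return QUALIFIERS[qualifier]
        # include: and other DNS-based mechanisms are skipped (no lookups here)
    return "neutral"  # default result when no mechanism matches


if __name__ == "__main__":
    stricter = RECORD.replace("?all", "~all")
    # Constructed sample senders: two inside listed ranges, one outside.
    for addr in ("208.80.154.10", "2620:0:861:1::5", "203.0.113.7"):
        print(addr, evaluate(RECORD, addr), evaluate(stricter, addr))
```

A receiver doing real SPF validation also resolves include: targets and enforces the DNS lookup limit, so use a full SPF library for production checks.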