I'm planning to deploy Sender Policy Framework (SPF) for the wikimedia.org domain on Weds October 5. SPF is a framework for validating outgoing mail, which gives the receiving side useful information for spam filtering. The main goal is to cause spoofed @wikimedia.org mail to be correctly identified as such. It should also improve our odds of getting fundraiser mailings into inboxes rather than spam folders.
The change should not be noticeable, but the most likely problem would be legitimate @wikimedia.org mail being treated as spam. If you hear of this happening please let me know.
Technical details are below for anyone interested . . .
Thanks, jg
Jeff Green Operations Engineer, Special Projects Wikimedia Foundation 149 New Montgomery Street, 3rd Floor San Francisco, CA 94105 jgreen@wikimedia.org
. . . . . . .
SPF overview http://en.wikipedia.org/wiki/Sender_Policy_Framework
The October 8 change will be simply a matter of adding a TXT record to the wikimedia.org DNS zone:
wikimedia.org IN TXT "v=spf1 ip4:91.198.174.0/24 ip4:208.80.152.0/22 ip6:2620:0:860::/46 include:_spf.google.com ip4:74.121.51.111 ?all"
The record is a list of subnets that we identify as senders (all wmf subnets, google apps, and the fundraiser mailhouse). The "?all" is a "neutral" policy--it doesn't state either way how mail should be handled.
Eventually we'll probably bump "?all" to a stricter "~all" aka SoftFail, which tells the receiving side that only mail coming from the listed subnets is valid. Most ISPs will route 'other' mail to a spam folder based on SoftFail.
Please bug me with any questions/comments!
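To make the record above concrete, here is a small evaluator written as an added example for this thread (not code from Jeff or the Foundation). It handles only the mechanisms the wikimedia.org record uses (ip4, ip6, include, all) with the four qualifiers, and replaces DNS with a constructed in-memory table so it runs offline; the contents of `_spf.google.com` in that table are a placeholder, not Google's real record. It also shows what changing `?all` to `~all` or `-all` does to the verdict for an unlisted sender.

```python
"""Minimal SPF evaluator for ip4 / ip6 / include / all with the + - ~ ? qualifiers.
DNS TXT lookups are replaced by the constructed RECORDS table below."""
import ipaddress

# Constructed stand-in for DNS. The wikimedia.org record is the one from the
# announcement; the _spf.google.com entry is a PLACEHOLDER, not Google's record.
RECORDS = {
    "wikimedia.org": "v=spf1 ip4:91.198.174.0/24 ip4:208.80.152.0/22 "
                     "ip6:2620:0:860::/46 include:_spf.google.com "
                     "ip4:74.121.51.111 ?all",
    "_spf.google.com": "v=spf1 ip4:198.51.100.0/24 ~all",  # placeholder
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def parse_record(txt):
    """Split an SPF TXT string into (qualifier, mechanism, argument) triples."""
    terms = txt.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    parsed = []
    for term in terms[1:]:
        qual = "+"                      # an unqualified mechanism means pass
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        parsed.append((qual, mech.lower(), arg))
    return parsed


def check_host(ip, domain, lookups=None, depth=0):
    """Return the SPF result for connecting IP `ip` sending MAIL FROM `domain`."""
    lookups = RECORDS if lookups is None else lookups
    if depth > 10:                      # RFC 4408 caps DNS-based mechanisms at 10
        return "permerror"
    record = lookups.get(domain)
    if record is None:
        return "none"
    addr = ipaddress.ip_address(ip)
    for qual, mech, arg in parse_record(record):
        matched = False
        if mech == "all":
            matched = True
        elif mech in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)  # bare IP becomes /32 or /128
            matched = addr.version == net.version and addr in net
        elif mech == "include":
            # include matches only when the included record yields pass;
            # a missing included record is a permanent error
            sub = check_host(ip, arg, lookups, depth + 1)
            if sub in ("none", "permerror"):
                return "permerror"
            matched = sub == "pass"
        else:
            return "permerror"          # a, mx, ptr, exists are not modelled here
        if matched:
            return QUALIFIERS[qual]
    return "neutral"                    # nothing matched and no all term


def with_all(record, qual):
    """Return `record` with the qualifier on its trailing 'all' term replaced."""
    terms = record.split()
    if terms[-1].lstrip("+-~?") != "all":
        raise ValueError("record does not end in an all mechanism")
    terms[-1] = qual + "all"
    return " ".join(terms)


if __name__ == "__main__":
    for ip in ("91.198.174.10", "2620:0:861::1", "203.0.113.5"):
        print(ip, check_host(ip, "wikimedia.org"))
    stricter = dict(RECORDS)
    for q in ("~", "-"):
        stricter["wikimedia.org"] = with_all(RECORDS["wikimedia.org"], q)
        print("unlisted sender with", q + "all:",
              check_host("203.0.113.5", "wikimedia.org", stricter))
```

With the record as announced, an unlisted sender such as the constructed 203.0.113.5 evaluates to neutral; the same sender evaluates to softfail once the trailing term is `~all` and to fail with `-all`, which is the whole difference between the record going in now and the stricter one mentioned at the end of the message.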
On Fri, 28 Sep 2012 11:00:08 -0700, Jeff Green jgreen@wikimedia.org wrote:
I'm planning to deploy Sender Policy Framework (SPF) for the wikimedia.org domain on Weds October 5. SPF is a framework for validating outgoing mail, which gives the receiving side useful information for spam filtering. The main goal is to cause spoofed @wikimedia.org mail to be correctly identified as such. It should also improve our odds of getting fundraiser mailings into inboxes rather than spam folders.
The change should not be noticeable, but the most likely problem would be legitimate @wikimedia.org mail being treated as spam. If you hear of this happening please let me know.
Technical details are below for anyone interested . . .
Thanks, jg
Jeff Green Operations Engineer, Special Projects Wikimedia Foundation 149 New Montgomery Street, 3rd Floor San Francisco, CA 94105 jgreen@wikimedia.org
. . . . . . .
SPF overview http://en.wikipedia.org/wiki/Sender_Policy_Framework
The October 8 change will be simply a matter of adding a TXT record to the wikimedia.org DNS zone:
wikimedia.org IN TXT "v=spf1 ip4:91.198.174.0/24 ip4:208.80.152.0/22 ip6:2620:0:860::/46 include:_spf.google.com ip4:74.121.51.111 ?all"
The record is a list of subnets that we identify as senders (all wmf subnets, google apps, and the fundraiser mailhouse). The "?all" is a "neutral" policy--it doesn't state either way how mail should be handled.
Eventually we'll probably bump "?all" to a stricter "~all" aka SoftFail, which tells the receiving side that only mail coming from the listed subnets is valid. Most ISPs will route 'other' mail to a spam folder based on SoftFail.
I was under the impression that ~all softfail is not an assertion that something is not authorized and the only way to actually assert that is with -all hardfail.
Please bug me with any questions/comments!
You should also add an SPF record in addition to a TXT record, as recommended by RFC 4408. The format is the same.
-- Tyler Romeo Stevens Institute of Technology, Class of 2015 Major in Computer Science www.whizkidztech.com | tylerromeo@gmail.com
On Fri, Sep 28, 2012 at 2:04 PM, Daniel Friesen daniel@nadir-seen-fire.com wrote:
On Fri, 28 Sep 2012 11:00:08 -0700, Jeff Green jgreen@wikimedia.org wrote:
I'm planning to deploy Sender Policy Framework (SPF) for the
wikimedia.org domain on Weds October 5. SPF is a framework for validating outgoing mail, which gives the receiving side useful information for spam filtering. The main goal is to cause spoofed @wikimedia.org mail to be correctly identified as such. It should also improve our odds of getting fundraiser mailings into inboxes rather than spam folders.
The change should not be noticeable, but the most likely problem would be legitimate @wikimedia.org mail being treated as spam. If you hear of this happening please let me know.
Technical details are below for anyone interested . . .
Thanks, jg
Jeff Green Operations Engineer, Special Projects Wikimedia Foundation 149 New Montgomery Street, 3rd Floor San Francisco, CA 94105 jgreen@wikimedia.org
. . . . . . .
SPF overview http://en.wikipedia.org/wiki/Sender_Policy_Framework
The October 8 change will be simply a matter of adding a TXT record to the wikimedia.org DNS zone:
wikimedia.org IN TXT "v=spf1 ip4:91.198.174.0/24 ip4:208.80.152.0/22 ip6:2620:0:860::/46 include:_spf.google.com ip4:74.121.51.111 ?all"
The record is a list of subnets that we identify as senders (all wmf subnets, google apps, and the fundraiser mailhouse). The "?all" is a "neutral" policy--it doesn't state either way how mail should be handled.
Eventually we'll probably bump "?all" to a stricter "~all" aka SoftFail, which tells the receiving side that only mail coming from the listed subnets is valid. Most ISPs will route 'other' mail to a spam folder based on SoftFail.
I was under the impression that ~all softfail is not an assertion that something is not authorized and the only way to actually assert that is with -all hardfail.
Please bug me with any questions/comments!
-- ~Daniel Friesen (Dantman, Nadir-Seen-Fire) [http://daniel.friesen.name]
Wikitech-l mailing list Wikitech-l@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/wikitech-l
Good point--thanks!
jg
On Fri, 28 Sep 2012, Tyler Romeo wrote:
You should also add an SPF record in addition to a TXT record, as recommended by RFC 4408. The format is the same.
-- Tyler Romeo Stevens Institute of Technology, Class of 2015 Major in Computer Science www.whizkidztech.com | tylerromeo@gmail.com
On Fri, Sep 28, 2012 at 2:04 PM, Daniel Friesen daniel@nadir-seen-fire.com wrote:
On Fri, 28 Sep 2012 11:00:08 -0700, Jeff Green jgreen@wikimedia.org wrote:
I'm planning to deploy Sender Policy Framework (SPF) for the
wikimedia.org domain on Weds October 5. SPF is a framework for validating outgoing mail, which gives the receiving side useful information for spam filtering. The main goal is to cause spoofed @wikimedia.org mail to be correctly identified as such. It should also improve our odds of getting fundraiser mailings into inboxes rather than spam folders.
The change should not be noticeable, but the most likely problem would be legitimate @wikimedia.org mail being treated as spam. If you hear of this happening please let me know.
Technical details are below for anyone interested . . .
Thanks, jg
Jeff Green Operations Engineer, Special Projects Wikimedia Foundation 149 New Montgomery Street, 3rd Floor San Francisco, CA 94105 jgreen@wikimedia.org
. . . . . . .
SPF overview http://en.wikipedia.org/wiki/Sender_Policy_Framework
The October 8 change will be simply a matter of adding a TXT record to the wikimedia.org DNS zone:
wikimedia.org IN TXT "v=spf1 ip4:91.198.174.0/24 ip4:208.80.152.0/22 ip6:2620:0:860::/46 include:_spf.google.com ip4:74.121.51.111 ?all"
The record is a list of subnets that we identify as senders (all wmf subnets, google apps, and the fundraiser mailhouse). The "?all" is a "neutral" policy--it doesn't state either way how mail should be handled.
Eventually we'll probably bump "?all" to a stricter "~all" aka SoftFail, which tells the receiving side that only mail coming from the listed subnets is valid. Most ISPs will route 'other' mail to a spam folder based on SoftFail.
I was under the impression that ~all softfail is not an assertion that something is not authorized and the only way to actually assert that is with -all hardfail.
Please bug me with any questions/comments!
-- ~Daniel Friesen (Dantman, Nadir-Seen-Fire) [http://daniel.friesen.name]
On Fri, 28 Sep 2012, Daniel Friesen wrote:
On Fri, 28 Sep 2012 11:00:08 -0700, Jeff Green jgreen@wikimedia.org wrote:
I'm planning to deploy Sender Policy Framework (SPF) for the wikimedia.org domain on Weds October 5. SPF is a framework for validating outgoing mail, which gives the receiving side useful information for spam filtering. The main goal is to cause spoofed @wikimedia.org mail to be correctly identified as such. It should also improve our odds of getting fundraiser mailings into inboxes rather than spam folders.
The change should not be noticeable, but the most likely problem would be legitimate @wikimedia.org mail being treated as spam. If you hear of this happening please let me know.
Technical details are below for anyone interested . . .
Thanks, jg
Jeff Green Operations Engineer, Special Projects Wikimedia Foundation 149 New Montgomery Street, 3rd Floor San Francisco, CA 94105 jgreen@wikimedia.org
. . . . . . .
SPF overview http://en.wikipedia.org/wiki/Sender_Policy_Framework
The October 8 change will be simply a matter of adding a TXT record to the wikimedia.org DNS zone:
wikimedia.org IN TXT "v=spf1 ip4:91.198.174.0/24 ip4:208.80.152.0/22 ip6:2620:0:860::/46 include:_spf.google.com ip4:74.121.51.111 ?all"
The record is a list of subnets that we identify as senders (all wmf subnets, google apps, and the fundraiser mailhouse). The "?all" is a "neutral" policy--it doesn't state either way how mail should be handled.
Eventually we'll probably bump "?all" to a stricter "~all" aka SoftFail, which tells the receiving side that only mail coming from the listed subnets is valid. Most ISPs will route 'other' mail to a spam folder based on SoftFail.
I was under the impression that ~all softfail is not an assertion that something is not authorized and the only way to actually assert that is with -all hardfail.
The distinction is essentially assert (-all) vs advise (~all). Ideally -all would result in a reject during SMTP, and ~all would be route-to-spam-folder. But I think what really happens is subjective to the receiving side.
Please bug me with any questions/comments!
-- ~Daniel Friesen (Dantman, Nadir-Seen-Fire) [http://daniel.friesen.name]
Eventually we'll probably bump "?all" to a stricter "~all" aka SoftFail, which tells the receiving side that only mail coming from the listed subnets is valid. Most ISPs will route 'other' mail to a spam folder based on SoftFail.
I guess this means that people will no longer be able to successfully use a @wikimedia.org address in their from: field unless they are WMF employees (or whatever) and use the Google Apps address via webmail or SMTP-AUTH? Not that I care, but all such existing users should probably be warned.
I was under the impression that ~all softfail is not an assertion that something is not authorized and the only way to actually assert that is with -all hardfail.
Please bug me with any questions/comments!
Nemo
On Fri, 28 Sep 2012, Federico Leva (Nemo) wrote:
Eventually we'll probably bump "?all" to a stricter "~all" aka SoftFail, which tells the receiving side that only mail coming from the listed subnets is valid. Most ISPs will route 'other' mail to a spam folder based on SoftFail.
I guess this means that people will no longer be able to successfully use a @wikimedia.org address in their from: field unless they are WMF employees (or whatever) and use the Google Apps address via webmail or SMTP-AUTH? Not that I care, but all such existing users should probably be warned.
This is why Andrew in Office IT sent out emails over the past couple of weeks regarding mail client setup. I don't think he's heard from anyone for whom this is an issue, but he's on board for helping people adjust their outbound mailserver if we can find anyone who needs to.
I was under the impression that ~all softfail is not an assertion that something is not authorized and the only way to actually assert that is with -all hardfail.
Please bug me with any questions/comments!
Nemo
On Fri, Sep 28, 2012 at 11:00:08AM -0700, Jeff Green wrote:
The change should not be noticeable, but the most likely problem would be legitimate @wikimedia.org mail being treated as spam. If you hear of this happening please let me know.
Anyone who sends all mail marked as "from"[1] their @wikimedia.org address through Gmail's SMTP server, through an SMTP server hosted by Wikimedia (is there one?), or through any other server identified in the SPF record should be fine. And anyone who isn't sending "from" an @wikimedia.org address should be entirely unaffected.
If anyone is sending mail marked as "from" their @wikimedia.org address through some other SMTP server (e.g. through their home ISP), they might start to see trouble with this change and likely will when the SPF record is changed to ~all.
Also, any recipient who has their mail forwarded might have trouble *receiving* messages from @wikimedia.org addresses, unless their forwarding service takes SPF into account or their destination mailbox doesn't check SPF. OTOH, these people would have the same problem with receiving mail from all the other domains that currently implement SPF.
[1]: There are actually two concepts of "from" involved in email. The first, the "envelope sender" or "mail from", is the address that bounce notifications should be sent to. The second is the address that actually shows up as "From:" in the email message. SPF is intended to target only the former, but SenderID hijacks the SPF specification to also test the latter.
On Fri, 28 Sep 2012 12:19:21 -0700, Brad Jorsch b-jorsch@alum.northwestern.edu wrote:
On Fri, Sep 28, 2012 at 11:00:08AM -0700, Jeff Green wrote:
The change should not be noticeable, but the most likely problem would be legitimate @wikimedia.org mail being treated as spam. If you hear of this happening please let me know.
Anyone who sends all mail marked as "from"[1] their @wikimedia.org address through Gmail's SMTP server, through an SMTP server hosted by Wikimedia (is there one?), or through any other server identified in the SPF record should be fine. And anyone who isn't sending "from" an @wikimedia.org address should be entirely unaffected.
If anyone is sending mail marked as "from" their @wikimedia.org address through some other SMTP server (e.g. through their home ISP), they might start to see trouble with this change and likely will when the SPF record is changed to ~all.
Also, any recipient who has their mail forwarded might have trouble *receiving* messages from @wikimedia.org addresses, unless their forwarding service takes SPF into account or their destination mailbox doesn't check SPF. OTOH, these people would have the same problem with receiving mail from all the other domains that currently implement SPF.
[1]: There are actually two concepts of "from" involved in email. The first, the "envelope sender" or "mail from", is the address that bounce notifications should be sent to. The second is the address that actually shows up as "From:" in the email message. SPF is intended to target only the former, but SenderID hijacks the SPF specification to also test the latter.
And to make things all fun and confusing. We shouldn't forget about the Sender: header...
**mumbles about AWS-SES not supporting Sender:**
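Brad's footnote (envelope MAIL FROM versus the header From:) and Daniel's point about Sender: are easiest to see side by side. The script below is an added example for this thread, not code from any poster: it takes the SMTP envelope sender and a message, and reports which domain SPF (RFC 4408, envelope identity) would check against the connecting IP and which domain Sender ID's Purported Responsible Address (RFC 4407: Resent-Sender, then Resent-From, then Sender, then From) would check instead. The two messages are constructed; the mailing-list case assumes a list that rewrites the envelope and adds a Sender: header, which is why the header From: can stay @wikimedia.org while neither check looks at wikimedia.org. Multiple Resent-* blocks are not handled.

```python
"""Which 'from' does a receiver check?  SPF evaluates the SMTP envelope MAIL FROM;
Sender ID evaluates the Purported Responsible Address (PRA) picked from the headers."""
from email import message_from_string
from email.utils import parseaddr

# RFC 4407 PRA selection order (simplified: the first Resent-* block only).
PRA_ORDER = ("Resent-Sender", "Resent-From", "Sender", "From")

# Constructed message 1: sent directly via the organisation's own mail service.
DIRECT = "\n".join([
    "From: Jeff Green <jgreen@wikimedia.org>",
    "To: wikitech-l@lists.wikimedia.org",
    "Subject: SPF deployment",
    "",
    "body",
])

# Constructed message 2: the same mail after a mailing list relayed it.  The list
# rewrote the envelope sender and added Sender:, but left From: untouched.
VIA_LIST = "\n".join([
    "From: Jeff Green <jgreen@wikimedia.org>",
    "Sender: wikitech-l-bounces@lists.wikimedia.org",
    "To: wikitech-l@lists.wikimedia.org",
    "Subject: [Wikitech-l] SPF deployment",
    "",
    "body",
])


def domain_of(address):
    """Lower-cased domain part of an address, or None if there is none."""
    if not address or "@" not in address:
        return None
    return address.rsplit("@", 1)[1].lower()


def pra_address(raw_message):
    """Return the PRA: the first header present in PRA_ORDER, else None."""
    msg = message_from_string(raw_message)
    for header in PRA_ORDER:
        if msg[header]:
            return parseaddr(msg[header])[1]
    return None


def identities(envelope_from, raw_message):
    """Report the domain each scheme checks, plus the visible From: domain."""
    msg = message_from_string(raw_message)
    header_from = parseaddr(msg["From"] or "")[1]
    return {
        "spf": domain_of(envelope_from),          # RFC 4408: envelope identity
        "senderid": domain_of(pra_address(raw_message)),  # RFC 4407: PRA
        "header_from": domain_of(header_from),    # what the reader sees
    }


if __name__ == "__main__":
    print("direct:  ", identities("jgreen@wikimedia.org", DIRECT))
    print("via list:", identities("wikitech-l-bounces@lists.wikimedia.org", VIA_LIST))
```

For the direct message all three domains agree, so whichever identity a receiver checks, the wikimedia.org record decides. For the list copy both SPF and Sender ID check lists.wikimedia.org, so the list's own sending hosts must be authorised by that domain's record, while the From: line still says @wikimedia.org. A relay that forwards without rewriting the envelope and without adding Sender: would leave the envelope domain at wikimedia.org, which is exactly the forwarding case Brad describes.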
On Fri, 28 Sep 2012, Daniel Friesen wrote:
On Fri, 28 Sep 2012 12:19:21 -0700, Brad Jorsch b-jorsch@alum.northwestern.edu wrote:
On Fri, Sep 28, 2012 at 11:00:08AM -0700, Jeff Green wrote:
The change should not be noticeable, but the most likely problem would be legitimate @wikimedia.org mail being treated as spam. If you hear of this happening please let me know.
Anyone who sends all mail marked as "from"[1] their @wikimedia.org address through Gmail's SMTP server, through an SMTP server hosted by Wikimedia (is there one?), or through any other server identified in the SPF record should be fine. And anyone who isn't sending "from" an @wikimedia.org address should be entirely unaffected.
If anyone is sending mail marked as "from" their @wikimedia.org address through some other SMTP server (e.g. through their home ISP), they might start to see trouble with this change and likely will when the SPF record is changed to ~all.
Also, any recipient who has their mail forwarded might have trouble *receiving* messages from @wikimedia.org addresses, unless their forwarding service takes SPF into account or their destination mailbox doesn't check SPF. OTOH, these people would have the same problem with receiving mail from all the other domains that currently implement SPF.
[1]: There are actually two concepts of "from" involved in email. The first, the "envelope sender" or "mail from", is the address that bounce notifications should be sent to. The second is the address that actually shows up as "From:" in the email message. SPF is intended to target only the former, but SenderID hijacks the SPF specification to also test the latter.
And to make things all fun and confusing. We shouldn't forget about the Sender: header...
**mumbles about AWS-SES not supporting Sender:**
Yes and SenderID is where we're running into deliverability issues for fundraiser mailings since we lack SPF, that's part of what prompted this whole initiative. Well, that and an ancient RT request from Office IT!
-- ~Daniel Friesen (Dantman, Nadir-Seen-Fire) [http://daniel.friesen.name]
On Fri, 28 Sep 2012 12:47:20 -0700, Jeff Green jgreen@wikimedia.org wrote:
On Fri, 28 Sep 2012, Daniel Friesen wrote:
On Fri, 28 Sep 2012 12:19:21 -0700, Brad Jorsch b-jorsch@alum.northwestern.edu wrote:
On Fri, Sep 28, 2012 at 11:00:08AM -0700, Jeff Green wrote:
The change should not be noticeable, but the most likely problem would be legitimate @wikimedia.org mail being treated as spam. If you hear of this happening please let me know.
Anyone who sends all mail marked as "from"[1] their @wikimedia.org address through Gmail's SMTP server, through an SMTP server hosted by Wikimedia (is there one?), or through any other server identified in the SPF record should be fine. And anyone who isn't sending "from" an @wikimedia.org address should be entirely unaffected. If anyone is sending mail marked as "from" their @wikimedia.org address through some other SMTP server (e.g. through their home ISP), they might start to see trouble with this change and likely will when the SPF record is changed to ~all. Also, any recipient who has their mail forwarded might have trouble *receiving* messages from @wikimedia.org addresses, unless their forwarding service takes SPF into account or their destination mailbox doesn't check SPF. OTOH, these people would have the same problem with receiving mail from all the other domains that currently implement SPF. [1]: There are actually two concepts of "from" involved in email. The first, the "envelope sender" or "mail from", is the address that bounce notifications should be sent to. The second is the address that actually shows up as "From:" in the email message. SPF is intended to target only the former, but SenderID hijacks the SPF specification to also test the latter.
And to make things all fun and confusing. We shouldn't forget about the Sender: header...
**mumbles about AWS-SES not supporting Sender:**
Yes and SenderID is where we're running into deliverability issues for fundraiser mailings since we lack SPF, that's part of what prompted this whole initiative. Well, that and an ancient RT request from Office IT!
T_T Not my complaint about From: @wikimedia.org spam on wikitech-l?
-- ~Daniel Friesen (Dantman, Nadir-Seen-Fire) [http://daniel.friesen.name]
On Fri, 28 Sep 2012, Daniel Friesen wrote:
On Fri, 28 Sep 2012 12:47:20 -0700, Jeff Green jgreen@wikimedia.org wrote:
On Fri, 28 Sep 2012, Daniel Friesen wrote:
On Fri, 28 Sep 2012 12:19:21 -0700, Brad Jorsch b-jorsch@alum.northwestern.edu wrote:
On Fri, Sep 28, 2012 at 11:00:08AM -0700, Jeff Green wrote:
The change should not be noticeable, but the most likely problem would be legitimate @wikimedia.org mail being treated as spam. If you hear of this happening please let me know.
Anyone who sends all mail marked as "from"[1] their @wikimedia.org address through Gmail's SMTP server, through an SMTP server hosted by Wikimedia (is there one?), or through any other server identified in the SPF record should be fine. And anyone who isn't sending "from" an @wikimedia.org address should be entirely unaffected. If anyone is sending mail marked as "from" their @wikimedia.org address through some other SMTP server (e.g. through their home ISP), they might start to see trouble with this change and likely will when the SPF record is changed to ~all. Also, any recipient who has their mail forwarded might have trouble *receiving* messages from @wikimedia.org addresses, unless their forwarding service takes SPF into account or their destination mailbox doesn't check SPF. OTOH, these people would have the same problem with receiving mail from all the other domains that currently implement SPF. [1]: There are actually two concepts of "from" involved in email. The first, the "envelope sender" or "mail from", is the address that bounce notifications should be sent to. The second is the address that actually shows up as "From:" in the email message. SPF is intended to target only the former, but SenderID hijacks the SPF specification to also test the latter.
And to make things all fun and confusing. We shouldn't forget about the Sender: header...
**mumbles about AWS-SES not supporting Sender:**
Yes and SenderID is where we're running into deliverability issues for fundraiser mailings since we lack SPF, that's part of what prompted this whole initiative. Well, that and an ancient RT request from Office IT!
T_T Not my complaint about From: @wikimedia.org spam on wikitech-l?
That too! ;-)
-- ~Daniel Friesen (Dantman, Nadir-Seen-Fire) [http://daniel.friesen.name]
-- ~Daniel Friesen (Dantman, Nadir-Seen-Fire) [http://daniel.friesen.name]
Correction . . . Wednesday 10/3! (sometimes I still think it's 2011)
jg
On Fri, 28 Sep 2012, Jeff Green wrote:
I'm planning to deploy Sender Policy Framework (SPF) for the wikimedia.org domain on Weds October 5. SPF is a framework for validating outgoing mail, which gives the receiving side useful information for spam filtering. The main goal is to cause spoofed @wikimedia.org mail to be correctly identified as such. It should also improve our odds of getting fundraiser mailings into inboxes rather than spam folders.
The change should not be noticeable, but the most likely problem would be legitimate @wikimedia.org mail being treated as spam. If you hear of this happening please let me know.
Technical details are below for anyone interested . . .
Thanks, jg
Jeff Green Operations Engineer, Special Projects Wikimedia Foundation 149 New Montgomery Street, 3rd Floor San Francisco, CA 94105 jgreen@wikimedia.org
. . . . . . .
SPF overview http://en.wikipedia.org/wiki/Sender_Policy_Framework
The October 8 change will be simply a matter of adding a TXT record to the wikimedia.org DNS zone:
wikimedia.org IN TXT "v=spf1 ip4:91.198.174.0/24 ip4:208.80.152.0/22 ip6:2620:0:860::/46 include:_spf.google.com ip4:74.121.51.111 ?all"
The record is a list of subnets that we identify as senders (all wmf subnets, google apps, and the fundraiser mailhouse). The "?all" is a "neutral" policy--it doesn't state either way how mail should be handled.
Eventually we'll probably bump "?all" to a stricter "~all" aka SoftFail, which tells the receiving side that only mail coming from the listed subnets is valid. Most ISPs will route 'other' mail to a spam folder based on SoftFail.
Please bug me with any questions/comments!