I still think it's a very good idea to deploy both SPF and domainkeys. SPF keeps coming up--twice this week from completely different quarters. Today the mailhouse we hired to help with the fundraiser tells me our deliverability with one major ISP is poor because we lack SPF.
We are currently stuck at the step of mapping out how we originate mail for the whitelist. Production and Google Apps mail are easy. But people say we may have volunteers, board members, etc. who do not use our known mail routes. I think OIT is in the best position to sort that out. They're the go-to for mail client setup and can survey any outliers. I spoke to Andrew about it in June and he was up for it but felt it needs to be approved and prioritized by managers.
jg
On Fri, 31 Aug 2012, Tim Starling wrote:
On 31/08/12 04:15, Daniel Friesen wrote:
This brings up the question. Why does wikimedia.org not have a SPF record?
We should be rejecting wikimedia.org emails that we know do not come from Wikimedia.
In May, Jeff Green proposed deploying it with "softfail", but it wasn't ever actually done. Nobody wanted to use a "fail" qualifier, due to the risk of legitimate mail not being delivered. So even if he had deployed it, it probably wouldn't have helped in this case.
Mailman's security weaknesses are inherent to the protocol it uses; there's no way to repair it. The scam email could have been sent with a "From" header copied from anyone who has posted to the list recently. In the unlikely event that SPF fail was used for that sender and the receiver respected it, the scammer could have just picked again. We should use a web interface for posting to groups; web interfaces can be password protected without breaking 99% of clients.
I removed board@wikimedia.org from the list of email addresses that are allowed to post to the list without being subscribed.
-- Tim Starling
Wikitech-l mailing list
Wikitech-l@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikitech-l
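The softfail-versus-fail distinction Tim describes above, as an added example (not code from this thread, nor Wikimedia's own tooling): a minimal offline SPF evaluator over two constructed records that differ only in their final qualifier, with a receiver policy showing that a `~all` record is accepted (at most marked) while only `-all` leads to rejection. The records, IPs and the `receiver_action` policy are assumptions for illustration, not real wikimedia.org DNS data.

```python
import ipaddress

# Constructed SPF records for illustration only (not wikimedia.org's real DNS data).
# Same permitted senders; only the catch-all qualifier differs.
SPF_SOFTFAIL = "v=spf1 ip4:198.51.100.0/24 ip6:2001:db8::/32 ~all"
SPF_FAIL = "v=spf1 ip4:198.51.100.0/24 ip6:2001:db8::/32 -all"

# SPF qualifier prefixes and the result each one yields when its mechanism matches.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(record, sender_ip):
    """Evaluate a connecting IP against an SPF TXT record.

    Only the DNS-free mechanisms (ip4, ip6, all) are implemented so the check
    runs offline; include/a/mx/redirect would need lookups and raise instead.
    """
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"  # no usable SPF record: the receiver has nothing to act on
    ip = ipaddress.ip_address(sender_ip)
    for term in terms[1:]:
        qualifier = "+"  # an unprefixed mechanism means "pass" when it matches
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qualifier]  # catch-all: ~all vs -all decides here
        if name in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qualifier]
            continue
        raise ValueError(f"mechanism {name!r} needs DNS; not supported offline")
    return "neutral"  # nothing matched and no explicit "all" term


def receiver_action(result):
    """Assumed (typical) MTA handling: only 'fail' is rejected outright.
    'softfail' is delivered and at most tagged, which is why a ~all record
    cannot by itself stop mail carrying a forged From address."""
    if result == "fail":
        return "reject"
    if result == "softfail":
        return "accept-and-mark"
    return "accept"
```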