Emails from phabricator or mediawiki to addresses at gmail.com that haven't been contacted before seem to not be reaching their recipients (tested by adding my own gmail.com address to this phabricator account).
GMail has recently started bouncing emails for SPF failures or lack of valid DKIM signature, so that's probably what is happening to us.
Phabricator sends its emails using phabricator@tate.softwareheritage.org as envelope sender/return path, and forge@softwareheritage.org as From field.
- tate.softwareheritage.org is not set up to receive (or send) emails: no SMTP server, no MX record, no SPF record. This means that we're not receiving any bounces (pretty bad), and the SPF can't validate (meh, but now becoming pretty bad too)
- softwareheritage.org has no DKIM signing set up. It has an SPF record which only includes mailchimp (meh) and neutralizes all other senders.
This combination means that phabricator mail can be rejected outright by stringent mail hosts, and classified as spam by others (no SPF pass, and no DKIM signature to fall back on when SPF doesn't match).
We should work on the following items to improve our email deliverability:
- review the return path of all emails generated on SWH servers to make sure that it is actually a deliverable email address (so that bounces reach us).
- improve the SPF records of softwareheritage.org (at least include the Inria and Gandi MXes as positive SPF matches)
- consider introducing DKIM signing for emails From: xxx@softwareheritage.org outbound from our own servers (probably by routing all outbound emails through a central mail server, instead of throwing them at the Inria SMTP server, and implementing outbound DKIM signing there).
- when DKIM signing is implemented, provide an outbound email service to SWH staff so that their softwareheritage.org emails get DKIM-signed (*ugh*)
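To make the SPF side of the problem concrete, here is an added illustration (not part of this task or of the Phabricator code base): a minimal SPF evaluator run over a constructed, in-memory TXT table instead of DNS. The record contents, the include target `mail.example-mailchimp.test`, and the IP addresses standing in for our servers and the Inria/Gandi MXes are all made up for the example; the shape of the records mirrors the description above (no record at all on tate.softwareheritage.org, a mailchimp-only record with `?all` on softwareheritage.org).

```python
"""Minimal SPF evaluator (ip4/ip6/include/all) over a constructed TXT table."""
from ipaddress import ip_address, ip_network

# Constructed stand-in for DNS TXT lookups; none of these are real records.
# tate.softwareheritage.org is deliberately absent: it has no SPF record.
CURRENT_TXT = {
    "softwareheritage.org": "v=spf1 include:mail.example-mailchimp.test ?all",
    "mail.example-mailchimp.test": "v=spf1 ip4:198.51.100.0/24 -all",
}

# Proposed record: list our own MXes as positive matches, keep the mailchimp
# include, and softfail everything else. 192.0.2.0/28 and 203.0.113.25 are
# placeholders for the Inria and Gandi MX addresses.
IMPROVED_TXT = dict(CURRENT_TXT)
IMPROVED_TXT["softwareheritage.org"] = (
    "v=spf1 ip4:192.0.2.0/28 ip4:203.0.113.25 "
    "include:mail.example-mailchimp.test ~all"
)

QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(domain, ip, txt=CURRENT_TXT, depth=0):
    """Return the SPF result for `ip` sending with envelope-from `domain`."""
    record = txt.get(domain)
    if record is None:
        return "none"          # no record: receivers have nothing to verify
    if depth > 10:
        return "permerror"     # guard against include loops
    addr = ip_address(ip)
    for term in record.split()[1:]:          # skip the "v=spf1" version tag
        qual = "+"
        if term[0] in QUALIFIER:
            qual, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        if mech == "all":
            return QUALIFIER[qual]
        if mech in ("ip4", "ip6") and addr in ip_network(arg, strict=False):
            return QUALIFIER[qual]
        if mech == "include" and check_spf(arg, ip, txt, depth + 1) == "pass":
            return QUALIFIER[qual]
    return "neutral"           # record exhausted without an "all" term


if __name__ == "__main__":
    for dom, table in (("tate.softwareheritage.org", CURRENT_TXT),
                       ("softwareheritage.org", CURRENT_TXT),
                       ("softwareheritage.org", IMPROVED_TXT)):
        print(dom, "from 192.0.2.10 ->", check_spf(dom, "192.0.2.10", table))
```

Run as-is it prints `none` for the current envelope sender domain, `neutral` for softwareheritage.org with today's record, and `pass` once our MX is listed; a mail server outside the listed ranges gets `softfail` under the improved record rather than the meaningless `neutral`.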