
Email delivery issues from (phabricator, mediawikis) to GMail
Open, High, Public


Emails from phabricator or mediawiki to addresses at that haven't been contacted before seem to not be reaching their recipients (tested by adding my own address to this phabricator account).

GMail has recently started bouncing emails for SPF failures or lack of valid DKIM signature, so that's probably what is happening to us.

Phabricator sends its emails using as envelope sender/return path, and as From field.

  • is not set up to receive (or send) emails: no SMTP server, no MX record, no SPF record. This means that we're not receiving any bounces (pretty bad), and the SPF can't validate (meh, but now becoming pretty bad too)
  • has no DKIM signing setup. It has a SPF record which only includes mailchimp (meh) and neutralizes other senders.

This combination means that phabricator mail can be rejected by stringent mail hosts, and spammed by others (no SPF, and no DKIM fallback on SPF mismatch).

We should work on the following items to improve our email deliverability:

  • review return path of all emails generated on SWH servers to make sure that it is eventually a deliverable email address.
  • improve the SPF records of (at least include the Inria and Gandi MXes as positive SPF matches)
  • consider introducing DKIM signing for emails From: outbound from our own servers (probably, by routing all outbound emails through a central mail server, instead of throwing it at the Inria SMTP server, and implementing outbound DKIM signing there).
  • when DKIM signing is implemented, provide an outbound email service to SWH staff so that their emails get DKIM-signed (*ugh*)
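
The SPF outcomes described in the task above, as an added example that is not part of the original task or of Software Heritage's configuration: a simplified SPF evaluator (only the `ip4`, `include` and `all` mechanisms) run over constructed records. Every domain and address is a placeholder chosen for illustration.

```python
import ipaddress

# Constructed records: placeholder domains and documentation-range addresses,
# not the project's real DNS. "site.example" mirrors the situation in the task
# (one bulk-mail include, everything else neutral); "fixed.site.example" adds
# includes for two hypothetical outbound relays.
ZONE = {
    "site.example": "v=spf1 include:bulk.example ?all",
    "fixed.site.example":
        "v=spf1 include:bulk.example include:relay.example include:mx.example ?all",
    "bulk.example": "v=spf1 ip4:192.0.2.0/24 -all",
    "relay.example": "v=spf1 ip4:198.51.100.0/24 -all",
    "mx.example": "v=spf1 ip4:203.0.113.0/24 -all",
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_host(ip, domain, zone=ZONE, depth=0):
    """Simplified SPF evaluation: ip4, include and all mechanisms only."""
    record = zone.get(domain, "")
    if record.split()[:1] != ["v=spf1"]:
        return "none"  # no SPF record published for this domain
    if depth > 10:
        return "permerror"  # guard against include loops
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qualifier = QUALIFIERS.get(term[0])
        mechanism = term[1:] if qualifier else term
        name, _, arg = mechanism.partition(":")
        result = qualifier or "pass"  # a bare mechanism means "+"
        if name == "all":
            return result
        if name == "ip4":
            if addr in ipaddress.ip_network(arg, strict=False):
                return result
        elif name == "include":
            inner = check_host(ip, arg, zone, depth + 1)
            if inner in ("none", "permerror"):
                return "permerror"  # broken include target
            if inner == "pass":  # any other inner result: keep going
                return result
        else:
            return "permerror"  # mechanism outside this simplified subset
    return "neutral"  # no mechanism matched and no "all" term


if __name__ == "__main__":
    relay_ip = "198.51.100.25"  # constructed address of an outbound relay
    for domain in ("host.example", "site.example", "fixed.site.example"):
        print(domain, check_host(relay_ip, domain))
```

The check runs against the envelope-sender domain, so a host name with no SPF record yields `none` whatever the From domain publishes.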

Event Timeline

olasd triaged this task as High priority. Mar 9 2022, 11:17 AM
olasd created this task.

Mail redirection of is also broken, at least for ardumont: P1308. It still worked on 2022-03-02.

I've tried adding gandi and inria's outbound mail servers to's SPF records.

I don't think there's any chance this will fix Gandi's redirects, as they don't use in their return-path, they pass through what they receive unchanged.

To "solve" the redirect issue would need some form of SRS implemented, so that would only send emails with a return-path it controls, but last I had checked there weren't many implementations of that around...