
Email delivery issues from tate.softwareheritage.org (phabricator, mediawikis) to GMail
Open, High, Public

Description

Emails from phabricator or mediawiki to addresses at gmail.com that haven't been contacted before seem to not be reaching their recipients (tested by adding my own gmail.com address to this phabricator account).

GMail has recently started bouncing emails for SPF failures or lack of valid DKIM signature, so that's probably what is happening to us.

Phabricator sends its emails using phabricator@tate.softwareheritage.org as envelope sender/return path, and forge@softwareheritage.org as From field.

  • tate.softwareheritage.org is not set up to receive (or send) emails: no SMTP server, no MX record, no SPF record. This means that we're not receiving any bounces (pretty bad), and the SPF can't validate (meh, but now becoming pretty bad too)
  • softwareheritage.org has no DKIM signing setup. It has an SPF record which only includes mailchimp (meh) and neutralizes other senders.

This combination means that phabricator mail can be rejected by stringent mail hosts, and spammed by others (no SPF, and no DKIM fallback on SPF mismatch).

We should work on the following items to improve our email deliverability:

  • review return path of all emails generated on SWH servers to make sure that it is eventually a deliverable email address.
  • improve the SPF records of softwareheritage.org (at least include the Inria and Gandi MXes as positive SPF matches)
  • consider introducing DKIM signing for emails From: xxx@softwareheritage.org outbound from our own servers (probably, by routing all outbound emails through a central mail server, instead of throwing it at the Inria SMTP server, and implementing outbound DKIM signing there).
  • when DKIM signing is implemented, provide an outbound email service to SWH staff so that their softwareheritage.org emails get DKIM-signed (*ugh*)
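
The SPF situation described above (a softwareheritage.org record that only includes Mailchimp and neutralizes everyone else, versus one that also lists the domain's MXes and the Inria and Gandi relays, and a tate.softwareheritage.org with no record at all) can be reproduced offline with the small evaluator below. It is an added example, not code from this task or from Software Heritage; the hostnames, IP ranges and the `DNS` table are constructed placeholders.

```python
import ipaddress

# Constructed stand-in for DNS: hostnames and IP ranges are placeholders
# (RFC 5737 documentation ranges), not Software Heritage's real infrastructure.
WEAK = "v=spf1 include:spf.mailchimp.example ?all"
FIXED = ("v=spf1 mx include:spf.mailchimp.example "
         "include:spf.inria.example include:spf.gandi.example ~all")
DNS = {
    "spf.mailchimp.example": {"txt": "v=spf1 ip4:198.51.100.0/24 -all"},
    "spf.inria.example": {"txt": "v=spf1 ip4:203.0.113.0/24 -all"},
    "spf.gandi.example": {"txt": "v=spf1 ip4:192.0.2.0/24 -all"},
    # The domain's MX hosts sit inside the Inria and Gandi ranges above.
    "softwareheritage.org": {"txt": WEAK, "mx": ["203.0.113.25", "192.0.2.25"]},
    # tate.softwareheritage.org is absent on purpose: no TXT, no MX.
}
QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_result(domain, ip, dns=DNS, depth=0):
    # RFC 7208 subset relevant here: ip4, mx, include, all and the four
    # qualifiers; modifiers such as redirect= or exp= are not supported.
    record = dns.get(domain, {}).get("txt")
    if record is None or not record.startswith("v=spf1"):
        return "none"          # no policy published: the tate situation
    if depth > 10:
        return "permerror"     # include loop or too many lookups
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIER:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        if mech == "all":
            matched = True
        elif mech == "ip4":
            matched = addr in ipaddress.ip_network(arg, strict=False)
        elif mech == "mx":
            matched = ip in dns.get(arg or domain, {}).get("mx", [])
        elif mech == "include":
            matched = spf_result(arg, ip, dns, depth + 1) == "pass"
        else:
            return "permerror"  # unknown mechanism or modifier
        if matched:
            return QUALIFIER[qualifier]
    return "neutral"           # fell off the end of the record


def check(record, ip):
    # Result a receiver like GMail gets for mail from `ip` while `record` is published for the domain.
    dns = {**DNS, "softwareheritage.org": {**DNS["softwareheritage.org"], "txt": record}}
    return spf_result("softwareheritage.org", ip, dns)
```

With the weak record, mail relayed through the Inria MX evaluates to neutral, which is exactly the "can't validate" case; the fixed record turns it into a pass and demotes unknown senders to softfail.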

Event Timeline

olasd triaged this task as High priority. Mar 9 2022, 11:17 AM
olasd created this task.

Mail redirection of @softwareheritage.org is also broken, at least for ardumont: P1308. It still worked on 2022-03-02.

I've tried adding gandi and inria's outbound mail servers to @softwareheritage.org's SPF records.

I don't think there's any chance this will fix Gandi's redirects, as they don't use @softwareheritage.org in their return-path, they pass through what they receive unchanged.

To "solve" the redirect issue would need some form of SRS implemented, so that softwareheritage.org would only send emails with a return-path it controls, but last I had checked there weren't many implementations of that around...