Page MenuHomeSoftware Heritage

Email delivery issues from (phabricator, mediawikis) to GMail
Closed, MigratedEdits Locked


Emails from phabricator or mediawiki to addresses at that haven't been contacted before seem to not be reaching their recipients (tested by adding my own address to this phabricator account).

GMail has recently started bouncing emails for SPF failures or lack of valid DKIM signature, so that's probably what is happening to us.

Phabricator sends its emails using as envelope sender/return path, and as From field.

  • is not set up to receive (or send) emails: no SMTP server, no MX record, no SPF record. This means that we're not receiving any bounces (pretty bad), and the SPF can't validate (meh, but now becoming pretty bad too)
  • has no DKIM signing setup. It has a SPF record which only includes mailchimp (meh) and neutralizes other senders.

This combination means that phabricator mail can be rejected by stringent mail hosts, and spammed by others (no SPF, and no DKIM fallback on SPF mismatch).

We should work on the following items to improve our email deliverability:

  • review return path of all emails generated on SWH servers to make sure that it is eventually a deliverable email address.
  • improve the SPF records of (at least include the Inria and Gandi MXes as positive SPF matches)
  • consider introducing DKIM signing for emails From: outbound from our own servers (probably, by routing all outbound emails through a central mail server, instead of throwing it at the Inria SMTP server, and implementing outbound DKIM signing there.
  • when DKIM signing is implemented, provide an outbound email service to SWH staff so that their emails get DKIM-signed (*ugh*)

Event Timeline

olasd triaged this task as High priority.Mar 9 2022, 11:17 AM
olasd created this task.

Mail redirection of is also broken, at least for ardumont: P1308. It still worked on 2022-03-02.

I've tried adding gandi and inria's outbound mail servers to's SPF records.

I don't think there's any chance this will fix Gandi's redirects, as they don't use in their return-path, they pass through what they receive unchanged.

To "solve" the redirect issue would need some form of SRS implemented, so that would only send emails with a return-path it controls, but last I had checked there weren't many implementations of that around...

Here is the email notifications received from bouncing email.
This email was received by Elisabetta when sending an email from to

---------- Forwarded message ---------
Da: Mail Delivery System <>
Date: ven 12 ago 2022 alle ore 11:29
Subject: Undelivered Mail Returned to Sender
To: <>

This is the mail system at host

I'm sorry to have to inform you that your message could not
be delivered to one or more recipients. It's attached below.

For further assistance, please send mail to postmaster.

If you do so, please include this problem report. You can
delete your own text from the attached returned message.

                   The mail system

<>: host[] said:
    550-5.7.26 This message does not pass authentication checks (SPF and DKIM
    both 550-5.7.26 do not pass). SPF check for [] does not pass with
    ip: 550-5.7.26 [].To best protect our users from spam, the
    message 550-5.7.26 has been blocked. Please visit 550-5.7.26 for more 550
    5.7.26 information. 10-20020a056000154a00b00222c2996050si1313578wry.1010 -
    gsmtp (in reply to end of DATA command)