Hi all,

Ever since the gerrit upgrade, emails from [email protected] have been going into my Junk folder, so I started looking at the headers and related information to see if I could find any problems.

One thing I encountered is that the current SPF record:

    $ host -t TXT openstack.org
    openstack.org descriptive text "v=spf1 include:sendgrid.net ~all"

fails anything but mail sent via sendgrid. This excludes mail sent from [email protected] directly off the gerrit server, and causes SPF to softfail.

Note that this SPF record does *not* impact the mailing lists, as those are on a separate domain (lists.openstack.org) which has no SPF record set whatsoever.

AFAICT, there are a limited number of servers that send mail with From: addresses containing openstack.org, these include: emailsrvr.com (the MX provider for openstack.org) and review.openstack.org. jeblair mentioned on IRC that there may also be an 'openstackid-dev' email sending account, but I was unable to find any email in my personal account from that server.

There are two possible solutions:

1) Remove or drastically open the SPF record. Removing the record would cause all email to resolve spf=none (like lists.o.o does currently), but prevent openstack.org from gaining any protection against malicious senders via SPF. Drastically opening the SPF record would be changing the "~all" to a "+all" which would cause all sent email to pass SPF.

2) Make the SPF record accurate: "v=spf1 include:emailsrvr.com include:sendgrid.net a:review.openstack.org ~all". For any additional services that send mail for openstack.org, an additional "a:my.host.name.openstack.org" would be added to the SPF record. Using a: syntax for the records also ensures that in the case of something like the recent gerrit migration, the SPF record would remain valid without any modification.

There's obviously also a hybrid approach, where we add the known senders of mail but change "~all" to "+all".

I strongly recommend we pursue option 2 -- this would mean if you know of any other devices sending mail to @openstack.org, please reply to this thread with the information so we can draft a valid SPF record.

Thanks,
Jay Faulkner
_______________________________________________ OpenStack-dev mailing list [email protected] http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
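
Added example, not part of the original message: a small Python evaluator for a subset of SPF (include, a, ip4, all), run against constructed DNS data, comparing the current record, the proposed record and the "+all" hybrid from the message above. The TXT contents shown for sendgrid.net and emailsrvr.com and every IP address are constructed placeholders (documentation ranges), not the real published values.

```python
import ipaddress

# Constructed DNS data for an offline demo (assumption, not real records).
TXT = {
    "sendgrid.net": "v=spf1 ip4:192.0.2.0/24 ~all",
    "emailsrvr.com": "v=spf1 ip4:198.51.100.0/24 ~all",
}
A = {"review.openstack.org": ["203.0.113.10"]}  # constructed gerrit address

CURRENT = "v=spf1 include:sendgrid.net ~all"
PROPOSED = ("v=spf1 include:emailsrvr.com include:sendgrid.net "
            "a:review.openstack.org ~all")
HYBRID = PROPOSED.replace("~all", "+all")

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def check_spf(record, ip, a_records=A, depth=0):
    """Evaluate a subset of SPF for a sending IP; first matching term wins."""
    if record is None:
        return "none"          # no SPF record published for the domain
    if depth > 10:
        return "permerror"     # guard against include loops
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qual = "+"             # the default qualifier is pass
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        if name == "all":
            matched = True
        elif name == "ip4":
            matched = addr in ipaddress.ip_network(arg, strict=False)
        elif name == "a":
            matched = ip in a_records.get(arg, [])
        elif name == "include":
            # include matches only when the included policy returns pass
            sub = TXT.get(arg)
            matched = (sub is not None and
                       check_spf(sub, ip, a_records, depth + 1) == "pass")
        else:
            return "permerror"  # mechanism outside this subset
        if matched:
            return QUALIFIERS[qual]
    return "neutral"

if __name__ == "__main__":
    for label, rec in [("current", CURRENT), ("proposed", PROPOSED),
                       ("hybrid", HYBRID), ("no record", None)]:
        print(label, "gerrit:", check_spf(rec, "203.0.113.10"),
              "unknown host:", check_spf(rec, "203.0.113.99"))
```

Because the a: mechanism is resolved at check time, passing a changed address table for review.openstack.org keeps the proposed record passing for the new address without editing the record; the "+all" hybrid returns pass for any sender, listed or not.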
