Hi all,
Ever since the gerrit upgrade, emails from rev...@openstack.org have
been going into my Junk folder, so I started looking at the headers and
related information to see if I could find any problems.

One thing I encountered is that the current SPF record:

    $ host -t TXT openstack.org
    openstack.org descriptive text "v=spf1 include:sendgrid.net ~all"

fails anything but mail sent via sendgrid. This excludes mail sent from
rev...@openstack.org directly off the gerrit server, and causes SPF to
softfail. Note that this SPF record does *not* impact the mailing lists,
as those are on a separate domain (lists.openstack.org) which has no SPF
record set whatsoever.

AFAICT, there are a limited number of servers that send mail with From:
addresses containing openstack.org; these include emailsrvr.com (the MX
provider for openstack.org) and review.openstack.org. jeblair mentioned
on IRC that there may also be an 'openstackid-dev' email sending
account, but I was unable to find any email in my personal account from
that server.

There are two possible solutions:

1) Remove or drastically open the SPF record. Removing the record would
cause all email to resolve spf=none (like lists.o.o does currently), but
prevent openstack.org from gaining any protection against malicious
senders via SPF. Drastically opening the SPF record would be changing
the "~all" to a "+all" which would cause all sent email to pass SPF.

2) Make the SPF record accurate: "v=spf1 include:emailsrvr.com
include:sendgrid.net a:review.openstack.org ~all". For any additional
services that send mail for openstack.org, an additional
"a:my.host.name.openstack.org" would be added to the SPF record. Using
a: syntax for the records also ensures that in the case of something
like the recent gerrit migration, the SPF record would remain valid
without any modification.

There's obviously also a hybrid approach, where we add the known senders
of mail but change "~all" to "+all".

I strongly recommend we pursue option 2 -- this would mean if you know
of any other devices sending mail to @openstack.org, please reply to
this thread with the information so we can draft a valid SPF record.

Thanks,
Jay Faulkner
___
OpenStack-dev mailing list
OpenStack-dev@lists.openstack.org
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
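
The three records discussed in the message above (current, option 2, and "+all"), run through a small SPF evaluator. This is an added example, not part of the original post; the IP addresses and the contents of the sendgrid.net and emailsrvr.com records are constructed placeholders, and only a subset of RFC 7208 (ip4, a:, include:, all) is implemented.

```python
import ipaddress

# Constructed DNS data using documentation address ranges; the real contents
# of the sendgrid.net and emailsrvr.com SPF records are not reproduced here.
TXT = {
    "sendgrid.net": "v=spf1 ip4:198.51.100.0/24 ~all",
    "emailsrvr.com": "v=spf1 ip4:203.0.113.0/24 ~all",
}
A = {"review.openstack.org": ["192.0.2.10"]}  # hypothetical gerrit address

CURRENT = "v=spf1 include:sendgrid.net ~all"
PROPOSED = ("v=spf1 include:emailsrvr.com include:sendgrid.net "
            "a:review.openstack.org ~all")
OPEN = "v=spf1 +all"
RESULTS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(record, ip, depth=0):
    """Evaluate one client IP against an SPF record (subset of RFC 7208)."""
    if record is None or not record.startswith("v=spf1"):
        return "none"  # no SPF record published, as for lists.openstack.org
    if depth > 10:
        return "permerror"  # guard against include loops
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qualifier = term[0] if term[0] in RESULTS else "+"
        name, _, arg = term.lstrip("+-~?").partition(":")
        if name == "all":
            matched = True
        elif name == "ip4":
            matched = addr in ipaddress.ip_network(arg)
        elif name == "a":
            # Resolved at check time, so a host migration needs no SPF edit
            matched = ip in A.get(arg, [])
        elif name == "include":
            # include matches only when the included record returns "pass"
            matched = check_spf(TXT.get(arg), ip, depth + 1) == "pass"
        else:
            return "permerror"
        if matched:
            return RESULTS[qualifier]
    return "neutral"  # nothing matched and the record has no "all" term


def compare(ip):
    """Result for one sending IP under each candidate record."""
    return {name: check_spf(rec, ip) for name, rec in
            [("current", CURRENT), ("proposed", PROPOSED), ("open", OPEN)]}
```

compare("192.0.2.10") shows the gerrit host moving from softfail to pass under option 2, while an address listed nowhere still softfails under option 2 and passes only under "+all".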