https://bugs.kde.org/show_bug.cgi?id=496312
Bug ID: 496312
Summary: DMARC/DKIM/SPF Issues with emails sent from bugzilla
Classification: Websites
Product: bugs.kde.org
Version: unspecified
Platform: Other
OS: All
Status: REPORTED
Severity: major
Priority: NOR
Component: general
Assignee: sysad...@kde.org
Reporter: swens...@cassens.com
CC: she...@kde.org
Target Milestone: ---

SUMMARY
Emails sent from this forum may fail to land in the user's inbox due to Domain Spoofing, which leads to DMARC/DKIM/SPF failure. This is because the emails are listed as being "FROM" the poster's actual email instead of from the bug site's address. As a result, if the poster's domain enforces the above rules, the email fails authentication, since it is coming from kde.org's mail servers instead of the listed "FROM" user's mail servers. This is improper and causes messages to be flagged as spam or never delivered. My organization respects these rules and will not deliver the mail to the user's inbox if such security checks do not pass.

Mail header as follows (responding forum user has a web.de address):

dkim=none; dmarc=fail reason="SPF not aligned (relaxed), No valid DKIM" header.from=web.de (policy=quarantine); spf=pass (relay.mimecast.com: domain of bugzilla_nore...@kde.org designates 46.43.1.242 as permitted sender) smtp.mailfrom=bugzilla_nore...@kde.org
Received: from letterbox.kde.org (letterbox.kde.org [46.43.1.242]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.3, cipher=TLS_AES_256_GCM_SHA384) id us-mta-480-qt_fYBHrP16R2jPQ_T9x4g-1; Fri, 15 Nov 2024 11:23:36 -0500
X-MC-Unique: qt_fYBHrP16R2jPQ_T9x4g-1
X-Mimecast-MFC-AGG-ID: qt_fYBHrP16R2jPQ_T9x4g
Received: from phoeni.kde.org (phoeni.kde.org [IPv6:2a01:4f8:a0:600e::3]) by letterbox.kde.org (Postfix) with ESMTPS id 6BDD333BACA for <swens...@cassens.com>; Fri, 15 Nov 2024 16:14:25 +0000 (GMT)
Received: from www-data by phoeni.kde.org with local (Exim 4.95) (envelope-from <bugzilla_nore...@kde.org>) id 1tByxk-001BsI-Sh for swens...@cassens.com;

STEPS TO REPRODUCE
1. Ensure your mail server is enforcing DMARC/DKIM/SPF
2. Have a user with an email address/domain which enforces DMARC/DKIM/SPF reply to a bug post you have made

OBSERVED RESULT
Mail is sent with an improper "FROM" address, causing the mail to fail domain authentication policies and be rejected.

EXPECTED RESULT
Mail should be sent with a kde.org address in the FROM field (the user's email address could still be in the email description/name area), so that the mail can be authenticated against kde.org's DMARC/DKIM/SPF rules, which it should pass.

ADDITIONAL NOTES
As noted, SPF is technically not failing, because it is looking up the info for the domain sending the mail, finding that the mail did in fact come from an authorized mail server for kde.org.

web.de has a DMARC record telling other mail servers to quarantine and report messages which fail DMARC.

The specific aspect of failure, alignment, is discussed here: https://en.wikipedia.org/wiki/DMARC#Alignment

-- 
You are receiving this mail because:
You are watching all bug changes.
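The alignment failure in the report, worked through in code. This is an added example, not code from bugs.kde.org, Bugzilla or the KDE sysadmin team: it parses an Authentication-Results value constructed from the fragment quoted above, applies the From domain's DMARC record, and shows why SPF passing for kde.org does not rescue a message whose From header says web.de, why a kde.org DKIM signature would not help either, and why rewriting the From header to a kde.org address (the fix the reporter asks for) makes the message pass. Assumptions not in the report: the organizational domain is approximated as the last two DNS labels (a real verifier uses the Public Suffix List), the DMARC records are constructed placeholders rather than records fetched from DNS, and the kde.org local-part `sender` is a placeholder for the elided address.

```python
"""DMARC identifier alignment (RFC 7489), worked through on the
Authentication-Results line quoted in the bug report.

Added example; not code from bugs.kde.org, Bugzilla or KDE sysadmin.
Assumptions: org domain = last two labels (real verifiers use the Public
Suffix List); DMARC records below are constructed, not fetched from DNS;
"sender@kde.org" is a placeholder local-part, only the domains matter.
"""
import re

# Constructed from the header fragment quoted in the report.
AUTH_RESULTS_ORIGINAL = (
    'dkim=none; dmarc=fail reason="SPF not aligned (relaxed), No valid DKIM" '
    "header.from=web.de (policy=quarantine); "
    "spf=pass (relay.mimecast.com: domain of sender@kde.org designates "
    "46.43.1.242 as permitted sender) smtp.mailfrom=sender@kde.org"
)

# Same message if kde.org DKIM-signed it but left the From header alone.
AUTH_RESULTS_KDE_DKIM_ONLY = AUTH_RESULTS_ORIGINAL.replace(
    "dkim=none", "dkim=pass header.d=kde.org header.s=example")

# Same message with From rewritten to a kde.org address (the requested fix).
AUTH_RESULTS_REWRITTEN_FROM = AUTH_RESULTS_ORIGINAL.replace(
    "header.from=web.de", "header.from=kde.org")

# Constructed records; a verifier fetches _dmarc.<from-domain> TXT from DNS.
DMARC_WEB_DE = "v=DMARC1; p=quarantine; aspf=r; adkim=r"
DMARC_KDE_ORG = "v=DMARC1; p=none"  # placeholder, not kde.org's real record


def parse_dmarc_record(txt):
    """Split a DMARC TXT record into its tag=value pairs."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def org_domain(domain):
    """Organizational domain, approximated as the last two labels."""
    labels = domain.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def aligned(auth_domain, from_domain, mode):
    """'s' (strict): exact match. 'r' (relaxed): same organizational domain."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


def parse_auth_results(text):
    """Extract what DMARC compares: RFC5322.From domain, SPF result and its
    RFC5321.MailFrom domain, and the d= of each DKIM signature that passed.
    The receiver's own dmarc=/reason= fields are ignored and recomputed."""
    header_from = re.search(r"header\.from=([\w.-]+)", text)
    spf = re.search(r"\bspf=(\w+)", text)
    mailfrom = re.search(r"smtp\.mailfrom=(?:[^\s;@]+@)?([\w.-]+)", text)
    dkim_pass = [d for res, d in
                 re.findall(r"\bdkim=(\w+)[^;]*?header\.d=([\w.-]+)", text)
                 if res == "pass"]
    return {
        "header_from": header_from.group(1) if header_from else None,
        "spf_result": spf.group(1) if spf else "none",
        "mailfrom_domain": mailfrom.group(1) if mailfrom else None,
        "dkim_pass_domains": dkim_pass,
    }


def evaluate_dmarc(auth_results_text, dmarc_record_txt):
    """DMARC passes if SPF or DKIM both passes *and* aligns with the From
    domain; otherwise the From domain's p= disposition applies."""
    ids = parse_auth_results(auth_results_text)
    rec = parse_dmarc_record(dmarc_record_txt)
    from_dom = ids["header_from"]
    spf_aligned = (
        ids["spf_result"] == "pass"
        and ids["mailfrom_domain"] is not None
        and aligned(ids["mailfrom_domain"], from_dom, rec.get("aspf", "r"))
    )
    dkim_aligned = any(aligned(d, from_dom, rec.get("adkim", "r"))
                       for d in ids["dkim_pass_domains"])
    passed = spf_aligned or dkim_aligned
    return {
        "header_from": from_dom,
        "spf_aligned": spf_aligned,
        "dkim_aligned": dkim_aligned,
        "dmarc": "pass" if passed else "fail",
        "disposition": "none" if passed else rec.get("p", "none"),
    }


if __name__ == "__main__":
    for label, ar, rec in [
        ("as reported", AUTH_RESULTS_ORIGINAL, DMARC_WEB_DE),
        ("kde.org DKIM, From unchanged", AUTH_RESULTS_KDE_DKIM_ONLY, DMARC_WEB_DE),
        ("From rewritten to kde.org", AUTH_RESULTS_REWRITTEN_FROM, DMARC_KDE_ORG),
    ]:
        print(f"{label}: {evaluate_dmarc(ar, rec)}")
```

The second case is the one worth noticing: adding a kde.org DKIM signature alone changes nothing, because alignment is measured against the RFC5322.From domain and kde.org cannot sign as web.de. Only the third case, where the From header carries a kde.org address and the envelope sender already does, lets SPF align, and the policy consulted is then kde.org's rather than web.de's.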