Add DMARC policy and verifications to mailing lists

[butlerpd]

The SasView domain currently does not have any DMARC policy set and thus no SPF policy or DKIM signatures. This can cause some receiving servers to mark it as spam (and also could allow spoofing our domain in emails). We should set up up mailman to properly digitally sign all outgoing email and add appropriate entries into the SasView DNS records as explained in the help links below. As recommended we should start by setting policy to none but receive updates on when SPF and DKIM fail. Once those seem to be working we should up the required compliance level.

Useful resources: DMARC

• What and how to:
  • https://www.esecurityplanet.com/applications/how-to-set-up-and-implement-dmarc-email-security/
  • https://support.google.com/a/answer/2466580?hl=en&ref_topic=2759254
  • https://mxtoolbox.com/dmarc/details/how-to-setup-dmarc

DKIM signing for Mailman

• https://docs.mailman3.org/projects/mailman/en/latest/src/mailman/handlers/docs/arc_sign.html
• https://doc.coker.com.au/internet/dkim-and-mailing-lists/
• https://askubuntu.com/questions/134725/setup-dkim-domainkeys-for-ubuntu-postfix-and-mailman

Verifications

• https://support.google.com/mail/answer/9981691?visit_id=637542582332398301-187864161&rd=1#zippy=%2Cdomain-reputation%2Cauthentication%2Cencryption
• https://mxtoolbox.com/dmarc.aspx?referrer=dmarcsetupno6
• https://dkimvalidator.com/

Domain Reputation

• https://transparencyreport.google.com/safe-browsing/search

[butlerpd]

Note that as per some of the resources above, the UTK OIT folk strongly suggest implementing DMARC and point out that we can start with DMARC p=none to minimize disruption.

[krzywon]

Should this be transferred to sasview/sasmeta?

[butlerpd]

yes -- I'll move it.