Closed by brianwc 8 years ago
Interesting. Never heard of DMARC before. I can't tell from my quick read of this whether this is something we need to do on our Google Apps configuration for CourtListener or whether this is something Yahoo! and AOL need to do to their servers.
Another thing I don't understand is that the Google document on this topic says:
A message must fail both SPF and DKIM checks to also fail DMARC
Which is weird because our SPF and DKIM should be configured properly...I thought.
Where did we get the failure message above? I don't understand what's happening here, but I can dig in further if I need to.
Note that both your SPF & DKIM can get broken by, among other things, mailing lists; Outlook used through other services (eg gmail); and other remailers.
Which is why I downgraded from p=reject for DMARC. There's just no way to fix these issues w/ 3rd party entities munging my email content and breaking both the SPF and DKIM.
@mlissner A Yahoo email user just reported (by tracking down my home phone number) that her messages are continually bounced by this form.
_dmarc.courtlistener.com doesn't appear to be set.
You probably want it to have a TXT record of this sort:
v=DMARC1; fo=1; p=none; rua=mailto:dmarca@courtlistener.com; ruf=mailto:dmarcf@courtlistener.com
p=none because mailing lists, remailers, Outlook, Yahoo, and gods know what else will fuck up your SPF source & DKIM sig, thereby causing unavoidable DKIM failure.
If this is just a DNS thing, @brianwc, can you put in the needed record?
When we get to this, we should try sending an email to: https://www.mail-tester.com/
So, Google flipped a switch and now we can't even send ourselves messages from the contact form. This is officially very broken. Here's a first test: https://www.mail-tester.com/web-Ys1fvC
I'm researching what we need to do to make DMARC work.
OK, lots of DNS work to fix this, @brianwc. I can do all of this, but I need access to DNS.
There are four pieces to this puzzle:
This seems like a really good time to move the MX records over to Google. The config for that is:
(Sorry, can't copy/paste from it for some reason.)
Once this is done, Google will be hosting email for freelawproject.org.
For our current CourtListener email to work properly, we need a TXT record named google._domainkey with the value:
v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCvikwBi1z6LLa7I+uT7idU6nXquk+TjpllhXtPc42WqMuUbVKIjSroBPgfv7CmDjTwu8UPa3OBwPhefPDkSkZ5iAU8FsemYkpeJZHrfpW/G4pxunLBmA68mHo+Lf0e2QkPXNxLuifHtHgAqXDSYy/iciNXBxo54jlqUG1LwOMivwIDAQAB
Once that's done, I need to check the dashboard to make sure it's working. This will make it so CourtListener mail from Google will work (i.e., our personal addresses).
Alas, mail from the server needs a second DNS entry to match the key that's set up there (see here for more info on setting up opendkim and postfix). The TXT entry should be named mail._domainkey.courtlistener.com. (with the period) and have a value of:
v=DKIM1; k=rsa; p=AAAAB3NzaC1yc2EAAAADAQABAAAAgQDJLct3k+/zD7Pd48qUJj0Z88dEop5Gl7U94SFHHBqU0dvQEaGpyNkYD693ytpK4+THC0O2cAcB+DPgGIhBTSbCUEvmqf+iyTdvTuWAZKWBMmnVFEAQsl4rTDHHD5Zd+O2Zk8txztXHKdm/zAfG6YlSLpwmvvw33Mr6P9qXSXK9/w==
CourtListener has been signing email with its private key (`/etc/mail/dkim.key`), but I think it didn't have the DNS record to match (one testing tool indicated that we do have this set up, but I'm pretty sure we don't). Since the public key seems to have disappeared, I generated it from the private key using:
sudo ssh-keygen -y -f dkim.key
DKIM is pretty much the worst. Let's move on.
We need a TXT record named google._domainkey with the value:
v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCL+LSZlNoEJOURS+xH8LRyf2bGER0cH7QOYrHhGPS+731WwSxhJY5zUh2Pgzus4cgAz22ffc2b6QfQd4KTt+w/Pr4DGB0i3DoABgSPhdAuWT/LBSHMgysRefLkPFw4qiSlKosKM775XZLIMergv9OlUf+Ju2O1J1A2+qhQiaAsDwIDAQAB
Once that's done, I need to check the dashboard to make sure it's working.
I checked what was here by using:
dig mail.freelawproject.org any
But SPF, DKIM, and DMARC are not configured. I believe this means that a lot of your mail won't go through, especially since Google is going DMARC strict next year. I'll provide notes for these as I find them. For DKIM, the best guide I've found is Digital Ocean's, though we haven't followed it word for word at CourtListener.
Done!
Google Mail needs a TXT record with the following content:
v=spf1 include:_spf.google.com ~all
mail.freelawproject.org does not have an SPF record. I'm not sure what it should be, but CourtListener has one with a possible example of multiple values. I'm not sure how subdomains are handled either. I do know that it's not a matter of simply adding a second SPF record for mail.flp.org -- Only one SPF record is allowed per domain.
Digital Ocean has an article on SPF records that might be helpful. The info above is from Google's Documentation.
DMARC seems to be a layer on top of SPF and DKIM. If both are working, you're ready to do this too. If this is done with broken DKIM or SPF, your mail will summarily stop. Since mail.flp.org isn't set up, we're about to have issues (more on this in a sec).
From Google's Documentation, create a TXT record named _dmarc.courtlistener.com. with the value:
v=DMARC1; p=quarantine; rua=mailto:dmarc-reports@freelawproject.org
Note that rua does use flp.org. I'm trying to wind down CL.com email. dmarc-reports@flp.org is an alias to admin@flp.org, which in turn forwards all mail to both of us.
For Google servers, the same process as above can be completed, creating a TXT record named _dmarc.courtlistener.com. with the value:
v=DMARC1; p=none; rua=mailto:dmarc-reports@freelawproject.org; aspf=r
Note, however, that p=none and that aspf=r. This says, in essence, to ignore failures of DKIM and of SPF (p=none), and to allow mail from subdomains (aspf=r). This is not a good way to have this set up, and it will undoubtedly cause us headaches similar to this one later. If you can get SPF and DKIM working for mail.flp.org, then the correct way to set up DMARC for flp.org is:
v=DMARC1; p=quarantine; rua=mailto:dmarc-reports@freelawproject.org; aspf=r
The best place to learn about DMARC is from the RFC, of course. If you want to deploy this slowly, Google has some notes on how to do so, but I think we should go for it, monitoring the reports that come in to dmarc-reports@flp.org.
For CL and FLP, this is currently set to 64-201-244-226.static.paxio.net., which is more or less OK, but if we can change it to courtlistener.com. or to freelawproject.org, that'd be better. We'd need Paxio to make the change though.
There are three testing tools I know. Might as well use 'em all:
check-auth@verifier.port25.com and in reply you'll get a big diagnostic email.
UGH!
I think I made all the above changes for FLP & mail.flp (should take until at least 10:33 PST to propagate). CL mail works presently. Let's not break both at the same time. Once you confirm FLP mail is working, I'll fiddle with CL, but it already has most of what is described above. Here's the existing mail-related bits of CL's DNS record:
mail.courtlistener.com. IN CNAME ghs.google.com.
CourtListener.com. IN MX 1 ALT1.ASPMX.L.GOOGLE.COM.
courtListener.com. IN MX 1 aspmx.l.google.com.
CourtListener.com. IN MX 1 ASPMX2.GOOGLEMAIL.COM.
courtlistener.com. IN MX 1 ALT2.ASPMX.L.GOOGLE.COM.
_domainkey.courtlistener.com. IN TXT "o=~\; r=mike@courtlistener.com"
mail._domainkey.courtlistener.com. IN TXT "k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDJLct3k+/zD7Pd48qUJj0Z88dEop5Gl7U94SFHHBqU0dvQEaGpyNkYD693ytpK4+THC0O2cAcB+DPgGIhBTSbCUEvmqf+iyTdvTuWAZKWBMmnVFEAQsl4rTDHHD5Zd+O2Zk8txztXHKdm/zAfG6YlSLpwmvvw33Mr6P9qXSXK9/wIDAQAB"
courtlistener.com. IN TXT "v=spf1 a mx ptr mx:alt1.aspmx.l.google.com mx:alt2.aspmx.l.google.com mx:aspmx.l.google.com mx:aspmx2.googlemail.com mx:courtlistener.com ?all"
Agree - doing one at a time is smart!
So, I can only test flp.org, not mail.flp.org, and it looks pretty good. DKIM and SPF are all set according to the best test site I've found (10/10). But I'm totally confused because I can't for the life of me find the DKIM record using dig. I don't know why this is working, and that makes me scared that we're missing some important detail?
Anyway, if this is indeed all set, and if mail.flp.org also has working SPF and DKIM, I believe the DMARC we need is:
v=DMARC1; p=quarantine; rua=mailto:dmarc-reports@freelawproject.org; aspf=r
I found a DMARC testing site we can use too.
For CourtListener, the testing website currently reports:
And it has bats flying around. Spooky, but appropriate for today, I suppose. Anyway, SPF is failing because:
Maximum void DNS look-ups limit (2) exceeded
Which I think is because our record has stuff from Google that's changed? I think it should be:
v=spf1 a include:_spf.google.com ~all
This translates to:
- `v=spf1` -- This is an SPF record.
- `a` -- Check the DNS A record for the sender (courtlistener.com) and see if it has the IP of the sending computer (in most cases, this will work for us).
- `include:_spf.google.com` -- Gather Google's SPF records too, and check those.
- `~all` -- This means that anything that hasn't been matched already should be a softfail (`~`).
DKIM seems to somehow be working for both Google mail and from the server. Do we have both keys set up? Again, I can't find these DNS records?
DMARC needs love, natch -- it's where this whole thing started:
v=DMARC1; p=quarantine; rua=mailto:dmarc-reports@freelawproject.org
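As an added example (not code from this issue or the project), here is a small evaluator for the SPF record proposed above, run against a constructed in-memory DNS table so it works offline. It also enforces the RFC 7208 lookup limits, so the "void DNS look-ups" permerror the tester reported is reproduced by a record that points at hostnames which no longer resolve. The addresses, the `_spf.google.com` contents and the `stale.example` names are constructed, not live data.

```python
import ipaddress
# Constructed DNS table (documentation-range addresses, not real records).
DNS = {
    ("courtlistener.com", "A"): ["198.51.100.10"],
    ("courtlistener.com", "TXT"): ["v=spf1 a include:_spf.google.com ~all"],
    ("_spf.google.com", "TXT"): ["v=spf1 ip4:203.0.113.0/24 ~all"],
    # Chains through names that no longer resolve: the "void look-ups" case.
    ("stale.example", "TXT"): ["v=spf1 a:gone1.example a:gone2.example a:gone3.example -all"],
}
MAX_LOOKUPS, MAX_VOID = 10, 2   # RFC 7208 section 4.6.4 limits
RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

class PermError(Exception):
    """A lookup limit was exceeded; receivers report this as permerror."""

def lookup(name, rtype, counters):
    """Query the table, counting every lookup and every void (empty) answer."""
    counters["total"] += 1
    answer = DNS.get((name, rtype), [])
    counters["void"] += not answer
    if counters["total"] > MAX_LOOKUPS or counters["void"] > MAX_VOID:
        raise PermError(f"lookup limits exceeded: {counters}")
    return answer

def check_host(ip, domain, counters=None):
    """Return pass/fail/softfail/neutral/none/permerror for `ip` and `domain`."""
    if counters is None:            # top-level call owns the counters
        try:
            return check_host(ip, domain, {"total": 0, "void": 0})
        except PermError:
            return "permerror"
    spf = [r for r in DNS.get((domain, "TXT"), []) if r.startswith("v=spf1 ")]
    if len(spf) != 1:               # no record, or the forbidden second record
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in spf[0].split()[1:]:
        q, mech = (term[0], term[1:]) if term[0] in "+-~?" else ("+", term)
        name, _, arg = mech.partition(":")
        matched = name == "all"     # mx, ptr and exists are not modelled here
        if name == "ip4":
            matched = addr in ipaddress.ip_network(arg, strict=False)
        elif name == "a":           # A record of the argument, default this domain
            matched = str(addr) in lookup(arg or domain, "A", counters)
        elif name == "include":     # counts as a lookup; only a 'pass' matches
            lookup(arg, "TXT", counters)
            matched = check_host(ip, arg, counters) == "pass"
        if matched:
            return RESULT[q]
    return "neutral"
```

Only `a`, `ip4`, `include` and `all` are modelled; the `mx` and `ptr` terms in the old CourtListener record would each add further counted lookups in a real receiver.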
We still have the work to do in the above comment, but I left Thunderbird open just in case, and my old inbox at maricopa.sharealike is still getting emails. I think they're mostly from inside the network, like from lists.flp.org and from mail.flp.org. Some other emailers were just slow to update their DNS (spammers and such), so I thought the internally-sent emails would eventually stop, but I'm beginning to suspect there's something amiss.
So, got another email to maricopa.flp.org from lists.flp.org, so something is definitely amiss there.
Just got another email with:
I apologize if you received this twice. I received an undeliverable email notification when I used the Court Listener Contact Us.
We really need to address this once we get the FLP server back online. @brianwc, if you can give me the permissions needed, I'll be happy to get this done.
DMARC testing site now reports 8.8/10, dinging us mainly for the paxio rdns issue that is out of our hands and because my test email didn't contain an html version.
This looks about right to me too. Thanks for wrapping this up.
When Yahoo! and a few others changed their DMARC policies last year it also broke web forms all over the internet. If someone types their yahoo.com email address into the CL contact form, then since we deliver it to courtlistener email addresses hosted by Google, Google respects Yahoo's DMARC policy and rejects the mail because it did not actually originate from yahoo.com. Same goes for Comcast and AOL email addresses. So, we've been silently (from our perspective) rejecting many contacts. The sender gets an undelivered mail message, but would have to be persistent to figure out how to tell us about it. There are apparently a few settings we can tweak in our form that will fix this.
Relevant details are here: http://www.fastsecurecontactform.com/yahoo-com-dmarc-policy
Example Undelivered Mail Returned to Sender response (with email addresses snipped):
Subject: Undelivered Mail Returned to Sender
----- Forwarded Message -----
This is the mail system at host courtlistener.com.
I'm sorry to have to inform you that your message could not be delivered to one or more recipients. It's attached below.
For further assistance, please send mail to postmaster.
If you do so, please include this problem report. You can delete your own text from the attached returned message.
host ALT2.aspmx.l.google.com[173.194.219.27] said: 550-5.7.1 Unauthenticated email from yahoo.com is not accepted due to domain's 550-5.7.1 DMARC policy. Please contact administrator of yahoo.com domain if 550-5.7.1 this was a legitimate mail. Please visit 550-5.7.1 http://support.google.com/mail/answer/2451690 to learn about DMARC 550 5.7.1 initiative. y62si3351501yhc.175 - gsmtp (in reply to end of DATA command)
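Added example (not the project's code) that evaluates DMARC identifier alignment for the two situations in this thread: the contact-form bounce above, where a yahoo.com From: address is authenticated only by courtlistener.com's SPF and DKIM, and the earlier question of what aspf=r buys for mail.freelawproject.org. Policy discovery (the _dmarc lookup and sp=) is outside the block and policy strings are passed in directly; the organizational-domain rule is simplified to the last two labels, and the "fixed form" case assumes the form is changed to send From: a courtlistener.com address with the visitor in Reply-To, which the thread does not spell out.

```python
def parse_dmarc(txt):
    """Turn 'v=DMARC1; p=none; aspf=r' into a dict, filling RFC 7489 defaults."""
    tags = dict(kv.strip().split("=", 1) for kv in txt.split(";") if "=" in kv)
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a valid DMARC record")
    tags.setdefault("adkim", "r")   # relaxed DKIM alignment unless adkim=s
    tags.setdefault("aspf", "r")    # relaxed SPF alignment unless aspf=s
    return tags

def org_domain(domain):
    """Organizational domain, simplified to the last two labels (real receivers use the public suffix list)."""
    return ".".join(domain.lower().split(".")[-2:])

def aligned(from_domain, auth_domain, mode):
    """Strict ('s') needs an exact match; relaxed ('r') accepts the same organizational domain."""
    if not auth_domain:             # that mechanism did not pass at all
        return False
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)

def dmarc_disposition(policy_txt, from_domain, spf_domain=None, dkim_domain=None):
    """Evaluate the From: domain's policy. `spf_domain` is the MAIL FROM domain
    if SPF passed, `dkim_domain` the d= of a valid signature (None = no pass).
    Returns ('pass', 'none') or ('fail', <p= action>)."""
    policy = parse_dmarc(policy_txt)
    spf_ok = aligned(from_domain, spf_domain, policy["aspf"])
    dkim_ok = aligned(from_domain, dkim_domain, policy["adkim"])
    return ("pass", "none") if spf_ok or dkim_ok else ("fail", policy["p"])

# Constructed policies modelled on the thread (not live DNS data).
REJECTING_PROVIDER = "v=DMARC1; p=reject"        # what a yahoo.com-style provider publishes
CL_POLICY = "v=DMARC1; p=quarantine; rua=mailto:dmarc-reports@freelawproject.org"
FLP_RELAXED = CL_POLICY + "; aspf=r"
FLP_STRICT = CL_POLICY + "; aspf=s; adkim=s"

def contact_form_case():
    """The bounce in the thread: the form puts the visitor's yahoo.com address in
    From:, but SPF and DKIM only authenticate courtlistener.com, so nothing aligns
    and the visitor's provider's p=reject policy applies."""
    return dmarc_disposition(REJECTING_PROVIDER, "yahoo.com",
                             spf_domain="courtlistener.com", dkim_domain="courtlistener.com")

def fixed_form_case():
    """Assumed remedy: From: on our own domain (visitor's address in Reply-To),
    so our own policy is consulted and the identifiers align."""
    return dmarc_disposition(CL_POLICY, "courtlistener.com",
                             spf_domain="courtlistener.com", dkim_domain="courtlistener.com")
```

With `FLP_RELAXED`, mail from mail.freelawproject.org whose SPF passes for freelawproject.org aligns; with `FLP_STRICT` the same message fails and is quarantined.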