Moved as issue from another repo. We need multiple steps here:
Add SPF txt record to plone.org domain for all servers allowed to send outgoing e-mail. This shouldn't be many as most of our own services/plone sites should use mailgun as their outgoing smtp host. And we need to include google for our google workspace e-mail.
DKIM signs all outgoing e-mails with an encrypted hash calculated over several fields in the e-mail with a public/private key pair. The public part of the key is stored under a label on a txt record on plone.org domain. Receiving smtp servers can request the public key and verify the integrity of the e-mail.
DMARC sets a policy on the plone.org domain that other SMTP servers can retrieve to see what the owners of plone.org would like to have checked SPF- and DKIM-wise.
When we start adding SPF and DKIM, we should first set the DMARC policy to be lenient and only report failing validations. It is also possible to set a reporting server address in the DMARC policy where smtp servers can report the issue with one post request.
Once plone.org is fixed, we should also look at other domains like ploneconf.org
Note: there is also still lists.plone.org (which is almost completely outside our control). It may be worth it to move the few lists that are still there to google workspace.
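An offline lint for the records this rollout calls for, added here as an illustration and not part of the original issue or any Plone tooling. The include targets (`mailgun.org`, `_spf.google.com`), the report address, and all record strings are assumptions or constructed samples, not plone.org's real DNS data.

```python
# Added example: lint SPF and DMARC TXT record strings for the staged rollout
# described above (SPF for Mailgun + Google, DMARC in report-only mode first).

REQUIRED_INCLUDES = {"mailgun.org", "_spf.google.com"}  # assumed include targets


def lint_spf(record):
    """Return a list of problems found in one SPF TXT record string."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["not an SPF record (must start with v=spf1)"]
    includes = {t.split(":", 1)[1].lower()
                for t in terms if t.lower().startswith("include:")}
    problems = [f"missing include:{name}"
                for name in sorted(REQUIRED_INCLUDES - includes)]
    if terms[-1].lower() not in ("~all", "-all"):
        problems.append("record should end with ~all or -all")
    return problems


def lint_dmarc(record):
    """Return problems that would break a report-only DMARC rollout."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        return ["not a DMARC record (must start with v=DMARC1)"]
    problems = []
    policy = tags.get("p")
    if policy not in ("none", "quarantine", "reject"):
        problems.append("missing or invalid p= tag")
    elif policy != "none":
        problems.append(f"p={policy} enforces at once; start with p=none")
    if not tags.get("rua"):
        problems.append("no rua= address, so failures are never reported")
    return problems


# Constructed sample records (placeholders, not real DNS answers).
SPF_OK = "v=spf1 include:mailgun.org include:_spf.google.com ~all"
SPF_BAD = "v=spf1 include:_spf.google.com +all"
DMARC_OK = "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.org"
DMARC_BAD = "v=DMARC1; p=reject"

if __name__ == "__main__":
    for rec in (SPF_OK, SPF_BAD):
        print(rec, "->", lint_spf(rec) or "ok")
    for rec in (DMARC_OK, DMARC_BAD):
        print(rec, "->", lint_dmarc(rec) or "ok")
```

The same two functions can be pointed at the TXT answers for ploneconf.org or any other domain once its records are drafted.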