shorebirdtech / shorebird

Code Push for Flutter and other tools for Flutter businesses.
https://shorebird.dev

fix: shorebird.dev DKIM/SPF/DMARC not fully set up #1626

Open eseidel opened 6 months ago

eseidel commented 6 months ago

Not entirely sure why.

From using: https://www.learndmarc.com/

neo.learndmarc.com
>> Running DKIM
------------------
I see you've included a DKIM signature. I've retrieved the public key from 20230601._domainkey.shorebird-dev.20230601.gappssmtp.com
The signature passed validation. The Auth Result is pass.

neo.learndmarc.com
>> Running DMARC
------------------
I've found the following DMARC policy at _dmarc.shorebird.dev: "v=DMARC1; p=none; rua=mailto:dmarc-reports@shorebird.dev".
Found policy: none.

The DMARC record does not specify the 'aspf' and 'adkim' elements, causing them to default to 'r' (relaxed).
This means that any subdomains are ignored by the alignment check. In relaxed mode, foo.example.com aligns with bar.example.com. In strict mode, the alignment will fail.

neo.learndmarc.com
>> Running Identifier Alignment verification
--------------------------------------------
SPF domain shorebird.dev aligns with the RFC5322.From domain shorebird.dev. Alignment is pass.
DKIM domain does not align with RFC5322.From domain (gappssmtp.com != shorebird.dev). Alignment mode: relaxed.

neo.learndmarc.com
>> Finalizing DMARC
-------------------
SPF auth result is pass and SPF domain is in alignment. DMARC SPF result is pass.
DKIM auth result is pass, but the DKIM domain is not in alignment. DMARC DKIM result is fail.

Because the SPF test passed and the domains are in alignment, the DMARC result is pass.

https://apps.google.com/supportwidget/articlehome?hl=en&article_url=https%3A%2F%2Fsupport.google.com%2Fa%2Fanswer%2F180504%3Fhl%3Den&assistant_id=generic-unu&product_context=180504&product_name=UnuFlow&trigger_context=a
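
As an added example (not from this issue or the Shorebird project), the following Python evaluator reproduces the alignment logic the learndmarc output walks through: it parses the DMARC record, defaults aspf/adkim to relaxed, compares organizational domains, and derives the DMARC result and the disposition a receiver would apply. The small public-suffix table is an assumption, and the DKIM d= domain is inferred from the selector path quoted above.

```python
# Stand-in for the Public Suffix List; a real evaluator must use the full
# list (assumption made to keep the example self-contained and offline).
PUBLIC_SUFFIXES = {"com", "dev", "net", "org", "co.uk"}


def organizational_domain(domain: str) -> str:
    """Public suffix plus one label, e.g. a.b.gappssmtp.com -> gappssmtp.com."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[max(i - 1, 0):])
    return ".".join(labels[-2:])


def parse_dmarc(record: str) -> dict:
    """Parse 'v=DMARC1; p=none; ...' into tags; aspf/adkim default to relaxed ('r')."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = value.strip()
    tags.setdefault("aspf", "r")
    tags.setdefault("adkim", "r")
    return tags


def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """Strict ('s') needs an exact match; relaxed ('r') compares organizational domains."""
    auth, frm = auth_domain.lower().rstrip("."), from_domain.lower().rstrip(".")
    if mode == "s":
        return auth == frm
    return organizational_domain(auth) == organizational_domain(frm)


def evaluate_dmarc(record: str, from_domain: str, spf_result: str, spf_domain: str,
                   dkim_result: str, dkim_domain: str) -> dict:
    """DMARC passes if SPF or DKIM passed AND that identifier aligns with RFC5322.From."""
    tags = parse_dmarc(record)
    spf_ok = spf_result == "pass" and aligned(spf_domain, from_domain, tags["aspf"])
    dkim_ok = dkim_result == "pass" and aligned(dkim_domain, from_domain, tags["adkim"])
    dmarc = "pass" if (spf_ok or dkim_ok) else "fail"
    # The p= tag only applies on failure; p=none means "report, but still deliver".
    disposition = "none" if dmarc == "pass" else tags.get("p", "none")
    return {"spf": "pass" if spf_ok else "fail", "dkim": "pass" if dkim_ok else "fail",
            "dmarc": dmarc, "disposition": disposition}


# Values from the learndmarc output above; d= is inferred from the selector path.
SHOREBIRD_RECORD = "v=DMARC1; p=none; rua=mailto:dmarc-reports@shorebird.dev"
DKIM_SIGNING_DOMAIN = "shorebird-dev.20230601.gappssmtp.com"
```

Running `evaluate_dmarc(SHOREBIRD_RECORD, "shorebird.dev", "pass", "shorebird.dev", "pass", DKIM_SIGNING_DOMAIN)` yields SPF pass, DKIM fail (gappssmtp.com is not shorebird.dev), DMARC pass, matching the report; with both identifiers failing, the current p=none record still yields disposition "none".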

eseidel commented 2 months ago

Also our DMARC is currently set to "p=none" rather than "p=reject" which is what it probably should be. Basically our DMARC just causes mail to come to me, it doesn't actually cause receivers to reject mail that didn't originate from us.

FYI @bryanoltman as this may affect our mailer code.

eseidel commented 1 month ago

Reasons to do this:

  1. We have to eventually.
  2. Without it we get script kiddies sending us "OMG your site has a vulnerability plz pay me" emails.
  3. Would improve delivery of our mailing list.