Page MenuHomePhabricator

Set up SPF records for domains we control
Closed, ResolvedPublic

Description

We should eventually configure SPF DNS records for phabricator.org (none), phacility.com (Google Domains), and phabricator.com (SES). This would reduce an attacker's ability to create email which appeared to originate from the Phabricator system or our corporate accounts.

I think the risk here is very low and SPF is not trivial to understand and test, so I don't plan to do this anytime soon, although we should probably do it before we do anything with payments.

Event Timeline

epriestley raised the priority of this task from to Low.
epriestley updated the task description. (Show Details)
epriestley added projects: Security, Mail.
epriestley added subscribers: epriestley, btrahan, chad.

Support Impact This is just support impact from HackerOne researchers each reporting this issue. We should resolve it before SAAS.

epriestley moved this task from Backlog to v0 Closed Beta on the Phacility board.

I think these are done:

  • phacility.com should now have valid SPF records (Google Domains at the apex, Mailgun at subdomains).
  • phacility.net should now have valid SPF records (no mail).
  • phabricator.org should now have valid SPF records (no mail).

These aren't, yet:

  • phabricator.com needs SPF, but I may want to switch it to Mailgun. (I'm using Mailgun over SES because Mailgun handles inbound mail too.)

Phacility part of this seems to be holding, we don't need to address phabricator.com as a launch item.

This is mostly configured and has calmed to a quiet background hum on HackerOne.

revi added a subscriber: revi.Sep 27 2015, 2:42 AM
epriestley closed this task as Resolved.Dec 12 2016, 9:44 PM
epriestley claimed this task.

This got done at some point, I believe, since we have an SPF record now.