Page MenuHomePhabricator
Create Task
Maniphest T4439

Set up SPF records for domains we control
Closed, ResolvedPublic
Actions

Description

We should eventually configure SPF DNS records for phabricator.org (none), phacility.com (Google Domains), and phabricator.com (SES). This would reduce an attacker's ability to create email which appeared to originate from the Phabricator system or our corporate accounts.

I think the risk here is very low and SPF is not trivial to understand and test, so I don't plan to do this anytime soon, although we should probably do it before we do anything with payments.

Event Timeline

epriestley created this task.Feb 16 2014, 4:32 PM
epriestley raised the priority of this task from to Low.
epriestley updated the task description. (Show Details)
epriestley added projects: Security, Mail.
epriestley added subscribers: epriestley, btrahan, chad.
epriestley added a project: Support Impact.Oct 3 2014, 4:20 AM

Support Impact This is just support impact from HackerOne researchers each reporting this issue. We should resolve it before SAAS.

epriestley added a project: Phacility.Nov 22 2014, 8:19 PM
epriestley moved this task from Backlog to v0 Closed Beta on the Phacility board.
epriestley added a comment.Nov 22 2014, 8:54 PM

I think these are done:

  • phacility.com should now have valid SPF records (Google Domains at the apex, Mailgun at subdomains).
  • phacility.net should now have valid SPF records (no mail).
  • phabricator.org should now have valid SPF records (no mail).

These aren't, yet:

  • phabricator.com needs SPF, but I may want to switch it to Mailgun. (I'm using Mailgun over SES because Mailgun handles inbound mail too.)
epriestley removed a project: Phacility.Dec 6 2014, 3:50 PM

Phacility part of this seems to be holding, we don't need to address phabricator.com as a launch item.

epriestley removed a project: Support Impact.Jan 5 2015, 11:50 PM

This is mostly configured and has calmed to a quiet background hum on HackerOne.

revi added a subscriber: revi.Sep 27 2015, 2:42 AM
Herald added subscribers: cspeckmim, andypuettmann. · View Herald TranscriptSep 27 2015, 2:42 AM
cspeckmim removed a subscriber: cspeckmim.Oct 7 2015, 2:50 AM
epriestley closed this task as Resolved.Dec 12 2016, 9:44 PM
epriestley claimed this task.

This got done at some point, I believe, since we have an SPF record now.

Herald added a subscriber: eadler. · View Herald TranscriptDec 12 2016, 9:44 PM
Phabricator · Built by Phacility