
Set up SPF records for domains we control
Closed, ResolvedPublic


We should eventually configure SPF DNS records for (none), (Google Domains), and (SES). This would reduce an attacker's ability to create email which appeared to originate from the Phabricator system or our corporate accounts.

I think the risk here is very low and SPF is not trivial to understand and test, so I don't plan to do this anytime soon, although we should probably do it before we do anything with payments.

Event Timeline

epriestley raised the priority of this task from to Low.
epriestley updated the task description.
epriestley added projects: Security, Mail.
epriestley added subscribers: epriestley, btrahan, chad.

Support Impact: This is just support impact from HackerOne researchers each reporting this issue. We should resolve it before SAAS.

I think these are done:

  • should now have valid SPF records (Google Domains at the apex, Mailgun at subdomains).
  • should now have valid SPF records (no mail).
  • should now have valid SPF records (no mail).

These aren't, yet:

  • needs SPF, but I may want to switch it to Mailgun. (I'm using Mailgun over SES because Mailgun handles inbound mail too.)
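As an added illustration of the three record shapes listed above (a provider include at the apex, a different include at a mail subdomain, and a bare `-all` for domains that send no mail), here is a small SPF evaluator written for this page; it is not Phabricator or Phacility code. The zone, the provider address ranges (documentation prefixes, not the providers' real ranges) and the `include` lookups are constructed stand-ins read from an in-memory dict rather than DNS.

```python
import ipaddress

# Constructed example zone (not the task's real DNS data): what "Google
# Domains at the apex, Mailgun at subdomains, no mail elsewhere" looks like.
ZONE = {
    "example.com":        "v=spf1 include:_spf.google.com -all",
    "mail.example.com":   "v=spf1 include:mailgun.org -all",
    "nomail.example.org": "v=spf1 -all",
    # stand-ins for the providers' own records, using documentation prefixes
    "_spf.google.com":    "v=spf1 ip4:192.0.2.0/24 -all",
    "mailgun.org":        "v=spf1 ip4:198.51.100.0/24 ~all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def check_spf(domain, sender_ip, depth=0):
    """Evaluate sender_ip against domain's SPF record using the ip4, include
    and all terms of RFC 7208. Returns pass/fail/softfail/neutral/none/permerror."""
    record = ZONE.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"           # domain publishes no SPF policy at all
    if depth > 10:              # RFC 7208 caps DNS-querying terms at 10
        return "permerror"
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qual = "+"
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        if term == "all":       # catch-all: decides everything not matched
            return QUALIFIERS[qual]
        name, _, arg = term.partition(":")
        if name == "ip4":
            if ip in ipaddress.ip_network(arg, strict=False):
                return QUALIFIERS[qual]
        elif name == "include":
            # include matches only when the referenced policy returns pass
            if check_spf(arg, sender_ip, depth + 1) == "pass":
                return QUALIFIERS[qual]
        else:
            return "permerror"  # mechanism not supported by this evaluator
    return "neutral"            # record ended without an 'all' term
```

A sender using the subdomain provider's range is rejected at the apex, and any sender at all is rejected for the `-all` domain, which is the spoofing protection the task is after.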

The Phacility part of this seems to be holding; we don't need to address it as a launch item.

This is mostly configured and has calmed to a quiet background hum on HackerOne.

epriestley claimed this task.

This got done at some point, I believe, since we have an SPF record now.