Closed Bug 1839077 Opened 2 years ago Closed 6 days ago

Set up DKIM, SPF, DMARC records for mozilla.ro domain

Categories

(Infrastructure & Operations :: DNS and Domain Registration, defect)

Tracking

(Not tracked)

VERIFIED FIXED

People

(Reporter: cristian.silaghi, Assigned: gcox)

Details

I was informed a long time ago that email spoofing could be possible due to the lack of DMARC records for mozilla.ro.

Can you please set up DMARC records for us?

Michael, can you help us?

Flags: needinfo?(me)

I am not involved with the Community sites anymore, and in fact never actually had access to do these operations. At this point I unfortunately also don't know who could actually help here, sorry.

Flags: needinfo?(me)

Hey, not sure what happened here.

What gsuite account are the emails managed in? I'm not seeing them in our community one.

(In reply to Stefan Costen [Costenslayer [MCWS]] from comment #3)

> Hey, not sure what happened here.
>
> What gsuite account are the emails managed in? I'm not seeing them in our community one.

Huh? I don't quite understand your question. 🤔

Flags: needinfo?(stefancosten)

Can you help us with this? 🤔

Flags: needinfo?(konstantina)

As far as I understand, in order to enable DMARC, DKIM and SPF need to be enabled first
https://support.google.com/a/answer/2466580?sjid=15564686547441391421-EU

Mozilla only manages the domain and DNS, it doesn't have access to Google Apps for the mozilla.ro domain.

For DKIM, it looks like a record needs to be generated from the console, and the value put in a TXT record
https://support.google.com/a/answer/174124?hl=en

Assignee: nobody → infra
Component: Mozilla Community Sites → DNS and Domain Registration
Flags: needinfo?(stefancosten)
Flags: needinfo?(konstantina)
Product: Websites → Infrastructure & Operations
Summary: Set up DMARC records on @mozilla.ro → Set up DKIM, SPF, DMARC records for mozilla.ro domain

(In reply to Francesco Lodolo [:flod] from comment #6)

> As far as I understand, in order to enable DMARC, DKIM and SPF need to be enabled first
> https://support.google.com/a/answer/2466580?sjid=15564686547441391421-EU
>
> Mozilla only manages the domain and DNS, it doesn't have access to Google Apps for the mozilla.ro domain.
>
> For DKIM, it looks like a record needs to be generated from the console, and the value put in a TXT record
> https://support.google.com/a/answer/174124?hl=en

https://easydmarc.com/tools/spf-lookup?domain=mozilla.ro

SPF is enabled, but DKIM is not.

I have access to Google Apps for the mozilla.ro domain, but I don’t have access to manage its DNS records.

I can generate the DKIM record in https://admin.google.com/, but... who can update the DNS records for mozilla.ro to add the DKIM I generate? 🤔

Please add the DKIM record here, I'll see if I can find someone to look at this bug next week.

The SPF record looks incorrect if you're only sending emails from the web interface

 v=spf1 ip4:46.105.10.235 mx ~all 

Looks like this was set up to send emails from an OVH server, likely the old VPS.

(In reply to Francesco Lodolo [:flod] from comment #8)

> Please add the DKIM record here, I'll see if I can find someone to look at this bug next week.
>
> The SPF record looks incorrect if you're only sending emails from the web interface
>
> v=spf1 ip4:46.105.10.235 mx ~all
>
> Looks like this was set up to send emails from an OVH server, likely the old VPS.

Here you go.

DNS Host name (TXT record name):
google._domainkey

TXT record value:
v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwABkdNrSLPmjtYPuXLwZJCG0XjG94Rrs+sq98k01wslUTT7U6dPCC966A2JgFS+2K+9bv61/XL0QG1p3IItLWOyRz7AXRIBnKe0B5SoPQA0rHudDfoULsC/j5BJHxHrXrfyS1vzwyPGhEm5YUw2dwU44FA3cXF1dGtYUiOrjrP2RgsnKttIqReUThKOgAMrOfWTBOZPRaG5bLY388X/kysNMpLV9l0/kI6GFIdVr722CiRVsPg1L3ikx035rnHtTWq3lU+qxoZLyHdbiKYAG/7GiBX8QB8CF9vJSXb+GFPywCWUKPSPYuFmk5ElBOIz7isWt+mJ8hdQkK4yNDUbvewIDAQAB

After the DKIM record is successfully added to the domain's DNS settings, I will need to press 'Start authentication' on the same page where I generated the DKIM record. 🤔

(In reply to Cristian Silaghi from comment #9)

> (In reply to Francesco Lodolo [:flod] from comment #8)
>
> > The SPF record looks incorrect if you're only sending emails from the web interface

No changes made to SPF. If you want changes, let me know what you want.

> DNS Host name (TXT record name):
> google._domainkey

Because the DKIM key was 2048b, the TXT record came out to be ~410char, and our DNS has a 255char limit on TXT, I had to split the key into 2 records, which (despite dig +short @1.1.1.1 google._domainkey.mozilla.ro TXT looking awkward) seems to be spec-acceptable for long keys? If it works, great, if not, circle back with a 1024b key (which I know will fit), or we can dig in on this some more.

(In reply to Greg Cox [:gcox] from comment #10)

> No changes made to SPF. If you want changes, let me know what you want.

Since we no longer use the old OVH server, I guess we need the following SPF record:

 v=spf1 include:_spf.google.com ~all 

This should be enough, right? 🤔

> Because the DKIM key was 2048b, the TXT record came out to be ~410char, and our DNS has a 255char limit on TXT, I had to split the key into 2 records, which (despite dig +short @1.1.1.1 google._domainkey.mozilla.ro TXT looking awkward) seems to be spec-acceptable for long keys? If it works, great, if not, circle back with a 1024b key (which I know will fit), or we can dig in on this some more.

Google tells me, "Please allow 48 hours for DNS to update and make sure you entered the correct TXT record into your domain provider's DNS settings page." I'll wait a bit before trying again to start authentication.

(In reply to Cristian Silaghi from comment #11)

> Since we no longer use the old OVH server, I guess we need the following SPF record:
>
> v=spf1 include:_spf.google.com ~all
>
> This should be enough, right? 🤔

I'm no expert on SPF, so "you asked for it and it doesn't trip any alarms in my head, I do it."
Was "v=spf1 ip4:46.105.10.235 mx ~all", now "v=spf1 include:_spf.google.com ~all".

> I'll wait a bit before trying again to start authentication.

okeydokey, happy weekend to ya.
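Added example, not from this bug: a minimal SPF check_host() in Python covering only the mechanisms that appear in this thread (ip4, mx, include and all, with qualifiers), evaluated offline against a constructed stub resolver. The two records are the ones quoted above; the sender IP addresses, the MX host, and the contents of _spf.google.com are constructed for illustration (Google's real record is resolved live and is far larger). It shows why the OVH address passed under the old record and softfails under the new one, and the reverse for a Google-range address.

```python
"""Minimal SPF evaluator (ip4 / mx / include / all) with a stub resolver."""
import ipaddress

OLD_SPF = "v=spf1 ip4:46.105.10.235 mx ~all"      # record from comment 8 (OVH VPS era)
NEW_SPF = "v=spf1 include:_spf.google.com ~all"   # record requested in comment 11

# Constructed stub DNS data so the evaluator needs no network.  The real
# _spf.google.com record is much larger; this subset is for illustration only.
STUB_DNS = {
    "txt": {
        "mozilla.ro": NEW_SPF,
        "_spf.google.com": "v=spf1 ip4:209.85.128.0/17 ~all",   # constructed subset
    },
    "mx": {"mozilla.ro": ["aspmx.l.google.com"]},               # constructed
    "a": {"aspmx.l.google.com": ["209.85.128.10"]},             # constructed
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_host(ip, domain, record=None, dns=STUB_DNS, depth=0):
    """Evaluate `record` (or the domain's TXT record) for sender IP `ip`.

    Returns the SPF result string as RFC 7208 section 2.6 names them:
    pass / fail / softfail / neutral / none / permerror.
    """
    if depth > 10:                       # rough stand-in for the RFC 7208 lookup limit
        return "permerror"
    record = record or dns["txt"].get(domain)
    if not record or record.split()[0] != "v=spf1":
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qualifier = "+"                  # mechanisms default to '+' (pass on match)
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.lower().partition(":")
        if name == "all":
            matched = True
        elif name == "ip4":              # bare address is treated as a /32
            matched = addr in ipaddress.ip_network(arg, strict=False)
        elif name == "mx":               # any A record of the domain's MX hosts
            hosts = dns["mx"].get(arg or domain, [])
            matched = any(str(addr) in dns["a"].get(h, []) for h in hosts)
        elif name == "include":          # only a 'pass' from the included record matches
            matched = check_host(ip, arg, dns=dns, depth=depth + 1) == "pass"
        else:                            # a, ptr, exists, redirect= etc. not modelled
            return "permerror"
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"                     # nothing matched and no 'all' mechanism


def compare(ip):
    """Result of the same sender IP under the old and the new mozilla.ro record."""
    return {"old": check_host(ip, "mozilla.ro", record=OLD_SPF),
            "new": check_host(ip, "mozilla.ro", record=NEW_SPF)}


if __name__ == "__main__":
    for sender in ("46.105.10.235", "209.85.220.41", "209.85.128.10"):
        print(sender, compare(sender))
```

The `~all` at the end is what makes unknown senders softfail rather than fail; DMARC (added later in this bug) is what turns that into a reject decision, SPF on its own only annotates the message.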

(In reply to Greg Cox [:gcox] from comment #12)

> (In reply to Cristian Silaghi from comment #11)
>
> > Since we no longer use the old OVH server, I guess we need the following SPF record:
> >
> > v=spf1 include:_spf.google.com ~all
> >
> > This should be enough, right? 🤔
>
> I'm no expert on SPF, so "you asked for it and it doesn't trip any alarms in my head, I do it."
> Was "v=spf1 ip4:46.105.10.235 mx ~all", now "v=spf1 include:_spf.google.com ~all".
>
> > I'll wait a bit before trying again to start authentication.
>
> okeydokey, happy weekend to ya.

Looks like it still doesn't work. 🤔 Perhaps the DKIM key is not split correctly?

Can you try with this tool? https://mailhardener.com/tools/dns-record-splitter

I would prefer using a 2048-bit DKIM key, since it offers much stronger cryptographic security.

From what I see now, we have this set for DKIM:

v=DKIM1;k=rsa;p="MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwABkdNrSLPmjtYPuXLwZJCG0XjG94Rrs+sq98k01wslUTT7U6dPCC966A2JgFS+2K+9bv61/XL0QG1p3IItLWOyRz7AXRIBnKe0B5SoPQA0rHudDfoULsC/j5BJHxHrXrfyS1vzwyPGhEm5YUw2dwU44FA3cXF1dGtYUiOrjrP2RgsnKttIqReUThKOgAMrOf", "WTBOZPRaG5bLY388X/kysNMpLV9l0/kI6GFIdVr722CiRVsPg1L3ikx035rnHtTWq3lU+qxoZLyHdbiKYAG/7GiBX8QB8CF9vJSXb+GFPywCWUKPSPYuFmk5ElBOIz7isWt+mJ8hdQkK4yNDUbvewIDAQAB"

I assume the problem is that the quotes are only used around the value of p.

Because there’s an example from Google showing that quotes should be used around the entire TXT value, not just for p: https://support.google.com/a/answer/11612790

Can you try this?

"v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwABkdNrSLPmjtYPuXLwZJCG0XjG94Rrs+sq98k01wslUTT7U6dPCC966A2JgFS+2K+9bv61/XL0QG1p3IItLWOyRz7AXRIBnKe0B5SoPQA0rHudDfoULsC/"

"j5BJHxHrXrfyS1vzwyPGhEm5YUw2dwU44FA3cXF1dGtYUiOrjrP2RgsnKttIqReUThKOgAMrOfWTBOZPRaG5bLY388X/kysNMpLV9l0/kI6GFIdVr722CiRVsPg1L3ikx035rnHtTWq3lU+qxoZLyHdbiKYAG/7GiBX8QB8CF9vJSXb+GFPywCWUKPSPYuFmk5ElBOIz7isWt+mJ8hdQkK4yNDUbvewIDAQAB"

I'm hopeful it will work once we set it up like this. 🤔

It worked now! 😊 DKIM authentication is now set.

So the last thing remaining is DMARC, am I right? I’m not exactly sure how it should be set up. 🤔

DKIM notes for Future Me:

  • Infoblox says a record can only be 255ch, and it complains if you go longer.
  • Infoblox doesn't aim you at the real solution, that one 'record' in the GUI can have multiple values if you just put a space in the value.
  • there are a lot of theoretical notes out there in searches, but very little practical. There's a lot of distractions here between "add quotes" and "it's BIND so do a parentheses wrapper" and "do multiple GUI records for the same name."
  • quotes don't help here; they're actually harmful. It's "just add spaces".
  • the actual placement of the split doesn't matter so long as you don't go long; multiple joins can happen and it doesn't have to be perfect, according to the spec.
  • THAT SAID, drop the spaces at the beginning (i.e. v=DKIM1;k=rsa;p=BLAH not v=DKIM1; k=rsa; p=BLAH) - it's spec-valid and makes character counts / pastes easier.
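Added example, not from this bug: a Python script that does what comment 10 and the notes above describe, splitting a DKIM TXT value longer than 255 characters into several character-strings of one TXT record, reassembling them the way a verifier does, and sanity-checking the published key by walking the DER structure of the p= value (no third-party library needed). The key bytes are the ones posted in comment 9; the record layout, the function names, and the "broken" variant with literal quote characters inside the data are constructed for illustration.

```python
"""Split / rejoin a long DKIM TXT value and sanity-check the RSA public key."""
import base64
import binascii

# Public key as posted in comment 9 (392 base64 chars = 294 DER bytes).
DKIM_P = (
    "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwABkdNrSLPmjtYPuXLwZJCG0Xj"
    "G94Rrs+sq98k01wslUTT7U6dPCC966A2JgFS+2K+9bv61/XL0QG1p3IItLWOyRz7AXRIBn"
    "Ke0B5SoPQA0rHudDfoULsC/j5BJHxHrXrfyS1vzwyPGhEm5YUw2dwU44FA3cXF1dGtYUiO"
    "rjrP2RgsnKttIqReUThKOgAMrOfWTBOZPRaG5bLY388X/kysNMpLV9l0/kI6GFIdVr722C"
    "iRVsPg1L3ikx035rnHtTWq3lU+qxoZLyHdbiKYAG/7GiBX8QB8CF9vJSXb+GFPywCWUKPS"
    "PYuFmk5ElBOIz7isWt+mJ8hdQkK4yNDUbvewIDAQAB"
)
DKIM_TXT = "v=DKIM1; k=rsa; p=" + DKIM_P          # 410 chars, as in comment 9
RECORD_NAME = "google._domainkey.mozilla.ro"
# Constructed: what you get if the quote characters are typed into the GUI
# and become part of the record data instead of delimiting it.
BROKEN_TXT = 'v=DKIM1;k=rsa;p="' + DKIM_P + '"'


def split_txt(value, limit=255):
    """Cut a TXT value into character-strings of at most `limit` chars.
    DNS attaches no meaning to where the cut falls; the verifier joins them back."""
    return [value[i:i + limit] for i in range(0, len(value), limit)]


def zone_rdata(strings):
    """Zone-file / dig presentation: each string quoted, separated by a space."""
    return " ".join('"%s"' % s for s in strings)


def join_txt(strings):
    """What a DKIM verifier does with a multi-string TXT RR: concatenate the
    strings with nothing in between (RFC 6376 section 3.6.2.2)."""
    return "".join(strings)


def parse_dkim(txt):
    """tag=value list separated by ';'; whitespace around tags and inside p= is ignored."""
    tags = {}
    for item in txt.split(";"):
        if not item.strip():
            continue
        name, sep, val = item.partition("=")
        if not sep:
            raise ValueError("bad tag: %r" % item)
        tags[name.strip()] = "".join(val.split())   # drop folding whitespace
    if tags.get("v", "DKIM1") != "DKIM1" or "p" not in tags:
        raise ValueError("not a DKIM key record")
    return tags


def _der(buf, i):
    """Read one DER TLV at offset i; return (tag, value, next_offset)."""
    tag, length = buf[i], buf[i + 1]
    i += 2
    if length & 0x80:                    # long form: next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[i:i + n], "big")
        i += n
    return tag, buf[i:i + length], i + length


def rsa_key_info(p_b64):
    """Return (modulus_bits, public_exponent) of an RSA SubjectPublicKeyInfo."""
    spki = base64.b64decode(p_b64, validate=True)   # rejects stray quotes etc.
    tag, body, _ = _der(spki, 0)                    # SubjectPublicKeyInfo SEQUENCE
    if tag != 0x30:
        raise ValueError("not a SEQUENCE")
    _, _alg, i = _der(body, 0)                      # AlgorithmIdentifier (rsaEncryption)
    tag, bits, _ = _der(body, i)                    # BIT STRING wrapping RSAPublicKey
    if tag != 0x03:
        raise ValueError("expected BIT STRING")
    _, rsa, _ = _der(bits[1:], 0)                   # skip the unused-bits byte
    tag_n, n, i = _der(rsa, 0)                      # modulus INTEGER
    tag_e, e, _ = _der(rsa, i)                      # publicExponent INTEGER
    if tag_n != 0x02 or tag_e != 0x02:
        raise ValueError("expected INTEGERs")
    return int.from_bytes(n, "big").bit_length(), int.from_bytes(e, "big")


def key_ok(txt):
    """True if the record parses and its p= value is a usable RSA key."""
    try:
        bits, _ = rsa_key_info(parse_dkim(txt)["p"])
        return bits >= 1024
    except (ValueError, binascii.Error, IndexError):
        return False


if __name__ == "__main__":
    parts = split_txt(DKIM_TXT)
    print(RECORD_NAME, "TXT", zone_rdata(parts))
    print("key:", rsa_key_info(parse_dkim(join_txt(parts))["p"]))
    print("quotes as data:", key_ok(BROKEN_TXT))
```

The split point is arbitrary (a cut every 100 characters rejoins just as well), which is the "placement doesn't matter" note above in code form; the quotes-as-data case fails at base64 decoding, which matches the symptom seen before the record was fixed.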

Can you set the following DMARC for us?

v=DMARC1; p=reject; adkim=s; aspf=s

I guess this should be enough. 🤔

Alrighty, strict modes incoming. Added:
_dmarc.mozilla.ro TXT v=DMARC1;p=reject;adkim=s;aspf=s
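Added example, not from this bug: Python that parses the DMARC record just added and shows what adkim=s / aspf=s (strict identifier alignment) change compared with the relaxed default. The record is the one from this comment; the message scenarios, the function names, and the two-label approximation of the organizational domain (real implementations use the Public Suffix List) are constructed for illustration.

```python
"""Parse a DMARC record and apply strict vs relaxed identifier alignment."""

DMARC_TXT = "v=DMARC1;p=reject;adkim=s;aspf=s"    # as added for _dmarc.mozilla.ro


def parse_dmarc(txt):
    """DMARC is a ';'-separated tag=value list; v=DMARC1 must come first."""
    tags = {}
    for item in txt.split(";"):
        if not item.strip():
            continue
        name, sep, val = item.partition("=")
        if not sep:
            raise ValueError("bad tag: %r" % item)
        tags[name.strip().lower()] = val.strip()
    if list(tags)[:1] != ["v"] or tags["v"] != "DMARC1" or "p" not in tags:
        raise ValueError("not a valid DMARC record")
    if tags["p"] not in ("none", "quarantine", "reject"):
        raise ValueError("unknown policy %r" % tags["p"])
    for tag in ("adkim", "aspf"):            # both default to relaxed
        tags.setdefault(tag, "r")
        if tags[tag] not in ("r", "s"):
            raise ValueError("%s must be r or s" % tag)
    return tags


def organizational_domain(domain):
    """Constructed simplification: last two labels.  Real implementations
    consult the Public Suffix List so that e.g. example.co.uk works."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(from_domain, auth_domain, mode):
    """Strict ('s'): exact match.  Relaxed ('r'): same organizational domain."""
    if mode == "s":
        return from_domain.lower().rstrip(".") == auth_domain.lower().rstrip(".")
    return organizational_domain(from_domain) == organizational_domain(auth_domain)


def dmarc_disposition(record, from_domain, dkim_d=None, dkim_pass=False,
                      spf_domain=None, spf_pass=False):
    """'pass' if at least one passing authenticated identifier (DKIM d= or the
    SPF-checked envelope domain) aligns with the From: domain; otherwise the
    record's p= policy applies."""
    tags = parse_dmarc(record)
    dkim_ok = bool(dkim_pass and dkim_d and aligned(from_domain, dkim_d, tags["adkim"]))
    spf_ok = bool(spf_pass and spf_domain and aligned(from_domain, spf_domain, tags["aspf"]))
    return "pass" if (dkim_ok or spf_ok) else tags["p"]


if __name__ == "__main__":
    # Constructed scenarios for mail claiming to be From: someone@mozilla.ro.
    print("signed d=mozilla.ro:      ", dmarc_disposition(DMARC_TXT, "mozilla.ro", "mozilla.ro", True))
    print("signed d=mail.mozilla.ro: ", dmarc_disposition(DMARC_TXT, "mozilla.ro", "mail.mozilla.ro", True))
    print("same, relaxed adkim:      ", dmarc_disposition("v=DMARC1; p=reject", "mozilla.ro", "mail.mozilla.ro", True))
    print("unsigned, SPF pass only:  ", dmarc_disposition(DMARC_TXT, "mozilla.ro", spf_domain="mozilla.ro", spf_pass=True))
    print("no authentication at all: ", dmarc_disposition(DMARC_TXT, "mozilla.ro"))
```

The practical consequence of the strict modes: a DKIM signature with d=mozilla.ro (which is what the google._domainkey selector above produces) aligns, but mail signed by or enveloped from any subdomain of mozilla.ro is treated as unauthenticated and rejected, so any future subdomain sender needs its own signing or a relaxed setting.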

Thanks for all the help, Greg.

I can see DMARC and DKIM correctly: https://mxtoolbox.com/SuperTool.aspx?action=dkim%3amozilla.ro%3a_domainkey.google&run=toolpage

Note that we're investigating a separate problem with the address being bounced by mozilla.com (that's on service desk plate).

Assignee: infra → gcox
Status: NEW → RESOLVED
Closed: 6 days ago
Resolution: --- → FIXED
Status: RESOLVED → VERIFIED