TODO: https://github.com/GSA/data.gov/issues/3798
Data.gov uses postfix with smtp.gsa.gov as a relay to send all email within the BSP environment. BOD 18-01 governs some of our configuration and includes SPF and DMARC.
Note: In October 2020, our sending address was changed to data.gsa.gov for compatibility with GSA's SMTP servers. Eventually, we'd like to be using data.gov again.
Most email we send goes through Postfix installed on localhost. Postfix includes some sender rewrite rules that map mail from localhost to @data.gsa.gov. Some applications still need their own configuration to work, mostly a correct FROM address.
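One way to express such a rewrite in Postfix, added here as an illustration of the mechanism and not the project's actual configuration: `sender_canonical_maps` rewrites the envelope sender and the `From:` header of every message as it enters the queue, so anything the system generates as `user@localhost` leaves as `user@data.gsa.gov`. The BSP hostname pattern is a placeholder.

```text
# /etc/postfix/main.cf  (example only)
relayhost = [smtp.gsa.gov]
sender_canonical_classes = envelope_sender, header_sender
sender_canonical_maps = regexp:/etc/postfix/sender_canonical.regexp

# /etc/postfix/sender_canonical.regexp
# Sender addresses that would fail SPF at the relay are rewritten to the
# domain our SPF record covers. BSP-HOSTNAME-PLACEHOLDER stands for the
# real hostname of the instance.
/^(.+)@localhost$/                     ${1}@data.gsa.gov
/^(.+)@BSP-HOSTNAME-PLACEHOLDER$/      ${1}@data.gsa.gov
```

regexp tables are read directly, so no `postmap` build step is needed; run `postfix reload` after editing, and `postmap -q root@localhost regexp:/etc/postfix/sender_canonical.regexp` prints what a given sender address would be rewritten to, which is a quick way to confirm a rule before real mail hits the relay.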
App | Name | Description | Recipients |
---|---|---|---|
catalog.data.gov | harvest report | Report of the latest harvest job | Agency data managers |
www.data.gov | contact form | General questions from the Contact Us form | Data.gov support |
www.data.gov | topic contact form | Topic-related contact form | Topics contacts |
postfix | localhost email | All kinds of email notifications generated from the system | Data.gov technical team |
SPF must be configured as per BOD 18-01. Our record authorizes smtp.gsa.gov (via GSA's own SPF record) to send for the Data.gov domain. That means any email we send must use a From address at @data.gsa.gov; mail From localhost or the BSP hostname will be rejected. We have some sender rewrite rules in the postfix config that rewrite sender addresses to @data.gsa.gov in most cases.

```
$ dig +noall +answer TXT data.gsa.gov | grep v=spf1
data.gsa.gov. 1800 IN TXT "v=spf1 ip4:34.193.244.109 include:gsa.gov ~all"
```
To update the record, you must open a DNS ticket with GSA.
DMARC must be set as per BOD 18-01. It requires a policy of "reject" when an email fails authentication.

```
$ dig +noall +answer TXT _dmarc.data.gsa.gov
_dmarc.data.gsa.gov. 1800 IN TXT "v=DMARC1; p=reject; fo=1; pct=100; ri=86400; rua=mailto:gsalogin@rua.agari.com,mailto:dmarcreports@gsa.gov,mailto:reports@dmarc.cyber.dhs.gov; ruf=mailto:gsalogin@ruf.agari.com,mailto:dmarcfailures@gsa.gov"
```
To update the record, you must open a DNS ticket with GSA.
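The two records above are easy to weaken by accident when a DNS ticket is processed (a `p=none` during testing, a forgotten `include:`). The following script, added here as an example and not part of the Data.gov repository, parses SPF and DMARC TXT records and flags the things this page requires: `include:gsa.gov` so smtp.gsa.gov is authorized, a restrictive `all`, `p=reject`, `pct=100`, and the `reports@dmarc.cyber.dhs.gov` aggregate address that BOD 18-01 mandates. The sample records are the ones shown in the dig output above; the weak records in the test are constructed.

```python
"""Check SPF and DMARC TXT records against the policy stated on this page."""
import re

# Records as published for data.gsa.gov, copied from the dig output above.
SPF_RECORD = "v=spf1 ip4:34.193.244.109 include:gsa.gov ~all"
DMARC_RECORD = (
    "v=DMARC1; p=reject; fo=1; pct=100; ri=86400; "
    "rua=mailto:gsalogin@rua.agari.com,mailto:dmarcreports@gsa.gov,"
    "mailto:reports@dmarc.cyber.dhs.gov; "
    "ruf=mailto:gsalogin@ruf.agari.com,mailto:dmarcfailures@gsa.gov"
)

DHS_RUA = "mailto:reports@dmarc.cyber.dhs.gov"   # required by BOD 18-01
REQUIRED_INCLUDE = "gsa.gov"                      # authorizes smtp.gsa.gov
# Mechanisms that cost a DNS lookup; RFC 7208 allows at most 10 per check.
LOOKUP_MECHS = {"include", "a", "mx", "ptr", "exists"}

# qualifier (+ - ~ ?), mechanism name, optional ":value" or "/cidr"
_TERM = re.compile(r"^([+\-~?]?)([a-z0-9]+)(?:[:/](.+))?$", re.IGNORECASE)


def parse_spf(txt):
    """Return (mechanisms, modifiers); mechanisms are (qualifier, name, value)."""
    terms = txt.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record: %r" % txt)
    mechanisms, modifiers = [], {}
    for term in terms[1:]:
        if "=" in term:                      # modifiers: redirect=, exp=
            key, _, value = term.partition("=")
            modifiers[key.lower()] = value
            continue
        m = _TERM.match(term)
        if not m:
            raise ValueError("bad SPF term: %r" % term)
        qualifier, name, value = m.groups()
        mechanisms.append((qualifier, name.lower(), value))
    return mechanisms, modifiers


def spf_findings(txt):
    """Problems with an SPF record relative to this page's requirements."""
    mechanisms, modifiers = parse_spf(txt)
    findings = []
    includes = {v for q, n, v in mechanisms if n == "include" and q in ("", "+")}
    if REQUIRED_INCLUDE not in includes:
        findings.append("missing include:%s, smtp.gsa.gov is not authorized" % REQUIRED_INCLUDE)
    all_quals = [q for q, n, _ in mechanisms if n == "all"]
    if not all_quals:
        findings.append("no trailing all mechanism; unlisted senders are not rejected")
    elif all_quals[-1] in ("", "+", "?"):
        findings.append("all must be ~all or -all, got %sall" % all_quals[-1])
    lookups = sum(1 for _, n, _ in mechanisms if n in LOOKUP_MECHS)
    lookups += 1 if "redirect" in modifiers else 0
    if lookups > 10:
        findings.append("%d DNS-lookup terms in this record alone; limit is 10" % lookups)
    return findings


def parse_dmarc(txt):
    """Return DMARC tag=value pairs as a dict with lowercased keys."""
    parts = [p.strip() for p in txt.split(";") if p.strip()]
    if not parts or parts[0].lower() != "v=dmarc1":
        raise ValueError("DMARC record must start with v=DMARC1")
    tags = {}
    for part in parts:
        key, sep, value = part.partition("=")
        if not sep:
            raise ValueError("bad DMARC tag: %r" % part)
        tags[key.strip().lower()] = value.strip()
    return tags


def dmarc_findings(txt):
    """Problems with a DMARC record relative to BOD 18-01."""
    tags = parse_dmarc(txt)
    findings = []
    if tags.get("p") != "reject":
        findings.append("p=%s; BOD 18-01 requires p=reject" % tags.get("p", "<missing>"))
    if "sp" in tags and tags["sp"] != "reject":
        findings.append("sp=%s weakens the policy for subdomains" % tags["sp"])
    pct = tags.get("pct", "100")             # pct defaults to 100 when absent
    if pct != "100":
        findings.append("pct=%s; policy applies only to a sample of mail" % pct)
    rua = [a.strip() for a in tags.get("rua", "").split(",") if a.strip()]
    if DHS_RUA not in rua:
        findings.append("rua= does not include %s" % DHS_RUA)
    return findings


def check_records(spf_txt, dmarc_txt):
    """Findings keyed by record type; an empty dict means both look compliant."""
    result = {}
    if spf_findings(spf_txt):
        result["spf"] = spf_findings(spf_txt)
    if dmarc_findings(dmarc_txt):
        result["dmarc"] = dmarc_findings(dmarc_txt)
    return result


if __name__ == "__main__":
    print(check_records(SPF_RECORD, DMARC_RECORD) or "SPF and DMARC look compliant")
```

Feed it the output of the two `dig` commands above after a DNS change lands; anything other than an empty result is a reason to reopen the ticket. Note that the lookup count only covers terms in this record, not those pulled in by `include:gsa.gov`.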
We use Agari, provided through TTS, to process DMARC aggregate and forensic reports and to alert on failures. See #admins-dmarc or ask @adborden for access.
DKIM is not implemented.
Note: since GSA also does not implement DKIM, I suspect smtp.gsa.gov would not be able to support DKIM for data.gov.