jbrown-xentity edited this page Apr 26, 2022 · 9 revisions

TODO: https://github.com/GSA/data.gov/issues/3798

Deprecated content, no longer relevant

Data.gov uses Postfix with smtp.gsa.gov as a relay to send all email from within the BSP environment. BOD 18-01 governs some of this configuration, including the SPF and DMARC records described below.

Note: In October 2020, our sending address was changed to data.gsa.gov for compatibility with GSA's SMTP servers. Eventually, we'd like to be using data.gov again.

Services sending email

Most email we send goes through Postfix installed on localhost. The Postfix config includes rewrite rules that map mail from localhost to @data.gsa.gov. Some applications still need their own configuration to work, mostly a correct From address.

| App Name | Description | Recipients |
|---|---|---|
| catalog.data.gov harvest report | Report of the latest harvest job | Agency data managers |
| www.data.gov contact form | General questions from the Contact Us form | Data.gov support |
| www.data.gov topic contact form | Topic-related contact form | Topic contacts |
| postfix localhost email | All kinds of email notifications generated from the system | Data.gov technical team |

Sender Policy Framework (SPF)

SPF must be configured as per BOD 18-01. Our record authorizes the relay's IP address and everything covered by GSA's own SPF record (include:gsa.gov) to send as @data.gsa.gov. That means any email we send must use a From address of @data.gsa.gov; mail from localhost or the BSP hostname is not covered by the record and will be rejected. We have sender rewrite rules in the Postfix config that rewrite sender addresses to @data.gsa.gov in most cases. Note that the record ends in ~all (softfail) rather than -all, so on its own SPF only marks unauthorized mail as suspect; it is the DMARC p=reject policy below that causes receivers to reject it.

$ dig +noall +answer TXT data.gsa.gov | grep v=spf1
data.gsa.gov.           1800    IN      TXT     "v=spf1 ip4:34.193.244.109 include:gsa.gov ~all"

To update the record, you must open a DNS ticket with GSA.

Domain-based Message Authentication, Reporting & Conformance (DMARC)

DMARC must be set as per BOD 18-01, which requires a policy of p=reject: receivers that enforce DMARC reject any message that does not pass SPF (or DKIM) with a domain aligned to the From address. In the record below, fo=1 requests a failure report whenever either check fails, pct=100 applies the policy to all mail, and the rua and ruf addresses receive the aggregate and failure reports respectively.

$ dig +noall +answer TXT _dmarc.data.gsa.gov
_dmarc.data.gsa.gov.    1800    IN      TXT     "v=DMARC1; p=reject; fo=1; pct=100; ri=86400; rua=mailto:gsalogin@rua.agari.com,mailto:dmarcreports@gsa.gov,mailto:reports@dmarc.cyber.dhs.gov; ruf=mailto:gsalogin@ruf.agari.com,mailto:dmarcfailures@gsa.gov"

To update the record, you must open a DNS ticket with GSA.
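To make the SPF and DMARC behaviour described in the two sections above concrete, here is an added Python example (not code from the data.gov project or its Postfix config) that evaluates the quoted records offline. The data.gsa.gov TXT records are copied from this page; the gsa.gov SPF record it consults for the include: mechanism is a constructed stand-in, since the real record is not shown here, and the organizational-domain logic is simplified to the last two labels instead of consulting the Public Suffix List. It shows why a rewritten @data.gsa.gov sender via the relay passes, why GSA's own bounce domain still aligns under relaxed DMARC alignment, why an unauthorized host only softfails SPF but is then rejected by p=reject, and why an un-rewritten localhost envelope sender fails outright. It also checks the record against BOD 18-01's p=reject and reports@dmarc.cyber.dhs.gov requirements.

```python
# Added example (not data.gov's code): evaluate the page's SPF and DMARC records
# offline. data.gsa.gov records are copied from the page; gsa.gov's is a stand-in.
import ipaddress

# Constructed DNS zone (name -> TXT record); a live check would run dig instead.
DNS_TXT = {
    "data.gsa.gov": "v=spf1 ip4:34.193.244.109 include:gsa.gov ~all",
    # ASSUMPTION: stand-in for GSA's real SPF record covering smtp.gsa.gov.
    "gsa.gov": "v=spf1 ip4:198.51.100.0/24 -all",
    "_dmarc.data.gsa.gov": (
        "v=DMARC1; p=reject; fo=1; pct=100; ri=86400; "
        "rua=mailto:gsalogin@rua.agari.com,mailto:dmarcreports@gsa.gov,"
        "mailto:reports@dmarc.cyber.dhs.gov; "
        "ruf=mailto:gsalogin@ruf.agari.com,mailto:dmarcfailures@gsa.gov"
    ),
}
QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_check(ip, domain, zone=DNS_TXT, depth=0):
    """Return pass/fail/softfail/neutral/none for `ip` sending as `domain`.
    Handles ip4 (host or CIDR), include (matches only on a pass) and all."""
    record = zone.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"  # no SPF record: the domain makes no claim at all
    if depth > 10:
        return "fail"  # RFC 7208 caps DNS-querying mechanisms at 10
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIER:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        if mech == "ip4":
            matched = addr in ipaddress.ip_network(arg, strict=False)
        elif mech == "include":
            matched = spf_check(ip, arg, zone, depth + 1) == "pass"
        else:
            matched = mech == "all"  # a, mx, exists... not needed for these records
        if matched:
            return QUALIFIER[qualifier]
    return "neutral"  # nothing matched and no catch-all term


def parse_dmarc(record):
    """Split a DMARC TXT record into a lower-cased tag -> value dict."""
    tags = {}
    for part in record.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    return tags


def org_domain(domain):
    # Simplification: the last two labels stand in for the organizational
    # domain; a real implementation consults the Public Suffix List.
    return ".".join(domain.lower().split(".")[-2:])


def dmarc_disposition(header_from_domain, spf_result, spf_domain, zone=DNS_TXT):
    """Apply the header From domain's DMARC policy to an SPF result. Without
    DKIM, SPF must pass *and* align (relaxed unless aspf=s) for a DMARC pass;
    otherwise the published p= policy applies ('no-policy' if no record)."""
    record = zone.get("_dmarc." + header_from_domain)
    if record is None:
        return "no-policy"
    tags = parse_dmarc(record)
    if tags.get("aspf", "r") == "s":
        aligned = spf_domain.lower() == header_from_domain.lower()
    else:
        aligned = org_domain(spf_domain) == org_domain(header_from_domain)
    return "pass" if spf_result == "pass" and aligned else tags.get("p", "none")


def evaluate(header_from_domain, mail_from_domain, ip, zone=DNS_TXT):
    """SPF runs on the envelope MAIL FROM domain; DMARC checks it against From."""
    spf = spf_check(ip, mail_from_domain, zone)
    return spf, dmarc_disposition(header_from_domain, spf, mail_from_domain, zone)


def bod_18_01_compliant(record):
    """BOD 18-01 end state: p=reject for all mail (pct absent or 100) and
    reports@dmarc.cyber.dhs.gov among the aggregate-report (rua) targets."""
    tags = parse_dmarc(record)
    rua = [a.strip().lower() for a in tags.get("rua", "").split(",")]
    return bool(tags.get("v") == "DMARC1" and tags.get("p") == "reject"
                and tags.get("pct", "100") == "100"
                and "mailto:reports@dmarc.cyber.dhs.gov" in rua)


if __name__ == "__main__":
    for hdr, env, ip in [("data.gsa.gov", "data.gsa.gov", "34.193.244.109"),
                         ("data.gsa.gov", "gsa.gov", "198.51.100.10"),
                         ("data.gsa.gov", "data.gsa.gov", "203.0.113.7"),
                         ("data.gsa.gov", "localhost", "34.193.244.109")]:
        print(f"From @{hdr}, MAIL FROM @{env}, ip {ip}:", evaluate(hdr, env, ip))
    print("BOD 18-01 compliant:", bod_18_01_compliant(DNS_TXT["_dmarc.data.gsa.gov"]))
```

The four cases in the usage block correspond to the situations the SPF section describes: a properly rewritten sender through the relay passes; mail whose envelope sender is GSA's own domain still aligns with a @data.gsa.gov From header under relaxed alignment; an unauthorized IP only softfails SPF because of ~all, but DMARC then applies p=reject; and an envelope sender that the Postfix rewrite rules missed (localhost) has no SPF record at all and is likewise rejected. Swap the DNS_TXT dict for real dig output to check the live records.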

Agari

We use Agari, provided through TTS, to process DMARC aggregate and forensic reports for analysis and alerting. See #admins-dmarc or ask @adborden for access.

DomainKeys Identified Mail (DKIM)

DKIM is not implemented. This means SPF is the only mechanism by which our mail can pass DMARC, so anything that breaks SPF (for example, forwarding through a server not listed in the record) causes a DMARC failure.

Note: since GSA also does not implement DKIM, I suspect smtp.gsa.gov would not be able to support DKIM for data.gov.
