Last modified: 2014-10-22 16:32:53 UTC
Yahoo recently changed their DMARC configuration, which has two results that are relevant for us:
1) It's no longer possible to send e-mails From: someone@yahoo.com, even if it's allowed from an SPF point of view (i.e. 'someone@yahoo.com via wikipedia.org'). This means Yahoo users cannot send e-mail from the wiki anymore.
2) It's no longer possible to change parts of an e-mail (e.g. the subject to add a mailing list name) sent by a Yahoo user. This means Yahoo users cannot send e-mail to a mailing list anymore. If they do try to, they will receive a flood of error mails from mail servers rejecting the e-mail.
See http://www.ietf.org/mail-archive/web/ietf/current/msg87153.html for more info on issue 2). For issue 1), we might want to block Special:SendEmail for people with a @yahoo.com address, telling them their e-mail will not be delivered.
How is this a Wikimedia bug? Is there any workaround? Seb35 hinted yes:
(In reply to Seb35 from comment #22)
> could [...] implement[...] DMARC(+DKIM+SPF) on wikimedia.org to
> improve deliverability for this bug, *BUT* this could lead to heavy
> consequences on other @wikimedia.org emails (like non-delivery) so it must
> be carefully thought before action.
Anyway, if working around this requires special DNS settings something should (also) be done in core.
At the very least, it's good to have a place to keep track of the issue, even if we don't intend to solve it ourselves. Secondly, there are some options for working around this in MediaWiki:
1) by blocking Yahoo users from using Special:SendEmail, or
2) by changing the SendEmail sender to noreply@wikimedia.org, and adapting Reply-To (not sure if this works), or
3) 2), but by letting people reply through the wiki.
It would be nice if these deficiencies for Yahoo! users were also noted prominently on the sign-up pages and not only show up on Special:SendEmail & Co. so that users can reconsider their choice of mail provider /before/ being handicapped.
I removed the "mailing lists" issue from this bug since it is a different software, different domain, and sort of different email function ("relay" vs "original on behalf of"); created bug 64818 for this. As a resume of the proposed solution above, there are three solutions (at least):
(1) a quick one: set Wikimedia’s $wgUserEmailUseReplyTo to true. This would apply for all users, kind of functionality loss for me since the user no longer sees who is the "sender".
(2) a more robust one: patch MediaWiki to decide on a domain-by-domain basis if $wgUserEmailUseReplyTo should be used. Yahoo and AOL would fall into the first case, others not. This would add inconsistency from one user to another, and hence a bit more difficult to document and explain to users.
(3) a radical one: patch MediaWiki to blacklist some domains from sending user-to-user emails and add a warning if users use such domains.
I don’t think (3) is a good solution since it’s a loss of functionality for DMARC senders and it would add as much code as (2). Between (1) and (2) and status quo, it depends if:
* we want to show Yahoo, AOL, and other DMARC email providers that DMARC should not be still used → status quo (DMARC senders think they could send emails through MediaWiki although they couldn’t – I don’t know if the sender of a user-to-user email is warned if the email doesn’t reach the destination)
* we think DMARC is a rather bad solution but we want to mitigate it and we don’t want to penalise non-DMARC senders, and we think DMARC will not be widely implemented as it is currently (still not an IETF RFC) → solution (2)
* we think DMARC will be widely implemented in the near future (without proper solution to send an email on behalf of somebody), or we want a quick and/or transitional solution → solution (1)
I feel the more conservative approach would be to choose (1) and see how things evolve, particularly given DMARC is not really standardised as of now and only a big-scale experiment by Yahoo and AOL.
*** Bug 65860 has been marked as a duplicate of this bug. ***
Has anyone considered allowing editors to connect directly to Yahoo SMTP servers, or contacting Yahoo at dmarc-help@yahoo-inc.com to discuss authentication and configuration options?
I assume it would be wise to globally let users know that they can't send email through their Yahoo mail. It could be a message in Special:SendEmail.
In response to Nemo, it is a Wikimedia bug. It's spoofing a From address. The user's email address shouldn't be used for this - using reply-to is quite adequate. And for the record, Gmail has also been flagging these emails as 'suspicious' for the last few months. So it wouldn't be surprising if they started rejecting them altogether.
That's a different (but equally valid) issue (SPF vs DMARC). The SPF issue can be solved with sender rewriting. I'm surprised that hasn't been implemented yet, to be honest. Switching to a 'noreply@wikimedia.org' sender + reply-to header would solve both issues in MW, I think, and it should be a fairly simple change -- although it would require a new configuration variable for the new sender.
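The sender handling discussed in the comments above (options (1) and (2), and the 'noreply' sender plus Reply-To proposal), as an added Python sketch that is not part of the original thread and not MediaWiki code. The DMARC records are constructed samples, `noreply@wiki.example` and all function names are hypothetical, and the lookup ignores `pct=` and the organizational-domain fallback for subdomains.

```python
from email.message import EmailMessage
from email.utils import formataddr

# Constructed sample DMARC TXT records keyed by domain (not live DNS data).
SAMPLE_DMARC = {
    "yahoo.com": "v=DMARC1; p=reject; pct=100",
    "example.org": "v=DMARC1; p=none",
}
NOREPLY = "noreply@wiki.example"  # hypothetical site-owned sender address


def dmarc_policy(record):
    """Return the p= tag of a DMARC TXT record, or None if absent or invalid."""
    if not record:
        return None
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        return None
    return tags.get("p", "").lower() or None


def must_rewrite(sender_addr, records=SAMPLE_DMARC):
    """True when the sender's domain asks receivers to reject or quarantine
    mail that fails DMARC, which a wiki-originated From: would."""
    domain = sender_addr.rsplit("@", 1)[-1].lower()
    return dmarc_policy(records.get(domain)) in ("reject", "quarantine")


def build_user_email(name, addr, recipient, subject, body, always_rewrite=False):
    """always_rewrite=True models option (1); False models option (2)."""
    msg = EmailMessage()
    if always_rewrite or must_rewrite(addr):
        # From: uses a domain the wiki controls; replies still reach the user.
        msg["From"] = formataddr((f"{name} via wiki", NOREPLY))
        msg["Reply-To"] = formataddr((name, addr))
    else:
        msg["From"] = formataddr((name, addr))
    msg["To"] = recipient
    msg["Subject"] = subject
    msg.set_content(body)
    return msg


if __name__ == "__main__":
    print(build_user_email("Alice", "alice@yahoo.com", "bob@example.net", "Hi", "Hello"))
```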
*** Bug 70930 has been marked as a duplicate of this bug. ***
*** Bug 72363 has been marked as a duplicate of this bug. ***