boulder
In notify-mailer, policy.ValidEmail sometimes rejects valid e-mail addresses
Boulder checks the Public Suffix List (among other things) to disallow registering with an invalid e-mail address. However, the PSL changes from time to time (and/or the check was once more permissive). The `policy.ValidEmail` check keeps `notify-mailer` from being able to e-mail certain existing subscribers.
Most of the affected e-mail addresses are invalid, but not all: a few ICANN TLDs in the Public Suffix List do have MX records, and are apparently actively used for e-mail. `notify-mailer` will skip them:
skipping "redacted": contact e-mail "redacted" has invalid domain : Domain name is an ICANN TLD
Update: we already check the public suffix list when ingesting email addresses, so we should stop checking it when sending mail (we expect the undeliverable rate to remain low, and this will prevent false-negatives).
Dropping this until we have data from contact-auditor runs. A ticket has been opened with SRE to get this deployed and run.
Checked in with SRE and confirmed this will run during the next week's sprint. Bumping to a check-in and potential action next sprint.
Checked in with SRE and this has been bumped another week due to ongoing work of higher priority.
A `contact-auditor` run:
- Confirmed that `Domain name is an ICANN TLD` is the only case where a valid email is being rejected.
- Exposed #6231.
Plan: close https://github.com/letsencrypt/boulder/pull/7212 since we have decided we don't actually want to accept these email addresses, and update our mailers to silently ignore such failures instead of logging them, and act as though the email was sent so that we don't keep retrying.
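
A sketch of the plan in the last comment, as an added example that is not Boulder's code: `validEmail`, `deliver`, `result` and the three-entry suffix set are hypothetical stand-ins for `policy.ValidEmail`, the mailer loop and the Public Suffix List. It shows a suffix-only domain being dropped without a log line or a retry, while other failures are still reported.

```go
package main

import (
	"errors"
	"fmt"
	"net/mail"
	"strings"
)

// errDomainIsSuffix: the address's domain is itself a public suffix.
var errDomainIsSuffix = errors.New("domain name is a public suffix")

// constructedSuffixes is a constructed stand-in for the Public Suffix List.
var constructedSuffixes = map[string]bool{"com": true, "org": true, "co.uk": true}

// validEmail is a hypothetical validator, not Boulder's policy.ValidEmail.
func validEmail(addr string) error {
	parsed, err := mail.ParseAddress(addr)
	if err != nil {
		return fmt.Errorf("unparseable address: %w", err)
	}
	domain := parsed.Address[strings.LastIndex(parsed.Address, "@")+1:]
	if constructedSuffixes[strings.ToLower(domain)] {
		return errDomainIsSuffix
	}
	return nil
}

type result struct{ sent, ignored, failed []string }

// deliver treats suffix-only domains as done; other failures stay visible.
func deliver(contacts []string, send func(string) error) result {
	var r result
	for _, c := range contacts {
		switch err := validEmail(c); {
		case errors.Is(err, errDomainIsSuffix):
			r.ignored = append(r.ignored, c) // no log line, no retry
		case err != nil || send(c) != nil:
			r.failed = append(r.failed, c) // still reported to the operator
		default:
			r.sent = append(r.sent, c)
		}
	}
	return r
}

func main() {
	fmt.Printf("%+v\n", deliver([]string{"a@example.com", "b@co.uk"}, func(string) error { return nil }))
}
```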