addons icon indicating copy to clipboard operation
addons copied to clipboard

Published 20 hours ago verified publisher icon mozilla

AMO should use a sender of its own domain for outbound emails

Open bqbn opened this issue 10 months ago • 4 comments

Describe the problem and steps to reproduce it:

Outbound emails from AMO sometimes appear to be sent from domains other than its own. For instance, some outbound emails are observed as originating from [email protected]. Meanwhile, AMO uses a different email provider than mozilla.org does for sending emails. This arrangement works because the DMARC policy of mozilla.org is relatively permissive. Presently, the DMARC policy of mozilla.org is as follows:

$ dig +short _dmarc.mozilla.org TXT
"v=DMARC1; p=none; adkim=r; aspf=r; rua=mailto:[email protected],mailto:[email protected]"

This situation may lead to email reception issues in the long term.

What happened?

What did you expect to happen?

I propose that we explore the possibility of sending emails using the appropriate domain for each environment. For example, in the staging environment, we could use [email protected] as the sender, while in production, we would use [email protected].

This approach would enable us to configure distinct DMARC policies for each environment, without being dependent on the DMARC policies established by our parent domain.

Anything else we should know?

As for rollout, we should proceed env by env, ensuring that email sending functions correctly for one env before moving on to the next.

┆Issue is synchronized with this Jira Task

bqbn avatar Apr 10 '24 23:04 bqbn

See also https://github.com/mozilla/addons/issues/6637. Stealing my comment from that issue, we have the following settings governing what From we use:

  • ADDONS_EMAIL (or its alias DEFAULT_FROM_EMAIL), which is "Mozilla Add-ons <[email protected]>"
  • NOTIFICATIONS_FROM_EMAIL, which is "notifications@%s" % settings.INBOUND_EMAIL_DOMAIN, where INBOUND_EMAIL_DOMAIN is coming from an env variable (defaults to addons.mozilla.org). In addition the name of the user that triggered the activity message is added before the email.

diox avatar Apr 11 '24 09:04 diox

Less of a priority now that DMARC setup has been adjusted to verify our emails as valid in https://mozilla-hub.atlassian.net/browse/IO-2807

Although it's probably a good idea still to move to addons.mozilla.org and make sure we have DMARC setup for that domain as well.

diox avatar Apr 15 '24 08:04 diox

Yeah, let's wait and see how the new DMARC setup works and then make a decision on this ticket later.

bqbn avatar Apr 15 '24 21:04 bqbn

Old Jira Ticket: https://mozilla-hub.atlassian.net/browse/ADDSRV-795

KevinMind avatar May 03 '24 18:05 KevinMind