This repository has been archived by the owner. It is now read-only.

create an SPF record #2235

Closed
chadwhitacre opened this Issue Apr 3, 2014 · 6 comments

chadwhitacre commented Apr 3, 2014

This is a security issue, because w/o an SPF record it's easy to spoof email.

Per the Freshdesk docs, I've set up the following SPF record:

v=spf1 include:email.freshdesk.com -all

I went for -all instead of ~all because we only send from Freshdesk. We have no regular email user accounts.
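As an added example (not part of the original thread), this Python parser reads the record quoted above and reports what result a receiver gets for mail from hosts the record does not list, comparing `-all` with `~all`. The `~all` variant is constructed for comparison; nested `include:` records are not fetched and `redirect=` is not followed, which are simplifying assumptions of the example.

```python
import re

# Qualifier prefix -> result returned when the mechanism matches (RFC 7208).
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
# Terms that cost a DNS lookup; RFC 7208 caps these at 10 per evaluation.
DNS_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
# name, then optional ":value" / "=value" or a bare "/cidr" suffix.
TERM_RE = re.compile(r"^([A-Za-z][A-Za-z0-9_.-]*)(?:[:=](.*)|(/.*))?$")

def parse_spf(record):
    """Return [(result_if_matched, name, value), ...] for an SPF TXT record."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record: must start with v=spf1")
    parsed = []
    for term in terms[1:]:
        qualifier = "+"  # an omitted qualifier means "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        m = TERM_RE.match(term)
        if not m:
            raise ValueError(f"malformed term: {term!r}")
        parsed.append((QUALIFIERS[qualifier], m.group(1).lower(),
                       m.group(2) or m.group(3) or ""))
    return parsed

def default_result(record):
    """Result for a sender that matches nothing before the 'all' mechanism."""
    for result, name, _ in parse_spf(record):
        if name == "all":
            return result
    return "neutral"  # no 'all' term: the record makes no assertion

def dns_lookup_count(record):
    """Lookups used by this record's own terms (nested includes not counted)."""
    return sum(1 for _, name, _ in parse_spf(record) if name in DNS_TERMS)

PAGE_RECORD = "v=spf1 include:email.freshdesk.com -all"   # from the issue
SOFT_RECORD = "v=spf1 include:email.freshdesk.com ~all"   # constructed variant

if __name__ == "__main__":
    for rec in (PAGE_RECORD, SOFT_RECORD):
        print(rec)
        print("  unlisted sender ->", default_result(rec))
        print("  DNS lookups (top level):", dns_lookup_count(rec))
```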

chadwhitacre commented Apr 3, 2014

cc: @bruceadams @pjf @patcon Let's give this a little time to propagate and then would you mind helping me test this out? We just want to make sure our emails from support@ are getting through to people.

chadwhitacre reopened this Apr 3, 2014

chadwhitacre commented Apr 3, 2014

I guess I'll reopen until we've confirmed this is working properly.

chadwhitacre added TeamX ★ and removed ★★★ labels Apr 3, 2014

pjf commented Apr 3, 2014

I've sent in a test email to Freshdesk. I'm day-passing at the moment, but if anyone sends a simple reply, I can make sure that the SPF records are cleared by SpamAssassin.

pjf commented Apr 3, 2014

Except apparently my SpamAssassin isn't running with SPF checks. So please ignore me for now. :)

patcon commented Apr 3, 2014

Working fine on stock gmail as per http://gittip.freshdesk.com/helpdesk/tickets/145

Who reported this? Was it to security@gittip.com? If so, can I add details to security.txt to give proper cred before closing?

chadwhitacre added a commit that referenced this issue Apr 3, 2014

chadwhitacre commented Apr 3, 2014

@patcon We still advertise chad@zetaweb.com on https://www.gittip.com/security.txt. That's where this was reported. I had to ask them for HoF info. PR forthcoming ...

seanlinsley added a commit that referenced this issue Apr 3, 2014

Merge pull request #2243 from gittip/ack
Acknowledge researcher for #2235