Add DMARC to SES service #3300

Closed
6 tasks done
mogul opened this issue Jun 24, 2021 · 3 comments

mogul commented Jun 24, 2021

User Story

In order to improve handling and reporting of email delivery failures, the data.gov team wants brokered SES services to include DMARC records.

Acceptance Criteria

[ACs should be clearly demoable/verifiable whenever possible. Try specifying them using BDD.]

  • GIVEN I have provisioned an SES service instance
    AND I did NOT provide a domain configuration during provisioning
    AND I provided a reporting address during provisioning
    WHEN I check the DNS for the associated domain
    THEN I find a valid DMARC record
    AND the DMARC record contains the reporting address
  • GIVEN I have provisioned an SES service instance
    AND I DID provide a domain configuration during provisioning
    AND I provided a reporting address during provisioning
    WHEN I check the credentials for a service binding
    THEN I see content for a DMARC record
    AND the DMARC record contains the reporting address
    AND the instructions tell me to create that record in my DNS system

Background

[Any helpful contextual notes or links to artifacts/evidence, if needed]
How DMARC works: https://dmarc.org/overview/
Truss' example: https://github.com/trussworks/terraform-aws-ses-domain/blob/2df07ab2452d65f13701e984cb3ad0caeb315aee/main.tf#L110-L119

Security Considerations (required)

None... This builds on earlier work to add DKIM and SPF, which increase security. This change will only improve reporting/feedback.

Sketch

[Notes or a checklist reflecting our understanding of the selected approach]

@mogul mogul self-assigned this Jul 8, 2021
@mogul mogul removed their assignment Oct 7, 2021
@jbrown-xentity

Looking at testing options, I like setting up https://domainaware.github.io/checkdmarc/ in GitHub Actions on a cron, to be able to check for drift (and would cover SPF)... Thoughts @mogul? All of these tests only work on a deployed system, none of these would actually check our code before it is deployed...
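
The acceptance criteria in this issue ask for a valid DMARC record that contains the reporting address. The following is an added example, not code from the issue, the brokerpak or checkdmarc, that applies both checks to a TXT record value without any DNS lookup; the function names, sample records and the `example.gov` address are constructed for illustration.

```python
VALID_POLICIES = {"none", "quarantine", "reject"}

# Constructed sample TXT values for _dmarc.<domain> (not taken from any real zone).
GOOD = "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.gov!10m, mailto:other@example.gov;"
MISSING_RUA = "v=DMARC1; p=quarantine"
BAD_ORDER = "p=none; v=DMARC1; rua=mailto:dmarc-reports@example.gov"

def parse_dmarc(txt):
    """Split a DMARC TXT value into an ordered list of (tag, value) pairs."""
    pairs = []
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue  # a trailing ';' is allowed
        tag, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"malformed tag: {part!r}")
        pairs.append((tag.strip().lower(), value.strip()))
    return pairs

def report_addresses(value):
    """Extract mailto addresses from a rua value, dropping '!10m' style size limits."""
    addrs = []
    for uri in value.split(","):
        uri = uri.strip()
        if uri.lower().startswith("mailto:"):
            addrs.append(uri[len("mailto:"):].split("!", 1)[0].lower())
    return addrs

def check_dmarc(txt, reporting_address):
    """Return a list of problems; an empty list means the record passes both checks."""
    try:
        pairs = parse_dmarc(txt)
    except ValueError as exc:
        return [str(exc)]
    problems = []
    if not pairs or pairs[0] != ("v", "DMARC1"):
        problems.append("record must start with v=DMARC1")
    tags = dict(pairs)
    if len(tags) != len(pairs):
        problems.append("duplicate tag")
    if tags.get("p", "").lower() not in VALID_POLICIES:
        problems.append("missing or invalid p= policy")
    if reporting_address.lower() not in report_addresses(tags.get("rua", "")):
        problems.append(f"rua does not contain {reporting_address}")
    return problems
```

Because it works on the record string alone, the same check can be run against the DMARC content shown in a service binding's credentials as well as against a value read from DNS.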

@nickumia-reisys

Not sure the best way to combine these two conversations, but related.
