Add SPF to SES service #3301

Closed
5 tasks done
mogul opened this issue Jun 24, 2021 · 3 comments

mogul commented Jun 24, 2021

User Story

In order to ensure mail sent via provisioned SES services is accepted by receivers, the SSB team wants brokered SES services to include Sender Policy Framework (SPF) records for AWS.

Acceptance Criteria

[ACs should be clearly demoable/verifiable whenever possible. Try specifying them using BDD.]

  • GIVEN I have provisioned an SES service instance
    AND I did NOT provide a domain configuration during provisioning
    WHEN I check the DNS for the associated domain
    THEN I find a valid SPF record for AWS
  • GIVEN I have provisioned an SES service instance
    AND I DID provide a domain configuration during provisioning
    WHEN I check the credentials for a service binding
    THEN I see content for an SPF record for AWS
    AND the instructions tell me to create that record in my DNS system

Background

[Any helpful contextual notes or links to artifacts/evidence, if needed]
SPF: https://dmarcian.com/what-is-spf/
Truss' example: https://github.com/trussworks/terraform-aws-ses-domain/blob/2df07ab2452d65f13701e984cb3ad0caeb315aee/main.tf#L66-L85

Security Considerations (required)

This change will prevent bad actors from sending mail on behalf of one of our SES services without going through AWS and having it blindly accepted by SPF-conversant hosts. It will also ensure deliverability of legitimate mail.

Sketch

@mogul mogul self-assigned this Jul 8, 2021
@mogul mogul removed their assignment Oct 7, 2021
mogul commented Oct 18, 2021

We need some kind of test to ensure we have SPF set up correctly. Here are some options:

nickumia-reisys commented Oct 25, 2021

Can we create a fake SMTP server and test sending mail internally? https://www.tothenew.com/blog/setting-up-sendmail-inside-your-docker-container/

@nickumia-reisys

All of the automated tests pretty much just check if there is a record that looks like SPF and returns true if that's met, so I implemented a version of that.
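
Added example, not part of this thread or the project's code: a check that goes one step past "a record that looks like SPF" by confirming there is exactly one SPF record, that it passes the SES include, and that it ends in `-all` or `~all`. The names `check_spf` and `SES_INCLUDE` and the sample records are assumptions made for illustration, and the check does not follow `include` or `redirect` chains.

```python
# Added example: offline SPF check over TXT strings as a resolver would return them
# (multi-string TXT values already joined). All names and samples are illustrative.
SES_INCLUDE = "amazonses.com"  # assumption: the include target AWS documents for SES


def check_spf(txt_records, required_include=SES_INCLUDE):
    """Return (ok, reason) for the TXT record set of one domain."""
    # Only records whose first term is exactly "v=spf1" are SPF records (RFC 7208).
    spf = [r for r in txt_records if r.split(" ")[0].lower() == "v=spf1"]
    if not spf:
        return False, "no SPF record"
    if len(spf) > 1:
        # Receivers treat more than one SPF record as a permanent error.
        return False, "multiple SPF records"

    has_include = False
    for term in spf[0].split()[1:]:
        qualifier = term[0] if term[0] in "+-~?" else "+"  # default qualifier is pass
        body = term.lstrip("+-~?").lower()
        if body == "include:" + required_include:
            if qualifier != "+":
                return False, "include has a non-pass qualifier"
            has_include = True
        elif body == "all":
            # Terms are evaluated left to right; nothing after "all" is reached.
            if not has_include:
                return False, "required include missing before 'all'"
            if qualifier not in "-~":
                return False, "'all' does not fail or softfail other senders"
            return True, "ok"
    if not has_include:
        return False, "required include missing"
    return False, "no terminal 'all' mechanism"


if __name__ == "__main__":
    # Constructed sample record sets, not taken from any real domain.
    samples = {
        "expected": ["v=spf1 include:amazonses.com -all"],
        "looks like SPF, allows anyone": ["v=spf1 +all"],
        "duplicate records": ["v=spf1 include:amazonses.com ~all", "v=spf1 -all"],
    }
    for name, records in samples.items():
        print(name, "->", check_spf(records))
```

A record such as `v=spf1 +all` passes a prefix-only test yet authorizes every sender, which is the case the security consideration in the issue is meant to rule out.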

@mogul mogul added this to the Sprint 20211028 milestone Oct 29, 2021
@mogul mogul closed this as completed Oct 29, 2021
@mogul mogul moved this to Done in data.gov team board Dec 4, 2021
@nickumia-reisys nickumia-reisys moved this from ✔ Done to 🗄 Closed in data.gov team board Oct 11, 2023