E-mails from the forum system are marked as possibly spoofed

When I receive e-mails from the forum system, my e-mail provider warns me that they might be spoofed. Are you guys getting similar warnings?

It appears that forums.opensuse.org doesn’t have an SPF record set up in its DNS. Perhaps that’s got something to do with it. As I understand it, this DNS record tells e-mail receivers which hosts are authorized to send e-mails on forums.opensuse.org’s behalf.

I haven’t noticed this myself, but I’ll raise this with the Heroes team. Thanks for the report. 🙂

Checking a message I’ve received from the forums, I show an SPF Pass:

What mail client/provider are you using?

I’m on Proton Mail. The error I see is described here. According to the e-mail headers SPF passed, so we can indeed rule out my original hypothesis. Any chance it’s related to DMARC?

Authentication-Results: mail.protonmail.ch; dkim=pass (Good 2048 bit
    rsa-sha256 signature) header.d=cloudflare-email.net header.a=rsa-sha256
Authentication-Results: mail.protonmail.ch; dmarc=fail (p=none dis=none)
 header.from=forums.opensuse.org
Authentication-Results: mail.protonmail.ch; spf=pass smtp.mailfrom=[redacted]
Authentication-Results: mail.protonmail.ch; arc=fail smtp.remote-ip=[redacted]
Authentication-Results: mail.protonmail.ch; dkim=pass (2048-bit key)

Here are the same headers for an Instagram e-mail that didn’t trigger the error:

Authentication-Results: mail.protonmail.ch; dkim=pass (Good 2048 bit
    rsa-sha256 signature) header.d=cloudflare-email.net
    header.a=rsa-sha256; dkim=pass (Good 1024 bit rsa-sha256 signature)
    header.d=mail.instagram.com header.a=rsa-sha256
Authentication-Results: mail.protonmail.ch; dmarc=pass (p=reject dis=none)
 header.from=mail.instagram.com
Authentication-Results: mail.protonmail.ch; spf=pass smtp.mailfrom=[redacted]
Authentication-Results: mail.protonmail.ch; arc=fail smtp.remote-ip=[redacted]
Authentication-Results: mail.protonmail.ch; dkim=pass (2048-bit key)
 header.d=cloudflare-email.net header.i=@cloudflare-email.net header.b="[redacted]";
 dkim=pass (1024-bit key) header.d=mail.instagram.com header.i=@mail.instagram.com
 header.b="[redacted]"

Further analyzing the forum e-mail:

  • The Received header states the e-mail originated from mx2.opensuse.org (2a07:de40:b27e:1209::12).
  • The SPF record on _spf.opensuse.org indicates the following list of allowed senders: v=spf1 ip4:91.193.113.64/27 ip4:143.186.213.0/24 ip4:147.2.0.0/16 ip4:149.44.0.0/16 ip6:2a01:138:a004::/64 ip6:2a07:de40:401::/64 ip6:2a07:de40:b27e:1204::/64 a:smtp-out1.suse.de a:smtp-out2.suse.de a:mx1.infra.opensuse.org a:mx2.infra.opensuse.org mx:ope" "nsuse.org ?all
  • While the 2a07:de40:b27e:1204::/64 range is close to the IPv6 address that sent the e-mail, it seems to be out of range.

I also received an e-mail from the Build Service today that also failed DMARC. It originated from smtp-out1.suse.de (195.135.223.130). This IP too seems to be out of range for the above SPF allowlist.

I’m looking at the e-mail notification for this post now, which passed both DMARC and SPF.

Definitely weird, so yeah, I’ll point the heroes at this thread to take a look and see what’s up. Thanks for the additional info.

Whilst I don’t have an answer yet, the mentioned source IP addresses are behind the domains in the a: fields in the SPF record, so should be permitted. It should also be mentioned that with ?all we are (unfortunately by design) not enforcing SPF.
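
The SPF range check discussed in this thread can be reproduced offline. The following is an added example, not code from any participant or from the openSUSE infrastructure: it joins the split TXT strings of the record quoted above, tests a sender IP against the literal ip4:/ip6: ranges, and lists the a:/mx: mechanisms that would still need DNS resolution before a verdict is possible. The function names and the "needs-dns" label are assumptions made for this example.

```python
import ipaddress

# SPF TXT record as quoted in the thread, including the '" "' string split
SPF_RAW = ('v=spf1 ip4:91.193.113.64/27 ip4:143.186.213.0/24 ip4:147.2.0.0/16 '
           'ip4:149.44.0.0/16 ip6:2a01:138:a004::/64 ip6:2a07:de40:401::/64 '
           'ip6:2a07:de40:b27e:1204::/64 a:smtp-out1.suse.de a:smtp-out2.suse.de '
           'a:mx1.infra.opensuse.org a:mx2.infra.opensuse.org mx:ope" "nsuse.org ?all')

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
DNS_MECHANISMS = ("a", "mx", "include", "exists", "ptr")

def parse_spf(raw):
    """Join TXT character-strings, then split into (qualifier, mechanism, value)."""
    terms = raw.replace('" "', "").split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    parsed = []
    for term in terms[1:]:
        qual, body = (term[0], term[1:]) if term[0] in QUALIFIERS else ("+", term)
        name, _, value = body.partition(":")
        parsed.append((qual, name.lower(), value))
    return parsed

def evaluate_offline(raw, sender_ip):
    """Match ip4/ip6 ranges only; return (result, mechanisms still needing DNS)."""
    ip = ipaddress.ip_address(sender_ip)
    unresolved = []
    for qual, name, value in parse_spf(raw):
        if name in ("ip4", "ip6"):
            net = ipaddress.ip_network(value, strict=False)
            if ip.version == net.version and ip in net:
                # An earlier DNS mechanism could match first, so stay undecided
                return ("needs-dns" if unresolved else QUALIFIERS[qual]), unresolved
        elif name in DNS_MECHANISMS:
            unresolved.append(f"{name}:{value}")
        elif name == "all":
            # No literal range matched; a DNS mechanism listed earlier may still match
            return ("needs-dns" if unresolved else QUALIFIERS[qual]), unresolved
    return "neutral", unresolved

if __name__ == "__main__":
    # The two sender addresses reported in the thread
    for addr in ("2a07:de40:b27e:1209::12", "195.135.223.130"):
        print(addr, evaluate_offline(SPF_RAW, addr))
```

Neither reported address falls in a literal range, so the outcome depends on what the a: and mx: hostnames resolve to, which matches the last reply in the thread.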