Data.gov uses smtp.gsa.gov to send all email within the BSP environment. BOD 18-01 governs parts of this configuration, including SPF and DMARC.
SPF must be configured as per BOD 18-01. The record authorizes smtp.gsa.gov (via the included gsa.gov SPF record) as a sender for the data.gov domain. That means any email we send must use a From address at @data.gov; mail From localhost or the BSP hostname will be rejected. We have some sender rewrite rules in the postfix config that rewrite sender addresses to @data.gov in some cases.
$ dig +noall +answer TXT data.gov | grep v=spf1
data.gov. 10799 IN TXT "v=spf1 ip4:34.193.244.109 include:gsa.gov ~all"
To update the record, you must open a DNS ticket with GSA.
DMARC must be set as per BOD 18-01. It requires a policy of "reject" for mail that fails DMARC evaluation.
$ dig +noall +answer TXT _dmarc.data.gov
_dmarc.data.gov. 10799 IN TXT "v=DMARC1; p=reject; fo=1; pct=100; ri=86400; rua=mailto:gsalogin@rua.agari.com,mailto:dmarcreports@gsa.gov,mailto:reports@dmarc.cyber.dhs.gov; ruf=mailto:gsalogin@ruf.agari.com,mailto:dmarcfailures@gsa.gov"
To update the record, you must open a DNS ticket with GSA.
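The two dig outputs above are easy to eyeball once, but the requirements they must keep meeting (the gsa.gov include and a restrictive `all`, `p=reject`, `pct=100`, the DHS aggregate-report address) are the kind of thing that silently drifts after a DNS ticket. The following is an added example, not part of this wiki page or the Data.gov repository: it parses both records, checks them against those expectations, and shows why a From address outside data.gov cannot align. The sample records are copied from the dig output above; the domain, include and report-address constants are taken from this page and BOD 18-01.

```python
"""Audit SPF and DMARC TXT records against the BOD 18-01 expectations described
on this page. Added example; the sample records are the ones shown above."""

DOMAIN = "data.gov"
REQUIRED_INCLUDE = "gsa.gov"                    # smtp.gsa.gov is reached via include:gsa.gov
BOD_RUA = "mailto:reports@dmarc.cyber.dhs.gov"  # aggregate-report recipient BOD 18-01 requires

# Records as returned by dig on this page (constructed input for the example).
SPF_RECORD = "v=spf1 ip4:34.193.244.109 include:gsa.gov ~all"
DMARC_RECORD = ("v=DMARC1; p=reject; fo=1; pct=100; ri=86400; "
                "rua=mailto:gsalogin@rua.agari.com,mailto:dmarcreports@gsa.gov,"
                "mailto:reports@dmarc.cyber.dhs.gov; "
                "ruf=mailto:gsalogin@ruf.agari.com,mailto:dmarcfailures@gsa.gov")


def parse_spf(record):
    """Return the SPF mechanisms/modifiers that follow the v=spf1 version tag."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    return terms[1:]


def check_spf(record, required_include=REQUIRED_INCLUDE):
    """List the ways an SPF record falls short; an empty list means it passes."""
    findings = []
    try:
        mechs = parse_spf(record)
    except ValueError as exc:
        return [str(exc)]
    if f"include:{required_include}" not in mechs:
        findings.append(f"missing include:{required_include}")
    # The final 'all' mechanism decides what happens to unlisted senders; anything
    # other than ~all (softfail) or -all (fail) authorizes the whole Internet.
    last = mechs[-1] if mechs else ""
    if last not in ("~all", "-all"):
        findings.append("record must end with ~all or -all")
    return findings


def parse_dmarc(record):
    """Split 'tag=value; tag=value' into a dict keyed by lower-cased tag name."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        tag, _, value = part.partition("=")
        tags[tag.strip().lower()] = value.strip()
    return tags


def check_dmarc(record):
    """List the ways a DMARC record falls short of BOD 18-01; empty means it passes."""
    findings = []
    tags = parse_dmarc(record)
    if tags.get("v") != "DMARC1":
        findings.append("missing v=DMARC1")
    if tags.get("p") != "reject":
        findings.append(f"policy must be reject, got {tags.get('p')!r}")
    # pct defaults to 100 when absent (RFC 7489); anything lower only samples mail.
    if tags.get("pct", "100") != "100":
        findings.append(f"pct must be 100, got {tags['pct']!r}")
    rua = [addr.strip() for addr in tags.get("rua", "").split(",") if addr.strip()]
    if BOD_RUA not in rua:
        findings.append(f"rua must include {BOD_RUA}")
    return findings


def sender_domain_aligned(from_addr, domain=DOMAIN):
    """True when the From address belongs to the domain whose SPF/DMARC we publish.
    Mail From localhost or the BSP hostname fails here: the SPF record above only
    authorizes smtp.gsa.gov for data.gov, so those senders cannot align."""
    _, _, sender_domain = from_addr.rpartition("@")
    return sender_domain.lower() == domain


def audit(spf_record=SPF_RECORD, dmarc_record=DMARC_RECORD):
    """Run both checks and return their findings as one report."""
    return {"spf": check_spf(spf_record), "dmarc": check_dmarc(dmarc_record)}


if __name__ == "__main__":
    for name, findings in audit().items():
        print(name, "OK" if not findings else "; ".join(findings))
    for addr in ("noreply@data.gov", "root@localhost"):
        print(addr, "aligned" if sender_domain_aligned(addr) else "not aligned")
```

Run it after any DNS change (or from a scheduled job that fetches the live TXT records) and treat a non-empty finding list as a regression against BOD 18-01; the checks are deliberately strict, so a record that weakens `p` to `quarantine` or `none`, samples with `pct`, or drops the DHS `rua` address is reported rather than tolerated.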
We use Agari, provided through TTS (see #admins-dmarc), which processes DMARC aggregate and forensic reports. See @adborden for access.
DKIM is not implemented.
Note: since GSA also does not implement DKIM, I suspect smtp.gsa.gov would not be able to support DKIM for data.gov.