Roundup Tracker - Issues

Issue 2551388

Title: SPF softfail for emails from issues.roundup-tracker.org
Type: behavior
Severity: normal
Components: Infrastructure
Versions:
Status: open
Assigned To: rouilj
Nosy List: EWDurbin, cmeerw, rouilj
Priority:

Created on 2025-01-11 09:32 by cmeerw, last changed 2025-01-17 14:14 by EWDurbin.

Messages
msg8254 Author: [hidden] (cmeerw) Date: 2025-01-11 09:32
emails from this roundup instance fail SPF checks:

emails have an envelope-from of <roundup-admin@python.org>, but the SPF policy for 
python.org does not allow emails to be sent from that server:

  H=bugs.nyc1.psf.io [167.71.181.142] Warning: SPF softfail

SPF record currently shows:

  v=spf1 mx a:mail.wooz.org ip4:188.166.95.178/32 ip6:2a03:b0c0:2:d0::71:1 include:stspg-customer.com include:_spf.google.com include:mailgun.org ~all
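The softfail in the quoted warning follows from evaluating python.org's SPF record against the sending IP: no mechanism matches 167.71.181.142, so the final ~all applies. As an added example (not code from this issue or from Roundup), here is a minimal SPF evaluator run offline against a constructed DNS stub holding the records quoted in this thread; the MX/A hosts and the included domains' own SPF records are assumptions.

```python
import ipaddress

# Constructed, offline stand-in for DNS. The python.org SPF record, the corrected
# roundup-tracker.org record and the sending IP are the ones quoted in this issue;
# MX/A hosts and the included domains' SPF records are assumptions (TEST-NET ranges).
DNS = {
    ("python.org", "TXT"): ["v=spf1 mx a:mail.wooz.org ip4:188.166.95.178/32 "
                            "ip6:2a03:b0c0:2:d0::71:1 include:stspg-customer.com "
                            "include:_spf.google.com include:mailgun.org ~all"],
    ("python.org", "MX"): ["mail.python.org"],
    ("mail.python.org", "A"): ["188.166.95.178"],
    ("mail.wooz.org", "A"): ["203.0.113.10"],
    ("stspg-customer.com", "TXT"): ["v=spf1 ip4:192.0.2.0/24 -all"],
    ("_spf.google.com", "TXT"): ["v=spf1 ip4:203.0.113.0/25 ~all"],
    ("mailgun.org", "TXT"): ["v=spf1 ip4:198.51.100.0/24 ~all"],
    ("roundup-tracker.org", "TXT"): ["v=spf1 include:mailgun.org ~all"],
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def lookup(name, rtype):
    return DNS.get((name.lower(), rtype), [])

def host_has_ip(host, addr):
    return str(addr) in lookup(host, "A") + lookup(host, "AAAA")

def check_spf(ip, domain, depth=0):
    """Minimal RFC 7208 check_host(): ip4, ip6, a, mx, include and all only.
    Modifiers (redirect=, exp=) are skipped rather than followed."""
    if depth > 10: return "permerror"  # RFC 7208 limits DNS-querying terms to 10
    records = [r for r in lookup(domain, "TXT") if r.lower().split()[:1] == ["v=spf1"]]
    if len(records) != 1:
        return "none" if not records else "permerror"
    addr = ipaddress.ip_address(ip)
    for term in records[0].split()[1:]:
        if "=" in term: continue  # a modifier, not a mechanism
        qual = "+"  # the default qualifier means "pass"
        if term[0] in QUALIFIERS: qual, term = term[0], term[1:]
        mech, _, arg = term.lower().partition(":")
        if mech == "all":
            matched = True
        elif mech in ("ip4", "ip6"):  # a v4 address never matches an ip6 network
            matched = addr in ipaddress.ip_network(arg, strict=False)
        elif mech == "a":
            matched = host_has_ip(arg or domain, addr)
        elif mech == "mx":
            matched = any(host_has_ip(mx, addr) for mx in lookup(arg or domain, "MX"))
        elif mech == "include":
            matched = check_spf(ip, arg, depth + 1) == "pass"
        else:
            return "permerror"  # unknown mechanism
        if matched:
            return QUALIFIERS[qual]
    return "neutral"  # no mechanism matched and there was no "all" term
```

Running it for the tracker host against python.org gives "softfail", exactly the result the MTA warning reports, while the same host evaluated against the corrected roundup-tracker.org record only passes once mail actually leaves via mailgun's range.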
msg8256 Author: [hidden] (rouilj) Date: 2025-01-11 17:18
Hi Christof:

I opened https://github.com/python/psf-salt/issues/546 and pinged EE Durbin on IRC.

PSF doesn't use roundup anymore but they are still nice enough to host our tracker.
I don't know if this host sends other email, so this might be intentional.
msg8258 Author: [hidden] (cmeerw) Date: 2025-01-11 18:03
Maybe instead of changing the SPF record for python.org, the envelope from for these emails 
should be changed to something @roundup-tracker.org (and changing the SPF record for roundup-tracker)?
msg8259 Author: [hidden] (rouilj) Date: 2025-01-11 19:16
Hi Christof:

[changing envelope address away from psf.org to roundup-tracker.org]

That's possible I think. But we are trying to not be a burden on them.
They have a small team and it's overworked. However, my guess is that the
psf maintainers would like less spam from the roundup tracker. Also they
would not miss my occasionally asking them for an error email.

Currently roundup-tracker.org's MX points to bugs.python.org. So it would
be a bit involved as roundup has no smtp assets of its own, so we would
still need to piggyback on PSF. They maintain their systems via salt and
I would need to figure out how to inject a
roundup-tracker-admin@issues.roundup-tracker.org or some such alias, but
that might also need their help.

What's interesting is roundup-tracker.org's spf is:

   ip4:66.96.140.128.0/18

which is some net range that seems vaguely familiar, but I can't place it.
I wonder if it was the old PSF psf.upfronthosting.co.za infrastructure
IP range. At the very least, it should be changed to some address we
currently have use of.
msg8274 Author: [hidden] (EWDurbin) Date: 2025-01-15 13:33
We've updated the email configuration to send via our mailgun account.

I tested each instance by issuing a password reset, and see SPF and DKIM both being PASS.

This should be resolved.
msg8275 Author: [hidden] (EWDurbin) Date: 2025-01-15 13:35
Hm, password reset emails are fine, but the emails from this message came through as a DKIM fail... looking closer.
msg8276 Author: [hidden] (EWDurbin) Date: 2025-01-15 13:46
Reverted to using the previous configuration for now.

Seems like a good option is adding a roundup-tracker.org configuration to our mailgun account, which would just require a couple DNS 
entries to be added on the zone:

smtp._domainkey.roundup-tracker.org IN TXT k=rsa; 
p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAyKRxsc7RPZD6wH83707zeLF21mtQWjxKc9Bb8DhqWBQ4U3jQEf/xiMK3pLl
gcMhNspeWywTgwTv80xczsFyqiU6aULQZZSemY3abRsPbic7XwTXku3U3pUp8l6FGgC3i+NCIHNpE+p53maziKfAB7kWb0VgjYbbpsm+1
sWcSEilYWgAccI9HyZmsWirl5ipA3mPDBmheLdv8v2xshepWN4xLplPd4aoAMpDjYvmtd/UEnlnj73zJUyfJNxyCt9P+Xz7eKBgJ7Z1KHRQF
3tON3HgYHbhr5Ddq/bT8GpjMPVMu/7m7WmKxgLVJB6FntI06wRuXsgBSsMxlvOLZ1r0vHwIDAQAB
roundup-tracker.org IN TXT v=spf1 include:mailgun.org ~all
email.roundup-tracker.org IN CNAME mailgun.org

Then we could configure all emails from the instance to send on the roundup-tracker.org domain only (remove all references to 
python.org), leaving MX records as is to allow the email gateway to continue working.
msg8277 Author: [hidden] (rouilj) Date: 2025-01-15 14:13
Hi Ee:

I'll work on getting those 3 dns records changed/added.

-- rouilj
msg8278 Author: [hidden] (rouilj) Date: 2025-01-15 14:34
Ee:

Just a couple of questions in case my DNS admin has them:

  1) is there a recommended TTL on the dkim record? I think our default is 3600
  2) I have seen DKIM records that have a leftmost DNS name that is related to the
     email provider. I think this is to allow multiple DKIM signed providers
     A._domainkey, B._domainkey .... We have no plans on changing to multiple
     providers, but I just wanted to make sure that a generic "smtp" was the correct
     value since smtp._domainkey.python.org doesn't resolve as a TXT record.

Also Thomas Waldman, in case you are reading this, please remove the existing
SPF record with a:mail.wooz.org in it.

Thanks.
msg8279 Author: [hidden] (EWDurbin) Date: 2025-01-15 14:38
1) 3600 is fine
2) That's the record generated by mailgun by default. But good catch. Use below instead:

mailgun._domainkey.roundup-tracker.org IN TXT k=rsa; 
p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAt+atQsfTUo23u2T8mDwVe6oM42ZTKM0gmmM7dzKJUUdvSnBaXd+Xr
lEc69wYDWplbrEtVFmsCZ36l+JRIbEGGnzu+jpFr9aSOoR9+khptcHFUyaE0U8UZtqEnYs0UPLnGjxIgmEH+t1lIgSlJMAbMrNTRNW1y
QPx6SIdPR5XaXJaACEzrbPv0ZD73U1f66Fs/MPVHKKeW6WX0bh9sxBZP0/XQ3Qnw2+adEJh33SXf8zMlKT3Fvevv9txxdRd3q3X+u
m/9eJnrCf4OqQseUlzrOi6SQvG3EaVEW/3l9Q7/8RpU116OFcEtIooRZ2ktCmWuft3qOakq/neMzK2Lz15ywIDAQAB
msg8281 Author: [hidden] (rouilj) Date: 2025-01-15 21:24
> 2) That's the record generated by mailgun by default. But good catch. Use below instead:

I still have my moments, that's what 20+ years as a sysadmin will do.

I have forwarded this on. Thanks.
msg8284 Author: [hidden] (rouilj) Date: 2025-01-17 00:50
Ee, I am AFK all day tomorrow, but the DNS record info is done.

$ delv -i roundup-tracker.org TXT
roundup-tracker.org.    370     IN      TXT     "v=spf1 include:mailgun.org ~all"

$ delv -i email.roundup-tracker.org
email.roundup-tracker.org. 326  IN      CNAME   mailgun.org.
mailgun.org.            299     IN      A       34.102.239.211

$  delv -i mailgun._domainkey.roundup-tracker.org TXT
mailgun._domainkey.roundup-tracker.org. 332 IN TXT 
"k=rsa;p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAt+atQsfTUo23u2T8mDwVe6oM42ZTKM0gmmM7d
zKJUUdvSnBaXd+XrlEc69wYDWplbrEtVFmsCZ36l+JRIbEGGnzu+jpFr9aSOoR9+khptcHFUyaE0U8UZtqEnYs0UPL
nGjxIgmEH+t1lIgSlJMAbMrNTRNW1yQPx6SIdPR5XaXJaACEzrbPv0ZD73U1f66Fs/MPVHKKeW6W" 
"X0bh9sxBZP0/XQ3Qnw2+adEJh33SXf8zMlKT3Fvevv9txxdRd3q3X+um/9eJnrCf4OqQseUlzrOi6SQvG4EaVEW/3
l9Q7/8RpU116OFcEtIooRZ2ktCmWuft3qOakq/neMzK2Lz15ywIDAQAB"

I'll have Thomas update these with a TTL of 3600. It looks like it is at 600 currently.
msg8285 Author: [hidden] (EWDurbin) Date: 2025-01-17 14:14
I see the records, but unfortunately mailgun refuses to validate for sending due to the silliest little difference (missing white space 
after the semicolon):

-k=rsa; p=MIIBIjANBg...
+k=rsa;p=MIIBIjANBg...

Once that's cleared up we can proceed.
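The delv output above prints the key as two quoted strings, and Mailgun's validation compared the record byte for byte, so "k=rsa;p=" and "k=rsa; p=" were treated as different even though RFC 6376 treats the whitespace as insignificant. As an added illustration (not code from this thread, Roundup or Mailgun), this joins the split TXT strings, parses the tag-list per RFC 6376, and reports a literal comparison and a tag-level comparison separately; the sample records and the short placeholder key are constructed.

```python
import base64
import re

def join_txt_strings(rdata):
    """Concatenate the quoted <character-string>s of a TXT RDATA as dig/delv print
    it ('"abc" "def"' -> 'abcdef'). Each string is capped at 255 bytes, which is why
    a 2048-bit DKIM key comes back split in two and must be joined before parsing."""
    return "".join(re.findall(r'"((?:[^"\\]|\\.)*)"', rdata))

def parse_dkim_tags(txt):
    """Parse an RFC 6376 tag-list. Whitespace around '=' and after ';' is folding
    whitespace and carries no meaning, so 'k=rsa; p=...' and 'k=rsa;p=...' yield
    the same tags; whitespace inside the base64 of p= is likewise ignored."""
    tags = {}
    for item in txt.split(";"):
        if not item.strip():
            continue  # tolerate a trailing ';'
        name, sep, value = item.partition("=")
        if not sep:
            raise ValueError(f"malformed DKIM tag: {item!r}")
        name = name.strip()
        tags[name] = re.sub(r"\s+", "", value) if name == "p" else value.strip()
    return tags

def check_published(expected_txt, published_rdata):
    """Compare the record a provider asked for with what DNS now serves.
    Returns (literal_match, tag_match, key_decodes): a provider that compares
    bytes needs the first, a standards-conformant verifier only the second."""
    published = join_txt_strings(published_rdata)
    exp_tags, pub_tags = parse_dkim_tags(expected_txt), parse_dkim_tags(published)
    try:  # sanity check: p= is base64 of a DER SubjectPublicKeyInfo (SEQUENCE, 0x30)
        der = base64.b64decode(pub_tags.get("p", ""), validate=True)
        key_decodes = len(der) > 0 and der[0] == 0x30
    except ValueError:  # binascii.Error is a ValueError subclass
        key_decodes = False
    return expected_txt == published, exp_tags == pub_tags, key_decodes

# Constructed sample records (placeholder key, not the tracker's real one).
EXPECTED = "k=rsa; p=MAMCAQU="
PUBLISHED_WITH_SPACE = '"k=rsa; p=MAMC" "AQU="'
PUBLISHED_NO_SPACE = '"k=rsa;p=MAMC" "AQU="'
```

For the no-space record the tag-level comparison passes while the literal one fails, which is the situation the last message describes; a key that actually differs fails both.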
History

Date                 User      Action  Args
2025-01-17 14:14:07  EWDurbin  set     messages: + msg8285
2025-01-17 00:50:28  rouilj    set     messages: + msg8284
2025-01-15 21:24:38  rouilj    set     status: new -> open; assignee: rouilj; messages: + msg8281
2025-01-15 14:38:25  EWDurbin  set     messages: + msg8279
2025-01-15 14:34:41  rouilj    set     messages: + msg8278
2025-01-15 14:13:03  rouilj    set     messages: + msg8277
2025-01-15 13:46:53  EWDurbin  set     messages: + msg8276
2025-01-15 13:35:27  EWDurbin  set     messages: + msg8275
2025-01-15 13:33:36  EWDurbin  set     nosy: + EWDurbin; messages: + msg8274
2025-01-11 19:16:45  rouilj    set     messages: + msg8259
2025-01-11 18:03:22  cmeerw    set     messages: + msg8258
2025-01-11 17:18:27  rouilj    set     nosy: + rouilj; messages: + msg8256
2025-01-11 09:32:24  cmeerw    create