4458: Emails from rbcommons are always ending up caught in spam filters due to DMARC


What version are you running?


What's the URL of the page containing the problem?

Its not in a page, its in your service that sends emails after any update to an rbcommons issue.

What steps will reproduce the problem?

  1. Work for a company that has turend on DMARC support
  2. Edit a review in rbcomomons and publish it
  3. The emails sent from rbcommons to pants-reviews@googlegroups.com get held up as spam

What is the expected output? What do you see instead?

I expect that updates to isses in rbcommons get forwarded on to the googlegroups mailing list, but they don't.

What operating system are you using? What browser?

Please provide any additional information below.

My understanding is that the problem is that these emails look like spam because they say they are 'From: zundel@squareup.com' but they aren't originating from square's email server.

This issue now impacts every email sent from rbcommons that tries to impersonate a square or twitter email address.

Essentially, these emails shouldn't be impersonating another user - you can use Reply-To: to say where followups should go, but the From: should be from something like noreply@rbcommons.com

This is from our email admin at Square:

DMARC enables the protection of email sending domains from from address impersonation. DMARC builds on existing technologies SPF and DKIM by publishing a policy that instructs Email Service Providers (ESPs) what to do if email authentication requirements are not met. This allows entities to control their email sending domains reputations and protect Square, our employees, partners, merchants, and customers from spoofed email of all kinds.

DMARC also stops 3rd party services from sending email on our behalf without our express permission to do so. This includes forums and other communities that commonly spoof the from address when sending transactional emails generated by user interaction. As DMARC becomes adopted more broadly we will start to see communities protecting their email using DMARC and sending transactional emails from an address that looks like noreply@exampleforumcommunity.com or user@exampleforumcommunity.com so everyone who interacts with that community knows the email being sent by that community is an authenticated email and not a spoofed email sent by phishers. This also helps cut down tremendously on spam scanning resources as authenticating email is far cheaper than the compute cycles used for heuristic based spam scanning.

For details on any of these technologies please refer to their websites.


If you give me an email addres to send it to you, I will forward this thread to you.

noreply-spamdigest via Pants Reviews
Aug 5

to Spam
This message is being sent to you because you are a moderator of the group pants-reviews.

The following suspicious messages were sent to your group, but are being held in your moderation queue because they are classified as likely spam messages.

If you take no action, all the messages below will be discarded automatically as spam.

However, if you see any messages that are not spam below, you may approve them individually by going to:


Please do not mark this notification as spam; this is a service for group moderators. If you do not wish to receive these notifications in the future, you may change your preferences by going to:


------- 1 of 1 -------
Subject: Re: Review Request 4139: Prepare for the 1.2.0-dev2 release.
From: Eric Ayers zundel@squareup.com
Date: Aug 05 04:21PM

This is an automatically generated e-mail. To reply, visit:

Approve: http://groups.google.com/group/pants-reviews/pendmsg?view=full&pending_id=4287232110848054809

For more information about this message, please visit:

John Sirois
Aug 7

to me, Benjy
I'm not finding the language, but my guess is squareup now has twitter issues - the tweeps all had to switch to personal gmail.com or other accounts long ago.

Benjy Weinberger
Aug 7

to John, me
Sigh, thanks Google!

John Sirois
Aug 7

to Benjy, me
If you have access to your DNS config repo history or know the right folks, my last investigation at Twitter pretty well narrowed it down to these records:
$ dig +short txt squareup.com
"v=spf1 include:squareup.com._nspf.vali.email include:%{i}._ip.%{h}._ehlo.%{d}._spf.vali.email ~all"

They have something to do with domain verification for sent mail, and the rbcommons sender trips up alarm bells in the scheme.

John Sirois
Aug 7

to Benjy, me
Basically, you may or may not be able to get someone to change the spf1 rules to include rbcommons as a sender if they think this is sane - they probably won't. The 1st include is easy to follow and looks like it starts with "no one is valid" as the basis:
$ dig +short txt squareup.com._nspf.vali.email
"v=spf1 -all"

I'm less clear on how the substitutions work in the second include, which would be the important one fwict for adding in allowed domains.

#1 chipx86

Hi Eric,

Can you reach out to us on our support address for RBCommons (support@beanbaginc.com)? This bug tracker is for the open source products. We can work with you more on there.

#2 chipx86
  • -New
  • +djblets:Release-0.9.x
  • +Component:EMail
  • +chipx86
#3 chipx86

Fixed on release-2.5.x (0d0fde26f17bc6b0f4abac5dc1acbefdae25a5a0)

  • -PendingReview