Type: Bug
Resolution: Won't Fix
Priority: Normal
Affects Version/s: None
Component/s: Emails

While fiddling with my personal domain's email configuration, I've noticed that MusicBrainz appears to be sending some email messages in a way that might be rejected by strict DMARC configurations.
I don't send email via Google (although I still have it listed in SPF/DKIM records for legacy reasons), but I've noticed that the DMARC reports that I'm receiving indicate that a few messages are being sent on behalf of my domain from Google IPs like 209.85.220.69 and 209.85.220.41.
Looking into the reports in more detail, the messages are being sent by MetaBrainz:
[
  {
    "spf_result": "pass",
    "header_from": "erat.org",
    "source_ip_version": 4,
    "dkim_domain": "metabrainz.org",
    "report_id": 1135933657,
    "policy_evaluated_disposition": "none",
    "source_ip": "209.85.220.69",
    "policy_evaluated_spf": "fail",
    "policy_evaluated_reason_type": "local_policy",
    "top_private_domain_name": "google.com",
    "count": 3,
    "row_num": 3,
    "record_id": 364365,
    "host_name": "mail-sor-f69.google.com.",
    "spf_domain": "metabrainz.org",
    "created_at": "2025-05-05T00:55:05Z",
    "dkim_result": "pass",
    "policy_evaluated_dkim": "fail",
    "policy_evaluated_reason_comment": "arc=pass"
  },
  {
    "spf_result": "pass",
    "header_from": "erat.org",
    "source_ip_version": 4,
    "dkim_domain": "metabrainz.org",
    "report_id": 1135933657,
    "policy_evaluated_disposition": "none",
    "source_ip": "209.85.220.41",
    "policy_evaluated_spf": "fail",
    "policy_evaluated_reason_type": "local_policy",
    "top_private_domain_name": "google.com",
    "count": 1,
    "row_num": 4,
    "record_id": 364365,
    "host_name": "mail-sor-f41.google.com.",
    "spf_domain": "metabrainz.org",
    "created_at": "2025-05-05T00:55:05Z",
    "dkim_result": "pass",
    "policy_evaluated_dkim": "fail",
    "policy_evaluated_reason_comment": "arc=pass"
  }
]
I'm no DMARC expert, but I think that this is saying that SPF and DKIM checks passed, but DMARC alignment failed due to the RFC5322.From (From: header) domain being erat.org but the RFC5321.MailFrom (envelope sender, Return-Path) domain and DKIM signature being metabrainz.org.
This seems similar to MBS-8401 (fixed in 2015 by https://bitbucket.org/metabrainz/musicbrainz-server/pull-requests/1588/overview), but I don't see any places in lib/MusicBrainz/Server/Email.pm where user email addresses would still be used as From: header addresses.
The above DMARC report is from Google and describes messages sent to other people, not to me, so I don't think there's any way for me to figure out what the messages were. Are there logs on the MeB side where you can see which messages might've been sent on behalf of my account on 2025-05-05 (UTC, I assume)?
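The following is an added example, not part of the original report or of MusicBrainz's code. It recomputes the DMARC-aligned SPF and DKIM results for rows in the flattened report format shown above, to show why an authenticated message can still fail DMARC. The second sample row, the two-label `org_domain` shortcut, and all function names are assumptions made for illustration.

```python
import json

# Constructed sample rows using field names from the report above.
# Row 0 mirrors the reported case; row 1 is invented for contrast.
ROWS = json.loads("""[
  {"header_from": "erat.org", "source_ip": "209.85.220.69", "count": 3,
   "spf_result": "pass", "spf_domain": "metabrainz.org",
   "dkim_result": "pass", "dkim_domain": "metabrainz.org"},
  {"header_from": "example.org", "source_ip": "192.0.2.10", "count": 2,
   "spf_result": "pass", "spf_domain": "bounce.example.org",
   "dkim_result": "fail", "dkim_domain": "example.org"}
]""")

def org_domain(name):
    # Assumption: the last two labels are the organizational domain.
    # Real evaluators use the Public Suffix List (needed for e.g. co.uk).
    return ".".join(name.rstrip(".").lower().split(".")[-2:])

def aligned(auth_domain, header_from, strict=False):
    # Strict alignment needs an exact match; relaxed alignment only
    # needs the same organizational domain.
    a = auth_domain.rstrip(".").lower()
    h = header_from.rstrip(".").lower()
    return a == h if strict else org_domain(a) == org_domain(h)

def evaluate(row, strict=False):
    """Return per-mechanism DMARC results plus the overall verdict."""
    verdict = {}
    for mech in ("spf", "dkim"):
        authed = row[f"{mech}_result"] == "pass"
        in_line = aligned(row[f"{mech}_domain"], row["header_from"], strict)
        if authed and in_line:
            verdict[mech] = "pass"
        elif authed:
            verdict[mech] = ("fail (authenticated as %s, not aligned)"
                             % row[f"{mech}_domain"])
        else:
            verdict[mech] = "fail (authentication failed)"
    # DMARC passes if at least one mechanism passes with alignment.
    passed = "pass" in (verdict["spf"], verdict["dkim"])
    verdict["dmarc"] = "pass" if passed else "fail"
    return verdict

if __name__ == "__main__":
    for row in ROWS:
        print(row["header_from"], row["source_ip"], evaluate(row))
```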