[wp-trac] [WordPress Trac] #60420: Default wordpress at site.com sender address can be problematic

[WordPress Trac]

#60420: Default wordpress at site.com sender address can be problematic
-----------------------------+------------------------------
 Reporter:  thinlinecz       |       Owner:  (none)
     Type:  feature request  |      Status:  reopened
 Priority:  normal           |   Milestone:  Awaiting Review
Component:  Mail             |     Version:  1.5.1.2
 Severity:  normal           |  Resolution:
 Keywords:  close            |     Focuses:
-----------------------------+------------------------------

Comment (by SirLouen):

 Replying to [comment:33 michael.orlitzky]:
 > This could be OK if the docs are accurate, but the suggestions I've seen
 so far are testing and suggesting the wrong things. If
 `wordpress@$SERVER_NAME` exists and if you can send mail to it, that means
 nothing. And conversely, if you cannot deliver mail to
 `wordpress@$SERVER_NAME`, that also means nothing.

 I think we are mixing ideas. I know I'm not going to convince you because
 you want the change. But at least I want to let you understand why your
 the current state is not so terrible as you think.

 1. The basic testing for the validation that @knutsp was suggesting is
 only useful for the `Reply-To` part. Making users aware through a check
 that the Reply-To is, by default, configured to `wordpress at hostname`. It
 is not a matter of email authentication; it's just a sanity check that is
 not even reliable but at least could be a heads-up (and not the sole
 check; again, refer to #62129 for more info).

 2. About the DKIM part you have mentioned multiple times, you have to be
 aware that DKIM is simply an integrity authentication check. It only
 checks if the content has not been made up and is coming from who says to
 be the trusted source. This is 100% mail-server-side, nothing to do with
 WP.

 3. About the SPF, here is the tricky part. You could perfectly have the
 SPF with a subdomain or even your domain configured to the IP of the
 server. The HIPAA guy's or whoever you are working with might whitelist in
 their SPF record for the IP of your server, and things will go fine. The
 local part (`wordpress`) is completely irrelevant when we talk about the
 SPF check. For the DMARC check, you only need to make sure that the
 `From:` part is the same as the delivery server hostname. And since WP is
 taking by default the hostname of the site, it will always match (unless
 certain weird scenarios with certain mail servers, but this is another
 story).

 4. Finally, let's say that they don't want to configure the SPF record,
 and you have to relay through another domain. Let's be clear: if you have
 to do this, you are a pro.

 > I'm happy patching WP, but no, I don't share your optimism that normal
 users

 You are not a “normal user”. Here you fall into the category of “pro
 users”, and pro users are directed to the Administration Handbook, and
 it's not crazy that they are instructed on the use of simple hooks.

 And I see you overly worried about such "normal users", but the average
 Joe is not going to have any troubles with the current state of the art as
 long as they configure their server correctly to present their DKIM keys
 accordingly and have their DNS records set-up orderly for SPF, DMARC, and
 DKIM. Are they using email from both O365 and their WordPress site? Just
 configure their SPF whitelisting both addresses. Do they need to correctly
 DKIM sign their sent emails? Configure two DKIM selectors in the DNS, one
 per server. Basic mail administration.

 Do they need to configure another domain or subdomain for their WP server?
 Again: You are a Pro. You are not a "basic user." I have to leave this
 clear.

 And for the 80% of the SMB users who are simply dependent on their
 cPanel/Plesk/DirectAdmin/Hosting panel just hang with a domain that
 happens to be managed by the same people that provide them email, backups,
 email marketing, and maybe an SEO package. These guys won't care more
 about anything but the fact that they receive the replies to the sender's
 email in an inbox they control and they don't lose communication with
 their clients/partners/subscribers/friends.

 From here I don't really know where the conversation could lead, but keep
 moving in circles. I can explain if there are more doubts, or if there are
 more edge-case scenarios, but for this to be useful, there should be more
 proposals apart from the ones commented (health check, docs, a possible
 canonical plugin) and rejected (new fields on the admin interface).

-- 
Ticket URL: <https://core.trac.wordpress.org/ticket/60420#comment:34>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform