Configure authentication checks on incoming email

As of this commit, Discourse now supports parsing the Authentication-Results header of incoming emails. This header contains information about whether we can trust that an email is actually coming from the person who claims to be sending it.

At the moment, Discourse just parses the DMARC results of a message. This header also includes SPF and DKIM records (which are required for DMARC to function). These acronyms should be familiar to you if you’ve set up outgoing email on your Discourse instance, as they’re required to ensure proper delivery of your email notifications. We’re using these same methods that external services use to ensure that email claiming to be from your Discourse instance actually is from your Discourse instance, to ensure that email claiming to be from external services is actually coming from those external services.

:warning: Configuring the authserv-id :warning:

For this all to function correctly you need to set the authserv-id of your incoming email processor in the email_in_authserv_id setting.

If your service isn’t in the “well known values” list below, then you’ll have to do some manual parsing of incoming email to work out the correct setting. The best way to do this is to send an email to your Discourse instance yourself, since you can then trust that it was really you who sent it, and you haven’t forged any of the email headers.

Open the raw email in Discourse, then search for the line starting Authentication-Results:, the domain you see between the : and ; is the authserv-id.

As an example:


Then copy this value (without the ;) into your email_in_authserv_id setting, and you’re good to go!

Well known values:

If you use one of these services, copy the value into your email_in_authserv_id setting to enable authentication checks on incoming email:

  • Gmail/G Suite:
  • Amazon SES:

Open the raw email in Discourse, then…

Could someone tell me how I can do this please?

Settings>Email>Received only allows to see the subject of the mail after sending the mail to as in this thread.

Go to Settings>Email>Rejected. Clicking on the error message gives everything.

1 Like

Are these instructions still accurate? I have no Authentication-Results: line in the headers of test (rejected) incoming emails. All my SPF/DKIM/DMARC settings seem to check out elsewhere, so I’m not sure if I’m missing something.