Configuring authentication checks on incoming email

As of this commit, Discourse now supports parsing the Authentication-Results header of incoming emails. This header contains information about whether we can trust that an email is actually coming from the person who claims to be sending it.

At the moment, Discourse only parses the DMARC results of a message. This header also includes SPF and DKIM results (which are required for DMARC to function). These acronyms should be familiar to you if you’ve set up outgoing email on your Discourse instance, as they’re required to ensure proper delivery of your email notifications. External services use these methods to check that email claiming to be from your Discourse instance actually is from your Discourse instance; we’re using the same methods to check that email claiming to be from external services is actually coming from those external services.

:warning: Configuring the authserv-id :warning:

For this all to function correctly you need to set the authserv-id of your incoming email processor in the email_in_authserv_id setting.

If your service isn’t in the “well known values” list below, then you’ll have to do some manual parsing of incoming email to work out the correct setting. The best way to do this is to send an email to your Discourse instance yourself, since you can then trust that it was really you who sent it, and you haven’t forged any of the email headers.

Open the raw email in Discourse, then search for the line starting with Authentication-Results:. The domain you see between the : and the ; is the authserv-id.

As an example:

Authentication-Results: amazonses.com;

Then copy this value (without the ;) into your email_in_authserv_id setting, and you’re good to go!

Well known values:

  • Gmail/G Suite: mx.google.com
  • Amazon SES: amazonses.com
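Why the setting matters, shown as an added example in Ruby that is not Discourse's own code: a sender can put an Authentication-Results header of their own into a message, so only a header stamped with the configured authserv-id should be believed. The sample message, the forged.example identifier and the function names are constructed for illustration.

```ruby
# Added illustration, not Discourse's implementation.

# Unfold folded header lines and return [name, value] pairs in order.
def parse_headers(raw)
  head = raw.split(/\r?\n\r?\n/, 2).first.to_s
  unfolded = head.gsub(/\r?\n[ \t]+/, " ")
  unfolded.split(/\r?\n/).filter_map do |line|
    name, value = line.split(":", 2)
    [name.strip.downcase, value.strip] if value
  end
end

# Split one Authentication-Results value into authserv-id and method results.
def parse_auth_results(value)
  value = value.gsub(/\([^()]*\)/, " ") # drop (comments)
  id_part, *resinfo = value.split(";")
  authserv_id = id_part.to_s.split.first.to_s.downcase # ignore optional version
  results = {}
  resinfo.each do |r|
    m = r.match(/\A\s*([a-z0-9-]+)\s*=\s*([a-z]+)/i)
    results[m[1].downcase] ||= m[2].downcase if m
  end
  { authserv_id: authserv_id, results: results }
end

# DMARC verdict taken only from headers whose authserv-id matches the
# trusted one; the topmost match wins. Returns nil if there is none.
def trusted_dmarc(raw, trusted_id)
  parse_headers(raw)
    .select { |name, _| name == "authentication-results" }
    .map { |_, value| parse_auth_results(value) }
    .select { |ar| ar[:authserv_id] == trusted_id.downcase }
    .map { |ar| ar[:results]["dmarc"] }
    .compact.first
end

# Constructed sample: one header from the receiving service, one forged.
SAMPLE = <<~EML
  Authentication-Results: amazonses.com;
   spf=pass (spfCheck: domain of example.org designates 192.0.2.1 as permitted sender) smtp.mailfrom=example.org;
   dmarc=fail header.from=example.org
  Authentication-Results: forged.example; dmarc=pass header.from=example.org
  From: someone@example.org
  Subject: constructed sample

  body
EML

puts trusted_dmarc(SAMPLE, "amazonses.com")
```

With the wrong authserv-id configured, the genuine verdict is ignored, and with a sender-chosen one configured, the forged "pass" would be accepted.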