TPA-RFC-15: plan regarding mail standards (DKIM, SPF, DMARC)
I'm thinking of making a formal TPA-RFC to adopt SPF, DKIM and DMARC formally, and set a deployment plan on how to do this effectively. We can't, for example, deploy DKIM and SPF on @torproject.org without first providing a way for people to submit email through there, nor can we deploy DKIM on lists.tpo without first fixing DMARC handling on outgoing email.
This needs more work than what we currently have laid out in the roadmap.
This will probably require a TPA-RFC process (because it's a fairly radical change), but so far I'm just brainstorming here.
Known issues:
- Yahoo, state.gov, Gmail, Gmail again (from the roadmap item)
- Civi lacking entries (tpo/web/donate-static#15)
- complaints about lists.tpo lacking SPF/DKIM (#40347 (closed))
- DMARC and lists.tpo (#19914 (closed))
Interlocking issues:
- the submission mail server (#30608 (closed)) requires upgrades and changes to ud-ldap #40062 and #40182 (closed)
- general SPF deployment requires the submission mail server
- DKIM on lists.tpo (#40347 (closed)) requires DMARC workarounds (#40347 (closed))
- general DKIM deployment requires testing (e.g. on tpo/web/donate-static#15) and integration with DNS (how?)
- general DKIM deployment requires the submission mail server as well
- SPF and DKIM require DMARC to properly function
- DMARC requires a monitoring system to be effectively enabled (otherwise you might break legitimate emails going out and never know about it)
- in any case, we need end-to-end deliverability tests to see if measures we take have an impact, see #40494
The current situation is:
- no DKIM deployment, except bridgedb which verifies incoming DKIM signatures (but does nothing with it, actually)
- no SPF deployment, except on lists.tpo and crm.tpo
- no DMARC deployment or reporting
- no end-to-end deliverability testing, other than CiviCRM and Mailman internal monitoring systems and word-of-mouth
- most servers relay their mails through eugeni except bridges, gettor, GitLab, db.tpo (alberti), RT, submit-01 and CiviCRM (according to the profile::postfix Puppet class setting, which is also enabled by the profile::dovecot::private)
- we run restricted or "private" Dovecot servers (restricted to a single user) on only two servers (GitLab, CiviCRM), and such a configuration could be used to receive DMARC reports, for example... we also run an authentication-only (no mailbox or IMAP) Dovecot for SASL authentication in Postfix (on submit-01)
The task list here is:
- prepare a draft RFC to discuss inside TPA (done: TPA-RFC-15: https://gitlab.torproject.org/tpo/tpa/team/-/wikis/policy/tpa-rfc-15-email-services)
- complete the RFC after review (done, all TODO checked)
- review this ticket for comments
- do a final edit
- send to tor-internal for discussion
- make slides for the all hands presentation
- do a trial run of the presentation
- present a summary at the all hands
- another round of reviews after comments
- follow up on the decision after this (probably adding and sorting issues in %improve mail services)
Edited by anarcat
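The interlocking-issues list above makes the point that DMARC is only safe to enable once there is monitoring of the aggregate (RUA) reports, and that mailing-list relays and third-party senders show up in those reports as alignment failures. The following is an added example, not code from the issue author or from TPA: a small parser that reads a DMARC aggregate report (the XML format from RFC 7489, appendix C), applies strict or relaxed identifier alignment, and triages each sending source into "pass", "broken-signature" (our own DKIM signature was present but failed, the typical mailing-list symptom) or "unauthenticated" (nothing aligned with the From domain at all, a forwarder or a spoof). The report embedded in the block is constructed for the example; the domains example.org, lists.example.net and attacker.example are placeholders, and the organizational-domain helper is a simplification that does not consult the Public Suffix List.

```python
"""Triage a DMARC aggregate (RUA) report to find legitimate mail that fails alignment.

Added example for the TPA-RFC-15 discussion; not TPA code. The report below is
constructed, not a real report from any receiver.
"""
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sample: three sending sources seen by a hypothetical receiver for
# the hypothetical domain example.org, published with p=none (monitoring only).
SAMPLE_REPORT = """
<feedback>
  <report_metadata>
    <org_name>receiver.example</org_name>
    <report_id>constructed-0001</report_id>
    <date_range><begin>1700000000</begin><end>1700086400</end></date_range>
  </report_metadata>
  <policy_published>
    <domain>example.org</domain>
    <adkim>r</adkim><aspf>r</aspf>
    <p>none</p><sp>none</sp><pct>100</pct>
  </policy_published>
  <record>
    <row><source_ip>192.0.2.10</source_ip><count>120</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>example.org</header_from></identifiers>
    <auth_results>
      <dkim><domain>example.org</domain><result>pass</result></dkim>
      <spf><domain>example.org</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <record>
    <row><source_ip>198.51.100.7</source_ip><count>35</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.org</header_from></identifiers>
    <auth_results>
      <dkim><domain>example.org</domain><result>fail</result></dkim>
      <spf><domain>lists.example.net</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <record>
    <row><source_ip>203.0.113.99</source_ip><count>4</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.org</header_from></identifiers>
    <auth_results>
      <spf><domain>attacker.example</domain><result>pass</result></spf>
    </auth_results>
  </record>
</feedback>
"""


def org_domain(domain):
    """Approximate organizational domain: the last two labels.
    Assumption: no Public Suffix List, so multi-label suffixes (co.uk) are mishandled."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(header_from, auth_domain, mode):
    """DMARC identifier alignment: 's' needs an exact match, 'r' the same org domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return header_from.lower() == auth_domain.lower()
    return org_domain(header_from) == org_domain(auth_domain)


def _text(node, path, default=""):
    found = node.find(path)
    return found.text.strip() if found is not None and found.text else default


def parse_report(xml_text):
    """Extract the published policy and per-source auth results from a RUA report."""
    root = ET.fromstring(xml_text.strip())
    pol = root.find("policy_published")
    policy = {"domain": _text(pol, "domain"), "adkim": _text(pol, "adkim", "r"),
              "aspf": _text(pol, "aspf", "r"), "p": _text(pol, "p", "none")}
    records = []
    for rec in root.findall("record"):
        records.append({
            "source_ip": _text(rec, "row/source_ip"),
            "count": int(_text(rec, "row/count", "0")),
            "header_from": _text(rec, "identifiers/header_from"),
            "dkim": [(_text(d, "domain"), _text(d, "result")) for d in rec.findall("auth_results/dkim")],
            "spf": [(_text(s, "domain"), _text(s, "result")) for s in rec.findall("auth_results/spf")],
        })
    return {"policy": policy, "records": records}


def triage(report):
    """Classify each source: pass / broken-signature / unauthenticated."""
    pol, out = report["policy"], []
    for rec in report["records"]:
        hf = rec["header_from"]
        dkim_ok = any(r == "pass" and aligned(hf, d, pol["adkim"]) for d, r in rec["dkim"])
        spf_ok = any(r == "pass" and aligned(hf, d, pol["aspf"]) for d, r in rec["spf"])
        # An aligned DKIM domain that did NOT verify means our signature was there but
        # the message was altered in transit (list footers, subject tags, re-encoding).
        own_sig_broken = any(r != "pass" and aligned(hf, d, pol["adkim"]) for d, r in rec["dkim"])
        verdict = "pass" if (dkim_ok or spf_ok) else ("broken-signature" if own_sig_broken else "unauthenticated")
        out.append({"source_ip": rec["source_ip"], "count": rec["count"], "verdict": verdict})
    return out


def summarize(report):
    """Message counts per verdict; what a monitoring job would alert on before moving off p=none."""
    totals = Counter()
    for row in triage(report):
        totals[row["verdict"]] += row["count"]
    return dict(totals)


if __name__ == "__main__":
    rep = parse_report(SAMPLE_REPORT)
    for row in triage(rep):
        print(f"{row['source_ip']:>15} {row['count']:>5} {row['verdict']}")
    print(summarize(rep))
```

The useful signal for the plan above is the "broken-signature" bucket: a sizeable count there with a list server's IP means tightening the policy from p=none to p=quarantine would start bouncing legitimate list traffic, which is exactly the failure mode the monitoring requirement is meant to catch.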