
[Security] kubernetes.io missing DMARC policy - email spoofing vulnerability #8934

@dibishks

Description


Summary

The kubernetes.io domain lacks DMARC email authentication, allowing attackers to send emails that appear to come from @kubernetes.io addresses.

Impact

  • Attackers can impersonate Kubernetes project emails
  • No authentication enforcement for emails from kubernetes.io
  • Phishing risk to the Kubernetes community
  • Email deliverability may be impacted

Current Configuration

SPF: ✅ Present (soft fail)

v=spf1 include:_spf.google.com mail.kubernetes.io ~all

DMARC: ❌ Not configured

_dmarc.kubernetes.io - Non-existent domain

DKIM: ❌ Not found on common selectors

Risk Level: 🔴 HIGH

Verification

Command line:

nslookup -type=TXT _dmarc.kubernetes.io
# Returns: Non-existent domain

Online: https://mxtoolbox.com/dmarc.aspx?domain=kubernetes.io

Recommended Fix

Add a DMARC TXT record at _dmarc.kubernetes.io:

Phase 1 - Monitoring (immediate):

v=DMARC1; p=none; rua=mailto:dmarc-reports@kubernetes.io; fo=1

Phase 2 - Enforcement (after monitoring 2-4 weeks):

v=DMARC1; p=quarantine; rua=mailto:dmarc-reports@kubernetes.io; pct=100; fo=1

This takes ~15-30 minutes to implement and significantly reduces phishing risk to the community.
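The following script, added here as an example and not part of this issue's attached report or of any Kubernetes project tooling, shows how the verification and the two-phase fix above can be checked mechanically. It embeds the SPF record and the two proposed DMARC records quoted in this issue as constructed strings (no DNS lookup is performed; the nslookup command above is how the live record would be fetched), parses them with RFC 7489 defaults, and grades each the way a reviewer would before publishing a policy. The risk labels and the `assess_dmarc`/`parse_spf` function names are this example's own conventions.

```python
"""DMARC / SPF record checker (added example; runs offline on embedded records)."""

# Records quoted in the issue, embedded as constructed strings so the example runs offline.
SPF_CURRENT = "v=spf1 include:_spf.google.com mail.kubernetes.io ~all"
DMARC_CURRENT = None  # _dmarc.kubernetes.io does not exist according to the report
DMARC_PHASE1 = "v=DMARC1; p=none; rua=mailto:dmarc-reports@kubernetes.io; fo=1"
DMARC_PHASE2 = ("v=DMARC1; p=quarantine; rua=mailto:dmarc-reports@kubernetes.io;"
                " pct=100; fo=1")

# Mechanism names defined by RFC 7208; anything else is an unknown mechanism.
SPF_MECHANISMS = {"all", "include", "a", "mx", "ptr", "ip4", "ip6", "exists"}


def parse_dmarc(txt):
    """Split a DMARC TXT record into a dict of tags, applying RFC 7489 defaults.

    Raises ValueError on records a receiver would discard: v=DMARC1 not first,
    no p= tag, or pct outside 0..100.
    """
    tags = []
    for chunk in txt.split(";"):
        chunk = chunk.strip()
        if not chunk:
            continue
        if "=" not in chunk:
            raise ValueError(f"malformed tag {chunk!r}")
        key, value = chunk.split("=", 1)
        tags.append((key.strip().lower(), value.strip()))
    if not tags or tags[0] != ("v", "DMARC1"):
        raise ValueError("record must start with v=DMARC1")
    rec = dict(tags)
    if "p" not in rec:
        raise ValueError("missing required p= tag")
    rec["p"] = rec["p"].lower()
    rec["sp"] = rec.get("sp", rec["p"]).lower()   # subdomain policy defaults to p
    rec["pct"] = int(rec.get("pct", "100"))
    if not 0 <= rec["pct"] <= 100:
        raise ValueError("pct must be within 0..100")
    rec["rua"] = [u for u in rec.get("rua", "").split(",") if u]
    rec["fo"] = rec.get("fo", "0")
    return rec


def assess_dmarc(txt):
    """Grade a DMARC record (None when the _dmarc name does not exist).

    Returns (risk, findings): risk is one of HIGH / MEDIUM / LOW.
    """
    if txt is None:
        return "HIGH", ["no _dmarc record: receivers apply no policy to failing mail"]
    try:
        rec = parse_dmarc(txt)
    except ValueError as exc:
        return "HIGH", [f"unparseable record, treated as absent: {exc}"]
    findings = []
    if rec["p"] == "none":
        risk = "MEDIUM"
        findings.append("p=none only monitors; spoofed mail is still delivered")
    elif rec["p"] in ("quarantine", "reject"):
        risk = "LOW"
        if rec["pct"] < 100:
            risk = "MEDIUM"
            findings.append(f"pct={rec['pct']} applies the policy to a sample only")
    else:
        return "HIGH", [f"unknown policy {rec['p']!r}"]
    if not rec["rua"]:
        findings.append("no rua= address: aggregate reports will not be received")
    if rec["sp"] == "none" and rec["p"] != "none":
        findings.append("sp=none leaves subdomains unprotected")
    return risk, findings


def parse_spf(txt):
    """Return (all_qualifier, unknown_terms) for an SPF record.

    The qualifier of the trailing 'all' term is '-' (fail), '~' (soft fail),
    '?' (neutral) or '+' (pass). Terms that are neither a known mechanism nor a
    name=value modifier are collected; RFC 7208 section 4.6.1 makes an unknown
    mechanism a permerror, so they are worth a second look.
    """
    terms = txt.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    all_qual, unknown = None, []
    for term in terms[1:]:
        if "=" in term:          # modifier such as redirect= or exp=
            continue
        qual = "+"
        if term[0] in "+-~?":
            qual, term = term[0], term[1:]
        name = term.split(":", 1)[0].split("/", 1)[0].lower()
        if name == "all":
            all_qual = qual
        elif name not in SPF_MECHANISMS:
            unknown.append(term)
    return all_qual, unknown


if __name__ == "__main__":
    print("SPF all-qualifier and unknown terms:", parse_spf(SPF_CURRENT))
    for label, rec in (("current", DMARC_CURRENT),
                       ("phase 1", DMARC_PHASE1), ("phase 2", DMARC_PHASE2)):
        print(f"DMARC {label}:", assess_dmarc(rec))
```

Run as-is it grades the current state HIGH, the phase 1 record MEDIUM (monitoring only) and the phase 2 record LOW with no findings. For the SPF record it reports the `~all` soft-fail qualifier and lists `mail.kubernetes.io` as a term that matches no SPF mechanism name, which is a point worth confirming against the live record before relying on SPF alignment for DMARC.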

Full Report

I've attached a complete security scan report. Happy to provide implementation guidance if helpful.

References

Attachment: kubernetes-io-security-report.txt.txt

Metadata


Assignees

No one assigned

    Labels

    kind/bug - Categorizes issue or PR as related to a bug.
    sig/k8s-infra - Categorizes an issue or PR as relevant to SIG K8s Infra.
    triage/accepted - Indicates an issue or PR is ready to be actively worked on.
