[Koha] Can the Koha Mailing List and DMARC become friends?

David Liddle david at liddles.net
Tue Feb 28 03:00:12 NZDT 2023


Greetings, all!

At the encouragement of one of the mailing list administrators, I
would like to present a situation and a proposal to you all.

Normally, I would write from my work account, david.liddle at wycliff.de,
since one of the hats I wear is that of a Koha system administrator.
One of my other hats, however, is that of the email administrator for
our corporate domains. And the latter hat has precedence over the
former.

To help protect our email domains from being used fraudulently, I have
implemented DMARC policies according to current recommendations. You
can read more about the Domain-based Message Authentication, Reporting
& Conformance protocol at https://dmarc.org/. The policies direct that
only messages from authorized sources should be allowed to send mail
from wycliff.de and our other domains; messages from all unauthorized
sources should be quarantined.

With DMARC policies in place, messages that I send from my work
account to the Koha mailing list get quarantined by email providers
that comply with the policies' directives. Why? It happens because the
Koha mailing list spoofs the email address of the original sender. As
a result, there is a significant number of subscribers who did not
receive the messages at all or had to fetch them from quarantine. Some
unknown number will have been marked as spam.

There are well-meaning reasons for this behavior within an honest,
friendly community such as the Koha mailing list. However, email
spoofing is one of the chief means by which fraudsters engage in
phishing, data exfiltration, and ransomware attacks. In my opinion,
the Koha community ought to avoid the practice of email spoofing.
Therefore, I have a proposal to make:

-- The Koha Mailing List is based on the Mailman list system.
According to its release notes, Mailman 2.1 supports what the
developers call "DMARC mitigations".
-- Mailman DMARC Mitigations are described here:
https://docs.mailman3.org/projects/mailman/en/latest/src/mailman/handlers/docs/dmarc-mitigations.html
++ I PROPOSE that the mailing list subscribers support the
implementation of DMARC mitigations to the Koha mailing list.
-- The result of the implementation would be that messages submitted
to the list would no longer spoof the sender's address, but rather be
altered so that the messages come from the list's own address,
koha at lists.katipo.co.nz. They *should* be delivered successfully to
all recipients. A reply to the message would return to the list, and a
reply to all could include the original sender's address explicitly.
-- If you agree (or disagree) with this proposal, you'll need to
indicate that in your own clever way, because there's no voting
mechanism in a mailing list.

Thank you for being so kind and forbearing as to read this far! I hope
that you'll give my proposal your earnest consideration.

Regards,

David Liddle


After-credits scene:

For you intrepid readers, I would like to boldly suggest something
even more daring than changing the list's sending practices. Please
consider changing the platforms of the Koha email and chat discussions
to one such as Discourse:

-- The Discourse software and community seem to have a fair bit in
common with the character and nature of Koha's. You can read more
about the platform at https://www.discourse.org/.
-- Not only is it a web forum, but it can handle email submissions,
replies, notifications, and digests. (And it would always send from a
legitimate address.)
-- It has migration tools that appear able to import archives such as
those used by this list.
-- It has chat integration for real-time messaging that can also be
perused later.
-- It has functions for search, categorization, and groups that a
mailing list does not.
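
The delivery problem and the proposed fix described in the message above, as an added example that is not part of the original post or of Mailman's code. The sender address, the SPF/DKIM results and the simplified alignment rule are constructed assumptions; `munge_from` is a hypothetical helper that only mirrors the behaviour the post describes.

```python
import copy
from email.message import EmailMessage
from email.utils import formataddr, parseaddr

LIST_ADDR = "koha@lists.katipo.co.nz"  # list address named in the post

def domain_of(addr):
    return parseaddr(str(addr))[1].rpartition("@")[2].lower()

def aligned(auth_domain, from_domain):
    # Simplified relaxed alignment: equal, or one is a subdomain of the other.
    # A real evaluator compares organizational domains via the Public Suffix List.
    a, f = auth_domain.lower(), from_domain.lower()
    return a == f or a.endswith("." + f) or f.endswith("." + a)

def dmarc_result(msg, spf, dkim, policy):
    """spf/dkim are (authenticated_domain, passed); policy is the From domain's p= value."""
    from_domain = domain_of(msg["From"])
    ok = any(passed and aligned(dom, from_domain) for dom, passed in (spf, dkim))
    return "pass" if ok else policy

def munge_from(msg, list_addr=LIST_ADDR):
    """Hypothetical rewrite: From becomes the list; the author is kept in Cc (assumption)."""
    out = copy.deepcopy(msg)
    name, author = parseaddr(str(msg["From"]))
    cc = [str(out["Cc"])] if out["Cc"] else []
    del out["From"], out["Cc"]
    out["From"] = formataddr((f"{name or author} via Koha", list_addr))
    out["Cc"] = ", ".join(cc + [author])
    return out

def demo():
    msg = EmailMessage()  # constructed sample post
    msg["From"] = "Example Sender <sender@wycliff.de>"
    msg["To"] = LIST_ADDR
    msg["Subject"] = "[Koha] test"
    msg.set_content("hello list\n")
    # Assumed receiver-side results for the list-relayed copy: SPF passes for the
    # list's envelope domain; the author's DKIM signature no longer verifies.
    spf, dkim = ("lists.katipo.co.nz", True), ("wycliff.de", False)
    before = dmarc_result(msg, spf, dkim, "quarantine")
    # The policy argument only matters on failure, so it is reused here.
    after = dmarc_result(munge_from(msg), spf, dkim, "quarantine")
    return before, after

if __name__ == "__main__":
    print(demo())
```
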

