[Koha] Can the Koha Mailing List and DMARC become friends?

[o1bigtenor]

On Mon, Feb 27, 2023 at 8:01 AM David Liddle <david at liddles.net> wrote:
>
> Greetings, all!
>
> At the encouragement of one of the mailing list administrators, I
> would like to present a situation and a proposal to you all.
>
> Normally, I would write from my work account, david.liddle at wycliff.de,
> since one of the hats I wear is that of a Koha system administrator.
> One of my other hats, however, is that of the email administrator for
> our corporate domains. And the latter hat has precedence over the
> former.
>
> To help protect our email domains from being used fraudulently, I have
> implemented DMARC policies according to current recommendations. You
> can read more about the Domain-based Message Authentication, Reporting
> & Conformance protocol at https://dmarc.org/. The policies direct that
> only messages from authorized sources should be allowed to send mail
> from wycliff.de and our other domains; messages from all unauthorized
> sources should be quarantined.
>
> With DMARC policies in place, messages that I send from my work
> account to the Koha mailing list get quarantined by email providers
> that comply with the policies' directives. Why? It happens because the
> Koha mailing list spoofs the email address of the original sender. As
> a result, there is a significant number of subscribers who did not
> receive the messages at all or had to fetch them from quarantine. Some
> unknown number will have been marked as spam.
>
> There are well-meaning reasons for this behavior within an honest,
> friendly community such as the Koha mailing list. However, email
> spoofing is one of the chief means by which fraudsters engage in
> phishing, data exfiltration, and ransomware attacks. In my opinion,
> the Koha community ought to avoid the practice of email spoofing.
> Therefore, I have a proposal to make:
>
> -- The Koha Mailing List is based on the Mailman list system.
> According to its release notes, Mailman 2.1 supports what the
> developers call "DMARC mitigations".
> -- Mailman DMARC Mitigations are described here:
> https://docs.mailman3.org/projects/mailman/en/latest/src/mailman/handlers/docs/dmarc-mitigations.html
> ++ I PROPOSE that the mailing list subscribers support the
> implementation of DMARC mitigations to the Koha mailing list.
> -- The result of the implementation would be that messages submitted
> to the list would no longer spoof the sender's address, but rather be
> altered so that the messages come from the list's own address,
> koha at lists.katipo.co.nz. They *should* be delivered successfully to
> all recipients. A reply to the message would return to the list, and a
> reply to all could include the original sender's address explicitly.
> -- If you agree (or disagree) with this proposal, you'll need to
> indicate that in your own clever way, because there's no voting
> mechanism in a mailing list.
>
> Thank you for being so kind and forbearing as to read this far! I hope
> that you'll give my proposal your earnest consideration.
>
>
Greetings

Most would consider your proposal as timely or 'contemporary'.

A somewhat easy fix - - - good on you.

Your suggestion to move to another system for connection - - -
absolutely NOT interested.

It would mean logging into one more location and using one
more system to read emails. I would likely unsubscribe at that
point. Keeping up with the very large number of listes that I'm already
on takes far too much of my day and anything that adds to the
time necessary - - - well - - - that function gets lopped off. If I
were only following a few lists - - - not such an issue - - - - I have
a LOT more than that. (Some are already on discourse - - - - its
not at all equivalent in my opinion and is much more difficult to
follow a large number of threads than a simple email list.)

Regards