[Koha-bugs] [Bug 34927] Adding DMARC compatibility to mailing lists

bugzilla-daemon at bugs.koha-community.org
Tue Nov 28 13:58:48 CET 2023


https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=34927

--- Comment #9 from Thomas Dukleth <td-koha-bugs at agogme.com> ---
By February 2024, fixing DKIM re-signing may be needed for
lists.koha-community.org and more for the Koha general mailing list when Gmail
and Yahoo mail [with AOL] may start blocking messages for not being DKIM
re-signed when sent from the mailing lists.  It is uncertain whether Gmail and
Yahoo mail will continue to give a false pass for messages using the original
author's DKIM signature which does not match the mailing list sending server,
nor the From header with DMARC support enabled.  Gmail, Yahoo mail, AOL mail,
Microsoft [Exchange and various names] etc. have all rejected messages for bad
DKIM signature from mailing lists during past periods of extra DKIM strictness.

I have given precise technical details of changes which may be made to resolve
the issue of OpenDKIM signing with people at BibLibre responsible for
lists.koha.org .  I have also communicated with Rachel
Hamilton-Williams about adding DMARC support for the Koha general mailing list.
Rachel informed me that she would like to hand over hosting of the Koha
mailing list for more attentive hosting than her partner is able to provide. 

At the end of last week, a radio broadcast brought my attention to changes
coming in February 2024 which affect everyone in some manner.  For large volume
senders there are additional requirements, beyond those affecting everyone, which
might affect people subscribing to the Koha general mailing list if the number
of mailing list subscribers is enough and enough people route mail through the
popular choice of Gmail even on mobile despite having some other apparent
domain of some subscriber wherever that may be hosted initially. 

Details about more stringent SPF, DKIM, DMARC, ARC, and one-click unsubscribe
link requirements are available from Google.  Mailing lists may be able to
substitute DMARC support for lack of ARC support when rewriting the From header
and thus re-originating and not merely forwarding messages but adding ARC is
best addressed second.  "Email sender guidelines : Requirements for all
senders" -
https://support.google.com/mail/answer/81126#zippy=%2Crequirements-for-all-senders
.  Another part of the same document has the requirements which may affect the
Koha general mailing list "Requirements for sending 5,000 or more messages per
day" -
https://support.google.com/mail/answer/81126#requirements-5k&zippy=%2Crequirements-for-sending-or-more-messages-per-day
.  The Yahoo guide which I found has fewer details and does not refer to the
coming February 2024 policy change: "Sender Best Practices" -
https://senders.yahooinc.com/best-practices/ .  There is no shortage of
secondary sources such as from the support provider Proofpoint, "Google and
Yahoo Set a Short Timeline to Meet New DMARC Policy & Setup Requirements. Are
You Ready?" -
https://www.proofpoint.com/us/blog/email-and-cloud-threats/google-and-yahoo-set-new-email-authentication-requirements
.

The general Koha mailing list may also have enough subscribers for which the
most stringent requirements will be set.

Sidenote on ARC Support.

ARC is intended for authenticating the email chain when forwarding messages,
which is the basic function of mailing lists.  Adding DMARC support should mean
that the issue of ARC support for acceptable authentication for mailing lists
might be moot because the mailing list is more clearly shown as re-originating
email and not merely forwarding.  However, the announcements for February 2024
do not state that case with explicit clarity and Gmail adds ARC headers to all
mail on their system and people at Google may presume that everyone else should
too, especially when messages may retain headers showing that the message has
been forwarded over the mailing list despite having been re-originated from the
mailing list with DMARC authentication.

While Mailman 3 has functionality for ARC support which was added essentially
experimentally a few years ago, the proper place for ARC support is in the MTA
not in the mailing list software.  When using ARC via Mailman 3 the mail
envelope is sealed before DKIM re-signing which is the wrong order and has
caused ARC authentication failure.

OpenARC, like OpenDKIM, functions in the MTA for Postfix or Sendmail,
https://github.com/trusteddomainproject/OpenARC .  Mailing lists at
https://openarc.org/ .  OpenARC is not as fully developed as OpenDKIM and
support for some nice things such as multiple sending domains on the system
seems to have been abandoned.

OpenARC has better support for BSD Unix and Red Hat than Debian based systems
but is not as well developed, and although not robustly maintained for Debian
based systems, there are openarc packages based on the OpenARC development
branch for Debian 9 to 11,
https://download.opensuse.org/repositories/home%3A/andreasschulze/ .  [Mailman
2 which we are using for the mailing lists does not go past Debian 10 for lack
of Python 2.  Upgrading to Mailman 3 is non-trivial because of configuration
changes, etc. and should not be the most immediate priority.]  There is a very
brief blog post about using the Andreas Schulze Debian packages, "OpenARC with
Postfix on Debian 10 (buster)" / Matthieu -
https://weber.fi.eu.org/blog/Informatique/openarc_with_postfix_on_debian_10.html
.  You can also build your own packages from source as I have.  [In current
testing of my source build, Postfix has a socket permissions error for OpenARC
which may be from a mistake I had made with umask settings long ago on the
system which runs my mailserver.]

I would be pleased to help when I am available.  My question about what MTA is
being used with Mailman for lists.koha-community.org and a recommended fix for
various configuration files are in my original message quoted further below.

-- 
You are receiving this mail because:
You are watching all bug changes.
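
Added example, not part of the comment above or of any Koha or Mailman code: a relaxed-mode DMARC alignment check showing why list mail that keeps the author's From header does not align even when the list's own DKIM signature verifies, while a rewritten From plus re-signing does. The domains, header samples and function names are constructed for illustration; signature verification and SPF results are taken as inputs, and the organizational domain is approximated by the last two labels instead of the Public Suffix List.

```python
import re
from email import message_from_string
from email.utils import parseaddr

def org_domain(domain):
    # Assumption: last two labels stand in for the organizational domain;
    # a real DMARC evaluator consults the Public Suffix List.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def dkim_domains(msg):
    """Return the d= tag of every DKIM-Signature header on the message."""
    found = []
    for value in msg.get_all("DKIM-Signature", []):
        m = re.search(r"(?:^|;)\s*d\s*=\s*([^;\s]+)", value)
        if m:
            found.append(m.group(1).lower())
    return found

def dmarc_alignment(raw, envelope_domain, verified_dkim, spf_pass):
    """Relaxed-mode alignment. verified_dkim (d= domains whose signatures
    verified) and spf_pass are inputs; no crypto or DNS is done here."""
    msg = message_from_string(raw)
    from_domain = parseaddr(msg["From"])[1].rpartition("@")[2].lower()
    target = org_domain(from_domain)
    dkim = any(org_domain(d) == target
               for d in dkim_domains(msg) if d in verified_dkim)
    spf = spf_pass and org_domain(envelope_domain) == target
    return {"from": from_domain, "dkim": dkim, "spf": spf, "pass": dkim or spf}

# Constructed sample: list keeps the author's From; the author's signature no
# longer verifies after the list modified the message, the list's own does.
FORWARDED = (
    "From: Author <author@example.org>\n"
    "Sender: list-bounces@lists.example.net\n"
    "DKIM-Signature: v=1; a=rsa-sha256; d=example.org; s=s1; b=PLACEHOLDER\n"
    "DKIM-Signature: v=1; a=rsa-sha256; d=lists.example.net; s=l1; b=PLACEHOLDER\n"
    "Subject: [List] hello\n\nbody\n")
# Constructed sample: list rewrites From to its own address and re-signs.
REWRITTEN = (
    "From: Author via List <list@lists.example.net>\n"
    "Reply-To: Author <author@example.org>\n"
    "DKIM-Signature: v=1; a=rsa-sha256; d=lists.example.net; s=l1; b=PLACEHOLDER\n"
    "Subject: [List] hello\n\nbody\n")

if __name__ == "__main__":
    for raw in (FORWARDED, REWRITTEN):
        print(dmarc_alignment(raw, "lists.example.net", {"lists.example.net"}, True))
```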

