Solving DMARC’s failures with mailing lists
It is often said that DMARC cannot work well with mailing lists, that is, groups of people who all receive the messages sent to a single list address. DMARC does create some problems for mailing lists, but fixing them is not hard.
Below we suggest the configuration and other steps you need to take so that mailing lists function properly and can still relay messages for your DMARC-compliant domains.
Why does DMARC encounter problems with mailing lists?
DMARC is a reliable, practical, and widely adopted email security protocol, but it can run into technical problems when messages pass through mailing lists, because these lists forward messages and modify them along the way.
Here is a more detailed look at the factors that affect DMARC when a mailing list is involved.
(Image sourced from fastercapital.com)
Emails get modified
Mailing lists commonly modify the message content, for example by adding headers or footers with unsubscribe links, list details, or advertisements. Such modifications invalidate the DKIM signature you originally applied: DKIM exists precisely to verify that nobody tampered with the message in transit, so once the signed content changes, the message fails DKIM authentication, and DMARC fails with it.
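The following added example (not code from the original article) shows the mechanism behind this failure. It implements DKIM "relaxed" body canonicalization and the bh= body hash from RFC 6376 over a constructed message body, then appends the kind of footer a list adds and checks whether the signer's hash still matches. It also shows the one change a list can make without breaking the hash: whitespace-only edits that relaxed canonicalization ignores.

```python
import base64
import hashlib
import re


def relaxed_body(body):
    """DKIM 'relaxed' body canonicalization (RFC 6376 section 3.4.4): trailing
    whitespace on each line is removed, runs of whitespace collapse to one space,
    line endings become CRLF, and empty lines at the end of the body are dropped."""
    lines = body.replace("\r\n", "\n").split("\n")
    lines = [re.sub(r"[ \t]+", " ", line.rstrip(" \t")) for line in lines]
    while lines and lines[-1] == "":
        lines.pop()
    return b"" if not lines else ("\r\n".join(lines) + "\r\n").encode("utf-8")


def body_hash(body):
    """The value the signer puts in the DKIM-Signature bh= tag (SHA-256, base64)."""
    return base64.b64encode(hashlib.sha256(relaxed_body(body)).digest()).decode("ascii")


def body_hash_verifies(body, bh_tag):
    """First thing a verifier does: recompute bh= over the body it actually received."""
    return body_hash(body) == bh_tag


# Constructed body as signed at example.com, and a constructed footer a list might append.
ORIGINAL_BODY = "Hello list,\r\n\r\nThe meeting is at 10:00 on Monday.\r\n"
LIST_FOOTER = "\r\n-- \r\nClassroom list: https://mailinglist.org/classroom/unsubscribe\r\n"
WHITESPACE_ONLY_CHANGE = "Hello  list,\r\n\r\nThe meeting is at 10:00 on Monday.   \r\n\r\n\r\n"


def list_modification_effect():
    """Return (unmodified verifies, with footer verifies, whitespace-only change verifies)."""
    bh = body_hash(ORIGINAL_BODY)  # computed once, at signing time
    return (
        body_hash_verifies(ORIGINAL_BODY, bh),
        body_hash_verifies(ORIGINAL_BODY + LIST_FOOTER, bh),
        body_hash_verifies(WHITESPACE_ONLY_CHANGE, bh),
    )


if __name__ == "__main__":
    unmodified, with_footer, whitespace_only = list_modification_effect()
    print("unmodified body verifies:", unmodified)
    print("body with list footer verifies:", with_footer)
    print("whitespace-only change verifies:", whitespace_only)
```

The footer case is why DMARC fails after a list: the signer's bh= no longer matches, so the signature is rejected before the RSA check is even attempted. Headers covered by the h= tag (Subject, for instance, when a list prepends a tag) break the signature in the same way.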
SPF alignment problems
Similarly, SPF alignment checks whether the domain of the email's return path (the envelope sender) matches the domain of the sender in the From header. When a mailing list forwards a message, it normally substitutes its own bounce address, so the return-path domain no longer matches the original sender's domain. Even if SPF passes for the list's own domain, the result is not aligned, so SPF fails under DMARC.
DMARC reporting issues
DMARC reporting also suffers: reports become hard to interpret when messages fail DMARC because a mailing list modified them. You cannot easily tell whether a message that failed DMARC was actually spoofed or simply ran into a mailing-list-related issue.
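As an added example (not from the original article), here is a small triage pass over a DMARC aggregate report, using a constructed report in the RFC 7489 XML format. It separates records that passed DMARC, records that look like list relays (the relay's own bounce domain passed SPF but is not aligned, and the signature for our domain is broken), and records where nothing authenticated at all. The list of known forwarder domains is an assumption you would maintain yourself; an unaligned SPF pass on its own only proves the relay owns its bounce domain, so that list is what turns a guess into a confident verdict.

```python
import xml.etree.ElementTree as ET

# Constructed aggregate report for example.com (RFC 7489 format, trimmed to the
# elements used here). Addresses are documentation ranges, not real senders.
SAMPLE_REPORT = """<feedback>
  <report_metadata><org_name>destination.com</org_name><report_id>constructed-0001</report_id></report_metadata>
  <policy_published><domain>example.com</domain><adkim>r</adkim><aspf>r</aspf><p>reject</p></policy_published>
  <record>
    <row><source_ip>198.51.100.5</source_ip><count>12</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results><dkim><domain>example.com</domain><result>pass</result></dkim>
      <spf><domain>example.com</domain><result>pass</result></spf></auth_results>
  </record>
  <record>
    <row><source_ip>203.0.113.10</source_ip><count>3</count>
      <policy_evaluated><disposition>reject</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results><dkim><domain>example.com</domain><result>fail</result></dkim>
      <spf><domain>mailinglist.org</domain><result>pass</result></spf></auth_results>
  </record>
  <record>
    <row><source_ip>192.0.2.77</source_ip><count>40</count>
      <policy_evaluated><disposition>reject</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results><spf><domain>example.com</domain><result>fail</result></spf></auth_results>
  </record>
</feedback>
"""


def classify(record, known_forwarders):
    """Label one <record> of an aggregate report."""
    header_from = record.findtext("identifiers/header_from")
    evaluated = record.find("row/policy_evaluated")
    if evaluated.findtext("dkim") == "pass" or evaluated.findtext("spf") == "pass":
        return "dmarc_pass"
    for spf in record.findall("auth_results/spf"):
        spf_domain = spf.findtext("domain")
        if spf.findtext("result") == "pass" and spf_domain != header_from:
            # A relay sending from its own bounce domain: SPF passes but is unaligned.
            if spf_domain in known_forwarders:
                return f"forwarded_by_known_list:{spf_domain}"
            return f"unaligned_spf_pass:{spf_domain}"
    for dkim in record.findall("auth_results/dkim"):
        if dkim.findtext("domain") == header_from and dkim.findtext("result") != "pass":
            return "broken_dkim_possible_modification"
    return "no_auth_likely_spoof"


def triage(report_xml, known_forwarders):
    """Return (source_ip, count, verdict) for every record in the report."""
    root = ET.fromstring(report_xml)
    return [
        (rec.findtext("row/source_ip"), int(rec.findtext("row/count")), classify(rec, known_forwarders))
        for rec in root.findall("record")
    ]


if __name__ == "__main__":
    for source_ip, count, verdict in triage(SAMPLE_REPORT, {"mailinglist.org"}):
        print(f"{source_ip:>15}  {count:>4}  {verdict}")
```

Run against real reports, the "unaligned_spf_pass" bucket is where new, not-yet-catalogued lists and forwarders show up; the "no_auth_likely_spoof" bucket is the one that should be empty for your own infrastructure.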
Resolving the mailing list issue the right way
Fixing list behaviour requires care when configuring DKIM and SPF, and making the best use of ARC.
1. Changing the ‘From’ address
It will be challenging for a mailing list to relay messages for a domain that has SPF and DMARC but not DKIM.
Some commercial mailing list managers (MLMs) can automatically detect when a member's domain has DMARC enforcement and change the 'From' address without requiring any action from you. For those that don't, the common solution is to change the 'From' address when sending to list members. This process is called 'munging'.
The new 'From' address is usually owned by the mailing list provider, which in this case is you. This allows the provider to send authenticated email from its own domain, provided SPF/DKIM is configured for it.
Consider the following example:
Return-Path: <bounce@example.com>
From: "New Sender" <sender@example.com>
To: "Classroom List" <classroom@mailinglist.org>
This is how the message would ordinarily be reflected to a subscriber:
Return-Path: <classroom-bounce@mailinglist.org>
From: "New Sender" <sender@example.com>
Sender: "Classroom List" <classroom@mailinglist.org>
To: "Eric Thompson" <eric@destination.com>
destination.com will reject the message, since mailinglist.org is not an authorized sender in the SPF record for example.com. Having a good SPF record is not enough on its own either, because the Return-Path and From fields are in different domains, so the SPF result does not align with example.com.
To deal with this, mailing lists use workarounds such as From-munging or Multipurpose Internet Mail Extensions (MIME) message wrapping (attaching the original message, unchanged, inside a new message sent by the list) to get mail through.
From-munging looks like this:
Return-Path: <classroom-bounce@mailinglist.org>
From: "New Sender via Classroom" <classroom@mailinglist.org>
Reply-To: "New Sender" <sender@example.com>
To: "Eric Thompson" <eric@destination.com>
This way, the recipient only has to evaluate DMARC for mailinglist.org, which passes. However, it misrepresents the original sender, and email clients often do not display the Reply-To header clearly, which affects sorting and address-book functions.
If you have deployed DKIM for your domain, the list does not need From-munging or other hacks, on the assumption that no modifications are made to the message in transit.
With no modifications, the DKIM signature still validates, and DMARC passes because the RFC5322.From domain aligns with the signature's domain (its d= tag).
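To make the three header sets above concrete, here is an added example (not code from the original article) that evaluates DMARC identifier alignment over them. It takes the SPF result for the Return-Path domain and the verified DKIM signatures as inputs (the results a real verifier would have computed) and applies the alignment rules: the reflected message fails because the list's bounce domain is unaligned and the example.com signature is broken, the same message passes if the list left the signature intact, and the munged message passes because everything now belongs to mailinglist.org. The organizational-domain helper is a deliberate simplification; real verifiers use the Public Suffix List.

```python
from email import message_from_string
from email.utils import parseaddr

# The article's header sets, as constructed raw messages (headers only).
ORIGINAL = """\
Return-Path: <bounce@example.com>
From: "New Sender" <sender@example.com>
To: "Classroom List" <classroom@mailinglist.org>

"""
REFLECTED = """\
Return-Path: <classroom-bounce@mailinglist.org>
From: "New Sender" <sender@example.com>
Sender: "Classroom List" <classroom@mailinglist.org>
To: "Eric Thompson" <eric@destination.com>

"""
MUNGED = """\
Return-Path: <classroom-bounce@mailinglist.org>
From: "New Sender via Classroom" <classroom@mailinglist.org>
Reply-To: "New Sender" <sender@example.com>
To: "Eric Thompson" <eric@destination.com>

"""


def domain_of(header_value):
    """Domain part of an address header such as From or Return-Path."""
    addr = parseaddr(header_value or "")[1]
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def org_domain(domain):
    """Organizational domain. Simplification: the last two labels (real code uses the Public Suffix List)."""
    return ".".join(domain.split(".")[-2:])


def aligned(domain, from_domain, mode):
    """DMARC alignment: 's' (strict) needs an exact match, 'r' (relaxed) a shared organizational domain."""
    if not domain:
        return False
    return domain == from_domain if mode == "s" else org_domain(domain) == org_domain(from_domain)


def dmarc_evaluate(raw, spf_result, dkim_results, aspf="r", adkim="r"):
    """spf_result: SPF result for the Return-Path domain ('pass', 'fail', ...).
    dkim_results: list of (d= domain, result) for every DKIM signature that was verified."""
    msg = message_from_string(raw)
    from_domain = domain_of(msg["From"])       # the RFC5322.From identifier DMARC protects
    rp_domain = domain_of(msg["Return-Path"])  # the RFC5321.MailFrom identifier SPF authenticates
    # Sender: and Reply-To: play no part in DMARC, which is why munging touches From.
    spf_ok = spf_result == "pass" and aligned(rp_domain, from_domain, aspf)
    dkim_ok = any(result == "pass" and aligned(d, from_domain, adkim) for d, result in dkim_results)
    return {
        "header_from": from_domain,
        "spf_aligned": spf_ok,
        "dkim_aligned": dkim_ok,
        "dmarc": "pass" if (spf_ok or dkim_ok) else "fail",
    }


if __name__ == "__main__":
    print("original  :", dmarc_evaluate(ORIGINAL, "pass", [("example.com", "pass")]))
    print("reflected :", dmarc_evaluate(REFLECTED, "pass", [("example.com", "fail")]))
    print("untouched :", dmarc_evaluate(REFLECTED, "pass", [("example.com", "pass")]))
    print("munged    :", dmarc_evaluate(MUNGED, "pass", [("mailinglist.org", "pass")]))
```

The "untouched" case is the DKIM path the text describes: a list that relays without touching the signed headers or body needs neither munging nor an SPF change, because the intact example.com signature alone satisfies DMARC.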
2. Configure SPF
Another way to resolve this is to list the IP addresses of all intermediary servers in your SPF record. The recipients' mail servers will then regard those intermediaries as officially authorized by you. Note that this only helps when the intermediary keeps your domain in the Return-Path; a list that substitutes its own bounce address, as described above, still produces an unaligned SPF result.
Caution: adding many intermediaries to your SPF record means many DNS lookups, and the record can exceed the limit of 10 DNS-querying mechanisms specified in RFC 7208. If that is the case for you, opt for SPF flattening.
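The following added example (not code from the original article) shows both halves of that caution: counting the DNS-querying terms of an SPF record the way a verifier does, following include: and redirect=, and then flattening the record into plain ip4:/ip6: terms. It runs against a constructed set of DNS TXT records (all names and addresses are hypothetical) whose include tree costs 11 lookups, one over the limit.

```python
import re

# Constructed zone data standing in for live DNS TXT lookups (hypothetical names and addresses).
FAKE_TXT = {
    "example.com": ("v=spf1 ip4:192.0.2.0/24 include:_spf.mailinglist.org include:_spf.crm.example.net "
                    "include:_spf.helpdesk.example.net include:spf.bulk.example.net -all"),
    "_spf.mailinglist.org": "v=spf1 ip4:203.0.113.0/24 redirect=_spf2.mailinglist.org",
    "_spf2.mailinglist.org": "v=spf1 ip6:2001:db8:1::/48 -all",
    "_spf.crm.example.net": "v=spf1 ip4:198.51.100.0/26 include:_spf.sub.crm.example.net ~all",
    "_spf.sub.crm.example.net": "v=spf1 ip4:198.51.100.64/26 -all",
    "_spf.helpdesk.example.net": "v=spf1 include:_spf.sub.helpdesk.example.net -all",
    "_spf.sub.helpdesk.example.net": "v=spf1 ip4:198.51.100.192/27 -all",
    "spf.bulk.example.net": ("v=spf1 include:a.bulk.example.net include:b.bulk.example.net "
                             "include:c.bulk.example.net include:d.bulk.example.net -all"),
    "a.bulk.example.net": "v=spf1 ip4:198.51.100.128/28 -all",
    "b.bulk.example.net": "v=spf1 ip4:198.51.100.144/28 -all",
    "c.bulk.example.net": "v=spf1 ip4:198.51.100.160/28 -all",
    "d.bulk.example.net": "v=spf1 ip4:198.51.100.176/28 -all",
}

TERM_RE = re.compile(r"^(?P<q>[+\-~?])?(?P<name>[a-z0-9]+)(?P<arg>.*)$", re.I)
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}  # each costs a DNS query
LIMIT = 10  # RFC 7208 section 4.6.4


def spf_terms(domain, dns):
    record = dns.get(domain)
    if record is None or not record.startswith("v=spf1"):
        raise ValueError(f"no SPF record for {domain}")
    return record.split()[1:]


def parse_term(term):
    """Split 'include:x', '-all', 'redirect=x', 'ip4:1.2.3.0/24' into (qualifier, name, argument)."""
    m = TERM_RE.match(term)
    return (m["q"] or "+"), m["name"].lower(), m["arg"]


def count_lookups(domain, dns, depth=0):
    """Count DNS-querying terms evaluated for domain, following include: and redirect=."""
    if depth > LIMIT:
        raise ValueError("include/redirect chain too deep")
    total = 0
    for term in spf_terms(domain, dns):
        _, name, arg = parse_term(term)
        if name in LOOKUP_TERMS:
            total += 1
            if name in ("include", "redirect"):
                total += count_lookups(arg[1:], dns, depth + 1)  # arg is ':target' or '=target'
    return total


def flatten(domain, dns, depth=0):
    """Collect the ip4:/ip6: terms reachable from domain, in evaluation order."""
    if depth > LIMIT:
        raise ValueError("include/redirect chain too deep")
    ips = []
    for term in spf_terms(domain, dns):
        q, name, arg = parse_term(term)
        if name in ("ip4", "ip6", "include", "redirect") and q != "+":
            raise ValueError(f"cannot flatten non-pass term {term} in {domain}")
        if name in ("ip4", "ip6"):
            ips.append(f"{name}{arg}")
        elif name in ("include", "redirect"):
            ips.extend(flatten(arg[1:], dns, depth + 1))
        elif name in ("a", "mx", "ptr", "exists"):
            raise ValueError(f"{term} in {domain} needs address resolution before it can be flattened")
        # 'all' inside an included record never matches for the caller; only the top-level 'all' is kept
    return ips


def flattened_record(domain, dns):
    """Rewrite domain's SPF record with every include/redirect replaced by its addresses."""
    terms = spf_terms(domain, dns)
    final_all = next((t for t in terms if parse_term(t)[1] == "all"), "-all")
    unique_ips = list(dict.fromkeys(flatten(domain, dns)))  # drop duplicates, keep order
    return " ".join(["v=spf1", *unique_ips, final_all])


if __name__ == "__main__":
    print("lookups before:", count_lookups("example.com", FAKE_TXT), "(limit", LIMIT, ")")
    flat = flattened_record("example.com", FAKE_TXT)
    print("flattened     :", flat)
    print("lookups after :", count_lookups("example.com", {"example.com": flat}))
```

Two practical points when publishing the result: a flattened record goes stale the moment a provider changes its ranges, so re-run the flattening on a schedule and diff it; and a single TXT string is limited to 255 characters, so a long record must be published as several quoted strings that the resolver concatenates.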
3. Use ARC
ARC, short for Authenticated Received Chain, lets a mailing list provider record the authentication results it saw, including DMARC, when it received a message, and sign that record together with the message before forwarding it to the final destination.
If the receiving gateway trusts the mailing list server, the message can be delivered even though it no longer passes DMARC on its own, so the list can keep sending to members with your 'From' address preserved.
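As an added example (not code from the original article), here is the decision a receiving gateway makes once an ARC chain is present. It parses the ARC-Seal, ARC-Message-Signature and ARC-Authentication-Results headers of a constructed message, checks the chain structure defined in RFC 8617 (contiguous instance numbers, cv=none on the first seal, cv=pass on later ones) and reads the DMARC result the first sealer recorded, then applies a local trust policy: a failing DMARC result is overridden only if every sealer in the chain is trusted and the original DMARC result was pass. The cryptographic verification of the b= values is assumed to have been done by an ARC library before this logic runs, which is why the signature values here are placeholders.

```python
import re
from email import message_from_string

# Constructed message as received at destination.com after the list relayed it.
# b= and bh= are placeholders: signature verification is assumed done upstream.
RELAYED = """\
ARC-Seal: i=1; a=rsa-sha256; cv=none; d=mailinglist.org; s=arc; t=1700000000; b=PLACEHOLDER
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=mailinglist.org; s=arc; h=From:To:Subject; bh=PLACEHOLDER; b=PLACEHOLDER
ARC-Authentication-Results: i=1; mailinglist.org; spf=pass smtp.mailfrom=example.com; dkim=pass header.d=example.com; dmarc=pass header.from=example.com
Return-Path: <classroom-bounce@mailinglist.org>
From: "New Sender" <sender@example.com>
To: "Eric Thompson" <eric@destination.com>
Subject: [Classroom] Meeting

Body with a list footer appended.
"""

# The same message after a second, hypothetical forwarder added its own instance.
TWO_HOP = """\
ARC-Seal: i=2; a=rsa-sha256; cv=pass; d=forwarder.example.net; s=arc; t=1700000100; b=PLACEHOLDER
ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=forwarder.example.net; s=arc; h=From:To:Subject; bh=PLACEHOLDER; b=PLACEHOLDER
ARC-Authentication-Results: i=2; forwarder.example.net; arc=pass; dmarc=fail header.from=example.com
""" + RELAYED


def tags(value):
    """Parse the 'k=v; k=v' tag list used by ARC-Seal and ARC-Message-Signature."""
    out = {}
    for part in value.split(";"):
        key, _, val = part.strip().partition("=")
        if key:
            out[key.strip()] = val.strip()
    return out


def arc_chain(raw):
    """Structural check of the ARC chain; returns status and what the policy needs."""
    msg = message_from_string(raw)
    seals = {int(tags(v)["i"]): tags(v) for v in msg.get_all("ARC-Seal", [])}
    sigs = {int(tags(v)["i"]): tags(v) for v in msg.get_all("ARC-Message-Signature", [])}
    aars = {int(re.match(r"\s*i=(\d+)", v).group(1)): v
            for v in msg.get_all("ARC-Authentication-Results", [])}
    n = len(seals)
    if n == 0:
        return {"status": "none"}
    if sorted(seals) != list(range(1, n + 1)) or sorted(sigs) != sorted(seals) or sorted(aars) != sorted(seals):
        return {"status": "fail", "reason": "instances not contiguous or header set incomplete"}
    for i in range(1, n + 1):
        expected = "none" if i == 1 else "pass"  # cv=fail anywhere also lands here
        if seals[i].get("cv") != expected:
            return {"status": "fail", "reason": f"ARC-Seal i={i} has cv={seals[i].get('cv')}, expected {expected}"}
    origin = re.search(r"\bdmarc=(\w+)", aars[1])  # what the first hop saw before modifying anything
    return {"status": "pass", "instances": n,
            "sealers": [seals[i]["d"] for i in range(1, n + 1)],
            "origin_dmarc": origin.group(1) if origin else "none"}


def final_verdict(local_dmarc, chain, trusted_sealers):
    """Local DMARC result, possibly overridden by a trusted ARC chain."""
    if local_dmarc == "pass":
        return "pass"
    if (chain.get("status") == "pass"
            and set(chain["sealers"]) <= set(trusted_sealers)
            and chain["origin_dmarc"] == "pass"):
        return "pass:arc-override"
    return "fail:apply-dmarc-policy"


if __name__ == "__main__":
    chain = arc_chain(RELAYED)
    print(chain)
    print("list trusted   :", final_verdict("fail", chain, {"mailinglist.org"}))
    print("nobody trusted :", final_verdict("fail", chain, set()))
    print("two hops       :", final_verdict("fail", arc_chain(TWO_HOP), {"mailinglist.org"}))
```

The two-hop case shows the trust model: the chain itself is intact, but the override is refused because the second sealer is not on the trusted list. Trust is a local decision about each sealing domain, and a valid chain from an untrusted sealer earns nothing.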
We hope these suggestions fix your issues so that you can use mailing lists with confidence.