Why Mailing Lists Break DMARC and What to Do About It

Mailing lists modify messages in ways that break DKIM and SPF. Here's why it happens, how ARC helps, and practical workarounds.

Mailing lists are one of the oldest and most useful tools on the internet — and one of the biggest headaches for DMARC. If your domain is at enforcement (p=quarantine or p=reject) and your users post to mailing lists, you've probably heard that their messages get rejected or silently dropped. This article explains exactly why, and what you can do about it.

How mailing lists process mail

A mailing list works by receiving a message addressed to [email protected], then resending that message to every subscriber. That resend is the problem. Along the way, the list usually:

  • Prepends [ListName] to the subject line
  • Adds a footer with unsubscribe instructions
  • Rewrites the From: header or leaves it as the original author
  • Sends from the list server's IP rather than the author's

Each of those changes can break the authentication that DMARC depends on.

What breaks, and why

MechanismEffect of mailing listResult
SPFMail now comes from list server IPFails for author domain
DKIM (body modified)Footer added, body hash invalidSignature breaks
DKIM (headers modified)Subject prefixedSignature breaks if Subject was signed
DMARC alignmentFrom: still shows author domainNo aligned auth passes

The original author's DKIM signature is broken the moment the list adds a footer. SPF never had a chance because the envelope sender is different. With no passing authentication aligned to the From: domain, DMARC fails, and strict policies reject the message.

Why this got worse in 2014

Yahoo and AOL moved to p=reject in 2014, and overnight thousands of mailing list subscribers stopped receiving messages authored by Yahoo users. The Mailman project and others scrambled to implement workarounds. Those workarounds are still the main options today.

Workaround 1: Rewrite the From: header

The most common fix is for the list to rewrite the From: header so the sending domain becomes the list's domain. Instead of:

From: [email protected]

The rewritten header looks like:

From: Alice via ExampleList <[email protected]>
Reply-To: [email protected]

Now DMARC checks are performed against example.org, which the list controls and can authenticate. Replies still reach Alice through the Reply-To: header. The downside is it looks a little strange, and some mail clients display it confusingly.

Workaround 2: ARC (Authenticated Received Chain)

ARC is a newer protocol designed specifically to solve the forwarding and mailing list problem. When a list participates in ARC, it adds a cryptographic seal saying "this message arrived with valid DKIM; I modified it; here's proof of the original state."

Receivers that trust the ARC signer can then honour the original authentication result even though the message has been modified. Gmail, Microsoft and others now check ARC seals from trusted forwarders.

ARC isn't a silver bullet — the receiver still has to trust the forwarder — but it's the closest thing to a long-term fix.

Workaround 3: Run the list at a dedicated domain

If you operate the mailing list yourself, host it on a domain that has its own DMARC policy independent of user domains. All outbound list mail is authenticated as coming from the list domain. This avoids the alignment problem entirely.

What to check on your domain

Before you blame the list, verify your own DMARC record is sensible. Use the free DMARC record checker to confirm your policy and reporting destinations are correct. If you're in the process of moving to enforcement, watch the reports for mailing list traffic and decide how to handle it before flipping the switch.

Practical advice for SMB domains

If your organisation is mostly consumer-facing and doesn't post to technical mailing lists, p=reject is safe. If your engineers subscribe to open-source mailing lists with their work addresses, consider:

  1. Asking them to use a personal address for list traffic, or
  2. Configuring the list to rewrite From: headers, or
  3. Staying at p=quarantine so borderline cases land in spam rather than being rejected outright

A DMARC record that supports this might look like:

v=DMARC1; p=quarantine; rua=mailto:[email protected]; fo=1

You can build and tweak records with dmarccreator.com, and monitor ongoing deliverability — including how mailing list traffic is being classified — with deliverabilitychecker.com.

The bigger picture

Mailing lists aren't going away, and DMARC isn't going away. ARC is slowly closing the gap, and list software is getting better at From: rewriting. In the meantime, awareness is half the battle. If a user reports that their mailing list posts are bouncing, you now know exactly why.

Keep tabs on forwarding-related failures

Monitor DMARC reports for mailing list and forwarding issues before users complain.

Start Monitoring