Mailing lists can sometimes cause problems for email authentication. This article covers how they work and what can be done to help legitimate mailing list emails be delivered. Mailing lists have always accounted for a very tiny percentage of emails, but they have been a known gap for email authentication.
Mailing lists are designed to allow group communication. When a member of the list sends an email to the list, that email is then sent to all members of the list.
Usually the sender's email address is used as the user visible From address when the email is sent to the other members of the list. For example, if the email is sent by email@example.com to the list, the other members of the list will get an email that has a From address of firstname.lastname@example.org.
This can cause problems with DMARC. DMARC is based on the user visible From address of the email, which means that, when a member of the list gets the email above, their email gateway will see an email From @example.com whose sending server is the mailing list server. Since the mailing list server will not be listed in the SPF record for example.com, the email will not pass aligned SPF, even if the mailing list server preserves the EnvelopeFrom (which many do not). Since the email will have been modified when passing through the mailing list server, any DKIM signature will also be invalidated.
There are two main ways to allow a user whose domain is at DMARC enforcement to participate in mailing lists:
Changing the From address
Since the main reason that mailing list emails fail authentication is that the mailing list server is not authorized to send on behalf of the members' domains, the most common way to address this is to change the From address of the email when it is sent to the members of the list. The new From address will typically be one owned by the mailing list provider. This then allows the mailing list provider to send authenticated emails as their own domain (assuming they configure SPF/DKIM properly). This function is sometimes called 'munging'.
Some commercial mailing list applications will auto-detect when a member's domain is at DMARC enforcement and change the From address without the mailing list provider needing to do anything. Many (including the most common open source mailing list, Mailman) require the mailing list administrator to enable this.
The downside of this approach is that the members of the list do not see the original sender in the From address. This is one of the reasons that ARC was created.
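The DMARC outcomes described above can be traced in a short sketch. This is an added example, not code from any mailing list product: the list address, the sample message, the Auth values, the Reply-To handling and the two-label organizational-domain shortcut are all assumptions made for illustration.

```python
import copy
from dataclasses import dataclass
from email.message import EmailMessage
from email.utils import formataddr, parseaddr
LIST_ADDR = "discuss@lists.example.net"  # hypothetical list address

@dataclass
class Auth:  # what the receiving gateway observed (constructed, no live DNS)
    spf_pass: bool      # SPF verdict for the envelope-from domain
    envelope_from: str  # domain of the SMTP MAIL FROM
    dkim_pass: bool     # did a DKIM signature still verify?
    dkim_domain: str    # d= of that signature

def org_domain(domain):
    # Simplification: last two labels stand in for a Public Suffix List lookup.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def dmarc_pass(msg, auth):
    """Relaxed alignment: SPF or DKIM must pass AND match the From domain."""
    from_org = org_domain(parseaddr(msg["From"])[1].rpartition("@")[2])
    spf_ok = auth.spf_pass and org_domain(auth.envelope_from) == from_org
    dkim_ok = auth.dkim_pass and org_domain(auth.dkim_domain) == from_org
    return spf_ok or dkim_ok

def munge_from(msg):
    """Rewrite From to the list's address; Reply-To keeps the author reachable."""
    name, addr = parseaddr(msg["From"])
    out = copy.deepcopy(msg)
    out.replace_header("From", formataddr((f"{name or addr} via list", LIST_ADDR)))
    del out["Reply-To"]  # no-op when absent; avoids a duplicate header
    out["Reply-To"] = addr
    return out

def scenarios():
    original = EmailMessage()  # constructed sample message
    original["From"] = "Alice <alice@example.com>"
    direct = Auth(True, "example.com", True, "example.com")
    # List keeps Alice's envelope-from: its IP is not in example.com's SPF record.
    kept_env = Auth(False, "example.com", False, "example.com")
    # List uses its own bounce address: SPF passes, but for the wrong domain.
    own_env = Auth(True, "lists.example.net", False, "example.com")
    # From rewritten: the list's own SPF and DKIM now align with the From domain.
    munged = Auth(True, "lists.example.net", True, "lists.example.net")
    return {
        "direct": dmarc_pass(original, direct),
        "list_kept_envelope": dmarc_pass(original, kept_env),
        "list_own_envelope": dmarc_pass(original, own_env),
        "list_munged_from": dmarc_pass(munge_from(original), munged),
    }
```

Calling scenarios() shows that only the direct delivery and the munged delivery pass; both list deliveries that preserve the original From address fail, whichever envelope sender the list uses.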
Authenticated Received Chain (ARC)
ARC allows the mailing list provider to verify an email, using DMARC, when it is received from a member and then ARC-sign the email when forwarding it to the final destination. Assuming that the receiving gateway trusts the mailing list server, the receiver can deliver the email even though the email does not authenticate via DMARC from the end receiver's point of view. This allows the mailing list provider to continue to send emails to members where the From address of the sender is preserved.