Hello folks
I recently enabled report-only DMARC on my e-mail domain. After sending an e-mails to this ML recently, this resulted in multiple DMARC would-be rejection e-mails.
DMARC relies on SPF (correct sender IP) *or* DKIM (correct signature). A nice tool to visualize this is https://www.learndmarc.com/. If either SPF or DKIM passes, the e-mail should be accepted.
In the case of mailing lists, the way I understand it, there are two options:
- Rewrite the "From:" header so that the e-mail appears to be coming from the ML itself. Put the original sender e-mail in the "Reply-To" header instead. If this is not being done, the sender IP (the mailing list) does not match the sender e-mail domain and SPF fails. Note that this *might* impact the ML reputation for some big mailservers. - Expect that mail servers with DMARC enabled also have DKIM enabled, and ensure that the e-mail body is not modified (i.e. turn off the automatically inserted footer). Put mailing list unsubscribe links in the headers instead. This way, even though the sender IP does not match, the signature should still be intact.
These approaches are described in the following blog post I found online: https://begriffs.com/posts/2018-09-18-dmarc-mailing-list.html
I don't know if mailman allows turning off body modifications (i.e. RFC2369 and RFC2919), but it definitely allows "From"-munging: https://wiki.list.org/DEV/DMARC
This will probably be more and more of an issue in the future (DMARC adoption is increasing), so it might be worthwhile to fix.
Cheers, Danilo