Solving the problem of DMARC’s incompatibility with mailing lists – Part 1


One of the problems that the email filtering community still hasn’t solved with regard to DMARC is how to deal with mailing lists.

You know, mailing lists. Those are the things you subscribe to on a certain topic, along with a bunch of other people. When you email the list, your message is relayed to all the other participants on the list. When they reply, they reply to you and to all of the other list participants, which makes it a public discussion. Or, they can choose to email you directly, off-list, making it a private discussion.

Suppose I have a hobby such as magic and I live in the state of Washington. I might decide to join the Washington Magician’s discussion group, WashingtonMagicians@mailingList.org. MailingList.org runs a lot of discussion lists and WashingtonMagicians is just one of them.

The setup for MailingList.org isn’t that complicated; they keep track of all their recipients and only relay messages from people on the list. If you’re not on the list, you can’t get your email through. The mailing list will bounce it back to you.

Suppose I sign up to the mailing list and go through the vetting process and eventually get added. Let’s also suppose that I send the list an email:


SMTP MAIL FROM: tzink@myPersonalDomain.com
DKIM-Signature: v=1; a=rsa-sha2; c=relaxed/relaxed; s=s2048; 
  d=myPersonalDomain.com
  h=From:To:Subject:MIME-Version;
  bh=<body hash #1>
  b=<signature #1>
From: Terry Zink <tzink@myPersonalDomain.com>
To: Washington Magicians <washingtonMagicians@mailingList.org>
Subject: Hi, I’m new here. Any good places to perform?

Hey, I’m new to the area and I like to perform for free. Are there any good places to go, like Pike Place Market, that don’t require a permit from the city?


I’ve set up SPF for my domain, you can see it’s signing with a DKIM signature, and I’ve even set up a DMARC record of p=reject because I don’t want anyone spoofing my domain.

myPersonalDomain.com IN TXT "v=spf1 ip4:xx.xx.xx.xx -all"

s2048._domainkey.myPersonalDomain.com IN TXT "v=DKIM1; k=rsa; p=<public DKIM key>"

_dmarc.myPersonalDomain.com IN TXT "v=DMARC1; p=reject; pct=100"

It doesn’t get any more secure than this. Heck, I’ve even set up TLS for my domain.

When the message is received at mailingList.org, it scans the message and verifies it. If it stamped the Authentication-Results header (most mailing lists do not, and instead keep the results in memory), it would stamp it this way:


SMTP MAIL FROM: tzink@myPersonalDomain.com
Authentication-Results: spf=pass (sender IP is xx.xx.xx.xx) 
  smtp.mailfrom=myPersonalDomain.com;
  dkim=pass (signature was verified) 
    header.d=myPersonalDomain.com;
  dmarc=pass action=none header.from=myPersonalDomain.com

DKIM-Signature: v=1; a=rsa-sha2; c=relaxed/relaxed; 
  s=s2048; d=myPersonalDomain.com
  h=From:To:Subject:MIME-Version;
  bh=<body hash #1>
  b=<signature #1>
From: Terry Zink <tzink@myPersonalDomain.com>
To: Washington Magicians <washingtonMagicians@mailingList.org>
Subject: Hi, I’m new here. Any good places to perform?

Hey, I’m new to the area and I like to perform for free. Are there any good places to go, like Pike Place Market, that don’t require a permit from the city?


Being the good email netizen that I am, I have properly authenticated my domain with SPF and DKIM and set up DMARC to prevent any of it from being spoofed. MailingList.org knows this and my mail is not marked as spam.

Yet MailingList.org needs to make some modifications to my message. For one thing, it adds a footer to the bottom of the message to indicate a privacy policy. It also adds a few headers to the message to indicate that the message is from a mailing list. Finally, it modifies the subject to make it visible that it’s from a mailing list. It also re-signs the message with a new DKIM signature.

Our new message looks like the following:



SMTP MAIL FROM: washingtonmagicians@mailinglist.org
DKIM-Signature: v=1; a=rsa-sha2; c=relaxed/relaxed; s=s2048; d=myPersonalDomain.com
  h=From:To:Subject:MIME-Version;
  bh=<body hash #1>
  b=<signature #1>
DKIM-Signature: v=1; a=rsa-sha2; c=relaxed/relaxed; s=mailer; d=mailinglist.org
  h=From:To:Subject:MIME-Version:List-Subscribe:List-Post:List-ID;
  bh=<body hash #2>
  b=<signature #2>

From: Terry Zink <tzink@myPersonalDomain.com>
To: Washington Magicians <washingtonMagicians@mailingList.org>
Subject: [Washington-Magicians] Hi, I’m new here. Any good places to perform?
List-Subscribe: http://washingtonmagicians.mailinglist.org
List-Post: mailto:washingtonmagicians@mailinglist.org
List-ID: Washington Magicians

Hey, I’m new to the area and I like to perform for free. Are there any good places to go, like Pike Place Market, that don’t require a permit from the city?
_______________________________________________
Washington Magicians Mailing List
washingtonmagicians@mailinglist.org
http://washingtonmagicians.mailinglist.org


The message is then relayed to all of the mailing list participants.

But here’s where a bad thing happens – the message cannot pass DMARC. Why? Well, at the recipient:

  1. The message passes SPF because the SMTP MAIL FROM domain is mailinglist.org and the IP it sends from is in its SPF record. This checks out.

  2. The message’s first DKIM signature fails – the one originally attached by myPersonalDomain.com – because the subject line of the message has been changed by the mailing list, and the body has been changed as well to append a footer.

    However, the second DKIM signature – the one attached by the mailing list – passes with d=mailinglist.org. So far, so good. MailingList broke the original DKIM signature but affixed one of its own.

  3. The From: address domain is myPersonalDomain.com. Even though SPF passes for mailinglist.org, and DKIM passes for mailinglist.org, neither identifier aligns with the organizational domain of myPersonalDomain.com. Because myPersonalDomain.com publishes a DMARC record, the message therefore fails DMARC.

    Because I’ve published a p=reject in my DMARC record, the message is rejected by all receivers who enforce DMARC.

    Authentication-Results: spf=pass (sender IP is yy.yy.yy.yy) 
      smtp.mailfrom=mailingList.org;
      dkim=pass (signature was verified) 
        header.d=mailingList.org;
      dmarc=fail action=reject header.from=myPersonalDomain.com

    That is, if there’s anyone from Gmail, Hotmail, Yahoo, and so forth, on the mailing list, they won’t see replies from anyone who sends email to the list from a domain protected by a DMARC reject record.
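
The three checks above can be reproduced in a few lines. This is an added example, not code from the original article: it applies DKIM's relaxed body canonicalization to a constructed body with and without the list footer (the Subject change breaks the header hash in the same way and is not modelled), then applies the DMARC alignment rule to the results. The function names are illustrative, and org_domain assumes a two-label organizational domain instead of consulting the Public Suffix List.

```python
import base64
import hashlib
import re

def relaxed_body(body: str) -> bytes:
    """RFC 6376 section 3.4.4 'relaxed' body canonicalization."""
    lines = body.replace("\r\n", "\n").split("\n")
    # Collapse whitespace runs to one space and drop trailing whitespace per line.
    lines = [re.sub(r"[ \t]+", " ", ln).rstrip(" ") for ln in lines]
    # Ignore empty lines at the end of the body.
    while lines and lines[-1] == "":
        lines.pop()
    return "".join(ln + "\r\n" for ln in lines).encode("utf-8")

def body_hash(body: str) -> str:
    """Value a verifier recomputes and compares with the signature's bh= tag."""
    return base64.b64encode(hashlib.sha256(relaxed_body(body)).digest()).decode()

def org_domain(domain: str) -> str:
    # Assumption: last two labels. Real verifiers use the Public Suffix List.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def dmarc_result(header_from: str, spf: tuple, dkim: list) -> str:
    """spf = (result, mailfrom_domain); dkim = [(result, d_domain), ...].
    A pass needs one *passing* identifier aligned with the From: domain."""
    target = org_domain(header_from)
    spf_ok = spf[0] == "pass" and org_domain(spf[1]) == target
    dkim_ok = any(r == "pass" and org_domain(d) == target for r, d in dkim)
    return "pass" if spf_ok or dkim_ok else "fail"

# Constructed sample data modelled on the message in this article.
ORIGINAL = "Hey, I'm new to the area and I like to perform for free.\r\n"
FOOTER = "_______________________________________________\r\nWashington Magicians Mailing List\r\n"
RELAYED = ORIGINAL + FOOTER

def first_signature_status() -> str:
    # The author's signature carries bh= of the original body; the list changed the body.
    return "pass" if body_hash(RELAYED) == body_hash(ORIGINAL) else "fail"

def evaluate_relayed() -> str:
    dkim = [(first_signature_status(), "myPersonalDomain.com"), ("pass", "mailinglist.org")]
    return dmarc_result("myPersonalDomain.com", ("pass", "mailinglist.org"), dkim)

def evaluate_direct() -> str:
    me = "myPersonalDomain.com"
    return dmarc_result(me, ("pass", me), [("pass", me)])

if __name__ == "__main__":
    print(first_signature_status(), evaluate_relayed(), evaluate_direct())
```
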

It gets worse; not only can I – someone who is locking down my domain – not send email to these discussion lists because third parties will reject it, the mail is bounced in SMTP. The bounces do not go to me, but instead go to MailingList. MailingList says “Hey, I’m relaying messages for this person but they keep bouncing and can’t get delivered. I’m going to automatically unsubscribe this sender.” So, not only can I not send email to this list, I can’t receive it, either.

This means that you can’t simultaneously lock down your email domain with DMARC and participate in email discussion lists. Even though discussion lists aren’t a large source of traffic, they are an important source. They facilitate better communication with a wide range of people.

Indeed, why shouldn’t domains that publish p=reject in their DMARC records be able to participate in mailing lists? That should be the goal, to get all domains to be protected with DMARC. Seems like a pretty big problem to solve.

Aren’t there any solutions? How can this be fixed?



Comments (1)

  1. As you’re probably aware by this time, the folks who maintain the GNU Mailman list management software suite have addressed the DMARC problem, as best they can. Header From addresses to hosts publishing a DMARC record get munged by the list server so as to indicate that mail came _from_ the list server on behalf of the poster. This satisfies servers which enforce DMARC filtering for recipients, although it can make replying personally more difficult. All in all, DMARC is pretty broken since it shuts down legitimate email redirection in many cases. Email redirection is much like call forwarding for your phone or a forwarding address at the post office. There are a large number of misbegotten schemes out there to fight spam, some of which violate the fundamental email RFCs, and some just make email unreliable. When sending spam becomes an internationally recognized crime, with severe punishments, and enforcement starts actually taking down spammers, then we’ll see the cost of doing business as a spammer not worth the results, then, and only then will we see the problem start to diminish.
