Dear mailing list admin,

Did you know there is a relationship between mailing lists and phishing? Responsible owners of domain names have started using DMARC to control who can send email from their domain name. DMARC is a standard that allows the owner of a domain name to publish information with which a recipient can verify the email that they receive from a domain name. By publishing DMARC records, the domain name owner takes steps to prevent phishing from their domain name.

DMARC is a great thing. However, your mailing list configuration creates a problem for its use.

DMARC includes two mechanisms that show whether an email is authentic. SPF lets a domain name owner indicate which servers are authorised to send email for the domain name. DKIM lets a domain name owner indicate which keys are used to sign authentic email from the domain name.

When your mailing list forwards email from a user whose domain name has DMARC records, that email will be flagged as non-authentic by any recipient who verifies DMARC records. This means the email may be rejected or processed as spam. At best, the email is still accepted, which perpetuates the situation in which unverified email is treated as authentic.

The reason that email is flagged as non-authentic is that both SPF and DKIM verification fail. SPF fails because your server is not listed in the SPF records of the domain name. This seems reasonable: we cannot expect every domain name owner to trust you to send email on their behalf. DKIM fails because you modify the messages you forward: you add a tag to the subject line and a footer to the message body. After these modifications, the DKIM signature that was originally added is no longer valid.

You have the power to remedy this situation. You can stop sending email from domain names that you do not own. Your mailing list software probably contains an option to do so: it puts the email address of the mailing list itself in the From: header. Most mailing list software also allows for header munging, which means that the display name next to the From: address is rewritten. Instead of naming Jane Doe as the sender, it will now say something like “Acme Mailing List on behalf of Jane Doe”. Not only does this allow DMARC verification to succeed, it is also closer to the truth.

While you’re working on your configuration, would you also consider setting up DMARC for your own domain names? The resources at DMARC.org should be of help to you. Also, please verify DMARC records before forwarding email from other users. Otherwise, your mailing list could be abused to forward non-authentic emails. Recipients can no longer verify the original emails, because you are now the new sender.
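The two configuration steps asked for above (rewrite From: to the list's own address with an "on behalf of" display name, and only relay posts whose inbound DMARC check passed) can be shown together in a small piece of code. This is an added example, not code from the letter or from any particular mailing list software; the list address, the list name, the authserv-id of the list's inbound MX and the sample post are constructed assumptions. The DMARC verdict is read from the Authentication-Results header (RFC 8601) that the list's own inbound MX stamps on arrival, rather than doing DNS lookups here.

```python
import email
import email.utils
from email.message import Message
from email.policy import default

# Constructed assumptions: the list's address and name, and the authserv-id
# (RFC 8601) of the list's own inbound MX that stamps Authentication-Results.
LIST_ADDR = "acme-list@lists.example.org"
LIST_NAME = "Acme Mailing List"
INBOUND_AUTHSERV = "mx.lists.example.org"

def inbound_dmarc_passed(msg: Message, authserv_id: str = INBOUND_AUTHSERV) -> bool:
    """True only if our own inbound MX recorded dmarc=pass. Results stamped by
    any other host are ignored: a sender could have forged them upstream."""
    for hdr in msg.get_all("Authentication-Results", []):
        authserv, _, results = str(hdr).partition(";")
        parts = authserv.split()
        if not parts or parts[0] != authserv_id:
            continue
        for clause in results.split(";"):
            method, _, result = clause.strip().partition("=")
            if method == "dmarc" and result.split()[:1] == ["pass"]:
                return True
    return False

def munge_from(msg: Message) -> Message:
    """Put the list's own address in From: so the list's DKIM/SPF align with it;
    keep the author in the display name, in Reply-To and in X-Original-From."""
    orig_from = str(msg["From"])
    orig_name, orig_addr = email.utils.parseaddr(orig_from)
    display = f"{LIST_NAME} on behalf of {orig_name or orig_addr}"
    msg["X-Original-From"] = orig_from
    del msg["From"]
    msg["From"] = email.utils.formataddr((display, LIST_ADDR))
    if "Reply-To" not in msg:
        msg["Reply-To"] = orig_addr
    return msg

def prepare_for_list(raw: str):
    """Gate on the inbound DMARC verdict, then rewrite From:; None = do not relay."""
    msg = email.message_from_string(raw, policy=default)
    if not inbound_dmarc_passed(msg):
        return None
    return munge_from(msg)

# Constructed sample post, as stamped by the list's inbound MX on arrival.
SAMPLE_POST = """\
Authentication-Results: mx.lists.example.org; spf=pass smtp.mailfrom=example.com;
 dkim=pass header.d=example.com; dmarc=pass header.from=example.com
From: Jane Doe <jane@example.com>
Subject: Hello

Hello list.
"""
```

A post whose Authentication-Results header names any other host, or records anything but dmarc=pass, is returned as None and must not go out under the list's name.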

Thank you for supporting everyone’s ability to prevent phishing and receive only authentic email.

Kind regards,