Mailing lists break DMARC because they modify the message body (adding footers, subject tags) which breaks DKIM, and they send from their own IP which breaks SPF alignment. The most common fix is From header rewriting, where the list changes the From address to its own domain. ARC also helps by preserving original authentication results for receivers that support it.
DMARC and Mailing Lists: The Alignment Problem
Why Mailing Lists Break Everything
Mailing lists are the worst-case scenario for email authentication. Here's what a typical list does:
- Receives your message with valid SPF and DKIM
- Modifies the subject — adds
[ListName]prefix - Adds a footer — unsubscribe link, list information
- Sends from the list server's IP — not your original server
Result: SPF fails (wrong IP), DKIM fails (body modified), DMARC fails (nothing aligns).
This isn't a theoretical problem. If your domain has p=reject, your messages to mailing lists may get rejected at the receiving end — and other list members won't see your posts.
The Solutions
From Header Rewriting
Most modern mailing list software now rewrites the From header when the original sender's domain has a DMARC policy of p=quarantine or p=reject.
Before rewriting:
From: [email protected]
After rewriting:
From: [email protected] via listname <[email protected]>
Reply-To: [email protected]
This fixes DMARC because the From domain is now listdomain.com, and the list server's own SPF/DKIM covers that domain. The original sender goes into Reply-To.
Practitioner note: From rewriting works but it's ugly. Recipients see the list domain instead of the sender's domain. It's a pragmatic compromise — not a clean solution. The email community has been debating this for over a decade.
ARC Headers
ARC (Authenticated Received Chain) is the protocol-level solution. The mailing list server:
- Records that the original message passed DMARC
- Adds ARC-Authentication-Results, ARC-Message-Signature, ARC-Seal headers
- Forwards the modified message
The receiving server can check the ARC chain and decide to accept the message based on the original authentication.
The limitation: ARC works on a trust model. The receiver has to trust the mailing list server's ARC seal. Not all receivers evaluate ARC for all senders.
Sender Rewrites
Some lists use SRS (Sender Rewriting Scheme) to rewrite the Return-Path envelope sender. This helps SPF alignment but doesn't fix DKIM.
What You Should Do
As a domain owner with DMARC p=reject:
- Accept that some mailing list deliverability will be impacted
- Don't lower your DMARC policy — the protection is worth more than edge-case mailing list delivery
- Monitor your DMARC reports to understand the volume
As a mailing list operator:
- Enable From header rewriting for domains with DMARC policies
- Implement ARC header sealing
- Use modern list software (Mailman 3+, Google Groups)
Practitioner note: When clients ask me whether they should hold off on p=reject because of mailing lists, I tell them no. The mailing list problem affects a tiny percentage of their email volume. The domain protection from p=reject is worth far more than perfect mailing list delivery. Most lists have adapted with From rewriting anyway.
List Software Support
| Software | From Rewriting | ARC Support |
|---|---|---|
| Google Groups | Yes | Yes |
| Mailman 3 | Yes | Yes |
| Mailman 2 | Limited | No |
| LISTSERV | Yes | Limited |
| Sympa | Yes | Yes |
If you're running a mailing list and need help implementing ARC or From rewriting, or your organization is hitting mailing list issues after DMARC enforcement, I can help find the right approach.
Sources
- RFC 7489: Domain-based Message Authentication (DMARC)
- RFC 8617: The Authenticated Received Chain (ARC) Protocol
- RFC 7960: Interoperability Issues between DMARC and Indirect Email Flows
- dmarcian: DMARC and mailing lists
v1.0 · April 2026
Frequently Asked Questions
Why do mailing lists break DMARC?
Lists modify the body (footers, subject tags), breaking DKIM. They send from their own IP, breaking SPF. With both failing, DMARC fails.
What is From rewriting for mailing lists?
The list changes the From header to its own domain ([email protected]) and puts the original sender in Reply-To. This fixes DMARC alignment but changes the visible sender.
Does ARC fix the mailing list problem?
Partially. ARC lets the receiving server see that authentication originally passed. But not all receivers fully trust ARC chains, so it's not a complete solution yet.
Should I use p=none because of mailing lists?
No. The volume of mailing list failures is typically small. Don't sacrifice your domain's DMARC protection for a few edge cases.
Which mailing list software supports ARC?
Mailman 3, Google Groups, and Sympa support ARC. Older versions of Mailman and LISTSERV may not.
Want this handled for you?
Free 30-minute strategy call. Walk away with a plan either way.