When an email is sent via a mailing list, the original sender’s identity is hidden. This means that the DMARC policy for any domains involved in the mailing list can’t be used to identify the sending domain or determine whether it should be considered legitimate using SPF authentication. This issue can however be resolved.
What is a Mailing List?
If you’re not already familiar with the term “mailing list,” it’s a group of people who receive information from you via email. You can create a mailing list for any purpose, but most often they are used to send newsletters or updates about your business.
Example: MailChimp Email Builder
Mailing lists can be used for many purposes:
- They let you send out newsletters and promotions without having to worry about spam filters or getting people’s emails wrong (or worse, accidentally sending emails to the wrong person).
- They help you connect with potential customers who wouldn’t normally see your advertising.
- They can help you build trust with your followers by providing them with exclusive information that they won’t find anywhere else (like sneak peeks at new products or discounts on future purchases).
How does DMARC work?
DMARC uses a few different methods to identify the sending domain and check whether it should be considered legitimate:
- The Sender Policy Framework (SPF) record identifies which IP addresses are permitted to send emails with a particular domain name. An SPF record can include information about subdomains as well.
- The DomainKeys Identified Mail (DKIM) DNS record contains information about the cryptographic keys used by this domain for signing messages and verifying their signatures. Emails with valid DKIM signatures will be delivered; those without valid signatures will not be delivered or may have their headers modified so that they’re marked as spam by recipients’ email clients.
How can the usage of Mailing Lists affect your DMARC policies?
If your email marketing provider uses DMARC to protect your emails, you’re in good shape. But sometimes there are issues when emails are being sent via mailing lists or from third-party platforms.
Let’s visualize email flow using a mailing list:
Since the mail flow isn’t direct and passes through an intermediary listing server to reach the inboxes of your list members, the header and body information gets altered during the transfer.
This leads to:
- SPF fail due to an altered return-path address
- DKIM fail due to modifications to the message body
How to bypass the problem with Mailing Lists?
1. Configure your DMARC policy at none
If you want to make sure your emails don’t fail delivery due to a failed SPF or DKIM check when they are sent via a mailing list, you can configure your DMARC policy at none. This enables you to get your emails delivered to the inboxes of your list of members even if they fail authentication.
Word of caution: However, it is important to remember that a relaxed policy like p=none will not shield you from brand impersonation attacks like phishing and spoofing.
2. Specify IP addresses for all intermediary listing servers in your domain’s SPF record
Another way you can ensure that your emails don’t fail authentication in the first place is by specifying the IP addresses of all intermediary listing servers in your domain’s SPF record. This will help your receiver identify them as legitimate senders for your domain during an SPF lookup.
Note: Third-party domains and IPs can add to the number of DNS lookups per session and make you quickly exceed the RFC-specified limit for SPF. To make sure you stay under the limit at all times, configure an SPF Flattening tool for your domain.
3. Using Authenticated Received Chain (ARC)
ARC helps avoid authentication failures triggered by mailing lists by keeping a live track of an email’s original email headers and signatures throughout the message delivery process. This helps email receiving servers validate the senders properly, without any false negatives.
- How to Authenticate Emails? - March 28, 2023
- How Does DNS Work? - March 27, 2023
- What is Fileless Malware? - March 27, 2023
