
Mailing Lists & Authentication: How They Work with ARC

Learn how Authenticated Received Chain (ARC) fixes the problem between mailing lists and email authentication protocols.

One of the most common technical concerns we hear about email authentication through DMARC is that it doesn’t work with mailing lists.

The objection has some merit.

Email messages that get forwarded by a mailing list will fail SPF authentication, because, to the receiving mail server, the most immediate sender (the list) doesn’t match any of the domains listed in the originating domain’s SPF record.

Similarly, a DKIM signature attached to a message will fail if the mailing list modifies the body of the message or any of the signed headers (for instance, by rewriting the subject line of the message to add a prefix for the mailing list), because then the content of the message no longer matches the cryptographically signed hash of the original message.

And messages failing SPF and DKIM will also fail DMARC authentication.

The problem is not just hypothetical: Shortly after Yahoo rolled out DMARC enforcement in 2014, many mailing list operators found that every Yahoo address was bouncing. This happened because the messages were failing DMARC authentication.

Fortunately, there is now a way to address these issues: a new standard called Authenticated Received Chain, or ARC for short.

How Authenticated Received Chain Fixes the Problem

ARC conveys authentication results from hop to hop, allowing each server in a series of forwarders (such as a mailing list server) to authenticate an incoming message and then add its “endorsement” of that authentication to the forwarded message. The receiving server can choose to trust the message or not, and make a delivery decision, by examining the cumulative reputation of the senders who have signed the message at each hop in its journey to that point.

It’s also possible to examine each of the authentication steps along the way to reconstruct the authentication chain.

ARC allows mailing lists to modify the messages they forward (by adding a list-specific prefix to the subject line, for instance) without fear that this will cause the messages to fail authentication when they arrive.
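The hop-by-hop chain described above can be walked programmatically. The sketch below is an added example, not code from Valimail or the ARC specification authors: it groups the three per-hop header fields defined in the ARC specification (RFC 8617) by instance number, checks that the chain is structurally intact, and lists what each hop recorded. It performs no cryptographic verification, and the sample message, domains, and function names are constructed for illustration.

```python
from email import message_from_string

ARC_HEADERS = ("ARC-Seal", "ARC-Message-Signature", "ARC-Authentication-Results")

# Constructed sample: list.example seals first (i=1), fwd.example forwards it on (i=2).
# Signature values are placeholders; the domains are hypothetical.
SAMPLE = """\
ARC-Seal: i=2; a=rsa-sha256; cv=pass; d=fwd.example; s=arc; b=PLACEHOLDER
ARC-Message-Signature: i=2; a=rsa-sha256; d=fwd.example; s=arc; h=from:subject; bh=PLACEHOLDER; b=PLACEHOLDER
ARC-Authentication-Results: i=2; fwd.example; arc=pass; spf=fail; dkim=fail; dmarc=fail
ARC-Seal: i=1; a=rsa-sha256; cv=none; d=list.example; s=arc; b=PLACEHOLDER
ARC-Message-Signature: i=1; a=rsa-sha256; d=list.example; s=arc; h=from:subject; bh=PLACEHOLDER; b=PLACEHOLDER
ARC-Authentication-Results: i=1; list.example; spf=pass; dkim=pass; dmarc=pass
From: alice@sender.example
Subject: [list] Hello

Hi all
"""

def tags(value):
    """Parse a 'k=v; k=v' tag list; bare tokens such as the authserv-id are skipped."""
    pairs = (part.strip().partition("=") for part in value.split(";"))
    return {k.strip(): v.strip() for k, sep, v in pairs if sep}

def reconstruct_chain(raw):
    """Return (status, hops). Structural checks only: no signature is verified."""
    sets = {}
    msg = message_from_string(raw)
    for name in ARC_HEADERS:
        for value in msg.get_all(name, []):
            t = tags(value)
            if not t.get("i", "").isdecimal():
                return "fail", []
            inst = sets.setdefault(int(t["i"]), {})
            if name in inst:  # two headers of one kind for the same hop
                return "fail", []
            inst[name] = t
    if not sets:
        return "none", []
    hops = []
    for i in range(1, max(sets) + 1):  # instances must run 1..N with no gaps
        s = sets.get(i, {})
        if len(s) != 3 or s["ARC-Seal"].get("cv") != ("none" if i == 1 else "pass"):
            return "fail", hops
        aar = s["ARC-Authentication-Results"]
        hop = {"i": i, "sealer": s["ARC-Seal"].get("d")}
        hop.update({m: (aar.get(m) or "none").split()[0] for m in ("spf", "dkim", "dmarc")})
        hops.append(hop)
    return "structure-ok", hops

if __name__ == "__main__":
    print(reconstruct_chain(SAMPLE))
```

In the sample, the second hop sees SPF, DKIM and DMARC fail on the modified message, while the list's own i=1 record shows that all three passed when the message first arrived.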

Validate ARC Implementation with Valimail

Valimail is contributing to the ARC standard and has also set up an ARC test suite that interested parties can use to validate their ARC implementations. We are also working with the makers of Mailman, one of the world’s largest software packages for managing mailing lists, to get it ARC-ready (meaning that a future release of the Mailman software will include the ability to add ARC signatures to messages).

If you want to learn more, visit http://arc-spec.org/.