User Tools

Site Tools


dmarc

FreeLists and DMARC

Background

DMARC is a standard used to prevent senders from using a From address without being properly authorized to do so. What this means for mailing list senders like FreeLists is that we can't use your address in the From: header – this is the default and generally how mailing lists work – for domains who have a DMARC policy that indicates mail should be rejected if it fails DMARC checks.

DMARC puts FreeLists in a difficult position: We're essentially required to sign/authenticate mail we're sending on your behalf with SPF and DKIM to ensure deliverability, yet for ease of use we want to maintain the original From: header so subscribers know who sent the message. DMARC prevents the combination of these conditions.

Official Remedies

DMARC itself offers some solutions:

I operate a mailing list and I want to interoperate with DMARC, what should I do?

Section 3 off their guidance offers the only viable set of options – we somehow have to replace the From: address with something else – so that's what we'll discuss next. (Depending on your list's configuration one of “A,” “B,” or “C” apply.)

How FreeLists Handles DMARC

First, FreeLists detects domains that publish reject policy DMARC records. If your domain doesn't participate in DMARC or publishes a DMARC policy that isn't junk or reject, we take no action.

Second, if necessary, FreeLists modifies the From: header of the post to your mailing list. We replace user@domain.com with dmarc-noreply@freelists.org and move other bits of the From: header to the comment section (if made available by the sender) to improve usability.

If your subscriber's domain uses DMARC and the From: header was originally:

From: Jane Doe <jdoe@baddomain.com>

We'll replace that with:

From: "Jane Doe" <dmarc-noreply@freelists.org> (Redacted sender "Jane Doe" for DMARC)

This allows other subscribers on the list to get the best available understanding of who the message came from while complying with DMARC. The exact format of this header is subject to change as we strive to improve usability.

Improving usability

Notice how we form the From: header. To improve usability it's important for your subscribers to put their name (it doesn't have to be their real name!) into the From: header in their email client.

We do our best to maintain the Reply-to: header. If your list uses the reply-to-sender setting the original sender should be copied here so replies go back to the expected source.

We add a X-original-sender: header that contains the original sender. While list subscribers can see this if they go looking at a message's full headers this is mostly intended for list admin troubleshooting.

Big domains and DMARC

Unfortunately the Yahoo/Verizon/AOL/Comcast email conglomerate uses DMARC, affecting a vast swath of FreeLists subscribers. Notably though Gmail does not.

The following domains don't use DMARC correctly or have incorrect DMARC-like email implementations that force us to employ the DMARC workaround anyway: micron.com, sbcglobal.net, rogers.com, sky.com, ymail.com, btinternet.com, handsonsa.org, mail.ru, and cisa.dhs.gov.

Implementation notes

Don't change your union-lists setting or if you do, be very careful. Our DMARC protection works due to a feature of FreeLists known as union-lists where subscribers of another list are allowed to post on your list but don't receive its posts.

If the person posting to your list is from a DMARC domain and isn't a subscriber we'll change the address to dmarc-noreply-outsider@freelists.org in the message to list admins requesting approval to post.

dmarc.txt · Last modified: 2023/10/26 20:49 by staff