DMARC and replies

DMARC is an issue for all mailing lists, and mailing list managers. Recently, and our friends at collaborated to enhance how we deal with DMARC.

 The problem with DMARC

DMARC is a way to ensure the origin of an email. Messages to you are checked to ensure that an email from, for example, is actually from Yahoo! If the check fails then the email is discarded. DMARC is a great way to prevent what is termed phishing attacks, which rely on being able to impersonate others. (Spam is unaffected, other than you can be assured of the identity of the spammer.)

Unfortunately, DMARC breaks mailing lists, such as GroupServer, Google Groups, and GNU Mailman. A mailing list typically

  • Receives an email,
  • Modifies it to create a new email, and
  • Sends the new email out as if the author wrote it that way.

The new message will fail the DMARC check, resulting in upset group members who cannot send any email. This was a minor problem until April 2014, when Yahoo! and Comcast became the first two major email-providers to implement strict DMARC, resulting in many more people who could not post to groups.

GroupServer and DMARC

Our response to the crisis in April 2014 was to take responsibility for the email that we send out. First we check the origin of the message, discarding any email that fails the checks. Then, as part of the processing we rewrite the From header in the email to create a new email address for the author of the message.

The new address was generated from the profile of the author. Everyone on a GroupServer site, such as or, has a unique profile, which holds all the information about a person, including profile photo, biography, and multiple email addresses.

Our solution has worked well to ensure that emails were sent out. However, there was a problem with replies.

The problem and solution

With most mailing lists a reply goes to everyone in the group by default. However, some groups prefer to have the replies go to the author only. (This is a option for a GroupServer group.) By rewriting the From header we prevented the replies getting through, because we used an email address that did not exist.

The solution that we recently implemented is simply to relay the email on to the intended recipient. Because the email address that GroupServer created is unique to each person we know exactly who to send the email to. This allows people to use groups as they like, without having to worry about DMARC.

Leave a Reply

You must be logged in to post a comment.