DMARC is a standard used to prevent senders from using a From address without being properly authorized to do so. What this means for mailing list senders like FreeLists is that we can't use your address in the
From: header – this is the default and generally how mailing lists work – for domains who have a DMARC policy that indicates mail should be rejected if it fails DMARC checks.
DMARC puts FreeLists in a difficult position: We're essentially required to sign/authenticate mail we're sending on your behalf with SPF and DKIM to ensure deliverability, yet for ease of use we want to maintain the original
From: header so subscribers know who sent the message. DMARC prevents the combination of these conditions.
DMARC itself offers some solutions:
Section 3 off their guidance offers the only viable set of options – we somehow have to replace the
From: address with something else – so that's what we'll discuss next. (Depending on your list's configuration one of “A,” “B,” or “C” apply.)
First, FreeLists detects domains that publish reject policy DMARC records. If your domain doesn't participate in DMARC or publishes a DMARC policy that isn't junk or reject, we take no action.
Second, if necessary, FreeLists modifies the
From: header of the post to your mailing list. We replace
email@example.com and move other bits of the
From: header to the comment section (if made available by the sender) to improve usability.
If your subscriber's domain uses DMARC and the
From: header was originally:
From: Jane Doe <firstname.lastname@example.org>
We'll replace that with:
From: "Jane Doe" <email@example.com> (Redacted sender "jdoe" for DMARC)
This allows other subscribers on the list to get the best available understanding of who the message came from while complying with DMARC. The exact format of this header is subject to change as we strive to improve usability.
Notice how we form the
From: header. To improve usability it's important for your subscribers to put their name (it doesn't have to be their real name!) into the
From: header in their email client.
We do our best to maintain the Reply-to: header. If your list uses the
reply-to-sender setting the original sender should be copied here so replies go back to the expected source.
We add a
X-original-sender: header that contains the original sender. While list subscribers can see this if they go looking at a message's full headers this is mostly intended for list admin troubleshooting.
Unfortunately the Yahoo/Verizon/AOL/Comcast email conglomerate uses DMARC, affecting a vast swath of FreeLists subscribers. Notably though Gmail does not.
The following domains don't use DMARC correctly or have incorrect DMARC-like email implementations that force us to employ the DMARC workaround anyway: micron.com, sbcglobal.net, rogers.com, sky.com, ymail.com, btinternet.com, handsonsa.org, mail.ru, and cisa.dhs.gov.
Don't change your
union-lists setting or if you do, be very careful. Our DMARC protection works due to a feature of FreeLists known as
union-lists where subscribers of another list are allowed to post on your list but don't receive its posts.
If the person posting to your list is from a DMARC domain and isn't a subscriber we'll change the address to
firstname.lastname@example.org in the message to list admins requesting approval to post.