How does DMARC interact with mailing lists?
Still have a question, spotted an error, or have a better explanation or a source we should cite?
Here's the collision that catches most people off guard: mailing lists fundamentally break DMARC alignment. When a list forwards your message, it rewrites headers and modifies content (adding subject tags, footers, etc.). That breaks both SPF alignment (forwarded from the list's servers, not yours) and DKIM alignment (content changed, signature invalid).
So what happens? If you've set DMARC to p=reject or p=quarantine, the receiving mailbox might quarantine or reject the forwarded message entirely. Your subscribers never see it. It's one of the uglier edge cases in email authentication.
The modern fix is ARC (Authenticated Received Chain). ARC lets the list vouch for the original message's legitimacy before it got modified. Major providers like Google Groups now support ARC, which means your messages can pass authentication even after the list processes them. If you're running a sender who uses mailing lists, you've got options: either use p=none initially (less strict), coordinate with list admins to enable ARC, or split your sending to bypass lists entirely. Start by checking your DMARC reports to see how many failures are list-related. That tells you how urgent this actually is for your situation.
Contributors
Who worked on this answer
Every name links to their profile. Every company links to their site. Real people, real accountability.