How do mailing lists rewrite From: headers to pass DMARC?
Still have a question, spotted an error, or have a better explanation or a source we should cite?
If a mailing list rewrites the From header, it's almost certainly doing it because of DMARC.
And Here's the problem they're solving: when a message goes through a mailing list, the original sender's From domain stays visible, but the list's infrastructure is doing the actual sending. That means the list's sending IP isn't in the original sender's SPF record, and if the list modifies the message, DKIM fails too. Neither SPF nor DKIM aligns with the original From domain, so DMARC fails.
The brute-force fix is to replace the From header entirely. Instead of showing captain@deepcurrent.io, the list rewrites it to something like captain via deepcurrent.io <captain=deepcurrent.io@thelist.org> or simply no-reply@thelist.org. Now the list's own domain is in the From address. The list signs with its own DKIM key, and its own SPF authorizes its sending infrastructure. DMARC passes for the list's domain.
The tradeoff is real: replies now go to the list (or get dropped), not the original sender. Recipients lose the direct connection to who sent the message. Some list software handles this more gracefully by preserving the original sender in a Reply-To header, but the From display still changes.
Many well-known list managers including Mailman and GNU Mailman do this automatically when they detect that the sender's domain has a strict DMARC policy. It's the practical response to a real constraint. ARC is a more elegant long-term solution, but requires the list server and receiving mailbox providers to both support it.
Contributors
Who worked on this answer
Every name links to their profile. Every company links to their site. Real people, real accountability.