Wow, that was a great explanation. Thank you.

My next question is how I should best respond. If I understand correctly, replying sends the email to just the original sender, but replying all sends it to the whole discussion list. Is that right?

Andrew R Gross, (he/him)
412.657.5332    -   shrad.org


On Sat, Jan 29, 2022 at 11:21 PM Sean Greenslade <sean@seangreenslade.com> wrote:
On Sat, Jan 29, 2022 at 12:59:42PM -0800, Andrew R Gross wrote:
> Can you explain what DMARC is and why the reply setup is necessary for it?
> I tried to google it but didn't understand how it connects.

There's a very deep rabbit hole to go down when you start discussing all
the various interlinking components of modern email. I'll give the short
version, since this is probably veering pretty far off-topic for the
sudo-discuss@ list.

DMARC is a primarily a method of authenticating a given message to
ensure that it was actually sent by who it purports to be from. One of
the ways it does this is by allowing the owner of a domain name to
specify that emails from that domain must be signed in a specific way
(typically DKIM signatures). It can also require that mail from that
domain comes from an authorized server (via SPF rules).

This is all well and good until a mailing list gets involved. If the
list server were to take a message and just forward it as-is, the
message would no longer align with the SPF record since the list server
is operating under a different domain. The list server also can't
pretend to be the original sender's domain since that would cause the
SPF check to outright fail.

Additionally, mailing lists will usually modify the message, for example
by adding list headers, unsubscribe links, or adding the list address as
the reply-to. This will break some DKIM signatures, and most end users
have no way of affecting how their mail server signs outgoing mails.

Breaking either SPF or DKIM can cause DMARC to fail and thus make any
list recipient's mail server that is set to enforce DMARC restrictions
reject the mail. These rejections go back to the list server, which may
unsubscribe the unlucky recipient through no fault of their own (since
their mail server is correctly rejecting a DMARC failure as the original
sender requested).

Thus the solution is to decouple the mailing list message from the
original domain. This is done by editing the From: header to use the
list address. Thus, recipients of the list message will check the DMARC
restrictions of the list server, which should always pass for valid list
messages (mailing list domains typically use a DMARC policy of "none").

This message modification strategy has its own downsides, but that's a
discussion better suited for the mailop@ mailing list.

--Sean