One of the most common technical concerns we hear about email authentication through Domain-based Message Authentication, Reporting, and Conformance (DMARC) is that it doesn’t work with mailing lists. The objection has some merit.
Email messages that get forwarded by a mailing list will fail Sender Policy Framework (SPF) authentication because, to the receiving mail server, the most immediate sender (the list) doesn’t match any of the domains listed in the originating domain’s SPF record.
Similarly, a DomainKeys Identified Mail (DKIM) signature attached to a message will fail if the mailing list modifies the body of the message or any of the signed headers (for instance, by rewriting the subject line to add a prefix for the mailing list). Once that happens, the content of the message no longer matches the cryptographically signed hash of the original message.
Messages that fail both SPF and DKIM therefore fail DMARC authentication as well.
The problem is not just hypothetical: shortly after Yahoo rolled out DMARC enforcement in 2014, many mailing list operators found that mail to every Yahoo address was bouncing, because the forwarded messages were failing DMARC authentication.
Fortunately, there is now a way to address these issues: a new standard called Authenticated Received Chain, or ARC for short.
What is email Authenticated Received Chain (ARC)?
Email Authenticated Received Chain (ARC) is a protocol for making email forwarding more reliable and secure. It builds on the SPF, DKIM, and DMARC protocols.
When you forward an email, the forwarding server adds a new Received header to the message to document that it has been forwarded. However, SPF and DKIM do not necessarily cover what happened at that hop, leaving a gap in the authentication record.
ARC preserves and validates the email authentication results across multiple headers and forwarding hops, creating a chain of custody for those results. The Internet Engineering Task Force (IETF) introduced the ARC protocol in Request for Comments (RFC) 8617 in July 2019. While the standard is still developing, it adds another layer of assurance that inbox providers need in the new digital age.
How ARC fixes the problem of mailing lists
ARC conveys authentication results from hop to hop, allowing each server in a series of forwarders (such as a mailing list server) to authenticate an incoming message and then add its “endorsement” of that authentication to the forwarded message. The receiving server can choose to trust the message or not and make a delivery decision by examining the cumulative reputation of the senders who have signed the message at each hop in its journey to that point.
It’s also possible to examine each of the authentication steps along the way to reconstruct the authentication chain.
ARC allows mailing lists to modify the messages they forward (by adding a list-specific prefix to the subject line, for instance) without fear that this will cause the messages to fail authentication when they arrive.
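The following Python checker is an added illustration, not code from Valimail, Mailman, or the ARC specification. It applies the structural rules of RFC 8617 to a constructed ARC header set (two hops: a mailing list, then a relay), recovers the first hop's original SPF/DKIM results, and lists the sealing domains a receiver would weigh. All domain names and header values are constructed; it does not verify the signatures themselves, which requires DNS key lookups.

```python
import re
ARC_HEADERS = ("ARC-Seal", "ARC-Message-Signature", "ARC-Authentication-Results")
# Constructed sample, not a real message. Hop i=1 is the mailing list, which saw SPF/DKIM
# pass; hop i=2 is a later relay that saw them fail but found the chain intact. b=/bh= are placeholders.
SAMPLE_HEADERS = [
    ("ARC-Seal", "i=2; a=rsa-sha256; cv=pass; d=relay.example.net; s=arc; b=PLACEHOLDER"),
    ("ARC-Message-Signature", "i=2; a=rsa-sha256; d=relay.example.net; s=arc; h=from:subject; bh=PLACEHOLDER; b=PLACEHOLDER"),
    ("ARC-Authentication-Results", "i=2; relay.example.net; arc=pass; spf=fail smtp.mailfrom=sender.example.com; dkim=fail header.d=sender.example.com"),
    ("ARC-Seal", "i=1; a=rsa-sha256; cv=none; d=lists.example.org; s=arc; b=PLACEHOLDER"),
    ("ARC-Message-Signature", "i=1; a=rsa-sha256; d=lists.example.org; s=arc; h=from:subject; bh=PLACEHOLDER; b=PLACEHOLDER"),
    ("ARC-Authentication-Results", "i=1; lists.example.org; spf=pass smtp.mailfrom=sender.example.com; dkim=pass header.d=sender.example.com"),
]
def parse_tags(value):
    """Split an ARC-Seal / ARC-Message-Signature tag=value list into a dict."""
    return {k.strip(): v.strip() for k, v in (t.split("=", 1) for t in value.split(";") if "=" in t)}

def group_arc_sets(headers):
    """Group ARC headers by their i= instance number: {i: {header_name: value}}."""
    sets = {}
    for name, value in (h for h in headers if h[0] in ARC_HEADERS):
        m = re.match(r"\s*i\s*=\s*(\d+)\s*;", value)
        if not m:
            raise ValueError(f"{name} header lacks an i= tag")
        sets.setdefault(int(m.group(1)), {})[name] = value
    return sets

def validate_chain(headers):
    """RFC 8617 structural checks made before any signature is verified: instances 1..N
    contiguous, every set complete, cv=none on the first seal and cv=pass on each later one."""
    sets = group_arc_sets(headers)
    if not sets:
        return ("none", "no ARC sets present")
    n = max(sets)
    for i in range(1, n + 1):
        if i not in sets or set(sets[i]) != set(ARC_HEADERS):
            return ("fail", f"ARC set i={i} missing or incomplete")
        expected = "none" if i == 1 else "pass"
        cv = parse_tags(sets[i]["ARC-Seal"]).get("cv")
        if cv != expected:
            return ("fail", f"ARC-Seal i={i} has cv={cv}, expected {expected}")
    # Report the sealers in hop order: the identities whose reputation the receiver weighs.
    sealers = [parse_tags(sets[i]["ARC-Seal"]).get("d", "?") for i in range(1, n + 1)]
    return ("pass", "sealed by " + " -> ".join(sealers))

def first_hop_results(headers):
    """SPF/DKIM as recorded by hop i=1, i.e. before the list modified the message ({} if none)."""
    aar = group_arc_sets(headers).get(1, {}).get("ARC-Authentication-Results", "")
    parts = [p.strip() for p in aar.split(";")][2:]  # drop i= and the authserv-id
    return {p.split("=", 1)[0]: p.split("=", 1)[1].split()[0] for p in parts if "=" in p}
```

A receiver that gets "pass" here still has to verify each ARC-Seal and ARC-Message-Signature against the sealers' published keys before trusting the chain.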
Validate ARC implementation with Valimail
Valimail is contributing to the ARC standard and has also set up an ARC test suite that interested parties can use to validate their ARC implementations. We are also working with the makers of Mailman, one of the world’s largest software packages for managing mailing lists, to get it ARC-ready (meaning that a future release of the Mailman software will include the ability to add ARC signatures to messages).
If you want to work with the leaders in the new ARC authentication protocol, learn how we can protect your domains.