Q: Why do I see "dmarc-request" addresses in messages distributed to my email lists?

By Jacob Haller
Senior Support Engineer, L-Soft

A DMARC policy is a type of policy that owners of domains can publish that dictates what should happen when mail is received from their domain, but through a mail server that doesn't belong to them.

If a message is sent to an email list, and the original "From" address is left as-is, then the message will generally fail DMARC. For instance, if a message is distributed with these headers:

From: chris@example.com
To: tech-forum@listserv.example.edu
Subject: This is a test message

Then the recipient mail servers would see the sender of the message as being from example.com, but the message itself as coming from the mail server used by LISTSERV. Assuming that the outgoing mail server isn't one of the ones authorized by the owners of the example.com domain, that would in result in a DMARC failure.

The domain's owner can specify what should happen if a message from their domain fails DMARC. A "p=none" policy means that the message should be handled the same as any other message and shouldn't be rejected due to the failure. However, if a "p=quarantine" or "p=reject" policy is in place, then recipient mail servers are supposed to treat the message as spam and reject it outright.

To prevent this from affecting email list traffic, LISTSERV rewrites the "From" addresses of messages from domains with "p=reject" or "p=quarantine" policies. Additional details can be found in Section 13.3 of the LISTSERV Advanced Topics Manual.

Note that this sort of rewriting only occurs with mail distributed to email lists. Mail sent to other LISTSERV-related addresses will not be rewritten in this way.

How can I tell whether a particular domain has a DMARC policy and what that policy is?

There are a number of online tools that will allow you to find the DMARC policies of different domains. One of the most common is mxtoolbox.

https://mxtoolbox.com/dmarc.aspx

What happens to email sent to "dmarc-request" addresses?

Under Windows, mail sent to these addresses will automatically be accepted and routed to LISTSERV. Under Unix, it is slightly more complicated and will require special configuration of the SMTP package that is installed on the LISTSERV server. If you are using postfix, then the setup described in Section 3.8.2 of the LISTSERV for Unix Installation Manual should have the desired effect.

Once the mail makes it to LISTSERV, LISTSERV will forward the message onward to the appropriate user's email address, using an internal record that it keeps of what "dmarc-request" addresses it has generated, and which original sender addresses they correspond to.

If the same person sends email to LISTSERV on several different occasions, will the same "dmarc-request" address be used?

If the same person posts messages to mailing lists from the same email address, and the address is rewritten, then it will be rewritten to the same "dmarc-request" address every time, regardless of how far apart the messages are sent, or whether they are sent to the same or different mailing lists.

Is there a way to prevent mail from a particular domain from being rewritten?

Yes, but be very careful with this option. Unless the outgoing mail server that LISTSERV uses is allowed to send email from the domain in question, this is very likely to result in DMARC failures, causing mail to bounce and potentially damaging your mail server's reputation and increasing the change that other mail will be flagged as spam.

With that said, if you own the domain in question, and you are certain that mail distributed by LISTSERV from that domain won't fail DMARC, then you can use the DMARC_NO_REWRITE setting documented in Section 13.5 of the LISTSERV Advanced Topics Manual to prevent mail from particular domains from being rewritten. This setting can be accessed via the LISTSERV web interface, under "Server Administration" > "Site Configuration". Use the "Configuration Variable" text box at the top to find and set DMARC_NO_REWRITE.

Should the LISTSERV domain have a DMARC record?

This isn't required for the rewriting functionality described above to work, but it is generally something that is recommended and may improve deliverability of your messages. Information on how to set this up can be found in the following tech tip:

How do I configure SPF, DKIM and DMARC for my LISTSERV site?

A message was distributed to one of my email lists from a domain with a "p=reject" or "p=quarantine" DMARC policy, but the address wasn't rewritten, resulting in a bunch of bounces.

The first thing I would check is whether LISTSERV recorded finding any type of DMARC record for the domain at the time the message was distributed. If it did, you should see something like:

31 May 2024 08:32:35 Processing mail from xxx@EXAMPLE.COM for LISTNAME
DMARC> v=DMARC1; p=none; pct=100; rua=mailto:feedback@example.com;

If a line starting with "DMARC>" appears, then it means that LISTSERV found a DMARC record for the domain, and you can verify whether it matches the current DMARC policy.

If the line isn't present, then LISTSERV didn't find a DMARC record for the sender's domain. Information on troubleshooting this sort of problem can be found in Section 13.4 of the LISTSERV Advanced Topics Manual.

Someone sent a message to a "dmarc-request" address and got a bounce back saying that there was an SPF problem.

Only mail sent to email lists can have its sender address rewritten. In particular, messages sent to "dmarc-request" addresses won't have their senders' addresses rewritten. Unfortunately, this can result in this sort of error, since when LISTSERV forwards the message to the original address, it will be seen as coming from the outgoing mail server of LISTSERV.

LISTSERV doesn't rewrite messages sent to "dmarc-request" addresses to avoid situations where bounces or other automatically generated mail gets sent back and forth between two different "dmarc-request" addresses, resulting in a destructive mail loop that floods administrators and users with unwanted mail and wastes system resources.

I am getting DMARC errors in my daily error monitoring report, but they seem to be for a message whose sender had a "p=none" policy.

This may be due to changes in the sender's DMARC policy, but if this happens repeatedly, and specific subscribers seem to keep appearing on the report, then I would start to suspect that the situation is along the lines of the one described in the following tech tip:

Why do my lists sometimes generate spoofing complaints and what should I do about them?