Alan Hodgson explains in a post to the NANOG mailing list (cache) how DMARC with DKIM and SPF checks is supposed to work:
Alan Hodgson wrote:
SPF checks the envelope sender only. [..]
DKIM doesn't by default check anything except that the headers and body that
were signed have not been altered since the signature was added. It definitely
has nothing to do with the envelope sender. [..]
DMARC adds sender policy to both mechanisms. For DMARC to pass, either SPF or
DKIM must pass and the identifier must be aligned with the header From:.
So for DMARC+SPF to pass not only must the message come from a source
authorized by the envelope sender domain, but that domain must be the same
domain (or parent domain or subdomain) of the header From: address.
For DMARC+DKIM to pass, the DKIM signature must pass and the DKIM signing
domain must be the same domain (or parent domain or subdomain) of the header
From: address.
Again, DMARC requires only one or the other mechanism to pass. So messages
forwarded intact should be OK if they have an aligned DKIM signature.
Mailing lists run by mailing list software usually alter the envelope sender.
They can therefore create and pass their own SPF policy. However, if the From:
address is preserved, this will not be an aligned message and will not pass
DMARC+SPF.
So, as far as I understand, a mail routed through a mailing list that keeps the original From: address will always fail DMARC+SPF (envelope sender and header From: are not aligned). But DMARC+DKIM should be fine as long as no headers or body parts that are covered by the DKIM signature are touched - and passing one of the two mechanisms is enough.
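
The pass/fail logic from the quoted post, as an added Python example (not code from the original post or from Alan Hodgson). All domains and scenarios are constructed, and `aligned()` follows the post's wording (same, parent or subdomain) instead of the Public Suffix List lookup that RFC 7489 relaxed alignment uses.

```python
from dataclasses import dataclass

def aligned(identifier: str, header_from: str) -> bool:
    # Alignment as the quoted post words it: same domain, parent or subdomain.
    # Assumption: no Public Suffix List lookup, so this runs offline.
    a, b = identifier.lower().rstrip("."), header_from.lower().rstrip(".")
    return a == b or a.endswith("." + b) or b.endswith("." + a)

@dataclass
class Message:
    header_from: str    # domain of the header From: address
    envelope_from: str  # domain of the envelope sender, the one SPF checks
    spf_pass: bool      # sending host is authorized by envelope_from
    dkim: list          # one (d= domain, signature valid) tuple per signature

def dmarc(msg: Message) -> dict:
    spf_ok = msg.spf_pass and aligned(msg.envelope_from, msg.header_from)
    # Any one signature that is both valid and aligned satisfies the DKIM leg.
    dkim_ok = any(ok and aligned(d, msg.header_from) for d, ok in msg.dkim)
    return {"spf": spf_ok, "dkim": dkim_ok, "dmarc": spf_ok or dkim_ok}

# Constructed scenarios; every domain is a placeholder.
SCENARIOS = {
    "direct": Message("example.org", "bounce.example.org", True,
                      [("example.org", True)]),
    # Forwarder relays unchanged: SPF fails at the new hop, DKIM survives.
    "forwarded_intact": Message("example.org", "example.org", False,
                                [("example.org", True)]),
    # List rewrites the envelope sender, keeps From: and the signed content.
    "list_keeps_from": Message("example.org", "lists.example.net", True,
                               [("example.org", True)]),
    # List adds a footer and re-signs: its own signature is valid, unaligned.
    "list_alters_body": Message("example.org", "lists.example.net", True,
                                [("example.org", False),
                                 ("lists.example.net", True)]),
}

def evaluate_all() -> dict:
    return {name: dmarc(m) for name, m in SCENARIOS.items()}

if __name__ == "__main__":
    for name, result in evaluate_all().items():
        print(f"{name:18} {result}")
```

The last scenario is the failure case: the list's SPF and its own DKIM signature both pass, but neither identifier is aligned with the header From: domain, so DMARC fails.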