Currently, all mailing list implementations break the DMARC specs. At first glance it would appear that the Mailing List specs and the DMARC specs are incompatible with each other...
HOWEVER, there IS a way to be compliant with both specs.
The mailing list is just a transport agent for list messages, right? Well, it can also be the transport agent that handles users' actual email addresses, mapping between each real email address and a username that obfuscates it.
* User "Bob Smith" emails TESTLIST@DOMAIN.ORG
* Mailing List implementation on DOMAIN looks up "BOB.SMITH@YAHOO.COM" and determines his username to be "USER-ADF2S89T"
(more friendly usernames like "BOBSMITH-YAHOO" might also be possible if verified/allowed by the list owner, even "BOB.SMITH_AT_YAHOO.COM" could be his username if he has no intention of hiding his email address and is not scared of spam bots)
* Mailing List implementation on DOMAIN rewrites the message FROM and/or SENDER fields to "USER-ADF2S89T@MAILING-LIST-USERS.DOMAIN.ORG" instead of his actual email address
* A mail transport agent is set up on MAILING-LIST-USERS.DOMAIN.ORG to forward any messages that are sent to USER-ADF2S89T to BOB.SMITH@YAHOO.COM so the author/sender are still contactable.
This is compliant with the Mailing List specs because "USER-ADF2S89T@MAILING-LIST-USERS.DOMAIN.ORG" 'belongs' to John Smith (in just the same way that JOHN.SMITH@YAHOO.COM 'belongs' to him too, even though he doesn't own YAHOO).
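The steps above, sketched as an added example that is not code from any mailing list implementation. It assumes the username is derived from the real address with a keyed hash rather than looked up in a stored table; `AliasTable`, `rewrite_authors`, `LIST_SECRET` and the sample message are hypothetical names and constructed data.

```python
import hashlib
import hmac
from email import message_from_string
from email.utils import formataddr, parseaddr

ALIAS_DOMAIN = "MAILING-LIST-USERS.DOMAIN.ORG"  # alias domain named above
LIST_SECRET = b"constructed-demo-secret"        # assumption: per-list secret key

class AliasTable:
    """Maps subscriber addresses to opaque usernames and back."""

    def __init__(self, secret=LIST_SECRET, domain=ALIAS_DOMAIN):
        self.secret, self.domain = secret, domain
        self.forward = {}  # alias local part -> real address

    def alias_for(self, real_addr):
        # Keyed hash: stable per user, and not recoverable from a harvested
        # alias without the list's secret (a bare hash could be brute-forced).
        norm = real_addr.strip().lower()
        tag = hmac.new(self.secret, norm.encode(), hashlib.sha256).hexdigest()[:10]
        local = "USER-" + tag.upper()
        self.forward[local] = norm
        return f"{local}@{self.domain}"

    def resolve(self, alias_addr):
        # What the forwarding MTA on the alias domain needs: the real
        # address for a known alias, or None so the mail is rejected.
        local, _, domain = alias_addr.partition("@")
        if domain.upper() != self.domain:
            return None
        return self.forward.get(local.upper())

def rewrite_authors(raw_message, table):
    """Rewrite From and, if present, Sender to list-owned alias addresses."""
    msg = message_from_string(raw_message)
    for header in ("From", "Sender"):
        if msg[header] is None:
            continue
        name, addr = parseaddr(msg[header])
        msg.replace_header(header, formataddr((name, table.alias_for(addr))))
    return msg

# Constructed sample message for the demonstration.
SAMPLE = ("From: Bob Smith <BOB.SMITH@YAHOO.COM>\n"
          "To: TESTLIST@DOMAIN.ORG\nSubject: hello\n\nbody\n")

if __name__ == "__main__":
    table = AliasTable()
    print(rewrite_authors(SAMPLE, table)["From"])
```

Because the rewritten From domain belongs to the list operator, the operator can sign outgoing list mail with its own DKIM key and publish SPF for that domain, so DMARC alignment is checked against a domain it controls.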
This will also have the following benefits:
- Actual email addresses are completely hidden from Spam Bots. This is huge. Mailing Lists are a huge source of email addresses that spam bots like to harvest.
(It may be possible to have a web interface or mailing list -request command to reveal the users' actual email address - using a CAPTCHA if the requesting user is not trusted - so users can't hide behind their special address)
- List Managers might like the option for users to be able to update to their new email address while keeping the same username(s).
(If users are representing their company, companies might like an option - maybe with the use of a TXT record on their domain - not to allow their users to do this so they can't keep 'representing' their company after they lose access to their company email address)
- This way DMARC can be freely implemented by everyone, including the mailing list server itself, so users can't spoof each other when posting to the mailing list, nor can they use their "USER-ADF2S89T@MAILING-LIST-USERS.DOMAIN.ORG" address to send mail 'FROM' this address.