View Issue Details

ID: 0018087
Project: phpList 3 application
Category: Documentation
View Status: public
Last Update: 13-02-19 12:26
Reporter: lwc
Assigned To:
Status: new
Resolution: open
Product Version: 3.2.4
Summary: 0018087: Document DMARC exception

Description: When you specify a "from" address, you can no longer use addresses that involve servers like Gmail/Google Apps. The reason is that such servers enforce a "reject" DMARC rule, and so reject phplist's attempts to fake the "from" address.

Since phplist is obsolete without it, please document what should be the DMARC rules to make an exception for phplist.
Additional Information: Please mention specifically what should be the settings regarding the commercial



17-04-16 11:55

updater   ~0057609

Upon further investigation, I'm starting to think is simply not DMARC compliant! This poses a huge problem and means it's much more than a documentation issue. & both offer 3 methods for third party vendors, in this case, to become DMARC compliant.


17-04-16 13:31

administrator   ~0057611

DMARC checks that the sender is sending from a location that is allowed. It uses SPF and DKIM for that.

phpList (hosted) is SPF and DKIM compatible. However, it will depend on the domain in the From if this passes for DMARC.

I've been working on a DMARC checker plugin, but that's quite complicated. In general the rule is: make sure the From in your campaigns validates. To allow to send with your From domain, you need to add "include" to your SPF records. Then it should also pass for DMARC.


17-04-16 13:34

administrator   ~0057612

It also means you cannot use certain domains in the From field of your campaigns, e.g. domains. That is the reason we stopped accepting email addresses for registration for phpList Hosted.


18-04-16 13:55

updater   ~0057622

We use our own domain name in the "from". in our SPF records didn't help.
Neither did
Neither did a complete copy of's own spf record (list of ip4:).


18-04-16 18:47

administrator   ~0057627

Just should be enough

Can you send an email to and paste the results?


19-04-16 14:03

updater   ~0057645

I sent to your address through phpList hosted, but I have nothing to paste since it's a test message which isn't considered as bounce.

Please read the 2 links in the OP. They'll show it takes more than a simple spf include.


19-04-16 19:56

administrator   ~0057653

That address bounces anyway. Try to find it in your list of bounces. It will probably be marked as "unprocessed".

I have read those pages. That is about the other side of DMARC: when you want other servers to report to you how your domain is doing on their systems. We have that in place with phpList as well.

The delivery side of DMARC is different. It is about telling the world about your domain. And the easiest option (for now) is to use a domain that is not yet set for DMARC.


19-04-16 19:58

administrator   ~0057654

Which opens the question, did you configure DMARC for your domain? If so, remove it.


24-04-16 07:11

updater   ~0057667

Found your bounce: (password: phplist)

As for the domain, this is our company's domain. We must have the "from" address as sent from our (DMARC protected) company's domain.

More links that might help: &


26-04-16 22:03

administrator   ~0057676

Thanks, I have the file, you can delete it if you want.

I'll try to find some time to work on it. But the summary:

SPF check: pass
DKIM check: pass

would indicate that DMARC should pass, because DMARC requires one of the two to pass (IIRC)
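
Added example, not part of the thread and not phpList code: under RFC 7489, DMARC counts an SPF or DKIM pass only when the authenticated domain aligns with the From domain, which this sketch evaluates for constructed sample domains. The function names and the two-label `org_domain` shortcut are assumptions made for illustration.

```python
# Added example: DMARC identifier alignment as defined in RFC 7489.
# All domains below are constructed sample values.

def org_domain(domain):
    """Simplification (assumption): treat the last two labels as the
    organizational domain. Real evaluators use the Public Suffix List."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])

def aligned(auth_domain, from_domain, mode="r"):
    """mode 'r' = relaxed (same organizational domain), 's' = strict (exact)."""
    a = auth_domain.lower().rstrip(".")
    f = from_domain.lower().rstrip(".")
    return a == f if mode == "s" else org_domain(a) == org_domain(f)

def dmarc_evaluate(from_domain, spf, dkim, aspf="r", adkim="r"):
    """spf: (result, MAIL FROM domain); dkim: list of (result, d= domain).
    DMARC passes only if a *passing* mechanism is also aligned with From."""
    spf_result, mail_from = spf
    spf_aligned = spf_result == "pass" and aligned(mail_from, from_domain, aspf)
    dkim_aligned = any(r == "pass" and aligned(d, from_domain, adkim)
                       for r, d in dkim)
    return {"spf_aligned": spf_aligned, "dkim_aligned": dkim_aligned,
            "dmarc": "pass" if (spf_aligned or dkim_aligned) else "fail"}

# Case 1: a list service authenticates with its own domain. SPF and DKIM
# both pass, but neither matches the From domain.
THIRD_PARTY = dmarc_evaluate(
    "example.com",
    spf=("pass", "bounces.lists.example.net"),
    dkim=[("pass", "lists.example.net")])

# Case 2: same message with an extra DKIM signature by the From domain.
OWN_DKIM = dmarc_evaluate(
    "example.com",
    spf=("pass", "bounces.lists.example.net"),
    dkim=[("pass", "lists.example.net"), ("pass", "example.com")])

# Case 3: bounce address on a subdomain of the From domain; relaxed
# alignment accepts it, strict alignment (aspf=s) does not.
SUBDOMAIN_RELAXED = dmarc_evaluate(
    "example.com", spf=("pass", "bounce.example.com"), dkim=[])
SUBDOMAIN_STRICT = dmarc_evaluate(
    "example.com", spf=("pass", "bounce.example.com"), dkim=[], aspf="s")

if __name__ == "__main__":
    for name in ("THIRD_PARTY", "OWN_DKIM", "SUBDOMAIN_RELAXED", "SUBDOMAIN_STRICT"):
        print(name, globals()[name])
```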