One of SPF's shortcomings is that it doesn't act upon the `From` header at all, which is the name/address the recipient most often is shown. Instead, it acts upon the `Return-Path` header, which a well configured mailing list will set to a domain it controls.
I can see that argument, but - it's kinda a philosophical question about "who the sender is". Is it the person who typed out the text? Or is it the server which transcribed that text into N new emails?
The ML server will verify the original author's SPF. The N recipients will verify the ML server's SPF - the chain (which matches the series of MTAs involved) is still verified end to end.
> It'll break when used together with DMARC's alignment checks.
Yea, DMARC is a much bigger issue for mailing lists, but that's no reason to say "A mailing list will _always_ break SPF" - a well configured* ML has no issues with SPF at all.
* And, yes - the definition of "well configured" had to change when SPF was introduced, that's of course annoying, but there have been many, many years for ML operators to make these changes.
> The ML server will verify the original author's SPF. The N recipients will verify the ML server's SPF - the chain (which matches the series of MTAs involved) is still verified end to end.
The recipients have no way to check that the mailing list server has checked SPF/DKIM/DMARC. Mailing lists very rarely drop messages because of a failing SPF/DKIM/DMARC check.
ARC tries to fix this, but requires recipients to trust the mailing list server. Just using plain DKIM is much better; recipients can just treat ML-forwarded emails just like direct emails.
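The outcomes argued over in this thread, as an added example that is not part of any commenter's post: it evaluates SPF, DMARC alignment and DKIM alignment per hop for a list that rewrites `Return-Path` and one that does not. All domains, addresses and IPs are constructed, the `SPF_ALLOWED` table stands in for DNS, `valid_dkim` is an assumed list of `d=` domains whose signatures still verify at the receiver, and organizational domains are approximated by the last two labels.

```python
# Added example. All domains, addresses and IPs are constructed sample data.
SPF_ALLOWED = {  # stand-in for DNS: domain -> IPs its SPF record authorises
    "author.example": {"192.0.2.10"},
    "lists.example": {"198.51.100.20"},
}

def domain_of(address):
    return address.rsplit("@", 1)[1].lower()

def org_domain(domain):
    # Simplification: last two labels. Real DMARC uses the Public Suffix List.
    return ".".join(domain.split(".")[-2:])

def evaluate(hop):
    """Evaluate one SMTP hop the way the receiving MTA would."""
    spf_domain = domain_of(hop["return_path"])        # SPF checks the envelope sender
    from_domain = org_domain(domain_of(hop["from"]))  # DMARC anchors on From
    spf_pass = hop["client_ip"] in SPF_ALLOWED.get(spf_domain, set())
    spf_aligned = spf_pass and org_domain(spf_domain) == from_domain
    dkim_aligned = any(org_domain(d) == from_domain for d in hop["valid_dkim"])
    return {"spf": spf_pass, "spf_aligned": spf_aligned,
            "dkim_aligned": dkim_aligned, "dmarc": spf_aligned or dkim_aligned}

def hop(return_path, client_ip, valid_dkim=()):
    # From stays the original author on every hop; only the envelope changes.
    return {"from": "alice@author.example", "return_path": return_path,
            "client_ip": client_ip, "valid_dkim": list(valid_dkim)}

LIST_IP = "198.51.100.20"
HOPS = {
    "author -> list": hop("alice@author.example", "192.0.2.10"),
    "list -> rcpt, Return-Path rewritten": hop("bounces@lists.example", LIST_IP),
    "list -> rcpt, Return-Path kept": hop("alice@author.example", LIST_IP),
    "list -> rcpt, rewritten, author DKIM intact":
        hop("bounces@lists.example", LIST_IP, ["author.example"]),
}

def report():
    return {name: evaluate(h) for name, h in HOPS.items()}

if __name__ == "__main__":
    for name, result in report().items():
        print(f"{name:45} {result}")
```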