It appears that Michael Thomas via NANOG <nanog@lists.nanog.org> said:
There is no requirement that a mailing list honor or even care about DMARC. That's true of all of this: it's purely informational to the receiver to use as they will (or not). Expecting mailing lists to do anything in particular is a mistake.
So mailing list software today typically checks the originating domain's DMARC configuration. If that has a policy other than "none" (which says to deliver email even if it fails both SPF and DKIM), it will send the email "From:" the list, and not the originator. The email then nicely passes the mailing list's own SPF, of course. Additionally, the mail server sending it out from the list software will normally DKIM sign the outgoing email, so it ends up properly authenticating as coming from the mailing list software. It would be nice if this were more uniformly true, but alas I don't think you can really count on it. Even IETF mailing lists don't resign (somebody has claimed this is a bug, but it's been a bug for a very long time, from what I can tell).
Really, it was a bug. A bunch of stuff broke when we moved to the new mail server earlier this year, and it's fixed now. (I checked.) The DMARC rewrite stuff that I added broke at the same time, haven't checked whether it's back yet. R's, John