A brief DMARC primer

laura
Industry
April 7, 2014

DMARC stands for Domain-based Message Authentication, Reporting and Conformance. What DMARC does is allow domain owners to publish policy statements in DNS telling receiver domains what to do with messages that do not authenticate. In addition, DMARC introduces the concept of “domain alignment.” What this means is that the authentication has to be from the same domain (or a sub-domain) as the address in the header-from: line. The idea behind DMARC is that organizational owners can use SPF and DKIM authentication to authenticate their actual domain in the header-from line. This moves authentication from a important but behind the scenes technology out to an end user visible technology.

What does alignment mean?

Alignment means that the authenticating domain is related to the domain in the header-from address. There are two kinds of alignment: strict and relaxed. Strict alignment means that the domains are identical, relaxed alignment means that the domains are subdomains of one another.
It’s probably easiest to look at example headers.
In this example we can see a few different things. Visible headers shown in the mail client are in black, headers not normally shown in the client are shown in blue. Highlighted we have the header-from address and the d= value. Both these values are identical, meaning the message passes DMARC with strict alignment. If the header-from was @nfcu.org and d=response.nfcu.org that would pass DMARC with relaxed alignment.

Shouldn’t all mail align?

Not necessarily. In this other example, we see a header-from of @mncompanionrabbit.org but authentication coming from Constant Contact. Perfectly legitimate use of the email address in a newsletter, but there is no DMARC alignment as is. Could they create a DMARC alignment? Sure, by signing with a d=mncompanionrabbit.org or ~~by publishing a SPF text record containing Constant Contact’s IP addresses~~ (Corrected because I got this bit very wrong). But there’s not a lot of reason to do that as far as I can see.

Why bring this up now?

Yahoo has recently started publishing a DMARC record with p=reject. This means ISPs checking DMARC records (like yahoo, hotmail, and gmail) and following p= recommendations are now bouncing mail from @yahoo.com addresses that is not sent through Yahoo servers (SPF alignment) or signed with a Yahoo DKIM key (DKIM alignment). This means any mail from Yahoo users not using the Yahoo SMTP servers directly. This is affecting a couple different kinds of Yahoo users, making mail bounce.

Why would Yahoo do this?

There’s been an ongoing attack against Yahoo users attempting to compromise their accounts and then send email from that Yahoo user to their contacts. Yahoo has managed to block this spam coming out through Yahoo’s servers. The attackers have modified their attacks and are now sending mail from Yahoo users to their contacts through other servers. By publishing a p=reject record, Yahoo is telling other systems to not accept mail from Yahoo users if it doesn’t come through Yahoo controlled servers. This includes the mail from the attackers, but also mail from regular Yahoo users that use another SMTP server, including bulk mail sent through ESPs, and individual mail sent to mailing lists.

Will Yahoo change their DMARC record back?

It’s unclear. One of the other features of DMARC is that receivers can report back to senders when there is an authentication failure. Yahoo has these reports so they know exactly how much email is affected by this setting of p=reject. It could be this is a temporary measure until the attackers move on. But this may be a longer term setting because the attacks may be ongoing.

Can I just tell someone to whitelist my mail?

No. This is not an actual block. Mail is being rejected because Yahoo is saying that other companies should reject mail from @yahoo.com addresses that doesn’t come from Yahoo’s servers.

This breaks everything! Who can fix this?

The only people who can change this are Yahoo, no one else is responsible for this. The correct place to complain is support@yahoo. Gmail, Hotmail, anyone else following DMARC, nor the folks at dmarc.org can help you. You need to talk to Yahoo.

What can I do to send mail?

Right now the only way to send mail from @yahoo.com addresses to domains checking DMARC is to send mail using the Yahoo SMTP servers. You can do this by using the web interface, or by using the Yahoo SMTP server to send outbound mail. The only real fix for bulk mail through an ESP is to change your header-from address to something that isn’t Yahoo. I’d also suggest avoiding other free mail domains (like gmail and hotmail).

DMARC Interoperability

Facebook hosted a DMARC interoperability event earlier this week. In terms of protocol development, interoperability events are a sign that the protocol is ready for more widespread use.

ISPs speak at M3AAWG

Last week at M3AAWG representatives from AOL, Yahoo, Gmail and Outlook spoke about their anti-spam technologies and what the organizations were looking for in email.
This session was question and answers, with the moderator asking the majority of the questions. These answers are paraphrased from my notes or the MAAWG twitter stream from the session.
What are your biggest frustrations?
AOL: When senders complain they can’t get mail in and we go look at their stats and complaints are high. Users just don’t love that mail. If complaints are high look at what you may have done differently, content does have an effect on complaints.
Outlook: When we tightened down filters 8 years ago we had to do it. Half of the mail in our users inbox was spam and we were losing a steady number of customers. The filter changes disrupted a lot of senders and caused a lot of pain. But these days only 0.5% of mail in the inbox is spam. Things happen so fast, though, that the stress can frustrate the team.
Gmail: Good senders do email badly sometimes and their mail gets bulked. Senders have to get the basic email hygiene practices right. Love your users and they’ll love you back.
What’s your philosophy and approach towards mail?
AOL: There is a balance that needs to be struck between good and bad mail. The postmaster team reminds the blocking team that not all mail is bad or malicious. They are the sender advocates inside AOL. But the blocking team deals with so much bad mail, they sometimes forget that some mail is good.
Yahoo: User experience. The user always comes first. We strive to protect them from malicious mail and provide them with the emails they want to see. Everything else is secondary.
Gmail: The faster we stop spam the less spam that gets sent overall. We have highly adaptive filters that can react extremely quickly to spam. This frustrates the spammers and they will give up.
Outlook: The core customer is the mailbox user and they are a priority. We think we have most of the hardcore spam under control, and now we’re focused on personalizing the inbox for each user. Everyone online should hold partners accountable and they should expect to be held accountable in turn. This isn’t just a sender / ESP thing, ISPs block each other if there are spam problems.
What are some of your most outrageous requests?
We’ve been threatened with lawsuits because senders just don’t want to do the work to fix things. Some senders try to extort us. Other senders go to the advertising execs and get the execs to yell at the filtering team.
Coming to MAAWG and getting cornered to talk about a particular sender problem. Some senders have even offered money just to get mail to the spam folder.
Senders who escalate through the wrong channels. We spent all this money and time creating channels where you can contact us, and then senders don’t use them.
Confusing business interests with product interests. These are separate things and we can’t change the product to match your business interest.
What are your recommendations for changing behaviors?
Outlook: We provide lots of tools to let you see what your recipients are doing. USE THE TOOLS. Pay attention to your recipient interaction with mail. Re-opt-in recipients periodically. Think about that mail that is never opened. Monitor how people interact with your mail. When you have a problem, use our webpages and our forms. Standard delivery problems have a play book. We’re going to follow that playbook and if you try to get personal attention it’s going to slow things down. If there’s a process problem, we are reachable and can handle them personally. But use the postmaster page for most things.
Gmail: Get your hygiene right. If you get your hygiene right, deliverability just works. If you’re seeing blocking, that’s because users are marking your mail as spam. Pay attention to what the major receivers publish on their postmaster pages. Don’t just follow the letter of the law, follow the spirit as well. Our responsibility, as an ISP, is to detect spam and not spam. Good mailers make that harder on us because they do thinks that look like spammers. This doesn’t get spammer mail in more, it gets legitimate mail in less. Use a real opt-in system, don’t just rely on an implied opt-in because someone made a purchase or something.
Yahoo: ESPs are pretty good about screening their customers, so pay attention to what your ESPs are saying. Send mail people want. Verify that the email addresses given to you actually belong to people who want your mail. Have better sender practices.
What do you think about seed accounts?
The panel wasn’t very happy about the use of seed accounts. Seeds are not that useful any longer, as the ISPs move to more and more personalized delivery. Too much time and too many cycles are used debugging seed accounts. The dynamic delivery works all ways.
When things go wrong what should we do?
AOL: Open a ticket. We know we’ve been lax recently, but have worked out of our backlog and are caught up to date. Using the ticketing system also justifies us getting more headcount and makes everyone’s experience better. Also, don’t continue what you’re doing. Pausing sending while you’re troubleshooting the issue. We won’t adjust a rep for you, but we may be able to help you.
Gmail: Do not jump the gun and open a ticket on the first mail to the spam folder. Our filters are so dynamic, they update every few minutes in some cases. Be sure there is a problem. If you are sure you’re following the spirit and letter of the sender guidelines you can submit a ticket. We don’t respond to tickets, but we work every single one. When you’re opening a ticket provide complete information and full headers, and use the headers from your own email address not headers from a seed account. Give us a clear and concise description of the problem. Also, use the gmail product forum, it is monitored by employees and it’s our preferred way of getting information to the anti-abuse team. Common issues lots of senders are having will get addressed faster.
Outlook: Dig in and do your own troubleshooting, don’t rely on us to tell you what to fix. The support teams don’t have a lot of resources so use our public information. If you make our job harder, then it takes longer to get things done. But tell us what changes you’ve made. If you’ve fixed something, and tell us, our process is different than if you’re just asking for a delisting or asking for information. When you’ve fixed things we will respond faster.
How fast should users expect filters to respond after making changes?
Filters update continually so they should start seeing delivery changes almost immediately. What we find is people tell us they’ve made changes, but they haven’t made enough or made the right ones. If the filters don’t update, then you’ve not fixed the problem.

Problems with Yahoo FBL

There are a couple problems I’ve been alerted to with the Yahoo FBL today.
The first comes from Michael Ellis and is about broken FBL reporting at Yahoo.