A brief DMARC primer

A

DMARC stands for Domain-based Message Authentication, Reporting and Conformance. What DMARC does is allow domain owners to publish policy statements in DNS telling receiver domains what to do with messages that do not authenticate. In addition, DMARC introduces the concept of “domain alignment.” What this means is that the authentication has to be from the same domain (or a sub-domain) as the address in the header-from: line. The idea behind DMARC is that organizational owners can use SPF and DKIM authentication to authenticate their actual domain in the header-from line. This moves authentication from a important but behind the scenes technology out to an end user visible technology.

What does alignment mean?

Alignment means that the authenticating domain is related to the domain in the header-from address. There are two kinds of alignment: strict and relaxed. Strict alignment means that the domains are identical, relaxed alignment  means that the domains are subdomains of one another.
It’s probably easiest to look at example  headers.
In this example we can see a few different things. Visible headers shown in the mail DKIM-alignedclient are in black, headers not normally shown in the client are shown in blue. Highlighted we have the header-from address and the d= value. Both these values are identical, meaning the message passes DMARC with strict alignment. If the header-from was @nfcu.org and d=response.nfcu.org that would pass DMARC with relaxed alignment.

Shouldn’t all mail align?

Not necessarily. In this other example, we see a header-from of @mncompanionrabbit.org but authentication coming from Constant Contact. DKIM-not-aligned Perfectly legitimate use of the email address in a newsletter, but there is no DMARC alignment as is. Could they create a DMARC alignment? Sure, by signing with a d=mncompanionrabbit.org or by publishing a SPF text record containing Constant Contact’s IP addresses (Corrected because I got this bit very wrong). But there’s not a lot of reason to do that as far as I can see.

Why bring this up now?

Yahoo has recently started publishing a DMARC record with p=reject. This means ISPs checking DMARC records (like yahoo, hotmail, and gmail) and following p= recommendations are now bouncing mail from @yahoo.com addresses that is not sent through Yahoo servers (SPF alignment) or signed with a Yahoo DKIM key (DKIM alignment). This means any mail from Yahoo users not using the Yahoo SMTP servers directly. This is affecting a couple different kinds of Yahoo users, making mail bounce.

Why would Yahoo do this?

There’s been an ongoing attack against Yahoo users attempting to compromise their accounts and then send email from that Yahoo user to their contacts. Yahoo has managed to block this spam coming out through Yahoo’s servers. The attackers have modified their attacks and are now sending mail from Yahoo users to their contacts through other servers. By publishing a p=reject record, Yahoo is telling other systems to not accept mail from Yahoo users if it doesn’t come through Yahoo controlled servers. This includes the mail from the attackers, but also mail from regular Yahoo users that use another SMTP server, including bulk mail sent through ESPs, and individual mail sent to mailing lists.

Will Yahoo change their DMARC record back?

It’s unclear. One of the other features of DMARC is that receivers can report back to senders when there is an authentication failure. Yahoo has these reports so they know exactly how much email is affected by this setting of p=reject. It could be this is a temporary measure until the attackers move on. But this may be a longer term setting because the attacks may be ongoing.

Can I just tell someone to whitelist my mail?

No. This is not an actual block. Mail is being rejected because Yahoo is saying that other companies should reject mail from @yahoo.com addresses that doesn’t come from Yahoo’s servers.

This breaks everything! Who can fix this?

The only people who can change this are Yahoo, no one else is responsible for this. The correct place to complain is support@yahoo. Gmail, Hotmail, anyone else following DMARC, nor the folks at dmarc.org can help you. You need to talk to Yahoo.

What can I do to send mail?

Right now the only way to send mail from @yahoo.com addresses to domains checking DMARC is to send mail using the Yahoo SMTP servers. You can do this by using the web interface, or by using the Yahoo SMTP server to send outbound mail. The only real fix for bulk mail through an ESP is to change your header-from address to something that isn’t Yahoo. I’d also suggest avoiding other free mail domains (like gmail and hotmail).

About the author

56 comments

Leave a Reply to Christine Yelich Roberts

This site uses Akismet to reduce spam. Learn how your comment data is processed.

  • Are you saying that it’s Yahoo’s fault, if something breaks now? If somebody uses a domain that does not belongs to them, why would the domain owner be responsible if something breaks?

  • What I’m saying is that many people use Yahoo email addresses legitimately, without using the Yahoo outbound mail servers. Yahoo publishing a p=reject breaks those uses.
    If, for instance, Yahoo had previously published a TOS that says ‘the only mail you can send with @yahoo.com has to be sent through our interface’ that would be one thing. This change just enforces that bit of the TOS. But that’s not what yahoo has done. Instead, they started publishing a policy that is going to break a lot of things for their users. Yes, ESP mail is one of them, but mailing list mail is another.
    For Yahoo (and other mailbox providers) there’s never before been the idea that you HAVE to use that email address only to send mail through that mailbox provider. This is really a change in how Yahoo expects their users to use email and I’m not sure it’s a good choice.

  • Spammers ruin everything. These days, we have to assume that mail claiming to come from Yahoo that’s not originating from a Yahoo server is forged spam.

  • I’m totally confused. Does this mean that the email I thought I was sending from Mad Mimi is actually going through my Yahoo?

  • Laura,
    Just an fyi…We just checked and it seems to me that problem is only with yahoo.com address but not with ymail, rocketmail etc.

  • Yup, it is only yahoo.com that has the p=reject message. Other yahoo domains (including some of the regional ones) still have p=none.

  • My thought was to modify my ‘from’ header to look like this:
    From: “Joe Blow (joeblow@yahoo.com)”
    So the real ‘from’ is my domain, but the name for display in the mail client ui shows the name and email for the message author. Do you suppose this would work?

  • I am so befuddled. I use the (Telstra) Bigpond service for my email. I use Outlook set with in as pop.mail.yahoo.com and out as mail.bigpond.com. I am unable to send anything successfully now with everything coming back with the error talked about. I use a Yahoo email address. Does this mean that I would have to use Tahoo as out server for it to work? I (stupid) don’t understand how that would function if my mail service is Bigpond? Sorry but apart from my ever growing dismay at Yahoo I don’t really understand this and in the end does it mean I cannot use Yahoo with Bigpond ?
    Desperate Dan of Australia
    PS : I have “tried” to communicate with Yahoo – ho hum

  • Thanks for providing insight. While DMARC is very simple, we continue to see alignment issues. Second it is perplexing to see how few of the top 1,000 consumer brands are not authenticating at the TLD vs delegate sub domains. This does little to protect consumers. Join OTA and instructors from Agari and ReturnPath on April 29 in Wash DC for a full-day training. More info at https://www.eventbrite.com/e/email-security-integrity-authentication-dmarc-training-registration-10943543433

  • If you set your out mail server as smtp.mail.yahoo.com with your Yahoo credentials that should fix the problem. If you’re using a Yahoo.com email address, then you must use Yahoo’s outbound server in order for DMARC to align and for the receiving servers not to reject the mail.
    The other alternative is to stop using Yahoo as your email address.

  • Laura,
    Laura,
    In checking for latest updates I see an April 8th update from Yahoo at:
    https://help.yahoo.com/kb/mail/SLN7253.html?impressions=true
    mentioning:
    DMARC
    The latest authentication test that Yahoo has incorporated, DMARC, performs the following checks:
    “From” address should map to the same signing domain
    Mail from a domain should match the domain in the “From” header
    Here’s an example of a DMARC record:
    v=DMARC1; p=quarantine; sp=reject; rua=mailto:dmarc.report@yourdomain.com
    In this example, Yahoo will quarantine emails that fail DKIM and SPF for yourdomain.com, and similar emails for sub-domains from yourdomain.com will be rejected. The aggregate report will be mailed to dmarc.report@yourdomain.
    There current post shows a ‘P=quarantine’ and not the previous ‘p=reject’
    Is this a change/update from their previous stance with this past weekend ‘reject’ update ?
    Best Regards,
    Bill Watkins-
    Application Analyst
    ScholarOne – Thomson Reuters
    Charlottesville, Virginia

  • I just checked here and they are currently publishing a p=reject. I’m guessing their website is outdated.
    Wait. I just re-read your comment. That website is just explaining what a DMARC record is. That’s not actually Yahoo’s record. Yahoo’s record looks like this:
    $ dig _dmarc.yahoo.com TXT
    ;; ANSWER SECTION:
    _dmarc.yahoo.com. 1268 IN TXT “v=DMARC1\; p=reject\; sp=none\; pct=100\; rua=mailto:dmarc-yahoo-rua@yahoo-inc.com, mailto:dmarc_y_rua@yahoo.com\;”
    ;; Query time: 5 msec
    ;; SERVER: 192.168.80.1#53(192.168.80.1)
    ;; WHEN: Thu Apr 10 14:20:00 2014
    ;; MSG SIZE rcvd: 360

  • Thanks Laura,
    I just checked also and still saw the p=reject. Wishing it wasn’t true however.
    Best Regards,
    Bill Watkins –

  • […] Why is this happening? In an attempt to stop fraudulent emails, Yahoo changed its DMARC authentication policy to reject emails that claim to come from yahoo.com but actually originate at non-Yahoo servers. For more information on the DMARC authentication protocol, check out this DMARC primer from Laura Atkins at Word to the Wise. […]

  • This enormous pain, and the severe lack of communication, has caused me to drop Yahoo after 15 yrs. Way to go Yahoo.

  • Well this just stinks and I knew this day would come! Wish I had already switched over to my own email address.

  • This policy is a huge LOSER!!!
    I run a few mailing lists and it breaks everything. Not only does it block any posting from Yahoo users to anyone else….but then it creates hundreds of bounce messages back to the server. These same Yahoo users don’t see their postings….and not knowing why….they post again, which gets blocked….and generates still more bounces.
    After so many bounces the mailing list software thinks these subscribers are stale, so it starts to unsubscribe not just the Yahoo users, but also most of the other users who have accounts on DMARC compliant servers.
    This is one of the most amazing self-inflicted Denial-Of-Service attacks one can witness.

  • I just ran up against this as a Comcast customer who operates some email lists, and while I believe it is fine for free email providers to apply whatever rules they wish on their servers, I *pay* Comcast for email service and I have had some complaints from correspondents that their emails have been rejected with DMARC error codes.
    Comcast doesn’t even publish a DMARC record (https://dmarcian.com/dmarc-inspector/comcast.net) and specifies 12 authorized netblocks for SPF when the maximum allowed is 10 (https://dmarcian.com/spf-survey/comcast.net). How is this even close to best practices?
    If I want to receive all my messages, I feel that it’s not Comcast business to decide what I can receive. What’s next, blocking phone calls?

  • I have a yahoo mailbox and it’s caused me to pull my flaming hair out on many occasions Yes, there is a Yahoo support (fyi it is outsourced). A couple months ago, they dumped and blocked all my outgoing mail I contacted them (short version) and they wanted me to pay $199.00 to fix their problem. Further, they shortly thereafter began daily filling my “spam” with an amazing 100-200 emails. And, believe me, those emails were sure tommy-rot!
    Thank you for Word to the Wise and you can be sure I am more than willing to share this information I’ve read here.

  • Very good post.
    Won’t this cause spammers to switch their forged From addresses to gmail, hotmail, etc. – and therefore cause the other leading email providers to also invoke DMARC?

  • When I logged on to Yahoo mail that should be considered sending email from Yahoo server, isn’t it? So why email to some Gmail addresses are delivered but others are rejected with DMARC message (also Gmail adresses)? How do I solve this problem?

  • You should contact Yahoo support to troubleshoot the problem. There’s nothing any of us can actually do to help you.

  • This has very suddenly become a real problem with mailing lists. I’m not directly affected (as a sender) because I have my own domain and leave it as unrestricted as possible (because like Tim, above, I want the decisions to be mine, not of some robot with no brain).
    Nevertheless, I suspect I’m not receiving some mail from mailing lists because of this issue. In fact, it was brought to my attention by the administrator of one such list. It would be nice if someone would publish — in plain English — what mailing list administrators need to do. Speaking as a user, I want to see who originated a message, not that it’s coming from a certain list server (which I can usually see already in the subject line). I happen to have a technical background, but reading the dmarc.org site has my head spinning!

  • I currently forward all my email that is received by another mail server. I use a feature they provide called forwarding email. There is no selecting which email can or cannot be forwards. So when I receive eamail from AOL and try to forward it fails and appears on their end that the email is not delivered. The email has the orginating email address from AOL in the forwarding sending address. How am I to correct this problem.

  • Laura, thanks for the great write-up on DMARC. We just ran into this issue with a new feature we rolled out to our members. Your article helped us quickly get to the root cause.

  • Hi, I use Optus as an ISP. They will not allow you to use a Yahoo SMTP. You must configure the pop to be yahoo and the smtp to be Optus, other the ISP stops the email from being sent. Does this mean that if I continue to do this yahoo will stop my mail?So my ISP stops it without the ISP smtp and yahoo stops with out their smtp, if affect this means I can no longer use yahoo accounts.

  • […] DMARC stands for “Domain-based Message Authentication, Reporting & Conformance” and is a policy that is being implemented globally on the good ol’ world wide web to reduce spam and phishing schemes.  In order to reduce spam and email abuse, soon all the major ISPs (internet service providers) will stop delivering emails from aol.com, yahoo.com, gmail.com and other free domain email addresses unless they are sent directly from an AOL, Yahoo, or Gmail account. […]

  • Laura,
    I would like to run something past, but do not think a solution is within our grasp. We have set DAMRC records for ‘scholarone.com’ & manuscriptcentral.com to P=Reject. We see Forwards on recipient server accounts to GMAIL. eg:
    : host gmail-smtp-in.l.google.com[64.233.186.27] said: 550-5.7.1 Unauthenticated email from manuscriptcentral.com is not accepted due 550-5.7.1 to domain’s DMARC policy. Please contact administrator of manuscriptc 550-5.7.1 entral.com domain if this was a legitimate mail. Please visit 550-5.7.1
    https://support.google.com/mail/answer/2451690 to learn about DMARC 550 5.7.1 initiative. 69si5309482qhp.41 – gsmtp (in reply to end of DATA
    command)
    Final-Recipient: rfc822; ro.moreira.rocha@gmail.com
    Original-Recipient: rfc822;rmrocha@ufpr.br
    Action: failed Status: 5.7.1
    The originating email to rfc822;rmrocha@ufpr.br was successfully delivered to the recipient at ufpr.br and the recipients email account on ufpr.br contains a forward to his GMail account which is out of our control. Gmail is ‘seeing’ the originating server as ‘manuscriptcentral.com’ but also sees in the Forward the original recipient as rfc822;rmrocha@ufpr.br thus the mismatch.
    We know the Forward from the University account is out of our hands but can anything in our scholarone.com/manuscriptcentral.com DMARC records be tweaked to take these forwards into account or can anything be tweaked in our header structures to address these forwards ?
    Thanks,
    Bill Watkins –

  • Im not sure what to do. Not sure it is wise to change my biz email right now. I’ve had that yahoo adress for over 16 years. I think I’ll wait and check mail chimp out later. I’ll send out this months announcements in batches from yahoo, like I’ve done for years. But I’m interested in finding out how to get around this in the future.
    Thanks

  • Hi, Bill,
    About the only thing you can do is sign with an aligning d= (outbound.scholarone.com or mail.manuscriptcentral.com respectively) and hope that the university isn’t doing any modification during the forward so the DKIM signature is valid and aligned.
    If the forwarded mail is really important, and you can’t DKIM sign (or the university is doing some body modification that breaks the DKIM signature) then you’ll need to step back to a p=quarantine or p=none.
    This is DMARC working as designed. Some people think that email is not, yet, in a place where every domain should be using p=reject by default. This is one of the examples of why those people think that way.

  • Not sure how this happened, but there is a link to an online gambling site in the middle of your post:
    In the section Why bring this up now?
    This means mail from Yahoo users not using the online slots for real money Yahoo outbound SMTP servers

  • Weird. It’s not in the post draft window, although I can see it in web inspector. I republished the page and it seems to be gone now.
    Thanks for the notice.

  • […] Yahoo users have been attacked by spammers, and Yahoo has been in the media quite a bit in regard to an attack where many yahoo.com email addresses were compromised. In an effort to protect their end users, they put this DMARC policy in place.  If you want the deep details, check this Monday, April 7 blog post from Laura Atkins, industry expert and co-founder of Word to the Wise:  https://wordtothewise.com/2014/04/brief-dmarc-primer/ […]

  • […] of email anti-spam consultancy firm Word to the Wise based in Palo Alto, California, also confirmed and documented the issue in a blog post. She believes that Yahoo began advertising a “reject” policy because of a recent attack against […]

By laura

Recent Posts

Archives

Follow Us