Yahoo Statement on DMARC policy

Y

Yesterday Yahoo posted a statement about their new p=reject policy. Based on this statement I don’t expect Yahoo to be rolling back the policy any time soon. It seems it was incredibly effective at stopping spoofed Yahoo mail.

On Friday afternoon last week, Yahoo made a simple change to its DMARC policy from “report” to “reject”. In other words, we requested that all other mail services reject emails claiming to come from a Yahoo user, but not signed by Yahoo.
Yahoo is the first major email provider in the world to adopt this aggressive level of DMARC policy on behalf of our users.
And overnight, the bad guys who have used email spoofing to forge emails and launch phishing attempts pretending to come from a Yahoo Mail account were nearly stopped in their tracks.
There is a regrettable, short-term impact to our more aggressive position on DMARC. Many legitimate emails sent on behalf of Yahoo Mail customers from third parties are also being rejected. We apologize for any inconvenience this may have caused.

Given the effectiveness of this policy, I would not be surprised to see other free mail providers (Gmail, Hotmail, AOL) or other ISPs to adopt this policy in the coming months. This is a shift in how many of us are used to using email, particularly personal email. But, as Yahoo says, times have changed and it’s time to take those painful actions that will increase our security.
In addition to making a public statement, Yahoo also published a number of things that senders (i.e., email intermediaries) can do to still handle email from Yahoo addresses as they are sent through different infrastructures. Many of these recommendations for senders are things that are already in process at most ESPs and mailing lists.
This seemingly simple policy statement is a revolutionary step in addressing issues of forgery and spam that many people have been discussing and arguing about for more than 10 years. This is a painful change for many people, Yahoo and non-Yahoo users alike. Luckily, the internet community has stepped up and implemented the changes that will make mail work even with a restrictive policy like p=reject. Now that mailing lists and ESPs are taking the steps to accommodate this policy change I expect to see other ISPs follow Yahoo’s lead and start publishing p=reject policies. Luckily for them Yahoo was first, so the impact on their users and mailing list managers should be much lower than we’ve been dealing with the last week.

About the author

7 comments

This site uses Akismet to reduce spam. Learn how your comment data is processed.

  • There was apparently no advance warning from Yahoo that this was going to happen. So, yes, there are things that email list services can do, but they might take weeks to implement properly. Shouldn’t Yahoo have given everyone a month or so advance notice?

  • Thanks to this silly policy, I was unsubscribed from several rootsweb mailing lists, being a genealogist this is a large pain. You’re not helping anyone by this.

  • Every email I send is now coming back to me because of yahoo’s new DMARC policy. What can be done to correct this. I am not sending a mailing list; this is my personal email.

  • P. Cobb, is your email program sending through another mail server rather than through Yahoo’s mail server? The most common reason for this would be that you are using your Yahoo email address but sending through your own local ISP. Yahoo no longer allows that. If this is the problem, then you can use Yahoo’s webmail interface, and/or look up instructions on setting up your email software in Yahoo’s help pages.

  • On my PC and my MAC laptop that would be the case but not so on my iphone or ipad. I tried changing to use Yahoo’s smtp but that doesn’t work either. Now the only way I can access yahoo mail is on the web which to me is unacceptable. I have now forwarded my yahoo mail to my gmail account and in the mean time I am changing my mail address with various accounts.

  • My version of the impact to Yahoo’s DMARK change is that it is all Yahoo. Case in point: I send from my Yahoo id from its web site to a small list, about 30. All save one goes through. It’s domain is swbell.net. Since I can send directly to this, the problem stems from Yahoo’s own mail server which should know that I am sending from Yahoo. Have not found any help to correct this.

  • I certainly agree that it is all Yahoo but goes beyond the DMARC policy. Whatever they did when they changed their setting affected more than just sending mail from Yahoo. I have never been able to get my mail straightened out with them and the issue has been escalated twice. I have now become so disenchanted with Yahoo. that I closed my website (will probably look for another host) and have shifted the majority of my mail to my gmail account – traveln2c@gmail.com

By laura

Recent Posts

Archives

Follow Us