Yahoo Statement on DMARC policy

Yesterday Yahoo posted a statement about their new p=reject policy. Based on this statement I don’t expect Yahoo to be rolling back the policy any time soon. It seems it was incredibly effective at stopping spoofed Yahoo mail.

On Friday afternoon last week, Yahoo made a simple change to its DMARC policy from “report” to “reject”. In other words, we requested that all other mail services reject emails claiming to come from a Yahoo user, but not signed by Yahoo.
Yahoo is the first major email provider in the world to adopt this aggressive level of DMARC policy on behalf of our users.
And overnight, the bad guys who have used email spoofing to forge emails and launch phishing attempts pretending to come from a Yahoo Mail account were nearly stopped in their tracks.
There is a regrettable, short-term impact to our more aggressive position on DMARC. Many legitimate emails sent on behalf of Yahoo Mail customers from third parties are also being rejected. We apologize for any inconvenience this may have caused.

Given the effectiveness of this policy, I would not be surprised to see other free mail providers (Gmail, Hotmail, AOL) or other ISPs to adopt this policy in the coming months. This is a shift in how many of us are used to using email, particularly personal email. But, as Yahoo says, times have changed and it’s time to take those painful actions that will increase our security.
In addition to making a public statement, Yahoo also published a number of things that senders (i.e., email intermediaries) can do to still handle email from Yahoo addresses as they are sent through different infrastructures. Many of these recommendations for senders are things that are already in process at most ESPs and mailing lists.
This seemingly simple policy statement is a revolutionary step in addressing issues of forgery and spam that many people have been discussing and arguing about for more than 10 years. This is a painful change for many people, Yahoo and non-Yahoo users alike. Luckily, the internet community has stepped up and implemented the changes that will make mail work even with a restrictive policy like p=reject. Now that mailing lists and ESPs are taking the steps to accommodate this policy change I expect to see other ISPs follow Yahoo’s lead and start publishing p=reject policies. Luckily for them Yahoo was first, so the impact on their users and mailing list managers should be much lower than we’ve been dealing with the last week.

Dealing with DMARC for Mail intermediaries
The anatomy of From:

Related Posts

Fixing discussion lists to work with new Yahoo policy

Al has some really good advice on how to fix discussion lists to work with the new Yahoo policy.
One thing I would add is the suggestion to actually check dmarc records before assuming policy. This will not only mean you’re not having to rewrite things that don’t need to be rewritten, but it will also mean you won’t be caught flat footed if (when?) other free mail providers start publishing p=reject.

Read More

Dealing with DMARC for Mail intermediaries

I’ve been getting some mail and calls from folks looking for help on resolving the issue of DMARC bouncing. Some of these calls are from ESPs, but others are from SAAS providers who have users that have signed up with yahoo.com addresses and are now dealing with mail from those users bouncing, even when mail is going back too those users.
None of the solutions are really great, but here are a couple options.
1) Prohibit users users from sending with @yahoo.com header-from addresses. This will be challenging for some companies for all sorts of reasons. I have seen a number of people suggest switching to @hotmail.com or @gmail.com addresses. This only works as long as Gmail and Hotmail/Outlook don’t start publishing p=reject policies. It’s unclear if they’re even considering this at all, but it may happen.
2) Rewrite the header-from address from @yahoo.com to something you control. One thing I’ve been suggesting to customers is set up a specific domain for rewriting, like @yahoo.ESP.com. This domain would need to forward mail back to the @yahoo.com users, which does add another layer of complexity as these addresses will become spam magnets. Thus the forwarding IP should be on a distinct and separate IP, to prevent interference with other systems. Note, too, that any users sending to these reply addresses from a domain protected by DMARC p=reject will bounce.
If you have questions or want to ask specifically about what to do in your setup, I’ve blocked out some time in my schedule next week for companies. If you want more information about this please contact me to for available times, information requirements and pricing.

Read More

A brief DMARC primer

DMARC stands for Domain-based Message Authentication, Reporting and Conformance. What DMARC does is allow domain owners to publish policy statements in DNS telling receiver domains what to do with messages that do not authenticate. In addition, DMARC introduces the concept of “domain alignment.” What this means is that the authentication has to be from the same domain (or a sub-domain) as the address in the header-from: line. The idea behind DMARC is that organizational owners can use SPF and DKIM authentication to authenticate their actual domain in the header-from line. This moves authentication from a important but behind the scenes technology out to an end user visible technology.

Read More