Yahoo Statement on DMARC policy

Yesterday Yahoo posted a statement about their new p=reject policy. Based on this statement I don’t expect Yahoo to be rolling back the policy any time soon. It seems it was incredibly effective at stopping spoofed Yahoo mail.

On Friday afternoon last week, Yahoo made a simple change to its DMARC policy from “report” to “reject”. In other words, we requested that all other mail services reject emails claiming to come from a Yahoo user, but not signed by Yahoo.

Yahoo is the first major email provider in the world to adopt this aggressive level of DMARC policy on behalf of our users.

And overnight, the bad guys who have used email spoofing to forge emails and launch phishing attempts pretending to come from a Yahoo Mail account were nearly stopped in their tracks.

There is a regrettable, short-term impact to our more aggressive position on DMARC. Many legitimate emails sent on behalf of Yahoo Mail customers from third parties are also being rejected. We apologize for any inconvenience this may have caused.

Given the effectiveness of this policy, I would not be surprised to see other free mail providers (Gmail, Hotmail, AOL) or other ISPs adopt this policy in the coming months. This is a shift in how many of us are used to using email, particularly personal email. But, as Yahoo says, times have changed and it’s time to take those painful actions that will increase our security.

In addition to making a public statement, Yahoo also published a number of things that senders (i.e., email intermediaries) can do to still handle email from Yahoo addresses as they are sent through different infrastructures. Many of these recommendations for senders are things that are already in process at most ESPs and mailing lists.

This seemingly simple policy statement is a revolutionary step in addressing issues of forgery and spam that many people have been discussing and arguing about for more than 10 years. This is a painful change for many people, Yahoo and non-Yahoo users alike. Luckily, the internet community has stepped up and implemented the changes that will make mail work even with a restrictive policy like p=reject. Now that mailing lists and ESPs are taking the steps to accommodate this policy change I expect to see other ISPs follow Yahoo’s lead and start publishing p=reject policies. Luckily for them Yahoo was first, so the impact on their users and mailing list managers should be much lower than we’ve been dealing with the last week.
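To make the effect of the change concrete, here is a small DMARC evaluator, added as an illustration (it is not code from Yahoo or from this blog). The records, the messages and the `lists.example.org` domain are constructed, and the two-label organizational-domain rule is a simplifying assumption. It shows why mail sent through Yahoo still delivers while the same From: address relayed by a mailing list or a local ISP is rejected once the policy moves from p=none ("report") to p=reject.

```python
from dataclasses import dataclass

def parse_dmarc(record: str) -> dict:
    """Split a DMARC TXT record ("tag=value; tag=value") into a dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a usable DMARC record")
    return tags

def org_domain(domain: str) -> str:
    # Assumption: the organizational domain is the last two labels.
    # A real evaluator uses the Public Suffix List instead.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """mode "s" = strict (exact match), anything else = relaxed."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)

@dataclass
class Message:
    from_domain: str   # domain of the visible From: header
    spf_domain: str    # envelope sender domain that SPF checked
    spf_pass: bool
    dkim_domain: str   # d= of a DKIM signature, "" if none
    dkim_pass: bool

def disposition(msg: Message, record: str) -> str:
    """What a receiver honouring the published policy does with msg."""
    tags = parse_dmarc(record)
    spf_ok = msg.spf_pass and aligned(msg.from_domain, msg.spf_domain, tags.get("aspf", "r"))
    dkim_ok = msg.dkim_pass and aligned(msg.from_domain, msg.dkim_domain, tags.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return "deliver"
    # DMARC failed: the From: domain's policy decides. p=none only reports.
    return {"none": "deliver", "quarantine": "quarantine", "reject": "reject"}[tags["p"]]

# Constructed records and messages, not captured from real traffic.
REPORT, REJECT = "v=DMARC1; p=none", "v=DMARC1; p=reject"
DIRECT = Message("yahoo.com", "yahoo.com", True, "yahoo.com", True)
VIA_LIST = Message("yahoo.com", "lists.example.org", True, "", False)
VIA_ISP = Message("yahoo.com", "yahoo.com", False, "", False)

for name, msg in [("direct", DIRECT), ("via list", VIA_LIST), ("via ISP", VIA_ISP)]:
    print(name, disposition(msg, REPORT), disposition(msg, REJECT))
```

The list message passes SPF for the list's own domain, but that domain does not align with the yahoo.com From: header, so the pass does not count toward DMARC.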

7 comments

  1. Bob Richard says

    There was apparently no advance warning from Yahoo that this was going to happen. So, yes, there are things that email list services can do, but they might take weeks to implement properly. Shouldn’t Yahoo have given everyone a month or so advance notice?

  2. CM Conkle says

    Thanks to this silly policy, I was unsubscribed from several rootsweb mailing lists; being a genealogist, this is a large pain. You’re not helping anyone by this.

  3. P. Cobbs says

    Every email I send is now coming back to me because of Yahoo’s new DMARC policy. What can be done to correct this? I am not sending a mailing list; this is my personal email.

  4. Bob Richard says

    P. Cobb, is your email program sending through another mail server rather than through Yahoo’s mail server? The most common reason for this would be that you are using your Yahoo email address but sending through your own local ISP. Yahoo no longer allows that. If this is the problem, then you can use Yahoo’s webmail interface, and/or look up instructions on setting up your email software in Yahoo’s help pages.

  5. P Cobbs says

    On my PC and my Mac laptop that would be the case but not so on my iPhone or iPad. I tried changing to use Yahoo’s SMTP but that doesn’t work either. Now the only way I can access Yahoo mail is on the web, which to me is unacceptable. I have now forwarded my Yahoo mail to my Gmail account and in the meantime I am changing my mail address with various accounts.

  6. Michael Gamble says

    My version of the impact of Yahoo’s DMARC change is that it is all Yahoo. Case in point: I send from my Yahoo ID from its web site to a small list, about 30. All save one go through. Its domain is swbell.net. Since I can send directly to this, the problem stems from Yahoo’s own mail server, which should know that I am sending from Yahoo. Have not found any help to correct this.

    1. Patricia Cobbs says

      I certainly agree that it is all Yahoo but goes beyond the DMARC policy. Whatever they did when they changed their setting affected more than just sending mail from Yahoo. I have never been able to get my mail straightened out with them and the issue has been escalated twice. I have now become so disenchanted with Yahoo that I closed my website (will probably look for another host) and have shifted the majority of my mail to my Gmail account – traveln2c@gmail.com
