All About Yahoo's DMARC Reject Policy

Two weeks ago today, Yahoo became the first major mailbox provider to publish a DMARC policy of reject. For those of you who are not familiar with DMARC and don’t know what a reject policy is, this means that Yahoo has a line of text in their DNS record telling mailbox providers (MBPs) to reject any mail from a Yahoo domain if it doesn’t come from Yahoo’s own servers. This was big news and had a big impact, and I’m going to briefly explain why, so you can determine if this has any impact on you.

First, let me touch on why Yahoo made this change. Cybercriminals hack into user accounts and scrape the address book (this is a fancy way of saying they copy it). This happens at all MBPs, not just Yahoo. Then the criminal uses a different server to spoof messages from that user to his own contacts. Have you received any email messages that came from a friend’s address and had only a URL inside? Chances are if you looked, that message didn’t actually come from your friend but was spoofed. What this means is the spammer sent the message from his own server and just made it look like it came from your friend.

This is bad for the MBP involved on a number of levels. First, it makes the MBP look bad because spam is being delivered that looks like it came from them. This is a brand trust issue. Second, since the cybercriminals can spoof mail from end users at this MBP, they are more likely to try to hack user accounts and scrape the address books, which means user security is at risk.

With the DMARC reject policy, Yahoo is saying “if you see mail from a Yahoo user, but we didn’t send it, please do not deliver it.” This policy will only have an impact at MBPs who look at DMARC policies, but that is a significant list – Comcast, Gmail, Outlook.com, AOL, and Yahoo themselves. We’re talking billions of mailboxes that will no longer receive spoofed mail from Yahoo.

Sounds like a big win, right?

If you’re Yahoo, there is a significant benefit to taking this action. It helps restore brand trust. Yahoo is protecting its users from being spoofed and the resulting embarrassment when their friends tell them to stop sending spam that they didn't really send at all. Hackers are less interested in stealing the user’s address book since they can’t spoof the mail, therefore Yahoo users are less of a target which can be considered a win for user security. Jeff Bonforte, SVP of Communications Products at Yahoo, posted to the Yahoo Mail Tumblr site that “overnight, the bad guys who have used email spoofing to forge emails and launch phishing attempts pretending to come from a Yahoo Mail account were nearly stopped in their tracks.” 

So what’s the downside? There is always a downside.

The downside is there are a lot of people (and even organizations) on the Internet who send mail from their own Yahoo account but not through Yahoo’s servers. Examples of this would include a small business who sends mail through their hosting company using their Yahoo domain, Email Service Providers (ESPs) who have customers using Yahoo domains, and mailing lists. Many mailing lists use the email address of the list member but send through the mailing list domain.

There are many people having issues sending their Yahoo mail (to Gmail, Outlook.com, Yahoo, etc.) who are unable to send their mail and don’t know why. I was listening to a radio program where the host said she was unable to send mail because the Heartbleed vulnerability had caused her mail at Yahoo to bounce. Of course, I had to call and tell her that it was not related to Heartbleed at all, and that she could no longer send her Yahoo mail from her small business domain.

If you’re a Return Path customer, how does this affect you?

As long as Yahoo keeps their DMARC reject policy in place (there has been no indication that they will remove it), you can no longer send mail using your Yahoo address unless you send the mail directly from Yahoo. Fortunately, it’s easy to set up your own domain and use that in your email address. The good news is, this will have added benefits to you, as you’ll be able to build up your own domain reputation.

If you administer a mailing list, you’ll need to instruct your list members that they cannot sign up for your list using a Yahoo account.

If you have friends and family who are having trouble sending mail from their Yahoo accounts and are asking you about it because you work in email, find out whether they are sending their mail from outside Yahoo. If so, that’s the issue, and it won’t go away. They will not be able to send their Yahoo email from other services.

For more information on how this might impact you and recommended actions, see Yahoo’s post, “Yahoo DMARC Policy Change - What Should Senders Do?”