Yahoo! Tells Congress DMARC Policy Eliminated 90% of Phony Yahoo.com Spam

Anyone wondering why Yahoo! recently decided switch to a DMARC reject policy got a pointed answer from CISO Alex Stamos last week: He testified before a congressional subcommittee on Thursday that the policy “reduced spam purported to come from yahoo.com accounts by over 90%.” Stamos added, “If used broadly, [DMARC] would target spammers’ financial incentives with crippling effectiveness.”

Yahoo’s decision essentially tells mailbox providers to block any unauthenticated mail appearing to come from a yahoo.com address. Stamos discussed DMARC and the measures that Yahoo! takes to protect consumers from email abuse and associated security risks during a hearing led by U.S. Senators John McCain (R-AZ) and Carl Levin (D-MI), “Online Advertising and Hidden Hazards to Consumer Security and Data Privacy.” The subcommittee also heard testimony from Craig Spiezle, executive director of the Online Trust Alliance (OTA), who warned that commercial brands without proactive policies to safeguard consumers’ security and privacy place broad swaths of the internet economy at risk, stressing that “trust is the foundation of every communication we receive, every web site we visit, every transaction we make and every ad we view.”

As a founding member of DMARC.org and an active member of the OTA, Return Path has played a central role in the effort to fight email abuse and raise awareness of the danger it represents to brands and consumers. As an email security provider we routinely see examples of large organizations successfully protecting users and themselves from threats such as phishing attacks. Earlier this month we helped a major financial services provider use DMARC to diagnose and stop a coordinated attempt to distribute malware under its name. By immediately quarantining the unauthenticated messages, sent from more than 5,600 IP addresses through a typical botnet attack, the company prevented nearly one million people from receiving email designed to infect their systems and compromise their privacy and security.

DMARC works. Progressive companies are embracing technology like this to keep their customers, their businesses, and the entire online community safe from email abuse. Public success stories like Yahoo’s and private ones like our clients’ prove that the fight to protect email from fraud is winnable. As lawmakers and consumers pay closer attention to who’s taking action and what they’re doing to maintain trust in online communication, marketers should step up and lead the effort.

If you haven’t implemented DMARC or email authentication, please find out what you need to do today to protect your brand and your customer relationships. You can find more information here, or you can contact Return Path to learn how to get started.