Yahoo! Announces Help For Senders During Account Transition

Recognizing that their plan to reclaim unused usernames and make them available to new users has caused concern about personally identifiable information (PII) leaks among some senders, Yahoo! on July 15 announced in a blog post on their developer website support for a mechanism that will allow senders to take steps to guard against such leaks:

Reclaiming Yahoo! Usernames In A Way That’s Secure: Require-Recipient-Valid-Since

With the simple addition of a header to each message, a sender can "ask" Yahoo! to validate whether or not the account to which the message is sent has a new owner. Yahoo! is encouraging "anyone using email to communicate with their users, especially for ecommerce and recovering their accounts, to adopt this measure to ensure the security of their users."

How Does It Work?

The referenced Yahoo! blog post links to an early draft of an RFC that explains all the details, but it's a fairly simple matter for senders. All they need do is insert a precisely formatted header in their mailings, and they can be as confident as possible that their mail is going to the person for whom it's intended at Yahoo!. The header should be on its own line, and the format looks like this:

Require-Recipient-Valid-Since: emailAddress; full timestamp with timezone

For example, if a sender has been mailing to the address johnsmith@yahoo.com since 7AM US/EST on February 1, 2012, the header would look like this:

Require-Recipient-Valid-Since: johnsmith@yahoo.com; Wed, 1 Feb 2012 07:00 -05:00

If the message arrives at Yahoo! and the account johnsmith@yahoo.com has not been reassigned since the date specified, Yahoo! will apply their normal delivery rules to the message; however, if the account has been reassigned, Yahoo! will reject the message.
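The following is an added example, not code from Yahoo! or from the draft RFC. It builds the header on the sending side with the format the page gives (address, semicolon, full timestamp with timezone) and then applies the receiver-side rule the page describes: if the mailbox was handed to a new owner after the sender's timestamp, the message is rejected; otherwise normal delivery rules apply. The account records, the `ACCOUNTS` table and the `rrvs_decision` function are assumptions for illustration; the parser accepts both the RFC 5322 zone spelling (`-0500`) and the `-05:00` spelling used on this page.

```python
"""Added example (not Yahoo!'s or the draft RFC's code): build a
Require-Recipient-Valid-Since (RRVS) header on the sending side and apply
the receiver-side check the page describes.  Account records are
constructed sample data; the provider logic is a hypothetical model."""
from __future__ import annotations

import re
from datetime import datetime, timedelta, timezone
from email.message import EmailMessage
from email.utils import format_datetime, parsedate_to_datetime

HEADER = "Require-Recipient-Valid-Since"
# Normalise a "-05:00" zone (as written on the page) to RFC 5322 "-0500".
_COLON_ZONE = re.compile(r"([+-]\d{2}):(\d{2})\s*$")


def add_rrvs(msg: EmailMessage, recipient: str, valid_since: datetime) -> EmailMessage:
    """Sender side: record when we last confirmed `recipient` was ours to mail."""
    if valid_since.tzinfo is None:
        raise ValueError("valid_since must carry a timezone")
    msg[HEADER] = f"{recipient}; {format_datetime(valid_since)}"
    return msg


def parse_rrvs(value: str) -> tuple[str, datetime]:
    """Split 'address; timestamp' into (address, timezone-aware datetime).

    A timestamp without a zone is rejected: the page calls for a full
    timestamp with timezone, and a naive value cannot be compared safely."""
    addr, sep, stamp = value.partition(";")
    if not sep or not addr.strip():
        raise ValueError("RRVS header must be 'address; timestamp'")
    stamp = _COLON_ZONE.sub(r"\1\2", stamp.strip())
    when = parsedate_to_datetime(stamp)
    if when.tzinfo is None:
        raise ValueError("RRVS timestamp must include a timezone")
    return addr.strip().lower(), when


def rrvs_decision(header_value: str, envelope_rcpt: str,
                  assigned: dict[str, datetime]) -> str:
    """Receiver side (hypothetical provider logic, an assumption of this example).

    `assigned` maps each mailbox to the moment its *current* owner received it.
    Returns 'reject' (mailbox changed hands after the sender's timestamp),
    'normal' (apply ordinary delivery rules) or 'ignore' (header names a
    different address than the envelope recipient)."""
    addr, valid_since = parse_rrvs(header_value)
    if addr != envelope_rcpt.lower():
        return "ignore"
    owner_since = assigned.get(addr)
    if owner_since is None:
        return "normal"          # unknown mailbox: ordinary unknown-user handling
    return "reject" if owner_since > valid_since else "normal"


EST = timezone(timedelta(hours=-5))
# Constructed sample records: when the current owner received each mailbox.
ACCOUNTS = {
    "johnsmith@yahoo.com": datetime(2013, 7, 20, 12, 0, tzinfo=timezone.utc),  # reclaimed, new owner
    "janedoe@yahoo.com": datetime(2009, 3, 3, 9, 30, tzinfo=timezone.utc),     # same owner since 2009
}


def demo() -> str:
    """Build a message with the page's example header and run the receiver check."""
    msg = EmailMessage()
    msg["To"] = "johnsmith@yahoo.com"
    msg["Subject"] = "Password reset"
    add_rrvs(msg, "johnsmith@yahoo.com", datetime(2012, 2, 1, 7, 0, tzinfo=EST))
    return rrvs_decision(msg[HEADER], "johnsmith@yahoo.com", ACCOUNTS)


if __name__ == "__main__":
    print(demo())  # johnsmith was reassigned in 2013, after the sender's date
```

`demo()` returns `"reject"` for the page's example, because the constructed record says the mailbox changed hands in 2013, after the sender's February 2012 date; the same header for `janedoe@yahoo.com` yields `"normal"`.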

Handling Rejected Messages

It's not entirely clear at this time what error code Yahoo! will return for messages which contain this header. The draft RFC indicates that the expected return code will be this:

550 5.1.6 followed by some text

which is the correct return code for this situation, as per RFC 3463. At the time of this writing, it's possible that Yahoo! may stick with their normal bounce code for inactive or unknown accounts:

554 5.0.0 followed by some text

as we discussed in this blog post. We believe senders should be prepared for both bounce codes, but will update this as we get more information.
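Because the page says senders should be prepared for either code, here is an added example (not Yahoo!'s code) of sender-side bounce handling that treats both `550 5.1.6` and `554 5.0.0` as reasons to suppress the address, retries transient `4xx` replies, and leaves other permanent rejections for manual review. The reply texts are constructed samples, not actual Yahoo! responses, and the `classify` policy is this example's own assumption.

```python
"""Added example (not Yahoo!'s code): classify SMTP replies so that both
rejection codes the page mentions lead to list suppression.  Reply texts
below are constructed samples."""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Iterable, Optional

# "<code> <class.subject.detail> <text>"; the enhanced status code (RFC 3463)
# is optional because not every server sends one.
_REPLY = re.compile(
    r"^(?P<code>[245]\d{2})[ -](?:(?P<esc>[245]\.\d{1,3}\.\d{1,3})\s+)?(?P<text>.*)$"
)


@dataclass(frozen=True)
class Reply:
    code: int
    enhanced: Optional[str]
    text: str


def parse_reply(line: str) -> Reply:
    """Parse one SMTP reply line into its reply code, enhanced code and text."""
    m = _REPLY.match(line.strip())
    if not m:
        raise ValueError(f"not an SMTP reply line: {line!r}")
    return Reply(int(m["code"]), m["esc"], m["text"])


def classify(r: Reply) -> str:
    """Map a reply to a list-hygiene action (this example's policy).

    'suppress': remove the address from the list.
    'retry':    transient failure, deliver again later.
    'review':   other permanent failure, look at it before acting.
    'ok':       accepted."""
    if r.code // 100 == 4 or (r.enhanced or "").startswith("4."):
        return "retry"
    if r.enhanced == "5.1.6":
        # RFC 3463: destination mailbox has moved, no forwarding address.
        return "suppress"
    if r.code == 554 and r.enhanced == "5.0.0":
        # The normal inactive/unknown-account bounce the page describes.
        return "suppress"
    if r.code // 100 == 5:
        return "review"
    return "ok"


def process_bounces(records: Iterable[tuple[str, str]]) -> dict[str, set[str]]:
    """Group recipients by the action their reply calls for."""
    groups: dict[str, set[str]] = {"suppress": set(), "retry": set(), "review": set(), "ok": set()}
    for rcpt, line in records:
        groups[classify(parse_reply(line))].add(rcpt)
    return groups


# Constructed sample replies keyed by recipient (not real Yahoo! responses).
SAMPLE = [
    ("moved@yahoo.com",   "550 5.1.6 Mailbox has a new owner (constructed sample)"),
    ("unknown@yahoo.com", "554 5.0.0 Account unknown or inactive (constructed sample)"),
    ("busy@yahoo.com",    "451 4.7.1 Try again later (constructed sample)"),
    ("fine@yahoo.com",    "250 2.0.0 Accepted (constructed sample)"),
    ("policy@yahoo.com",  "550 5.7.1 Message refused by policy (constructed sample)"),
]

if __name__ == "__main__":
    for action, rcpts in process_bounces(SAMPLE).items():
        print(f"{action:9s} {sorted(rcpts)}")
```

Suppressing on `5.1.6` is the safe reading of the enhanced code regardless of the leading reply code, so the example keys on the enhanced code first and falls back to the `554 5.0.0` pair only for the ordinary Yahoo! bounce.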

Bottom Line For Senders

While it remains senders' responsibility, and best practice, to remove bouncing addresses from their lists and to take further steps to ensure that they're only sending mail to engaged users, we applaud Yahoo! for taking this additional step to help senders clean up their mailing lists. We will petition other mailbox providers to consider supporting this new header (although widespread adoption may take some time, given the differences in system architecture that are out there), but at the same time we encourage senders to take seriously bounce codes that indicate that an address is not valid, and to remove such addresses from their lists so as to avoid any potential problems that may occur from sending mail to accounts that don't belong to the right person.

One Last Thing

Based on a question received on this blog post, we want to stress that for now, senders should only insert this header in mail sent to Yahoo!. Yahoo! is backing an effort to make this header a new Internet Standard, but until such time as it becomes one, and/or unless and until other mailbox providers specifically announce support for it, this header should only be used in mail sent to Yahoo!