Updates to Yahoo’s DMARC Reject Policy
Yahoo announced on Monday that, beginning March 28, 2016, they will move 62 international Yahoo domains to a DMARC reject policy. These are in addition to the three domains that have already had a reject policy since 2014: yahoo.com, rocketmail.com, and ymail.com.
Further information and support can be found on the Yahoo DMARC Policy help page or by working with your Return Path Account Manager.
The list of international Yahoo domains affected by this change is:
First, let me touch on why Yahoo made this change. The reason is spoofing: cybercriminals hack into user accounts and scrape the address book (i.e. they copy it), then use a different server to send messages that appear to come from that user to the user’s own contacts. This happens at all mailbox providers, not just Yahoo. Have you ever received an email from a friend with only a URL inside? Chances are, if you looked carefully, that message didn’t come from your friend but was spoofed: the spammer sent it from his own server and made it look like it came from your friend.
In April 2014, Yahoo became the first major mailbox provider to publish a DMARC reject policy. For those of you not familiar with DMARC or reject policies, this means Yahoo put a line of text in their DNS records telling receiving mailbox providers to reject any mail claiming to be from a Yahoo domain that doesn’t come from Yahoo’s servers. This is big news with a big impact; to see what it may mean for your email program, let me explain why.
Spoofing is bad for the mailbox provider on a number of levels. First, the mailbox provider looks bad because it appears that they sent spam. This causes a brand trust issue. Second, since the cybercriminals can spoof mail from end users at this mailbox provider, they are more likely to try to hack user accounts and scrape the address books, which means user security is at risk.
With a DMARC reject policy, Yahoo tells receiving mailbox providers, “if you see mail from a Yahoo user, but we didn’t send it, please do not deliver it.” The policy only has an effect at mailbox providers that check DMARC policies, but that is a growing list, including Comcast, Gmail, Outlook, AOL, and Yahoo themselves. We’re talking billions of mailboxes that will no longer receive spoofed mail from Yahoo addresses.
Sounds Like a Big Win, Right?
If you’re Yahoo, there is a significant benefit to taking this action. It helps restore brand trust. Yahoo protects its users from spoofing and the resulting embarrassment. Hackers are less interested in stealing users’ address books since they can no longer spoof the mail, so Yahoo users become less of a target, which is a win for user security. According to Jeff Bonforte, SVP of Communications Products at Yahoo, writing on the Yahoo Mail Tumblr site, “overnight, the bad guys who have used email spoofing to forge emails and launch phishing attempts pretending to come from a Yahoo Mail account were nearly stopped in their tracks.”
So What’s the Downside? There is Always a Downside.
The downside is that a lot of people (and even organizations) on the Internet send mail from their own Yahoo account but not through Yahoo’s servers. Examples include a small business that sends mail through its hosting company using its Yahoo domain; Email Service Providers (ESPs) that have customers using Yahoo domains; and mailing lists, many of which put the list member’s email address in the From header but send through the mailing list’s own domain.
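To make the receiver-side decision concrete, here is an added worked example (written for this page; it is not Return Path’s or Yahoo’s code) that models how a DMARC-checking mailbox provider handles the cases above: it looks up the sender’s DMARC record, checks whether SPF or DKIM passed with a domain *aligned* with the From address, and otherwise applies the published policy. The DNS answers, the scenario domains (hosting.example, lists.example.net, example.org) and the tag values other than `p=reject` are constructed for illustration; the organizational-domain logic uses a tiny stand-in for the Public Suffix List, only one DKIM signature is considered, and the `pct` tag is ignored.

```python
"""Toy DMARC evaluation (added example, not Yahoo's or Return Path's code).

Models the receiver logic from RFC 7489: find the DMARC record for the From
domain, accept if SPF or DKIM passed with an aligned domain, otherwise apply
the published p= (or sp= for subdomains) policy. Simplifications: a tiny
public-suffix stand-in, a single DKIM signature, and no pct= sampling.
"""
from dataclasses import dataclass

# Constructed DNS answers standing in for TXT lookups of _dmarc.<domain>.
# Only p=reject for yahoo.com reflects the post; the other tags are made up.
FAKE_DNS = {
    "_dmarc.yahoo.com": "v=DMARC1; p=reject; rua=mailto:reports@example.invalid",
    "_dmarc.example.org": "v=DMARC1; p=none; sp=quarantine; adkim=s; aspf=s",
}

# Stand-in for the Public Suffix List; real code must use the full list.
TWO_LABEL_SUFFIXES = {"co.uk", "com.au", "co.jp"}


def parse_dmarc_record(txt):
    """Parse 'tag=value; ...' into a dict; None if it is not a DMARC record."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1" or "p" not in tags:
        return None
    return tags


def organizational_domain(domain):
    """Registrable domain: last two labels, or three under a known 2-label suffix."""
    labels = domain.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def aligned(from_domain, auth_domain, mode):
    """Identifier alignment: 's' = exact match, 'r' = same organizational domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return organizational_domain(from_domain) == organizational_domain(auth_domain)


def lookup_policy(from_domain, dns=FAKE_DNS):
    """Try _dmarc.<from_domain>, then the org domain; return (tags, is_subdomain)."""
    parsed = parse_dmarc_record(dns.get("_dmarc." + from_domain, ""))
    if parsed:
        return parsed, False
    org = organizational_domain(from_domain)
    if org != from_domain:
        parsed = parse_dmarc_record(dns.get("_dmarc." + org, ""))
        if parsed:
            return parsed, True
    return None, False


@dataclass
class AuthResults:
    from_domain: str           # domain of the RFC5322.From header
    spf_result: str = "none"   # "pass", "fail" or "none"
    spf_domain: str = ""       # MAIL FROM domain SPF was evaluated against
    dkim_result: str = "none"
    dkim_domain: str = ""      # d= of the verified DKIM signature


def evaluate_dmarc(r, dns=FAKE_DNS):
    """Return (disposition, reason); disposition is pass, none, quarantine or reject."""
    policy, is_sub = lookup_policy(r.from_domain, dns)
    if policy is None:
        return "none", "no DMARC record published"
    spf_ok = r.spf_result == "pass" and aligned(r.from_domain, r.spf_domain, policy.get("aspf", "r"))
    dkim_ok = r.dkim_result == "pass" and aligned(r.from_domain, r.dkim_domain, policy.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return "pass", "aligned " + ("SPF" if spf_ok else "DKIM")
    action = policy.get("sp", policy["p"]) if is_sub else policy["p"]
    return action, "no aligned authentication; published policy is " + action


# Constructed scenarios matching the cases discussed in the post.
SCENARIOS = {
    # Sent through Yahoo itself: DKIM d=yahoo.com aligns with the From domain.
    "from_yahoo_servers": AuthResults("yahoo.com", "pass", "yahoo.com", "pass", "yahoo.com"),
    # Small business using its Yahoo address through a hosting company's server.
    "via_hosting_company": AuthResults("yahoo.com", "pass", "mail.hosting.example"),
    # Mailing list relaying a member's post: SPF and DKIM belong to the list domain.
    "mailing_list_relay": AuthResults("yahoo.com", "pass", "lists.example.net", "pass", "lists.example.net"),
    # Forged message from an unrelated server: nothing authenticates.
    "forged": AuthResults("yahoo.com", "fail", "unrelated.example"),
    # The same small business after moving to its own domain: passes.
    "own_domain": AuthResults("shop.example.org", "pass", "shop.example.org"),
    # Unauthenticated mail from a subdomain picks up sp= rather than p=.
    "subdomain_unauthenticated": AuthResults("shop.example.org", "fail", "unrelated.example"),
}


def run_all(dns=FAKE_DNS):
    """Evaluate every scenario; returns {name: disposition}."""
    return {name: evaluate_dmarc(r, dns)[0] for name, r in SCENARIOS.items()}


if __name__ == "__main__":
    for name, r in SCENARIOS.items():
        print(f"{name:28s} -> {evaluate_dmarc(r)}")
```

The two "Yahoo address but not Yahoo servers" scenarios (hosting company, mailing list) end in `reject` even though SPF and DKIM both *pass* for the relaying domain: DMARC requires the authenticated domain to align with the From domain, which is exactly why sending a Yahoo address through someone else's server stops working once `p=reject` is published, and why using your own domain (the `own_domain` case) fixes it.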
Many people are unable to send their Yahoo mail (to Gmail, Outlook.com, Yahoo, etc.) and don’t know why. On a recent radio program, the host said she was unable to send mail because the Heartbleed vulnerability caused her mail at Yahoo to bounce. I had to call and tell her it was not related to Heartbleed at all, and that she could no longer send her Yahoo mail from her small business domain.
If You’re a Return Path Customer, How Does This Affect You?
As long as Yahoo keeps their DMARC reject policy in place (and there is no indication they will remove it), you can no longer send mail using your Yahoo address unless you send it directly from Yahoo. Fortunately, it’s easy to set up your own domain and use that in your email address. This also has an added benefit for you: you’ll be able to build up your own domain reputation.
If you administer a mailing list, you’ll need to instruct your list members not to sign up for your list using a Yahoo account. If you have friends and family who have trouble sending mail from their Yahoo accounts, find out if they are sending their mail from outside Yahoo. If so, that’s the issue, and it won’t go away. They will not be able to send their Yahoo email from other services.
For more information on how this might impact you and recommended actions, see Yahoo’s post, “Yahoo DMARC Policy Change – What Should Senders Do?”
About Christine Borgia
As Senior Director of Data Support, Christine ensures that Return Path's employees, customers, and consumers are able to get the answers they need about our data and data sources. Prior to joining Return Path, Christine spent seven years fighting spam for AOL where she led a team of content filtering and IP reputation experts. Connect with her on Twitter @christineborgia or at linkedin.com/in/christineborgia.