Yahoo DMARC Policy Change Roundup

Surprise! Or was it? I've been warning for a while now that DMARC doesn't play nice with mailing lists. But really nobody, not even me, thought that a big ISP like Yahoo was going to publish a "p=reject" DMARC policy. Nonetheless, they did publish such a policy in early April, and depending on who you ask, either panic and chaos has ensued since, or we're in the first stages of a new "this is how it is" era of mail.

Here's a roundup of posts from me (and a few other folks) on the topic of Yahoo's recent DMARC policy change.
On April 7th, Laura Atkins of Word to the Wise posted "a brief DMARC primer" to help explain the technical concepts related to Yahoo's recent policy change and what this could mean for you.

Ask Al: Is my personal domain affected by DMARC?

All this talk about Yahoo's recent DMARC policy change got a friend to ask me about her domain name and whether or not this change has any impact on her.

Ellen asked me, "Does this mean anyone with a personal domain sending through an ISP who implements DMARC with a p=reject policy is going to have problems if they try to send mail to any recipient who checks DMARC?"

Yahoo Statement on new DMARC policy

Yesterday, Yahoo posted "an Update on our DMARC Policy to Protect Our Users." They've also posted "Yahoo DMARC Policy Change - What Should Senders Do."

(H/T: WTTW)

Yahoo DMARC Policy: Why they did it.

How dare Yahoo update their DMARC policy without warning the internet community of the potential fallout from doing so. At least, that's what some other folks have said. My take on it is more prosaic. I figure it's your domain name, you're free to do whatever you want with it. Initially, Yahoo made no statement, leaving us interested folks with nothing but our own speculation about why they've implemented this policy change. (They did later post a limited DMARC Help page and then also a more detailed statement explaining the change.) Here's my speculation.

How OnlineGroups.net used the Yahoo! DMARC crisis to make a better Mailing List Manager

Yahoo's recent DMARC policy change didn't just break somebody's church list. It also caused problems for every single discussion group hosted by OnlineGroups.net. Chief Wrangler Dan Randow and his team didn't take that sitting down. They didn't cry, shake their fists at the heavens, or order t-shirts that said "YAHOO BROKE MY MAILING LISTS AND ALL I GOT WAS THIS LOUSY T-SHIRT." Instead, they quickly came up with and executed a plan, implementing product changes within two days to make their collaboration platform compatible with Yahoo's DMARC domain policy. What did they do and how did they do it? Click on through to learn more about it.

Who uses a Yahoo from address?

In the next chapter in the story of Yahoo's recent DMARC policy change, Andrew Barrett shares a snapshot of what percentage of an example email service provider's clients send mail via the ESP using a Yahoo.com from address.

Run an email discussion list? Here's how to deal with DMARC

Yahoo's recent DMARC policy changes have made it so that Yahoo subscribers will now have trouble participating in old fashioned LISTSERV-style discussion lists. When a Yahoo user posts to your discussion list, very few subscribers will receive that message, because any ISP that respects DMARC policy will bounce that message. (And I believe that at least half of the top ten mailbox providers in the US now respect DMARC policy.)

Up in arms about Yahoo's DMARC Policy? You're not alone.

A few days ago, Yahoo updated their DMARC policy setting to "p=reject." What this means is, mail containing a Yahoo from address is basically no longer considered legitimate if it doesn't contain an authentication signature or if it didn't come from properly identified Yahoo infrastructure. (I'm oversimplifying things there, but bear with me; I think it's close enough for this discussion. Read more about it over at Word to the Wise.)

This effectively restricts Yahoo Mail users so that they can only send from their Yahoo email address when using the Yahoo Mail web user interface. For a big segment of regular joes, this may not ever be an issue. But for some people, this is a profoundly significant new restriction on what you can do with a Yahoo email address. Indeed, this change "brings the pain" for some, as Andrew Barrett explains over on the E-mail Skinny blog.

Payday Loans: Not Even Necessary

I have no problem helping a client address deliverability issues, even if their industry or politics encompass something I don't personally approve of.  My friend Mickey Chandler and I (who have very different political affiliations) have worked capably together to help address deliverability and compliance issues for various political senders on both sides of the US political spectrum.

But payday lending holds a special place in my (dark) heart.

Masking WHOIS Information: No Abuse.net for you

The WHOIS process and protocol isn't just some nerd thing that goes back a hundred years; it's a valuable public directory for savvy internet users to be able to identify who owns a given domain name. Spam and security investigators find it a valuable tool -- even if sometimes bad guys submit bogus details, commonality of information across domains allows them to paint a clearer picture of who is behind a bad act or how broad that bad act may be.

SpamAssassin 3.4.0 Released

The Apache Software Foundation just announced the release of SpamAssassin 3.4.0 via a message posted to the SpamAssassin announcements email list by project chair Kevin A. McGrail. Release notes menion that "this is a major release.  It introduces over two years of bug fixes and
features since the release of SpamAssassin 3.3.2 on June 16, 2011." To learn more, head on over to their website.

Gmail Oops

As reported over on the iDownload blog (and as mentioned to me by others), Gmail had a significant oops lately. Apparently, there was some system glitch that resulted in some actions (such as "delete" and "report spam" being applied to a message other than the one a user selected. Perhaps not all Gmail users were affected; I didn't receive the notification that other Gmail users have reported receiving.

In case you're curious, here's what the notification said:

Important Notice

You may have been impacted by a recent issue in Gmail that inadvertently caused some actions (e.g. delete, report spam) taken while viewing a message to be applied to a different message. The issue occurred between January 15 and January 22 and is now fixed.

We encourage you to check your Trash and Spam folders before February 14, 2014 for any items you did not intend to delete or mark as spam and move them back to your inbox. We apologize for any inconvenience.

Gmail: Reach the people you know more easily

On January 9th, Google announced that your Google+ contacts (people in your G+ circles) will now automatically show up as contacts inside of Gmail.

This isn't really a good thing, from my perspective. A lot of (OK, just about all of) my G+ connections are acquaintances or people who know me from the industry (many of whom I do not know personally). Making the ability to email in Gmail automatically visible to all of those folks feels like something akin a privacy violation. I don't really want to end up on somebody's huge CC list of forwarding some joke or political complaint. I think if folks want to contact me, they can go to my website and actually click on the contact me link.

I think this is auto contact enabling is a bad idea. If you agree and want to disable this new functionality, Consumerist explains how to do so: Go into "Settings" in your Gmail account, and under the "General" tab you will find an "Email via Google+" entry where you can change the setting so that "no one" of your Google+ contacts is automatically given the ability to send you email from inside of Gmail.