AOL Adopts New DMARC Policy

Today, AOL announced that they, too, have adopted a "p=reject" DMARC policy. The same considerations previously mentioned as applying to Yahoo Mail users now apply to AOL users as well.

In today's AOL postmaster blog post, Vishwanath Subramanian offers some solid advice on how to deal with this change:
In almost all cases, we recommend that you switch to sending mail from your own domain. You may also consider using AOL SMTP directly.

For mailing lists, also known as listservs, we recommend configuring reply behavior to fill the From line with the mailing list's address rather than the sender's and put the actual user / sender address into the Reply-To: line. Please also note that current "auto unsubscribe" logic based upon bounces might be too rigid until this change has been in place for a while.

For website operators with 'share from email' functionality, please consider using an email address from your own domain as the From address and populate the Reply-To: line with the address of the person sharing.

Solid advice. Especially the guidance about mailing lists; it roughly mirrors my prior advice.

Beats the heck out of competing advice that said "just kick all the Yahoo users to the curb" when Yahoo implemented this change. If I were walking that line, I'd now have to kick out all AOL users. And then maybe Hotmail and Gmail users, too, if and when those other two big webmail providers followed suit.
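The mailing-list rewrite AOL describes above, sketched in Python as an added example (not code from AOL, this blog, or any list manager). Applying it only when the author's domain publishes p=reject or p=quarantine is an assumption of this sketch, as are the function names and the constructed addresses and TXT record.

```python
from email.message import EmailMessage
from email.utils import formataddr, parseaddr


def dmarc_policy(txt_record):
    """Return the p= tag of a DMARC TXT record, or None if it is not one."""
    tags = {}
    for part in txt_record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        return None
    return tags.get("p", "").lower() or None


def rewrite_for_list(msg, list_addr, list_name, author_policy):
    """Move the author to Reply-To and send From the list's own address."""
    if author_policy not in ("reject", "quarantine"):
        return False  # author's domain does not ask receivers to act on failures
    name, addr = parseaddr(str(msg["From"]))
    if msg["Reply-To"] is None:
        msg["Reply-To"] = formataddr((name, addr))
    del msg["From"]
    label = name or addr.split("@")[0]
    msg["From"] = formataddr((f"{label} via {list_name}", list_addr))
    return True


def demo():
    # Constructed sample post and TXT record; a real list manager would look
    # up _dmarc.<author domain> in DNS instead of taking the record as input.
    msg = EmailMessage()
    msg["From"] = "Pat Example <pat@webmail.example>"
    msg["To"] = "discuss@lists.example.org"
    msg["Subject"] = "Potluck on Sunday"
    msg.set_content("See you there.")
    policy = dmarc_policy("v=DMARC1; p=reject; pct=100")
    rewrite_for_list(msg, "discuss@lists.example.org", "Discuss", policy)
    return msg


if __name__ == "__main__":
    print(demo())
```

After the rewrite the From domain is the list's own, so DMARC is evaluated against the list operator's domain, while replies still reach the original poster through Reply-To.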

Yahoo DMARC Policy Change Roundup

Surprise! Or was it? I've been warning for a while now that DMARC doesn't play nice with mailing lists. But really nobody, not even me, thought that a big ISP like Yahoo was going to publish a "p=reject" DMARC policy. Nonetheless, they did publish such a policy in early April, and depending on who you ask, either panic and chaos have ensued since, or we're in the first stages of a new "this is how it is" era of mail.

Here's a roundup of posts from me (and a few other folks) on the topic of Yahoo's recent DMARC policy change.
On April 7th, Laura Atkins of Word to the Wise posted "a brief DMARC primer" to help explain the technical concepts related to Yahoo's recent policy change and what this could mean for you.

Ask Al: Is my personal domain affected by DMARC?

All this talk about Yahoo's recent DMARC policy change got a friend to ask me about her domain name and whether or not this change has any impact on her.

Ellen asked me, "Does this mean anyone with a personal domain sending through an ISP who implements DMARC with a p=reject policy is going to have problems if they try to send mail to any recipient who checks DMARC?"

Yahoo Statement on new DMARC policy

Yesterday, Yahoo posted "an Update on our DMARC Policy to Protect Our Users." They've also posted "Yahoo DMARC Policy Change - What Should Senders Do."

(H/T: WTTW)

Yahoo DMARC Policy: Why they did it.

How dare Yahoo update their DMARC policy without warning the internet community of the potential fallout from doing so. At least, that's what some other folks have said. My take on it is more prosaic. I figure it's your domain name, you're free to do whatever you want with it. Initially, Yahoo made no statement, leaving us interested folks with nothing but our own speculation about why they've implemented this policy change. (They did later post a limited DMARC Help page and then also a more detailed statement explaining the change.) Here's my speculation.

How OnlineGroups.net used the Yahoo! DMARC crisis to make a better Mailing List Manager

Yahoo's recent DMARC policy change didn't just break somebody's church list. It also caused problems for every single discussion group hosted by OnlineGroups.net. Chief Wrangler Dan Randow and his team didn't take that sitting down. They didn't cry, shake their fists at the heavens, or order t-shirts that said "YAHOO BROKE MY MAILING LISTS AND ALL I GOT WAS THIS LOUSY T-SHIRT." Instead, they quickly came up with and executed a plan, implementing product changes within two days to make their collaboration platform compatible with Yahoo's DMARC domain policy. What did they do and how did they do it? Click on through to learn more about it.

Who uses a Yahoo from address?

In the next chapter in the story of Yahoo's recent DMARC policy change, Andrew Barrett shares a snapshot of what percentage of an example email service provider's clients send mail via the ESP using a Yahoo.com from address.

Run an email discussion list? Here's how to deal with DMARC

Yahoo's recent DMARC policy changes have made it so that Yahoo subscribers will now have trouble participating in old-fashioned LISTSERV-style discussion lists. When a Yahoo user posts to your discussion list, very few subscribers will receive that message, because any ISP that respects DMARC policy will bounce that message. (And I believe that at least half of the top ten mailbox providers in the US now respect DMARC policy.)

Up in arms about Yahoo's DMARC Policy? You're not alone.

A few days ago, Yahoo updated their DMARC policy setting to "p=reject." What this means is, mail containing a Yahoo from address is basically no longer considered legitimate if it doesn't contain an authentication signature or if it didn't come from properly identified Yahoo infrastructure. (I'm oversimplifying things there, but bear with me; I think it's close enough for this discussion. Read more about it over at Word to the Wise.)

This effectively restricts Yahoo Mail users so that they can only send from their Yahoo email address when using the Yahoo Mail web user interface. For a big segment of regular joes, this may not ever be an issue. But for some people, this is a profoundly significant new restriction on what you can do with a Yahoo email address. Indeed, this change "brings the pain" for some, as Andrew Barrett explains over on the E-mail Skinny blog.

Payday Loans: Not Even Necessary

I have no problem helping a client address deliverability issues, even if their industry or politics encompass something I don't personally approve of.  My friend Mickey Chandler and I (who have very different political affiliations) have worked capably together to help address deliverability and compliance issues for various political senders on both sides of the US political spectrum.

But payday lending holds a special place in my (dark) heart.

Masking WHOIS Information: No Abuse.net for you

The WHOIS process and protocol isn't just some nerd thing that goes back a hundred years; it's a valuable public directory for savvy internet users to be able to identify who owns a given domain name. Spam and security investigators find it a valuable tool -- even if sometimes bad guys submit bogus details, commonality of information across domains allows them to paint a clearer picture of who is behind a bad act or how broad that bad act may be.

SpamAssassin 3.4.0 Released

The Apache Software Foundation just announced the release of SpamAssassin 3.4.0 via a message posted to the SpamAssassin announcements email list by project chair Kevin A. McGrail. Release notes mention that "this is a major release. It introduces over two years of bug fixes and features since the release of SpamAssassin 3.3.2 on June 16, 2011." To learn more, head on over to their website.

Gmail Oops

As reported over on the iDownload blog (and as mentioned to me by others), Gmail had a significant oops lately. Apparently, there was some system glitch that resulted in some actions (such as "delete" and "report spam") being applied to a message other than the one a user selected. Perhaps not all Gmail users were affected; I didn't receive the notification that other Gmail users have reported receiving.

In case you're curious, here's what the notification said:

Important Notice

You may have been impacted by a recent issue in Gmail that inadvertently caused some actions (e.g. delete, report spam) taken while viewing a message to be applied to a different message. The issue occurred between January 15 and January 22 and is now fixed.

We encourage you to check your Trash and Spam folders before February 14, 2014 for any items you did not intend to delete or mark as spam and move them back to your inbox. We apologize for any inconvenience.