It can be a very frustrating thing to deal with. I've seen people complaining that "discussion lists worked just fine for the last 30 years, I shouldn't have to change anything!" and suggesting that Yahoo users be immediately expelled from every discussion list, or that those users be forced to change webmail providers. I don't think that's a very good way to handle it. One of the discussion lists I run has enough active users with Yahoo email addresses that I didn't think it was wise to do something that would effectively have me pick a fight with them, since it's not their fault that Yahoo implemented this policy. I don't know that I have the power, or will, to force them to have to migrate from Yahoo to Gmail or Outlook.com. (Besides, what if Google or Microsoft implement a similar DMARC policy tomorrow? Then I'd have to start all over again.)
Thus, I decided that the better path was to make modifications to my mailing list manager software to make it "play nice" with Yahoo's DMARC policy. Here's some of what I've done, and related considerations. I'm hoping readers might find my thoughts useful if they decide to make their own modifications.
- Disable or remove the existing DKIM signature. Your mailing list manager software was probably doing this already, because most lists add a footer, or a subject line tag or otherwise change headers in a way that would cause the existing DKIM signature to fail. Because I'm lazy, I just rewrite the original authentication headers, putting "X-" in front of them but leaving them in the message. They're hidden from the end subscriber by default, harmless, and yet still available for viewing if you need them for troubleshooting purposes.
- Identify potentially affected messages as they are submitted to the list. Check to see if a message submitted to the list came from a user at a domain with a "p=reject" DMARC policy. Because I'm lazy, I started with a static list of domains that I know are impacted: Yahoo.com, Ymail.com, Rocketmail.com. I'll update this soon to do a live DNS check to look at the DMARC policy for the domain used in a submitted message.
- If a submitted message is from a user at an affected domain, rewrite headers as follows:
  - From address: Was "Al Iverson" <firstname.lastname@example.org> - should now be "Al Iverson via DISCUSSIONLIST" <email@example.com>
  - Reply-to address: By default I choose to make this the list posting address. For these submitted messages from affected subscribers, I'm changing it to include both the list posting address and the email address of the original submitter: Reply-to: "DISCUSSIONLIST" <firstname.lastname@example.org>, "Al Iverson" <email@example.com> -- Yes, it's OK to have more than one address in the reply-to header, and no, the reply-to header is not affected by a DMARC policy.
- You could choose to make these header changes to all messages submitted, so that all messages to the list are received with consistently formatted headers. I've chosen not to do this, to minimize header changes to only when they're needed. Time will tell if this was the best choice, I guess.
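The steps above, put together as an added example using Python's standard `email` package; this is not the code running on my lists. The function name, the `lists.example.net` list address, the choice of signature headers to rename, and the sample message are all assumptions made for illustration.

```python
from email import message_from_string
from email.utils import formataddr, parseaddr

# Static list from the post; a live DMARC DNS lookup would replace it.
REJECT_DOMAINS = {"yahoo.com", "ymail.com", "rocketmail.com"}
# Assumption: which headers count as "authentication headers" is not spelled out.
SIGNATURE_HEADERS = ("DKIM-Signature", "DomainKey-Signature")

# Constructed sample submission (addresses and signature are made up).
SAMPLE = (
    "From: Al Iverson <poster@yahoo.com>\n"
    "To: discussionlist@lists.example.net\n"
    "DKIM-Signature: v=1; a=rsa-sha256; d=yahoo.com; s=constructed; b=AAAA\n"
    "Subject: hello\n"
    "\n"
    "body\n"
)

def rewrite_for_list(msg, list_name, list_addr):
    """Apply the header changes in place; return True if From was rewritten."""
    # Keep the old signatures for troubleshooting, renamed so nothing verifies them.
    for name in SIGNATURE_HEADERS:
        values = msg.get_all(name, [])
        del msg[name]
        for value in values:
            msg["X-" + name] = value
    # Only rewrite when the author's domain publishes p=reject.
    display, author = parseaddr(msg.get("From", ""))
    if author.rpartition("@")[2].lower() not in REJECT_DOMAINS:
        return False
    original = formataddr((display, author))
    del msg["From"]
    msg["From"] = formataddr((f"{display or author} via {list_name}", list_addr))
    # Reply-To carries both the list and the original author.
    del msg["Reply-To"]
    msg["Reply-To"] = f"{formataddr((list_name, list_addr))}, {original}"
    return True

if __name__ == "__main__":
    message = message_from_string(SAMPLE)
    rewrite_for_list(message, "DISCUSSIONLIST", "discussionlist@lists.example.net")
    print(message.as_string())
```

Messages from unaffected domains still get their signature headers renamed but keep their original From and Reply-To, matching the choice to rewrite only when needed.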
April 12, 2014 Update: Yahoo has posted a statement explaining their rationale for this policy change, and they've also posted their suggestions for how senders should deal with this change.
April 13, 2014 Update: DMARC.org has updated their FAQ with regard to mailing list interoperability, including a draft requirements document for MLM Patches to Support Basic DMARC Compliance.