Up in arms about Yahoo's DMARC Policy? You're not alone.

A few days ago, Yahoo updated their DMARC policy setting to "p=reject." What this means is, mail containing a Yahoo from address is basically no longer considered legitimate if it doesn't contain an authentication signature or if it didn't come from properly identified Yahoo infrastructure. (I'm oversimplifying things there, but bear with me; I think it's close enough for this discussion. Read more about it over at Word to the Wise.)

This effectively restricts Yahoo Mail users so that they can only send from their Yahoo email address when using the Yahoo Mail web user interface. For a big segment of regular joes, this may not ever be an issue. But for some people, this is a profoundly significant new restriction on what you can do with a Yahoo email address. Indeed, this change "brings the pain" for some, as Andrew Barrett explains over on the E-mail Skinny blog.


There are three areas of impact to consider.

Yahoo Mail users can no longer easily sign up for or participate in email discussion lists. Your typical old fashioned Listserv and mailman lists rewrite headers and re-send the message from the mailing list server, instead of from the server where the message initially started from. That means Yahoo users posting to mailing lists run afoul of this new restriction and their list posts are likely to be rejected by most of the ISPs of most of the subscribers. This means that if you're a Yahoo Mail subscriber and you post to an email discussion list, very few of the other subscribers on that list are going to see your post.

Workarounds exist; and you'll probably see more about them in the near future. I run a few mailing lists myself, on a custom mailing list management application that I wrote myself. It took me a couple of hours of hacking, but I've now modified that software to rewrite headers if needed, when a Yahoo or other DMARC policy-affected user posts. Early indications are that this is working fine, and I won't have to boot my valued Yahoo-using subscribers anytime soon.

I'm apparently not the only person to have considered this type of workaround. Mailman version 2.1.16 now has a new "from_is_list" setting to allow rewriting the from address to address this issue.

Email Service Providers (ESPs) providing service to smaller organizations and their clients are now seeing much higher bounce rates.  Manager of ISP Relations Tara Natanson explains more about why that is over on the Constant Contact blog. See, smaller organizations often don't have their own domain name, they just have a regular email address at a regular webmail provider or ISP. And a lot of them have Yahoo email addresses. That means that ESPs have some subset of clients trying to send mail via the ESP to their subscribers with a from address containing a Yahoo mail domain. Due to the new "p=reject" policy, lots and lots of that ESP-served mail is going to bounce. That's really bad news for those particular clients of an ESP. (And it affects all ESPs; not just Constant Contact.)

You'll start to see fixes for that very soon. For starters, ESPs are likely going to recommend that you don't use a free email address for your from address. Justin Premick from Aweber posted something to that effect very recently. And I suspect you'll see some ESPs implement changes like updating their user interface to disallow certain types of from addresses, or offering up free subdomains to clients so that they can stop referencing their Yahoo address in their from address, even if they're not savvy enough to purchase their own domain name.

Email Service Providers (ESPs) focusing on larger, enterprise clients are less likely to be impacted by this issue. Most of their clients likely have their own domain name, perhaps even a sub-domain or domain name already dedicated for use at the ESP. But it's still important to be aware of this limitation, because it highlights the potential for unforeseen consequences when implementing a DMARC policy setting.

And finally, users who have a Yahoo email address but use a desktop email client like Thunderbird or Outlook may be impacted by this issue. If a user in this scenario is using their ISP's outbound mail server to deal with forwarding of outbound mail every time they send a new message, this too could fall afoul of Yahoo's policy restriction. I consider this a very "old school" use case -- I can't find anybody I know in the real world who uses email in this fashion any longer. Also, Yahoo, Hotmail/Outlook and Gmail all offer their own outbound SMTP server for their users to utilize. So there's probably been no need to use a local ISP's outbound SMTP server with your webmail account for many years now. And when you set up any of these accounts on your fancy iPhone or Android device, it is linking you up to the webmail's servers directly, so there's no additional ISP mail server to have to route messages through. Really, I think this one is a non-issue.

1 comments:

Royce said...

Al, thanks for the Mailman breadcrumbs - very helpful. There's a little more discussion of the implications of using ALLOW_FROM_IS_LIST on the Mailman wiki here:

http://wiki.list.org/pages/viewpage.action?pageId=17891458