How popular is Yahoo Mail?

That's a question I get asked from time to time, so I figured this would be a good place to link to numbers.

As reported on CNET today: "The company said it has 110 [million] daily active email users, though that figure includes users on every device, including desktop computers. Yahoo would not break down the figures for mobile, but said its number of users has grown 15 percent over the last two quarters."

Google Groups rewriting from addresses to handle DMARC policy

Now that Yahoo and AOL have both implemented "p=reject" DMARC policies, Google has modified their Google Groups discussion group service to "play nice" with posts from subscribers at domains behind a restrictive DMARC policy.

If Google took no action with regard to Google Groups, whenever an AOL or Yahoo user tried to post to a Google Group, their post would be rejected by any ISP that rejects DMARC policy, including Comcast, Gmail, Yahoo and others.

The action they've taken looks like this: IF the post was submitted by a user at a domain that uses a restrictive ("p=reject") DMARC policy, THEN rewrite the from address so that the message is from "the list" instead of the person, AND add a reply-to header containing the original poster's email address.

The good: When you hit reply, your reply will go to the original poster, regardless of whether or not the from header was rewritten. Alternately, hit reply-all to reply to both the person and the list. The Google Groups user experience is essentially unchanged.

The bad: Some folks are saying this violates RFC 5322, which they claim says that the from address should (only) be the author of the message. It's not actually that strict-- it also says the from address can be the "system responsible" for the message. It also goes on to say that the from address "should not" be any address that doesn't belong to the message author. "Should not" has a specific definition in IETF parlance-- it allows for operational considerations to override initial guidance. Meaning, they admit there might be a reason you need to do something other than what they recommend.

The ugly: See how they're including the original poster's email address inside of the friendly from when they rewrite the email headers? I'd strongly recommend against this type of thing. It doesn't seem right to include an email address in a place where it can't be machine validated, and it potentially opens up subscribers to confusion down the road.

AOL Adopts New DMARC Policy

Today, AOL announced that they, too, have adopted a "p=reject" DMARC policy. The same considerations previously mentioned as applying to Yahoo Mail users now apply to AOL users as well.

In today's AOL postmaster blog post, Vishwanath Subramanian offers some solid advice on how to deal with this change:
In almost all cases, we recommend that you switch to sending mail from your own domain. You may also consider using AOL SMTP directly. 
For mailing lists, also known as listservs, we recommend configuring reply behavior to fill the From line with the mailing list's address rather the sender's and put the actual user / sender address into the Reply-To: line. Please also note that current "auto unsubscribe" logic based upon bounces might be too rigid until this change has been in place for a while. 
For website operators with 'share from email' functionality, please consider using an email address from your own domain as the From address and populate the Reply-To: line with the address of the person sharing.
Solid advice. Especially the guidance about mailing lists; it roughly mirrors my prior advice.

Beats the heck out of competing advice that said "just kick all the Yahoo users to the curb" when Yahoo implemented this change. If I were walking that line, I'd now have to kick out all AOL users. And then maybe Hotmail and Gmail users, too, if and when those other two big webmail providers followed suit.

Yahoo DMARC Policy Change Roundup

Surprise! Or was it? I've been warning for a while now that DMARC doesn't play nice with mailing lists. But really nobody, not even me, thought that a big ISP like Yahoo was going to publish a "p=reject" DMARC policy. Nonetheless, they did publish such a policy in early April, and depending on who you ask, either panic and chaos has ensued since, or we're in the first stages of a new "this is how it is" era of mail.

Here's a roundup of posts from me (and a few other folks) on the topic of Yahoo's recent DMARC policy change.
On April 7th, Laura Atkins of Word to the Wise posted "a brief DMARC primer" to help explain the technical concepts related to Yahoo's recent policy change and what this could mean for you.

Ask Al: Is my personal domain affected by DMARC?

All this talk about Yahoo's recent DMARC policy change got a friend to ask me about her domain name and whether or not this change has any impact on her.

Ellen asked me, "Does this mean anyone with a personal domain sending through an ISP who implements DMARC with a p=reject policy is going to have problems if they try to send mail to any recipient who checks DMARC?"

Yahoo DMARC Policy: Why they did it.

How dare Yahoo update their DMARC policy without warning the internet community of the potential fallout from doing so. At least, that's what some other folks have said. My take on it is more prosaic. I figure it's your domain name, you're free to do whatever you want with it. Initially, Yahoo made no statement, leaving us interested folks with nothing but our own speculation about why they've implemented this policy change. (They did later post a limited DMARC Help page and then also a more detailed statement explaining the change.) Here's my speculation.

How used the Yahoo! DMARC crisis to make a better Mailing List Manager

Yahoo's recent DMARC policy change didn't just break somebody's church list. It also caused problems for every single discussion group hosted by Chief Wrangler Dan Randow and his team didn't take that sitting down. They didn't cry, shake their fists at the heavens, or order t-shirts that said "YAHOO BROKE MY MAILING LISTS AND ALL I GOT WAS THIS LOUSY T-SHIRT." Instead, they quickly came up with and executed a plan, implementing product changes within two days to make their collaboration platform compatible with Yahoo's DMARC domain policy. What did they do and how did they do it? Click on through to learn more about it.

Who uses a Yahoo from address?

In the next chapter in the story of Yahoo's recent DMARC policy change, Andrew Barrett shares a snapshot of what percentage of an example email service provider's clients send mail via the ESP using a from address.

Run an email discussion list? Here's how to deal with DMARC

Yahoo's recent DMARC policy changes have made it so that Yahoo subscribers will now have trouble participating in old fashioned LISTSERV-style discussion lists. When a Yahoo user posts to your discussion list, very few subscribers will receive that message, because any ISP that respects DMARC policy will bounce that message. (And I believe that at least half of the top ten mailbox providers in the US now respect DMARC policy.)

Up in arms about Yahoo's DMARC Policy? You're not alone.

A few days ago, Yahoo updated their DMARC policy setting to "p=reject." What this means is, mail containing a Yahoo from address is basically no longer considered legitimate if it doesn't contain an authentication signature or if it didn't come from properly identified Yahoo infrastructure. (I'm oversimplifying things there, but bear with me; I think it's close enough for this discussion. Read more about it over at Word to the Wise.)

This effectively restricts Yahoo Mail users so that they can only send from their Yahoo email address when using the Yahoo Mail web user interface. For a big segment of regular joes, this may not ever be an issue. But for some people, this is a profoundly significant new restriction on what you can do with a Yahoo email address. Indeed, this change "brings the pain" for some, as Andrew Barrett explains over on the E-mail Skinny blog.

Payday Loans: Not Even Necessary

I have no problem helping a client address deliverability issues, even if their industry or politics encompass something I don't personally approve of.  My friend Mickey Chandler and I (who have very different political affiliations) have worked capably together to help address deliverability and compliance issues for various political senders on both sides of the US political spectrum.

But payday lending holds a special place in my (dark) heart.

Masking WHOIS Information: No for you

The WHOIS process and protocol isn't just some nerd thing that goes back a hundred years; it's a valuable public directory for savvy internet users to be able to identify who owns a given domain name. Spam and security investigators find it a valuable tool -- even if sometimes bad guys submit bogus details, commonality of information across domains allows them to paint a clearer picture of who is behind a bad act or how broad that bad act may be.