Last year AOL and Yahoo curtailed massive email-borne abuse of their customers by deploying strict DMARC policies on their marquee domains. Recently Yahoo announced that they would be extending that policy to more of their domains as soon as November.
The adoption of these stricter DMARC policies in 2014 was immediately and highly effective, but had a negative impact on a small percentage of their users – and the lack of advance notice of the change caused complications for many ESPs, mailing list operators, and other email services. Presumably to avoid similar disruptions, among other reasons, on October 5th Yahoo shared their plans to apply the same kind of strict DMARC policies to two additional domains on November 2nd: ymail.com and rocketmail.com. And we can expect to see similar announcements for other Yahoo domains in the near future.
Those readers curious or concerned about these changes can review the knowledge base article on Yahoo’s DMARC policy, visit Yahoo’s Postmaster site, or read this Yahoo blog post from last year. If you operate a mailing list, or a similar service, you may want to read the answer to this frequently asked question.
In the Spring of 2014 malicious actors were sending phishing messages to millions of users around the world posing as people they knew with Yahoo accounts. This relationship data had been surreptitiously gathered prior to the phishing campaign, which was proving very effective as a result. In early April Yahoo decided the best way to protect both their users and their users’ contacts was to publish a strict DMARC policy, which would cause any message using the yahoo.com domain in the From: header – but without a corresponding cryptographic signature – not to be delivered.
As a Yahoo executive put it in a blog post at the time, “And overnight… phishing attempts pretending to come from a Yahoo Mail account were nearly stopped in their tracks.” It was so effective that AOL, faced with a similar situation later in the month, decided to enact the same sort of policy – with the same positive results.
While the benefits of immediately blocking millions of fraudulent email messages are clear, there were notable and unfortunate impacts. Many people sending messages using their AOL or Yahoo address from other providers’ infrastructures, interacting with mailing lists, and using other email-based services saw disruptions, sometimes for which there was no quick fix. While these uses account for a tiny percentage of email sent and received by AOL or Yahoo’s users, they are nevertheless long-standing practices and very important to those who rely on them.
For this reason the Internet Engineering Task Force (IETF) formed a working group in August of 2014 to address the use of DMARC with these indirect mailflows. Several methods of supporting these use cases are under development as of Fall 2015.