An Update on our DMARC Policy to Protect Our Users

By Jeff Bonforte, SVP of Communications Products

Today I did a search on “we never locked our doors” and here are some of the top results:

  • "…until the 1980’s."
  • "…when I was growing up."
  • "…because everybody knew everybody, and there was no crime…"
  • "…until about five years ago."
  • "…but now you have to make sure everything is locked up."

Similarly, when email was designed over 30 years ago, everyone knew everyone, there was no crime and no need to “lock the doors”.

The world has changed. Email is still an essential tool for business and personal life, but it is also a favorite target of those who would do us harm. The new normal across the web includes large-scale account-hijacking attempts, email spoofing (forging the sender's identity, in particular the From: address) and phishing (tricking a user into giving up account credentials).

The doors to your inbox need another lock.

Because of the rise of spoofing and phishing attacks, the industry saw a need over two years ago to make email authentication enforceable, and a group of companies including Yahoo, Google, Aol, Microsoft, LinkedIn and Facebook worked out a solution. That group designed and built DMARC, or Domain-based Message Authentication, Reporting and Conformance. DMARC builds on the existing SPF and DKIM standards: it lets a domain owner publish in DNS what receiving mail servers should do with a message whose From: address claims that domain but which fails authentication, and it lets those receivers report back what they saw. Today, 80% of US email user accounts and over 2B accounts globally can be protected by the DMARC standard.

On Friday afternoon last week, Yahoo made a simple change to its DMARC policy, from the monitoring setting (p=none, which only asks receivers to send reports) to p=reject. In other words, we asked all other mail services to reject messages that carry a Yahoo address in the From: header but fail DMARC authentication, that is, messages with neither a DKIM signature from Yahoo nor an SPF pass for a Yahoo domain.

Yahoo is the first major email provider in the world to adopt this aggressive level of DMARC policy on behalf of our users.

And overnight, the bad guys who have used email spoofing to forge emails and launch phishing attempts pretending to come from a Yahoo Mail account were nearly stopped in their tracks.

There is a regrettable, short-term impact to our more aggressive position on DMARC. Many legitimate emails sent on behalf of Yahoo Mail customers by third parties, for example mailing lists that relay a member's message with the member's Yahoo address still in the From: header, are also being rejected, because a receiving server cannot tell them apart from a forgery. We apologize for any inconvenience this may have caused.

As we said at the start of this post, for better or for worse, times have changed. We can no longer allow this massive security hole to remain open for our customers, and we believe the solution is simple: Yahoo requires external email service providers, such as those who manage distribution lists, to stop sending unsigned mail "from" a Yahoo user's address and instead send it "on behalf of" that user, with the provider's own domain in the From: header (the user's address can still appear in the display name or in Reply-To). We know there are about 30,000 affected email sending services, but we also know that the change needed to support our new DMARC policy is important and not terribly difficult to implement. We have detailed the changes we are requiring here.
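To make concrete what "fails DMARC" and "sent on behalf of" mean to a receiving server, here is an added Python example; it is not Yahoo's code nor any reference implementation. It performs the core DMARC check a receiver does: look up the From: domain's policy record in DNS, test whether the SPF or DKIM result is aligned with that domain, and return the disposition. The DNS records, the domains and the four messages are constructed for the example (they are not Yahoo's real records), and the organizational-domain rule is simplified to the last two labels where a real verifier uses the Public Suffix List. The last two scenarios show the mailing-list case: the same list fails under p=reject while the member's address is in From:, and passes once the list puts its own domain there.

```python
"""Added example: receiver-side DMARC evaluation with constructed DNS data.
Not Yahoo's code. Domains, records and messages below are made up."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed stand-in for real _dmarc.<domain> TXT lookups (assumption).
DNS_TXT: Dict[str, str] = {
    "_dmarc.example.com": "v=DMARC1; p=reject; sp=reject; adkim=r; aspf=r",
    "_dmarc.lists.example.net": "v=DMARC1; p=none",
}


def parse_dmarc_record(txt: str) -> Dict[str, str]:
    """Parse 'v=DMARC1; p=reject; ...' into a lowercase tag -> value dict."""
    tags: Dict[str, str] = {}
    for part in txt.split(";"):
        if "=" not in part:
            continue
        key, _, value = part.partition("=")
        tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        raise ValueError("not a DMARC record: %r" % txt)
    return tags


def org_domain(domain: str) -> str:
    """Organizational domain, simplified to the last two labels (assumption;
    real verifiers consult the Public Suffix List)."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """Identifier alignment: strict ('s') needs an exact domain match,
    relaxed ('r') only needs the same organizational domain."""
    if mode.lower() == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


@dataclass
class AuthResults:
    from_domain: str                   # domain of the RFC5322 From: header
    spf_domain: Optional[str] = None   # envelope-sender domain if SPF passed
    dkim_pass_domains: List[str] = field(default_factory=list)  # verified d=


def lookup_policy(from_domain: str) -> Tuple[Optional[Dict[str, str]], bool]:
    """Return (record, is_subdomain): the exact _dmarc record if present,
    otherwise the organizational domain's record (its sp= tag then governs)."""
    rec = DNS_TXT.get("_dmarc." + from_domain.lower())
    if rec is not None:
        return parse_dmarc_record(rec), False
    rec = DNS_TXT.get("_dmarc." + org_domain(from_domain))
    return (parse_dmarc_record(rec) if rec is not None else None), True


def evaluate_dmarc(results: AuthResults) -> Tuple[str, str]:
    """Return (dmarc_result, disposition). DMARC passes when SPF *or* DKIM
    passed with a domain aligned to the From: domain; otherwise the
    published policy (p=, or sp= for subdomains) is the disposition."""
    tags, is_subdomain = lookup_policy(results.from_domain)
    if tags is None:
        return ("none", "none")  # the From: domain publishes no policy
    spf_ok = results.spf_domain is not None and aligned(
        results.from_domain, results.spf_domain, tags.get("aspf", "r"))
    dkim_ok = any(aligned(results.from_domain, d, tags.get("adkim", "r"))
                  for d in results.dkim_pass_domains)
    if spf_ok or dkim_ok:
        return ("pass", "none")
    policy = tags.get("p", "none")
    if is_subdomain and "sp" in tags:
        policy = tags["sp"]
    return ("fail", policy)


def scenarios() -> Dict[str, Tuple[str, str]]:
    """Four constructed messages evaluated against the table above."""
    return {
        # Sent by the user's own provider: SPF and DKIM both align.
        "direct": evaluate_dmarc(AuthResults(
            "example.com", "example.com", ["example.com"])),
        # Forged From:, attacker's own SPF passes but is not aligned.
        "spoofed": evaluate_dmarc(AuthResults(
            "example.com", "attacker.example")),
        # List relays the member's mail: envelope and DKIM are the list's,
        # and the original signature broke when the list added a footer.
        "list_relay": evaluate_dmarc(AuthResults(
            "example.com", "lists.example.net", ["lists.example.net"])),
        # Same list after rewriting From: to its own domain ("on behalf of").
        "list_rewritten": evaluate_dmarc(AuthResults(
            "lists.example.net", "lists.example.net", ["lists.example.net"])),
    }


if __name__ == "__main__":
    for name, (result, disposition) in scenarios().items():
        print(f"{name:15s} dmarc={result:4s} disposition={disposition}")
```

Note what the relay scenario shows: the list's own SPF and DKIM are perfectly valid, but they authenticate the list's domain, not the one in From:, so a p=reject policy on the From: domain tells the receiver to discard the message. Rewriting From: to the list's domain makes the list accountable for the message under its own policy, which is the "sent on behalf of" arrangement described above.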

Already, many of the most popular mail services have made the necessary changes. For example, you can read the Tuesday blog post from MailChimp to its customers, and the positive feedback from Twitter as well.

Another email service provider blogged, “it likely won’t be long before all ‘from themselves, but not from themselves’ emails are treated with the same scrutiny [as Yahoo] by other webmail services.”

With stricter DMARC policies, users are safer, and the bad guys will be in a tough spot. More importantly, verified senders will unlock a massive wave of innovation and advancement for all our inboxes.

We have listed some useful resources where you can learn more about these important steps.

- DMARC

- DKIM

- SPF