In recent weeks, Yahoo and AOL have made changes to their respective DMARC policies, and it is likely that other ISPs will follow suit in the near future.
This guide will attempt to answer any questions you may have about the changes, and provide insight on updating your outbound email strategy according to the new policies.
What is a DMARC policy?
DMARC stands for Domain-based Message Authentication, Reporting, and Conformance. DMARC allows the owner of a domain to publish DNS records that indicate to recipient domains what should be done with messages that do not authenticate. In the words of John Levine, an author and consultant who has spent considerable time crafting DMARC standards:
“DMARC lets a domain owner make assertions about mail that has their domain in the address on the From: line. It lets the owner assert that mail will have a DKIM signature with the same domain, or an envelope return (bounce) address in the same domain that will pass SPF validation. The domain owner can also offer policy advice about what to do with mail that doesn’t have matching DKIM or SPF, ranging from nothing to reject the mail in the SMTP session. The assertions are in the DNS, in a TXT record at _dmarc.domain.”
Yahoo’s updated DMARC record; the “p=reject” segment indicates that the DMARC policy will reject and block messages from improperly authenticated or unauthenticated senders.
The Wikipedia article on DMARC policy also states the following:
“DMARC requires that a message not only pass DKIM or SPF validation, but that it also pass alignment. For SPF, the message must PASS the SPF check, and the domain in the From: header must match the domain used to validate SPF (must exactly match for strict alignment, or must be a sub-domain for relaxed alignment). For DKIM, the message must be validly signed and the d= domain of the valid signature must align with the domain in the From: header (must exactly match for strict alignment, or must be a sub-domain for relaxed alignment). Under DMARC a message can fail even if it passes SPF or DKIM, but fails alignment.”
What changes have been made?
Due to recent increases in security issues, AOL and Yahoo have both decided to require strict alignment between the From: header address and domain authentication. Email spoofing will no longer be permitted, and its use will result in the sender’s emails being blocked.
How will the new DMARC policies affect sending?
The only senders who will be affected by this change are those who use Yahoo or AOL email addresses in their From: headers and do not send directly through their respective SMTP servers.
Note: Yahoo’s DMARC update affects only @yahoo.com email addresses; @ymail.com and @rocketmail.com addresses are currently unaffected. In addition, many regional Yahoo servers are unaffected (e.g. yahoo.co.jp).
What can be done to resolve the issues?
At this point in time, we strongly recommend that affected clients consider switching to their own domain for outgoing email traffic. Switching to another free email provider such as Gmail or Hotmail will provide a temporary solution to the problem, but it is only a matter of time before other providers follow in the footsteps of Yahoo and AOL. Security breaches are becoming more and more widespread, so it only makes sense that more email providers will take precautions to protect their users. A custom domain will prevent future deliverability issues from cropping up when ISPs change their policies according to security needs.
If you need assistance setting up a new domain or email addresses, please feel free to contact our support team.
