Updated: Email Senders Stymied By Yahoo’s Adoption Of Anti-Spoofing Measure

Note: since this story was originally published, we received a response from Yahoo regarding this change, and we have incorporated the additional information below.

Small businesses using Yahoo.com email addresses to send to their customers or prospects have run into significant trouble getting messages delivered this week, since Yahoo Mail instituted a security change that’s resulted in an untold number of bounces.

And the problem isn’t likely to be short-lived, as these bounces may result in recipients being removed from email lists entirely, due to their addresses’ bouncing. This could cause a serious amount of damage to the companies’ email lists, as they may lose a large percentage of subscribers inadvertently.

In a discussion thread on Yahoo Answers related to Yahoo Mail, one business owner complains:

I can’t receive orders from my website, and my customers can’t receive order confirmations and status updates. My site is clean, with no chance of spam, so why is this happening and how can I fix it?

It’s happening, according to email expert John Levine, because Yahoo over the weekend implemented a change that basically tells all recipients, including Hotmail, Gmail, AOL, etc., to reject any mail originating from a Yahoo.com address if it fails certain tests. In this case, the test is that the sender email address domain must match the domain of the server actually sending the email — which isn’t necessarily the case if people use mailing lists or other software to send email for them, rather than using the Yahoo.com STMP servers themselves.

So, the problem applies not only to small businesses but to anyone using a Yahoo.com sending address to participate in a mailing list that uses other servers.

In a discussion on the Internet Engineering Task Force’s email list — the IETF is a non-profit body that sets Internet technological standards — Levine said that this method of email authentication, called DMARC, works well for some situations, such as for large enterprises:

For other kinds of mail it works less great, because like every mail security system, it has an implicit model of the way mail is delivered that is similar but not identical to the way mail is actually delivered…. Mailing lists are a particular weak spot for DMARC. Lists invariably [sic] use their own bounce address in their own domain, so the SPF [sender policy framework] doesn’t match.

Indeed, based on online discussions, it appears plenty of businesses are sending email in a way that doesn’t comply with Yahoo’s new security policy. A couple of sample comments:

  • “I too have been having the same problem all morning from two sites I use as a realtor. Have never had an issue before. I just sent email to my office tech support to see if they know what is going on. Not able to get any property information to clients either.”
  • “We can not send e-contracts to clients and have spent hours working on a resolution.”

Here’s an example of headers in which the “from” address and sender authentication don’t match, with the email coming from mncompanionrabbit.org and the actual sending server being from email service provider Constant Contact:

Image used with permission of Laura Tessmer Atkins, co-founder of Word To The Wise email consulting firm.

Image used with permission of Laura Tessmer Atkins, co-founder of the Word To The Wise email consulting firm.

A Yahoo spokesperson confirms that the company has made the change, but won’t elaborate on whether it is considering reversing it: 

We are currently experimenting with an anti-abuse technology that helps us protect our users from phishing and spoofing attacks. As a result of this experiment, a small percentage of our users who use service providers external to Yahoo may experience issues. Affected users can visit our help page to learn more. We apologize for any inconvenience this may have caused.

In the meantime, Levine suggests that senders get a new non-Yahoo address to send mail from, and exhorts list managers to suspend posts from yahoo.com senders to limit the possible damage to the list. As a workaround, Levine says list managers who have source code for their software can “add a hack to check for yahoo.com From: addresses and change them to something like “Address redacted,” which will avoid triggering DMARC.”

Related Topics: Channel: Email Marketing | Email Marketing | Top News | Yahoo: Mail


About The Author: is executive features editor of Marketing Land and Search Engine Land. She’s a well-respected authority on digital marketing, having reported on, written about and worked in digital media and marketing for more than 10 years. She is a previous managing editor of ClickZ and has worked on the other side of digital publishing, helping independent publishers monetize their sites in her work at Federated Media Publishing.

Connect with the author via: Email | Twitter | Google+ | LinkedIn

Marketing Day:

Get the top marketing stories daily!  


Other ways to share:

Read before commenting! We welcome constructive comments and allow any that meet our common sense criteria. This means being respectful and polite to others. It means providing helpful information that contributes to a story or discussion. It means leaving links only that substantially add further to a discussion. Comments using foul language, being disrespectful to others or otherwise violating what we believe are common sense standards of discussion will be deleted. You can read more about our comments policy here.
  • MarkMarkarian

    This is the final straw in my use of Yahoo. After 10 years, I just can’t afford to use them any more. In the past 12 months, I must have spent at least 50 hours working on Yahoo problems and I’ve had it.

    Congratulations Melissa, you’ve lost my 30 bucks a year and all the scanning you enjoyed from my Pop3 email account.

  • GoGoGoBigO!

    Great job of explaining the glitch! Maybe this was, last night, what kept my yahoo inbox from receiving the Craigslist acknowledgment and link to complete the validation of my posting to sell my Mercedes 300CD turbo…

Get Our News, Everywhere!

Daily Email:

Follow Marketing Land on Twitter @marketingland Like Marketing Land on Facebook Follow Marketing Land on Google+ Subscribe to Our Feed! Join our LinkedIn Group Check out our Tumblr! See us on Pinterest


Click to watch SMX conference video

Join us at one of our SMX or MarTech events:

United States


Australia & China

Learn more about: SMX | MarTech

Free Daily Marketing News!

Marketing Day is a once-per-day newsletter update - sign up below and get the news delivered to you!