Updated: Email Senders Stymied By Yahoo’s Adoption Of Anti-Spoofing Measure
Note: since this story was originally published, we received a response from Yahoo regarding this change, and we have incorporated the additional information below.
Small businesses using Yahoo.com email addresses to send to their customers or prospects have run into significant trouble getting messages delivered this week, since Yahoo Mail instituted a security change that’s resulted in an untold number of bounces.
And the problem isn’t likely to be short-lived, since recipients whose addresses bounce may be removed from email lists entirely. This could do serious damage to the companies’ email lists, as they may inadvertently lose a large percentage of their subscribers.
In a discussion thread on Yahoo Answers related to Yahoo Mail, one business owner complains:
I can’t receive orders from my website, and my customers can’t receive order confirmations and status updates. My site is clean, with no chance of spam, so why is this happening and how can I fix it?
It’s happening, according to email expert John Levine, because Yahoo over the weekend implemented a change that basically tells all recipients, including Hotmail, Gmail, AOL, etc., to reject any mail originating from a Yahoo.com address if it fails certain tests. In this case, the test is that the domain in the message’s sender address must match the domain authenticated for the server that actually sent it — which isn’t necessarily the case if people use mailing lists or other software to send email for them, rather than using Yahoo.com’s own SMTP servers.
So, the problem applies not only to small businesses but to anyone using a Yahoo.com sending address to participate in a mailing list that uses other servers.
In a discussion on the Internet Engineering Task Force’s email list — the IETF is a non-profit body that sets Internet technological standards — Levine said that this method of email authentication, called DMARC, works well for some situations, such as for large enterprises:
For other kinds of mail it works less great, because like every mail security system, it has an implicit model of the way mail is delivered that is similar but not identical to the way mail is actually delivered…. Mailing lists are a particular weak spot for DMARC. Lists invariably [sic] use their own bounce address in their own domain, so the SPF [sender policy framework] doesn’t match.
Indeed, based on online discussions, it appears plenty of businesses are sending email in a way that doesn’t comply with Yahoo’s new security policy. A couple of sample comments:
- “I too have been having the same problem all morning from two sites I use as a realtor. Have never had an issue before. I just sent email to my office tech support to see if they know what is going on. Not able to get any property information to clients either.”
- “We cannot send e-contracts to clients and have spent hours working on a resolution.”
Here’s an example of headers in which the “from” address and sender authentication don’t match, with the email coming from mncompanionrabbit.org and the actual sending server being from email service provider Constant Contact:
A Yahoo spokesperson confirms that the company has made the change, but won’t elaborate on whether it is considering reversing it:
We are currently experimenting with an anti-abuse technology that helps us protect our users from phishing and spoofing attacks. As a result of this experiment, a small percentage of our users who use service providers external to Yahoo may experience issues. Affected users can visit our help page to learn more. We apologize for any inconvenience this may have caused.
In the meantime, Levine suggests that senders get a new non-Yahoo address to send mail from, and exhorts list managers to suspend posts from yahoo.com senders to limit the possible damage to the list. As a workaround, Levine says list managers who have source code for their software can “add a hack to check for yahoo.com From: addresses and change them to something like ‘Address redacted,’ which will avoid triggering DMARC.”
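As an added example (not code from the original article, and not Yahoo’s, Constant Contact’s or any list software’s own code), the following Python script makes the header mismatch described above and Levine’s list-manager workaround concrete. It reads the From: domain and the SPF/DKIM-authenticated domains out of a message’s headers, checks DMARC identifier alignment the way a receiving mailbox provider would, and then simulates a mailing list re-sending the message with its own bounce address, with and without rewriting a yahoo.com From: address to the list’s own address. All sample headers and hostnames (example-esp.net, lists.example.org, mx.example.net, the sender names and addresses) are constructed placeholders; the set of p=reject domains is an input rather than a DNS lookup of the real policy record; the organizational-domain rule is simplified to the last two DNS labels instead of the Public Suffix List; and keeping the original author reachable through Reply-To is this example’s choice, not something the article describes.

```python
"""Added example: DMARC identifier alignment check plus the list-side From:
rewrite. Not code from the article, Yahoo, or any email service provider.
Assumes a trustworthy Authentication-Results header written by the receiving
MTA and a simplified organizational-domain rule (last two labels)."""
import re
from email import message_from_string
from email.message import Message
from email.utils import formataddr, parseaddr

# Domains treated as publishing DMARC p=reject. yahoo.com is the article's case;
# this is a constructed input, not a lookup of the real _dmarc DNS record.
REJECT_DOMAINS = {"yahoo.com"}

# Constructed sample 1: a yahoo.com From: address sent through a third-party
# bulk mailer (placeholder hostnames, not any real provider's infrastructure).
RAW_VIA_ESP = """\
Return-Path: <bounce-0001@bounces.example-esp.net>
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=bounces.example-esp.net; dkim=pass header.d=example-esp.net
From: "Shop Owner" <owner@yahoo.com>
To: customer@example.net
Subject: Your order confirmation

Thanks for your order.
"""

# Constructed sample 2: the same sender using Yahoo's own outbound servers.
RAW_DIRECT = """\
Return-Path: <owner@yahoo.com>
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=yahoo.com; dkim=pass header.d=yahoo.com
From: "Shop Owner" <owner@yahoo.com>
To: customer@example.net
Subject: Your order confirmation

Thanks for your order.
"""

def org_domain(domain: str) -> str:
    """Organizational domain, simplified to the last two labels."""
    labels = domain.lower().strip().rstrip(".").split(".")
    return ".".join(labels[-2:])

def from_domain(msg: Message) -> str:
    return parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()

def authenticated_domains(msg: Message) -> dict:
    """Domains the receiver's SPF and DKIM checks actually vouched for."""
    spf, dkim = None, []
    for ar in msg.get_all("Authentication-Results", []):
        m = re.search(r"spf=pass\s+smtp\.mailfrom=([^\s;]+)", ar)
        if m:
            spf = m.group(1).rpartition("@")[2].lower()
        dkim += [d.lower() for d in re.findall(r"dkim=pass\s+header\.d=([^\s;]+)", ar)]
    return {"spf": spf, "dkim": dkim}

def dmarc_alignment(raw: str) -> dict:
    """DMARC passes if the From: domain aligns (relaxed) with the SPF or DKIM domain."""
    msg = message_from_string(raw)
    fd, auth = from_domain(msg), authenticated_domains(msg)
    spf_aligned = auth["spf"] is not None and org_domain(auth["spf"]) == org_domain(fd)
    dkim_aligned = any(org_domain(d) == org_domain(fd) for d in auth["dkim"])
    passes = spf_aligned or dkim_aligned
    return {
        "from_domain": fd,
        "spf_domain": auth["spf"],
        "dkim_domains": auth["dkim"],
        "dmarc_pass": passes,
        # Only a p=reject policy turns an alignment failure into a bounce.
        "would_bounce": not passes and org_domain(fd) in REJECT_DOMAINS,
    }

def redact_from(msg: Message, list_addr: str) -> None:
    """Levine's hack: swap a p=reject From: for the list's own address.
    Preserving the author in Reply-To is this example's addition."""
    name, addr = parseaddr(msg.get("From", ""))
    if org_domain(addr.rpartition("@")[2]) in REJECT_DOMAINS:
        del msg["From"]
        msg["From"] = formataddr(("Address redacted", list_addr))
        if "Reply-To" not in msg:
            msg["Reply-To"] = formataddr((name, addr))

def relay_through_list(raw: str, list_addr: str, rewrite_from: bool = True) -> str:
    """What a subscriber's receiver sees after a list re-sends the message:
    the list's own bounce address (SPF) and DKIM signature, so authentication
    now vouches for the list's domain rather than the original poster's."""
    msg = message_from_string(raw)
    list_domain = list_addr.rpartition("@")[2]
    if rewrite_from:
        redact_from(msg, list_addr)
    del msg["Return-Path"]
    del msg["Authentication-Results"]
    msg["Return-Path"] = "<" + list_addr.replace("@", "-bounces@", 1) + ">"
    # Constructed receiver verdict; the poster's original DKIM signature is
    # assumed broken by the list's footer, as is typical.
    msg["Authentication-Results"] = (
        f"mx.example.net; spf=pass smtp.mailfrom={list_domain}; dkim=pass header.d={list_domain}")
    return msg.as_string()

if __name__ == "__main__":
    cases = [("via ESP", RAW_VIA_ESP), ("direct", RAW_DIRECT),
             ("list, no rewrite", relay_through_list(RAW_DIRECT, "news@lists.example.org", False)),
             ("list, rewritten", relay_through_list(RAW_DIRECT, "news@lists.example.org"))]
    for label, raw in cases:
        print(f"{label:17}", dmarc_alignment(raw))
```

Run as a script it prints four verdicts. The point to take from them is that a yahoo.com From: address aligns only when yahoo.com itself is the authenticated domain, which is exactly what a third-party sender or a list relay cannot provide, while the rewritten message aligns on the list’s own domain and so no longer triggers the reject policy.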