Yahoo.com Changes DMARC Policy

UPDATE:  Yahoo Speaks Out About Recent Policy Changes

Over the last 48 hours the Yahoo.com domain has implemented a change in its DMARC policy. DMARC, which stands for “Domain-based Message Authentication, Reporting & Conformance” is an email authentication policy record that aims to prevent from address spoofing.

The change in the DMARC policy implemented by Yahoo means that any email message that uses a from address in the message headers of @yahoo.com must originate from Yahoo’s own mail servers. Messages sent through SocketLabs, or any other source outside of Yahoo using a @yahoo.com from address will be rejected by any mailbox provider that has implemented DMARC. This includes almost all major mailbox providers like Gmail, Outlook, AOL, Comcast and others.

This is a major change of security policy from Yahoo and came without any warning. It looks like only yahoo.com is affected as their other domains such as [ yahoo.co.uk ] and [ yahoo.fr ] do not have similar strict rejection polices. We do know that Yahoo has been under an ongoing attack in which malicious users are compromising accounts and sending unsolicited mail to that accounts’ contacts. While Yahoo blocked this mail from processing internally, this could be an attempt to prevent this mail from originating outside their network.

At this point in time Yahoo has not released any specific information about this change. Part of the DMARC standard allows Yahoo to receive reports about the mail they have blocked, so they are certainly aware of the disruption this is causing.  It is unclear at this time if this is a temporary stop-gap or a long term change in policy.

Customers encountering errors sending with a @yahoo.com from address will need to change the from address in order for messages to successfully process. There are no work arounds at this point in time that SocketLabs can provide. We will continue to monitor the status of this issue and provide further updates to this blog. Again, this is not a SocketLabs specific issue and will affect all email messages purporting to originate from a yahoo.com address that is not sent by Yahoo directly.

Here are some examples of the SMTP error codes you may see in your reports due to this change:

Gmail and Google Apps DMARC Error Code:

550-5.7.1 [X.X.X.X] Our system has detected that this message is likely unsolicited mail. To reduce the amount of spam sent to Gmail, this message has been blocked. Please visit  http://support.google.com/mail/bin/answer.py?hl=en&answer=188131 for  more information. – gsmtp

Outlook/Hotmail/Live/MSN/Office365 DMARC Error Code:

550 5.7.0 (XXXX-XXX-XXX) Unfortunately, messages from (X.X.X.X) on behalf of (yahoo.com) could not be delivered due to domain owner policy restrictions.

Yahoo DMARC Error Code:

554 5.7.9 Message not accepted for policy reasons. See http://postmaster.yahoo.com/errors/postmaster-28.html

Comcast DMARC Error Code:

550 5.2.0 XXXXX Message rejected due to DMARC. Please see http://postmaster.comcast.net/smtp-error-codes.php#DM000001

AOL DMARC Error Code:

521 5.2.1 : (DMARC) This message failed DMARC Evaluation and is being refused due to provided DMARC Policy

Wondering about how Socketlabs’ DMARC tools work? Try our free DMARC Generator Tool to prevent address spoofing.

For more information about DMARC please see the official website at [ http://dmarc.org/ ]. Any further questions can be directed to SocketLabs Support Team: [email protected]