Yahoo DMARC Update 2016
Quick Answer
On 28 March 2016, Yahoo extended its strict DMARC reject policy from yahoo.com to roughly 50 lower-volume international domains (yahoo.at, yahoo.be, yahoo.bg, yahoo.cl, yahoo.co.id, yahoo.co.kr, yahoo.com.ph, yahoo.com.sg, yahoo.com.tw, yahoo.com.ua, yahoo.cz, yahoo.dk, yahoo.fi, yahoo.fr equivalents, yahoo.ie, yahoo.nl, yahoo.no, yahoo.pl, yahoo.se, the yahoogroups variants, and others). After that date, mail using any of those domains in the From-header that did not originate from Yahoo's own infrastructure was filtered or blocked. The fix for senders is to audit outbound mail streams for any From-address using a Yahoo international domain and switch to a 'friendly from' pattern, where the recipient's name or display string sits with a sending address on a domain you control (e.g., "Example User" <message@yourdomain.com>). Then publish your own DMARC policy so you are not the next sender broken by an inbox provider tightening enforcement.
You may already know that Yahoo.com has a DMARC policy in place that prevents mail with yahoo.com in the from address from being delivered if it is sent from outside Yahoo’s infrastructure.
Yahoo is expanding this policy to their lower-volume Yahoo international domains below on Mar 28, 2016.
The list of domains that will become unusable is as follows:
| y7mail.comyahoo.at yahoo.be yahoo.bg yahoo.cl yahoo.co.hu yahoo.co.id yahoo.co.il yahoo.co.kr yahoo.co.th yahoo.co.za yahoo.com.co yahoo.com.hr yahoo.com.my yahoo.com.pe yahoo.com.ph | yahoo.com.sgyahoo.com.tr yahoo.com.tw yahoo.com.ua yahoo.com.ve yahoo.com.vn yahoo.cz yahoo.dk yahoo.ee yahoo.fi yahoo.hr yahoo.hu yahoo.ie yahoo.lt yahoo.lv yahoo.nl | yahoo.noyahoo.pl yahoo.pt yahoo.rs yahoo.se yahoo.si yahoo.sk yahoogroups.co.kr yahoogroups.com.cn yahoogroups.com.sg yahoogroups.com.tw yahoogrupper.dk yahoogruppi.it yahooxtra.co.nz |
|---|
This means that messages using any of these domains as the from address which are _not_sent from Yahoo’s infrastructure will likely be filtered or blocked completely.
Things to Consider
Sending mail from external domains is more common than you might think. It’s a good idea to take a close look at all of your mail streams to ensure that you are not using these domains in any of your from addresses. If you are, you may have some work to do. Messages using these domains will likely stop delivering in the very near future. If your use case requires that you are able to identify the sender of the message, try experimenting with a “friendly from” instead of using their personal email address. A “friendly from” is when you use a name to appear as the from address, instead of the email address itself: exampleuser@yahoo.com can be sent as “Example User” <message@yourdomain.com>
Remember that Yahoo made these changes in the interest of keeping email safe and secure for everyone. After auditing your mail streams for outgoing messages using Yahoo domains, it would be a great idea to start working on your own DMARC policy. In the next few years we expect inbox providers to begin filtering senders that don’t have a DMARC policy protecting their domain. You will not regret being ahead of the curve on this.
General Manager
General Manager at DuoCircle. Product strategy and commercial lead across the email security portfolio.
Secure your email infrastructure
Protect, authenticate, and deliver. Contact our team to find the right solution.