Yahoo's recent DMARC changes and how that impacts senders

Update April 12, 2014: Yahoo has confirmed the DMARC change in an official statement. There appear to be no plans to revert this change. If you're using in your from address, it's advised that you use an alternate 'from' email domain. For now, a private domain or other free email provider will work, though a private domain is preferable since other free email providers may follow Yahoo's lead.

Update April 22, 2014: AOL has also announced changes to their DMARC policy, so you'll want to use alternatives for AOL addresses in the 'from' field as well.

Late last week, Yahoo! quietly made a dramatic change to the DMARC policy for that impacts senders who use services like Mandrill or independent mailing lists to send 'from' addresses. Yahoo hasn't indicated exactly why they made this change, but it may signal other changes from email providers that are yet to come.

What's happening

If you're sending through a service like Mandrill, you can generally use your own email address as the 'from' email address. For site and app owners, this is usually an address on their domain. For some use cases, though, the 'from' address might be a personal email address like a Gmail or Yahoo address. Email's generally designed to allow this - you can send 'from' an email address through any server on the internet.

Of course, nefarious folks use this to send phishing or spam emails that look like they're coming from someone reputable. The original email protocol wasn't designed with this type of behavior in mind, so it doesn't stop this type of thing at the protocol level (i.e., the protocol doesn't have a way of verifying you are who you say you are). As this type of behavior has become more prevalent, authentication mechanisms have been layered on top of the existing email protocol (read more about authentication in the Mandrill KB).

Yahoo recently made a change in the authentication policy for that is resulting in bounces for some senders. This specifically occurs if you're sending from email addresses, but aren't sending directly through Yahoo's servers. So if you're using Mandrill, another ESP, or mailing list providers that accept mail and then distribute it to the list members, and have the 'from' address set to an address, you might be seeing increased bounces over the past several days due to policy reasons.

For a breakdown of the technical changes Yahoo made, Word to the Wise has a great DMARC primer that explains the changes.

Why make this change

So far, Yahoo hasn't made any information public about this change.* There's some speculation that it's an attempt to stop targeted phishing attacks where attackers are sending 'from' someone's address in an attempt to get information to compromise the Yahoo account. If the rationale is this specific, it's possible the change could be temporary.

As the owner of the domain, it's definitely within Yahoo's purview to make this kind of change - they can tell the world that emails from need to come from Yahoo's servers to be considered legitimate. This is the type of change that providers would typically notify users of, especially since there are a lot of logical (and not evil) reasons for people to be sending 'from' addresses outside of Yahoo's network.

More broadly, most people unfamiliar with the guts of email technology probably aren't even aware that someone can send 'from' their email address using any server on the internet. For users of free mail services like Yahoo, they may be (implicitly) relying on Yahoo to make sure that someone else can't use their email address for terrible things. Yahoo might be willing to cause some disruption for the users legitimately sending outside of their system in favor of protecting those who didn't even know that was possible.

So far, this change only impacts Yahoo, and specifically addresses, but like others in the industry, we'll be monitoring for other changes. In the past, Yahoo's made some decisions surrounding their email product and had to make changes to respond to public criticism, so Yahoo users adversely impacted by this change may benefit by letting Yahoo support know.

What should you do if you're sending from Yahoo addresses?

In short: don't, for now. The best way to prevent bounces from this change is to stop sending with as the 'from' address unless you're sending directly through Yahoo's servers. This eliminates the problem since you're not using a address and will help ensure your emails can be delivered.

If you're sending on behalf of your users or others who have addresses, you'll want to change your emails to be sent 'from' a non-Yahoo address (probably your domain) with reference to the original sender's address in the body. You can also set the 'Reply-To' header to include the original user's Yahoo address if replies should go to them instead of you.
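The rewrite described above, as an added example that is not Mandrill's own code: it reads a domain's DMARC policy and, when that policy is enforcing, sends 'from' your own domain with the user's address in 'Reply-To' and in the body. The `.example` domains, the sample DMARC records, `SERVICE_FROM` and the "via App" display name are all constructed assumptions; a real sender would look up the `_dmarc.<domain>` TXT record in DNS instead of using a dictionary.

```python
from email.message import EmailMessage
from email.utils import formataddr, parseaddr

# Constructed DMARC TXT records standing in for DNS lookups of _dmarc.<domain>.
SAMPLE_DMARC = {
    "freemail.example": "v=DMARC1; p=reject; pct=100",
    "relaxed.example": "v=DMARC1; p=none",
}
SERVICE_FROM = "notifications@app.example"  # assumed: an address on your own domain
ENFORCING = {"reject", "quarantine"}  # policies that tell receivers to act on failures


def dmarc_policy(record):
    """Return the p= tag of a DMARC record, or None if missing or malformed."""
    if not record:
        return None
    tags = {}
    for part in record.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        return None
    return tags.get("p", "").lower() or None


def build_message(user_from, to_addr, subject, body, records=SAMPLE_DMARC):
    """Build a message, rewriting From when the user's domain enforces DMARC."""
    name, addr = parseaddr(user_from)
    domain = addr.rpartition("@")[2].lower()
    msg = EmailMessage()
    msg["To"] = to_addr
    msg["Subject"] = subject
    if dmarc_policy(records.get(domain)) in ENFORCING:
        # Send from our own domain, keep the user reachable via Reply-To,
        # and reference the original sender in the body.
        display = f"{name or addr.partition('@')[0]} via App"
        msg["From"] = formataddr((display, SERVICE_FROM))
        msg["Reply-To"] = addr
        body = f"Sent on behalf of {addr}\n\n{body}"
    else:
        msg["From"] = user_from
    msg.set_content(body)
    return msg


if __name__ == "__main__":
    print(build_message("Alice <alice@freemail.example>", "bob@relaxed.example",
                        "Hello", "Message text."))
```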