DMARC’s (Un)intended Consequences: Why Yahoo is Bouncing Your Emails

Let’s get straight to the point. Over the weekend, possibly last Friday night, Yahoo changed a key DNS (domain name system) entry. The effect was brutal: It started bouncing out every email that said it was from a Yahoo address, but had not been sent by a Yahoo server.

So, if your email said it was from but was in reality sent by a third party, such as FeedBlitz (bear in mind this is not targeting FeedBlitz specifically, and is not a blacklisting; this applies to any third party service and I’m using us as an example), then if you sent your email over the weekend, it was bounced by Yahoo.

That’s bad, and it gets worse. It was also bounced by Gmail, because they are paying attention to the DNS record Yahoo changed, called a DMARC record. Bottom line: Your emails didn’t get through, if you specified your “from” address to be a Yahoo email.

They didn’t get routed to junk or the spam folder. They were bounced out and never accepted for delivery, if (to repeat ad nauseam) you specified your “from” address to be a Yahoo email account.

Getting Your Emails Through

We here at FeedBlitz want your emails to get through. That is, after all, our job. And, mission accomplished. As of 9am US eastern time today, we implemented a change to how we send emails so that they now WILL get through. If your mailings specify a Yahoo “From” address, FeedBlitz will override that to use our standard sending address instead. Replies to your emails will still go to the Yahoo email address you specified. This change will get your emails through to Yahoo, and also to Gmail and any other provider using DMARC as a filter.

Next Steps

Every publisher using a Yahoo “from” address will hear directly from us today with instructions as to how to change their settings. It’s going to be pretty easy, and won’t require you to deal with DNS settings or anything too techie, I hasten to add. You probably don’t have an IT function and setting up DNS records for SPF, SenderID, DKIM delegation and DMARC is not what you want to be spending time on right now. Longer term we will require every publisher to match the from address of their mailings with their site’s web domain — but not today.

Bottom Line

Your FeedBlitz emails will now get through again if you used a Yahoo from address, because now you won’t be accidentally triggering ISP anti-phishing and anti-spam filters. Yay!

The Techie Stuff

We all hate spam, right? Email is a great vehicle for communication, engagement — and so email is a very effective spam and phishing tool, too. Spammers and hackers know this, that’s why there’s so much junk around. To try to manage this, there exist a number of approaches that have been added on to Internet / SMTP email over time, with varying degrees of success. Most of the time, you should be blissfully unaware of these because they just work.

Here is where the alphabet soup comes in.

SPF, SenderID and DKIM are protocols that enable authentication (DKIM does more, but for the purposes of this post it’s the authentication aspect that matters). They all enable a receiver to determine whether an email that says it comes from domain A was sent by an email server authorized to send on behalf of domain A. This matters because good senders with good IP reputations (such as FeedBlitz) want to make sure that nobody pretends to send email from us. We authenticate with SPF, SenderID and DKIM. If a spammer tries to send an email that looks like it’s from FeedBlitz, but wasn’t really sent by us, it will fail the authentication test.

So far, so good. But SPF and its acronym cronies only go so far. They validate that the email came from an authorized server, or at least the server it said it came from, but that doesn’t necessarily make the email genuine. It certainly doesn’t ensure it is NOT spam.

You’re going “huh?” right now, aren’t you?

Let me see if I can explain.

Every email we send from FeedBlitz validates as being sent by us. We are an excellent, well-behaved sender, so the email should get through. But you can also change the “from” address (not the sender — we control that) to make the email seem to be from you in the recipient’s inbox. And that’s the problem. Although authentication verifies that we sent it, it says nothing about what you say about yourself in the rest of the email’s envelope, or the content of the email. This is what hackers take advantage of. They set the “From” email address to be yours to fool your friends, or to be that of your bank, to fool you. The email can still be authenticated as really coming from the hacker’s server, but it’s still spam, phishing or a scam. Authentication, therefore, is only part of the anti-abuse solution.

Waiter, There’s an Email in my Acronym Soup

Enter DMARC. It tries to solve several problems for receivers and senders, but the piece we care about here is how it handles the kind of “From” address changes I was mentioning above, which we shall, for the sake of argument, call spoofing.

DMARC does not look at the sender (which is authenticated by SPF, DKIM etc.), but at the “From” address you specify. A domain owner can set up DMARC to say, in effect: “If the from address doesn’t align with the sender, regardless of whether the sender is authenticated or not, and regardless of the sender’s reputation, the email is de facto faked, do not accept it.”

Which is great for you and your bank, because now it’s easy for your ISP or your email app to figure out whether that email that purports to be from you, or from your bank, is really real or not.

Sounds great, right? No more phishing! Less crud to deal with. Smaller inboxes. Who wouldn’t want that?

Because that’s just what Yahoo did this weekend.

No Email for You

That DMARC change? The good, anti-spam, anti-phishing change Yahoo just implemented? It’s why your newsletter mailing had all those bounces. Your email was bounced this weekend by Yahoo and Gmail, amongst others, because Yahoo’s DMARC record now tells the whole world to reject all emails purporting to come from Yahoo that don’t authenticate as being sent by Yahoo.

It doesn’t matter that you’re using your Yahoo email account as the “From” address for your newsletter, Mrs. Mom and Pop Blogger.

It doesn’t matter that you’ve had that Yahoo address for years.

It doesn’t matter that you’ve been using it with FeedBlitz – or any other email service – for years.

It doesn’t matter how good your email service is, how wonderful your content, nor how scrupulous you’ve been about keeping your list clean.

It doesn’t matter at all.

If your mailing’s “From” address is using a Yahoo email address, and you used a third party service to send it, then as far as Yahoo and other ISPs are concerned, your email is now clearly and incontrovertibly spam (or worse) and MUST be rejected. Not even routed to junk, nope, no sir. Rejected. Bounced. And this is exactly what Yahoo intended.
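To make the alignment test concrete, here is an added example, not code from FeedBlitz or any mailbox provider, that evaluates DMARC the way a receiver would for a mailing sent before and after the From-address override. The records in `DMARC_RECORDS`, the `esp.example` sender domain and the addresses are constructed, and the two-label organizational-domain rule is an assumption standing in for the Public Suffix List.

```python
from email.utils import parseaddr

# Constructed stand-ins for the TXT records a receiver would fetch from
# _dmarc.<From domain>; not copied from live DNS.
DMARC_RECORDS = {
    "yahoo.com": "v=DMARC1; p=reject",
    "esp.example": "v=DMARC1; p=none",
}

def parse_dmarc(record):
    """Split 'v=DMARC1; p=reject; ...' into a dict of lower-cased tags."""
    parts = (p.partition("=") for p in record.split(";") if p.strip())
    tags = {k.strip().lower(): v.strip().lower() for k, _, v in parts}
    if tags.get("v") != "dmarc1" or "p" not in tags:
        raise ValueError("not a usable DMARC record")
    return tags

def org_domain(domain):
    # Assumption: the last two labels form the organizational domain.
    # Real receivers consult the Public Suffix List instead.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(from_domain, auth_domain, mode):
    """mode 's' = strict (exact match); 'r' = relaxed (same organizational domain)."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)

def dmarc_disposition(from_header, spf, dkim):
    """spf and dkim are (result, authenticated domain) pairs from the receiver's checks."""
    from_domain = parseaddr(from_header)[1].rpartition("@")[2].lower()
    record = DMARC_RECORDS.get(from_domain)
    if record is None:
        return "no-policy"
    tags = parse_dmarc(record)
    spf_ok = spf[0] == "pass" and aligned(from_domain, spf[1], tags.get("aspf", "r"))
    dkim_ok = dkim[0] == "pass" and aligned(from_domain, dkim[1], tags.get("adkim", "r"))
    # DMARC passes if either mechanism both passes and aligns with the From domain.
    return "pass" if (spf_ok or dkim_ok) else tags["p"]

# Both messages authenticate as the third-party sender; only the From header differs.
ESP_AUTH = {"spf": ("pass", "bounce.esp.example"), "dkim": ("pass", "esp.example")}
before = dmarc_disposition("Blogger <publisher@yahoo.com>", **ESP_AUTH)
after = dmarc_disposition("Blogger <newsletter@esp.example>", **ESP_AUTH)
print(before, after)  # reject pass
```

The Reply-To header is not an input to `dmarc_disposition`, which is why replies can still go to the Yahoo address after the override.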

With this change, Yahoo has effectively abandoned IP and sender reputation as a front line filter, which I’m sure simplifies their lives, and I’m sure will stop some fraction of spam inbound to Yahoo dead. It sure sucks to be you, though, right? Because you’re the collateral damage. Your emails are being blocked as effectively as the scammers’. So DMARC’s good intentions – stopping fraud, phishing and protecting the gullible – have created a new kind of email hell for the rest of us.

Yahoo’s implementation is a brutal, naive, one size fits all approach. It’s hurting small businesses and solopreneurs. It’s hurting the kind of user who’s been loyal to Yahoo despite the availability of competing services, simply because they’re guilty of wanting to use their Yahoo email addresses on their newsletters. Yes, there will be less spam inbound to Yahoo. I guess they figure that the trade is worth it.

Yet, as with cleaning up a city neighborhood, I fear all they’re probably going to achieve is to move the bad guys a couple of blocks over, which in this case means you should expect to see a rise in spam purporting to come from ISPs like Gmail and Hotmail / Live / Outlook. And that spam will head right back into Yahoo inboxes.

Practice Safe Mailing

No matter, though. FeedBlitz will be getting your email through from now on because the change I outlined above will simply avoid Yahoo’s DMARC filter. Long term, as a blogger, you simply need to make sure that your from address matches your blog’s domain (you do have your blog on your own domain, right? If not, do not pass go, go ahead and fix that ASAP. Like, now already). Since adding SPF and DMARC records is beyond the ken of most of us here on social media, that will do. You can relax.

Extra Courses at the Email Cafe

If you DO want to really bulletproof your mailings, and want to set up your DNS records to make sure that (a) your email always authenticates, (b) your email can’t be spoofed by a hacker or malware, and (c) you can use a third party service like FeedBlitz to send your bulk mailings, stay tuned. I’ll go over all the tech changes you need to make in the coming days.

Otherwise, if you’ve been sending your email from a Yahoo address, you’re OK here at FeedBlitz. But no matter who you’ve been using to send it with, you should go to your list’s settings and change it to an address you control on your domain. After all, your “From” address should match your branding, and this is a great opportunity to make that happen.