Recently, two major league ISPs made a policy update to their email authentication, and it has got all us marketers in a tizzy! Yahoo! and AOL raised some eyebrows when they changed their DMARC Validation in a super aggressive way in an attempt to block email spoofing attacks on yahoo.com and aol.com addresses. Their intent was honorable, but this policy change could end up rejecting your email campaigns, even if you’re a legitimate sender!
What the heck is DMARC anyway?
DMARC stands for "Domain-based Message Authentication, Reporting & Conformance” and it allows domain owners to publish policy statements in DNS telling receiver domains what to do with messages that don’t authenticate. On its official website, DMARC is described as standardizing "how email receivers perform email authentication using the well-known SPF and DKIM mechanisms.”
Below is a nifty diagram from DMARC.org breaking down the process of sending an email from point A to point B:
This is a screen capture from DMARC.org's website.
Before Yahoo! and AOL’s policy update, it was A-Okay to have your ‘from address’ be different than the sender server address. As email marketers, our sender’s domain is almost always different than our “from address” domain because we utilize a third-party service like an Email Service Provider (ESP) to send our mailing campaigns. For example, if we sent an email campaign through Campaign Monitor but used a Yahoo domain as our “from address,” it would look a little something like this:
- “From Address:” firstname.lastname@example.org
- Sender Server Address: email@example.com
As the domains above do not match up, Yahoo would automatically reject this email send based off of their new policies.
Domain owners can use a DMARC policy setting called “p=" to tell receiving email servers what should happen if the DMARC check fails. AOL and Yahoo! changed their DMARC policy to p=reject if the “from address” domain and “sender domain” do not match. Most other ISPs, such as Gmail, have a policy record of p=none, even if the variables mentioned above do not match. This means the email is still successfully delivered regardless of the correlation between the domain in the “from address” and the domain of the server.
In laymen’s terms, if you send through an ESP with a “from address” ending in @aol.com or @yahoo.com, your email will be rejected.
Check out the examples below to see what the DKIM-signature looks like. The first example aligned the “from address” and sender server domains so the DKIM would authenticate the email and signal the message to be delivered. The second example is of an email that does NOT have aligned domains and would NOT be successfully delivered.
This is a screen capture from Word to the Wise's website.
With this change, these emails aren’t just rejected. There can be more severe consequences. John Levine, president of the Coalition Against Unsolicited Commercial Email (CAUCE), said DMARC-enabled providers will not only fail to receive messages sent to the mailing list by Yahoo! and AOL users, but will also flood the list with bounce messages, risking to be bounced off the list themselves. This could be detrimental to future email campaigns and list integrity.
So why the change in authentication?
Is it just because these ISPs are a bunch of meanies and hate email marketers? No…not so much! There has been an ongoing attack against Yahoo! to breach the security of their users. The attackers were sending mail from Yahoo! users to their contacts through other servers.
This is picture of the p=reject record in the works. This image is a screen capture from SMTP2GO's blog.
Email is incredibly easy to spoof and these scammers will pretend to be sending emails from major brands to attain sensitive information from their targets. They do this, for example, by replicating the logo of a well-known company to gain trust and trick people out of their money or passwords. ISPs like Yahoo! and AOL took the action they did to protect harmless users from these malicious attacks, but as a consequence, they may be preventing legitimate mail from being delivered as well. However, this should be relatively uncommon, as very few marketers (that we know of) send their emails with a Yahoo! Or AOL “from address.”
Who is affected by these policy changes?
Right now, this policy change ONLY affects users who use Yahoo! or AOL as their “from address” but send from servers other than Yahoo! or AOL. Neither Yahoo! nor AOL rolled out the change to other domains beyond @yahoo.com and @aol.com. However, it will not be very surprising if other ISPs like Gmail follow suit. This is especially easy because DMARC takes advantage of preexisting authentication methods like DKIM and SPF. With e-commerce on the rise, phishing emails aren’t going to stop anytime soon. That is why webmail providers will need to take every precaution necessary to protect their users.
You have an AOL or Yahoo! “from address,” what now?
Right now the only way to send mail from @yahoo.com and @aol.com addresses to domains checking DMARC is to send mail using the Yahoo! and AOL SMTP servers. Unfortunately, there is not a workaround for this. The easiest way to combat this policy update is by having a “from address” with a private domain like firstname.lastname@example.org.
Creating a private domain will be advantageous even if your “from address” isn’t tied to Yahoo! or AOL. With email scams in full swing, it should be no surprise when other major ISPs follow suit and adopt the DMARC policy that Yahoo! and AOL did. By using your own domain, you can prevent future deliverability issues caused by any future changes ISPs make.
What do you think? Is this anti-spoofing update fair to email marketers or not? Share your thoughts in the comments section below!