Technology in terms you understand. Sign up for the Confident Computing newsletter for weekly solutions to make your life easier. Click here and get The Ask Leo! Guide to Staying Safe on the Internet — FREE Edition as my thank you for subscribing!

What’s this new anti-spam policy about, and how will it affect me?

Question: Hi, Leo. AOL and Yahoo have recently been said to adopt a harsh DMARC policy to stem the problems of spam and phishing. From the outlook I think it’s a welcomed change despite causing some genuine emails to bounce back. Would you please explain what the implications to the users of these severs and any actions to be taken on the user’s part?

I’m all too familiar with this policy of late. I’m one of the moderators on a corgi related email list. We’ve been impacted by this change, and not in a good way.

Become a Patron of Ask Leo! and go ad-free!

What’s a DMARC?

DMARC stands for Domain Based Message Authentication Reporting and Conformance. It’s essentially a standard by which email senders tell the world “this is what email from my domain should look like”. It builds on other standards called SPF (Sender Policy Framework) and DKIM (Domain Keys Identified Mail).

If you’ve ever taken a look at the headers you normally don’t see in email (something like a View Message Source in Gmail) you’ll see that there are typically several references to SPF and DKIM there. The goal here is actually pretty simple: to help determine what is legitimate email and what is not.

The problem however is that the changes made by AOL and Yahoo take what many consider to be an excessively aggressive or restrictive position on what to do with some of the email that their users send; a stance that’s breaking email discussion lists all over the place.

Discussion lists versus mailing lists

Let’s first distinguish between mailing lists and discussion lists.

For purposes of this article, a mailing list is email sent from one sender to many recipients. Something like my weekly newsletter is a good example. I send it out and 60,000 people get it. If they reply, the reply goes to me, and not to all of the other 60,000 members.

A discussion list is an email address that when you send to it, your message goes to all of the members that are on that list. And when they reply, the reply also goes to all of the members. Thus the concept: members of this list can have a discussion via email.

It’s the discussion lists that are by far the most affected by this change.

The change

The DKIM setting that was changed by Yahoo! and AOL now says (using Yahoo as an example) “if you get an email that is from an email address, and that email was not actually sent by a Yahoo email server, then reject it”.

No SPAM!Now, on the surface that sounds kind of nifty. Spammers make it look like they’re sending from Yahoo accounts all the time, even when they’re not, because the “from” address is trivially easy to fake. With this change spammers get stopped in their tracks, at least when it comes to making things look like they come from Yahoo email addresses when in fact they did not.

But think about how an email discussion list works. When you send an email to that list, you’re actually sending it to a mailing list management server. It then takes your message and forwards it on to all the members of the mailing list. In other words, it is sending the messages to the recipients.

That message from a Yahoo user is sent out on that final leg to all the recipients by a non-Yahoo email server. It’s being sent by the discussion list’s server.

So if the recipient’s email server is paying attention to the DKIM change, it then says, “Hey, I just got email from a address but it didn’t come from a Yahoo server. Therefore, I’m supposed to reject it”. And it does.

As a result, users with Yahoo and AOL email accounts, and perhaps others can’t send emails to their discussion lists and have it reach all of the members.

From bad to worse

But it actually gets worse. Some email list servers take that rejection kind of hard. I’m tempted to say they even take it personally. :-)

What happens is that some will actually remove the recipient from the discussion list for having rejected the message.

Think it through for a minute:

  • someone with a Yahoo email address sends a message to your discussion list
  • some other random member of that discussion list gets unsubscribed because their mail server did what did DKIM told it to do

In practice, what really happens is that multiple members get unsubscribed all at once, and that’s what we’ve been dealing with on the Corgi mailing list.

The future

The good news here is that mailing list software is (slowly) being updated to at least stop unsubscribing people so aggressively, and they are also looking at ways to mitigate the impact of this DKIM change so that Yahoo senders, for example, will still be able to use discussion lists.

But until then, well, it’s quite the kerfuffle. I’m really not sure how or when it will all finally shake out.

Do this

Subscribe to Confident Computing! Less frustration and more confidence, solutions, answers, and tips in your inbox every week.

I'll see you there!

4 comments on “What’s this new anti-spam policy about, and how will it affect me?”

    • Nope. It sends it out, with an (optional) explicit additional

  1. This also happens if you have a bunch of friends with whom you regularly exchange “Funnies” and “Not Funnies”.

    Yahoo have for ages queried in a “Nanny” way, if one is sending spam and requested the addition of one those screwed up letter/number things to prove that you’re human.

    This was one of my main reasons for leaving Yahoo and going to Google.


Leave a reply:

Before commenting please:

  • Read the article.
  • Comment on the article.
  • No personal information.
  • No spam.

Comments violating those rules will be removed. Comments that don't add value will be removed, including off-topic or content-free comments, or comments that look even a little bit like spam. All comments containing links and certain keywords will be moderated before publication.

I want comments to be valuable for everyone, including those who come later and take the time to read.