I’m all too familiar with this policy of late. I’m one of the moderators on a corgi related email list. We’ve been impacted by this change, and not in a good way.
What’s a DMARC?
DMARC stands for Domain Based Message Authentication Reporting and Conformance. It’s essentially a standard by which email senders tell the world “this is what email from my domain should look like”. It builds on other standards called SPF (Sender Policy Framework) and DKIM (Domain Keys Identified Mail).
If you’ve ever taken a look at the headers you normally don’t see in email (something like a View Message Source in Gmail) you’ll see that there are typically several references to SPF and DKIM there. The goal here is actually pretty simple: to help determine what is legitimate email and what is not.
The problem however is that the changes made by AOL and Yahoo take what many consider to be an excessively aggressive or restrictive position on what to do with some of the email that their users send; a stance that’s breaking email discussion lists all over the place.
Discussion lists versus mailing lists
Let’s first distinguish between mailing lists and discussion lists.
For purposes of this article, a mailing list is email sent from one sender to many recipients. Something like my weekly newsletter is a good example. I send it out and 60,000 people get it. If they reply, the reply goes to me, and not to all of the other 60,000 members.
A discussion list is an email address that when you send to it, your message goes to all of the members that are on that list. And when they reply, the reply also goes to all of the members. Thus the concept: members of this list can have a discussion via email.
It’s the discussion lists that are by far the most affected by this change.
The DKIM setting that was changed by Yahoo! and AOL now says (using Yahoo as an example) “if you get an email that is from an @yahoo.com email address, and that email was not actually sent by a Yahoo email server, then reject it”.
Now, on the surface that sounds kind of nifty. Spammers make it look like they’re sending from Yahoo accounts all the time, even when they’re not, because the “from” address is trivially easy to fake. With this change spammers get stopped in their tracks, at least when it comes to making things look like they come from Yahoo email addresses when in fact they did not.
But think about how an email discussion list works. When you send an email to that list, you’re actually sending it to a mailing list management server. It then takes your message and forwards it on to all the members of the mailing list. In other words, it is sending the messages to the recipients.
That message from a Yahoo user is sent out on that final leg to all the recipients by a non-Yahoo email server. It’s being sent by the discussion list’s server.
So if the recipient’s email server is paying attention to the DKIM change, it then says, “Hey, I just got email from a Yahoo.com address but it didn’t come from a Yahoo server. Therefore, I’m supposed to reject it”. And it does.
As a result, users with Yahoo and AOL email accounts, and perhaps others can’t send emails to their discussion lists and have it reach all of the members.
From bad to worse
But it actually gets worse. Some email list servers take that rejection kind of hard. I’m tempted to say they even take it personally. 🙂
What happens is that some will actually remove the recipient from the discussion list for having rejected the message.
Think it through for a minute:
- someone with a Yahoo email address sends a message to your discussion list
- some other random member of that discussion list gets unsubscribed because their mail server did what did DKIM told it to do
In practice, what really happens is that multiple members get unsubscribed all at once, and that’s what we’ve been dealing with on the Corgi mailing list.
The good news here is that mailing list software is (slowly) being updated to at least stop unsubscribing people so aggressively, and they are also looking at ways to mitigate the impact of this DKIM change so that Yahoo senders, for example, will still be able to use discussion lists.
But until then, well, it’s quite the kerfuffle. I’m really not sure how or when it will all finally shake out.