2014-04-23
How Yahoo's and AOL's DMARC 'reject' policies affect us
My whole interest in understanding DMARC started with the simple question of how Yahoo's and AOL's change to a DMARC 'reject' policy would affect us and our users, and how much of an effect it would have. The answer turns out to be that it will have some effects but nothing major.
The most important thing is that this change doesn't significantly affect either our users forwarding their email to places that pay attention to DMARC or our simple mailing lists because neither of them normally modifies email on the way through (which means the DKIM signatures stay intact, which means that email really from Yahoo or AOL will still pass DMARC at the eventual destination). Of course it's possible that some people are forwarding email in ways that modify the message and thus may have problems, but if so they're doing something out of the ordinary; our simple mail forwarding doesn't do this.
(We allow users to run programs from their .forward files, so people can do almost arbitrarily complex things if they want to.)
There is one exception to this. Email that our commercial anti-spam
system detects as being either spam or a virus has its Subject:
header modified, which will invalidate any previously valid DKIM
signature, which means that it will fail to forward through us to
DMARC-respecting places (such as GMail). This would only affect
people who forward all email (not just non-spam email) and then
only if the email was legitimately from Yahoo or AOL in the first
place (and got scored or mis-scored as spam). I think that this is
a sufficiently small thing that I'm not worried about it, partly
because places like GMail now seem to be even stricter than our
anti-spam system is so some percentage of potentially dodgy email
is already not being forwarded successfully.
People who forward their email to DMARC-respecting places will be affected in one additional way. The simple way to put it is that our forwarding is now imperfect, in that we'll accept some legitimate messages but can't forward them successfully. These would be emails from legitimate Yahoo or AOL users that were either sent from outside those places or that got modified in transit by, eg, mailing lists. A user who forwards their email to GMail is now losing these emails more or less silently (to the user). In extreme cases it's possible that they'll get unsubscribed from a mailing list due to these bounces.
This also affects any local user who was sending email out through our local mail gateway using their AOL or Yahoo From: address.
To put it one way, I don't think we have very many people in this
situation and I don't think that they'll have many problems fixing
their configurations to work again.
(I'd like to monitor the amount of forwarding rejections but I can't think of a good way to dig the information out of our Exim logs, since mailing lists generally change the envelope sender address. This makes it tempting to have our inbound SMTP gateway do DMARC checks purely so I can see how many incoming messages fail them.)
PS: writing this entry has been a useful exercise in thinking through the full implications of our setup, as I initially forgot that our anti-spam filtering would invalidate DKIM signatures under some circumstances.
At least partially understanding DMARC
DMARC is suddenly on my mind because of the
news that AOL changed its DMARC policy to 'reject',
following the lead of Yahoo which did this a couple of weeks ago.
The short version is that a DMARC 'reject' policy is what I originally thought DKIM was doing: it locks down email with a From: header of your domain so that only you can send it. More specifically, all such email must not merely have a valid DKIM signature but a signature that is for the same domain as the From: domain; in DMARC terminology this is called being 'aligned'. Note that the domain used to determine the DMARC policy is the From: domain, not the DKIM signature domain.
(I think that DMARC can also be used to say 'yes, really, pay attention to my strict SPF settings' if you're sufficiently crazy to break all email forwarding.)
This directly affects anyone who wants to send email with a From: of
their Yahoo or AOL address but not do it through Yahoo/AOL's SMTP
servers. Yahoo and AOL have now seized control of that and said 'no you
can't, we forbid it by policy'. Any mail system that respects DMARC
policies will automatically enforce this for AOL and Yahoo.
(Of course this power grab is not the primary goal of the exercise;
the primary goal is to cut off all of the spammers and other bad
actors that are attaching Yahoo and AOL From: addresses to their email.)
This indirectly affects anyone who has, for example, a mailing list (or a mail forwarding setup) that modifies the message Subject: or adds a footer to the message as it goes through the list. Such modifications will invalidate the original DKIM signature of legitimate email from a Yahoo or AOL user and then this bad DKIM signature will cause the message to be rejected by downstream mailers that respect DMARC. The only way to get such modified emails past DMARC is to change the From: header away from Yahoo or AOL, at which point their DMARC 'reject' policies don't apply.
DMARC by itself does not break simple mail relaying and forwarding (including for simple mailing lists), ie all things where the message and its headers are unmodified. An unmodified message's DKIM signature is still valid even if it doesn't come directly from Yahoo or AOL (or whoever) so everything is good as far as DMARC is concerned (assuming SPF sanity).
Note that Yahoo and AOL are not the only people with a DMARC 'reject' policy. Twitter has one, for example. You can check a domain's DMARC policy (if any) by looking at the TXT record on _dmarc.<domain>, eg _dmarc.twitter.com. I believe the 'p=' bit is the important part.
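As an added example (not code from this blog or from any mail system), here is a small Python sketch of the DMARC decision described above: reading the 'p=' tag from a _dmarc TXT record and checking whether a DKIM or SPF result is aligned with the From: domain. The domains bigmail.example and lists.example.org, the policy record and the four scenarios are constructed; relaxed alignment is approximated by comparing the last two labels instead of using the Public Suffix List, and the pct= and sp= tags are ignored.

```python
RECORD = "v=DMARC1; p=reject"  # constructed sample of a _dmarc.<domain> TXT record

def parse_dmarc(txt):
    """Split a DMARC TXT record into its tags; None if it is not a usable DMARC1 record."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags if tags.get("v") == "DMARC1" and "p" in tags else None

def org_domain(domain):
    # Assumption: last two labels stand in for a Public Suffix List lookup.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(from_dom, auth_dom, mode):
    """mode 's' is strict (exact match); 'r' (the default) is relaxed."""
    if mode == "s":
        return from_dom.lower() == auth_dom.lower()
    return org_domain(from_dom) == org_domain(auth_dom)

def dmarc_disposition(record, from_dom, dkim, spf):
    """dkim: list of (d= domain, signature verified); spf: (MAIL FROM domain, passed)."""
    tags = parse_dmarc(record)
    if tags is None:
        return "no-policy"
    dkim_ok = any(ok and aligned(from_dom, d, tags.get("adkim", "r")) for d, ok in dkim)
    spf_ok = spf[1] and aligned(from_dom, spf[0], tags.get("aspf", "r"))
    # One aligned pass is enough; otherwise the From: domain's p= policy applies.
    return "pass" if dkim_ok or spf_ok else tags["p"].lower()

# Constructed scenarios, all with From: someone@bigmail.example.
SCENARIOS = {
    "sent directly": ([("bigmail.example", True)], ("bigmail.example", True)),
    # Unmodified forward: SPF fails at the new hop, the DKIM signature survives.
    "plain forward": ([("bigmail.example", True)], ("bigmail.example", False)),
    # List rewrote Subject: original signature broken, list's own one not aligned.
    "modifying list": ([("bigmail.example", False), ("lists.example.org", True)],
                       ("lists.example.org", True)),
    # Mail sent through some other gateway with no provider signature at all.
    "other gateway": ([], ("bigmail.example", False)),
}

def run_scenarios():
    return {name: dmarc_disposition(RECORD, "bigmail.example", dkim, spf)
            for name, (dkim, spf) in SCENARIOS.items()}

if __name__ == "__main__":
    for name, result in run_scenarios().items():
        print(f"{name}: {result}")
```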
PS: I suspect that more big free email providers are going to move to publishing DMARC 'reject' policies, assuming that things don't blow up spectacularly for Yahoo and AOL. Which I doubt they will.