How Yahoo's and AOL's DMARC 'reject' policies affect us

April 23, 2014

My whole interest in understanding DMARC started with the simple question of how Yahoo's and AOL's change to a DMARC 'reject' policy would affect us and our users, and how much of an effect it would have. The answer turns out to be that it will have some effects but nothing major.

The most important thing is that this change doesn't significantly affect either our users forwarding their email to places that pay attention to DMARC or our simple mailing lists, because neither of them normally modifies email on the way through (which means the DKIM signatures stay intact, which means that email really from Yahoo or AOL will still pass DMARC at the eventual destination). Of course it's possible that some people are forwarding email in ways that modify the message and thus may have problems, but if so they're doing something out of the ordinary; our simple mail forwarding doesn't do this.

(We allow users to run programs from their .forward files, so people can do almost arbitrarily complex things if they want to.)

There is one exception to this. Email that our commercial anti-spam system detects as being either spam or a virus has its Subject: header modified, which will invalidate any previously valid DKIM signature, which means that it will fail to forward through us to DMARC-respecting places (such as GMail). This would only affect people who forward all email (not just non-spam email) and then only if the email was legitimately from Yahoo or AOL in the first place (and got scored or mis-scored as spam). I think that this is a sufficiently small thing that I'm not worried about it, partly because places like GMail now seem to be even stricter than our anti-spam system is, so some percentage of potentially dodgy email is already not being forwarded successfully.

People who forward their email to DMARC-respecting places will be affected in one additional way. The simple way to put it is that our forwarding is now imperfect, in that we'll accept some legitimate messages but can't forward them successfully. These would be emails from legitimate Yahoo or AOL users that were either sent from outside those places or that got modified in transit by, e.g., mailing lists. A user who forwards their email to GMail is now losing these emails more or less silently (to the user). In extreme cases it's possible that they'll get unsubscribed from a mailing list due to these bounces.

This also affects any local user who was sending email out through our local mail gateway using their AOL or Yahoo From: address. To put it one way, I don't think we have very many people in this situation and I don't think that they'll have many problems fixing their configurations to work again.

(I'd like to monitor the amount of forwarding rejections but I can't think of a good way to dig the information out of our Exim logs, since mailing lists generally change the envelope sender address. This makes it tempting to have our inbound SMTP gateway do DMARC checks purely so I can see how many incoming messages fail them.)
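The cases discussed above can be walked through with a small DMARC evaluator. This is an added example, not code from the original entry or from any mail system it describes; the scenario names, the `example.org` list domain and the two-label organizational-domain shortcut are assumptions made for illustration.

```python
from dataclasses import dataclass

def org_domain(domain):
    # Assumption: the organizational domain is the last two labels. Real
    # implementations consult the Public Suffix List instead.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

@dataclass
class Message:
    header_from: str      # domain of the From: header address
    spf_result: str       # SPF result as seen by the final receiver
    envelope_domain: str  # domain of the MAIL FROM address that SPF checked
    dkim: list            # (d= domain, signature still verifies?) pairs

def dmarc_disposition(msg, policy):
    """Return 'pass', or the published policy if no aligned mechanism passes."""
    want = org_domain(msg.header_from)
    # SPF only counts when it passes AND the envelope domain aligns with From:.
    spf_ok = msg.spf_result == "pass" and org_domain(msg.envelope_domain) == want
    # DKIM only counts when a signature verifies AND its d= aligns with From:.
    dkim_ok = any(valid and org_domain(d) == want for d, valid in msg.dkim)
    return "pass" if (spf_ok or dkim_ok) else policy

# Constructed scenarios, each as seen by the final DMARC-respecting receiver.
SCENARIOS = {
    # Unmodified forward: SPF fails (forwarder's IP), DKIM survives.
    "plain_forward": Message("yahoo.com", "fail", "yahoo.com",
                             [("yahoo.com", True)]),
    # Anti-spam system rewrote Subject:, so the DKIM signature no longer verifies.
    "subject_tagged_forward": Message("yahoo.com", "fail", "yahoo.com",
                                      [("yahoo.com", False)]),
    # Modifying mailing list: SPF passes for the list's own envelope domain,
    # which is not aligned with From:, and the original signature is broken.
    "list_modified": Message("yahoo.com", "pass", "lists.example.org",
                             [("yahoo.com", False)]),
    # AOL From: address sent through an unrelated gateway: no aligned
    # signature and an SPF failure for aol.com.
    "sent_via_other_gateway": Message("aol.com", "fail", "aol.com", []),
}

def evaluate_all(policy="reject"):
    return {name: dmarc_disposition(m, policy) for name, m in SCENARIOS.items()}

if __name__ == "__main__":
    for name, result in evaluate_all().items():
        print(f"{name:24} {result}")
```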

PS: writing this entry has been a useful exercise in thinking through the full implications of our setup, as I initially forgot that our anti-spam filtering would invalidate DKIM signatures under some circumstances.

Written on 23 April 2014.

Last modified: Wed Apr 23 23:11:23 2014