How Yahoo's and AOL's DMARC 'reject' policies affect us
My whole interest in understanding DMARC started with the simple question of how Yahoo's and AOL's change to a DMARC 'reject' policy would affect us and our users, and how much of an effect it would have. The answer turns out to be that it will have some effects but nothing major.
The most important thing is that this change doesn't significantly affect either our users forwarding their email to places that pay attention to DMARC or our simple mailing lists because neither of them normally modify email on the way through (which means the DKIM signatures stay intact, which means that email really from Yahoo or AOL will still pass DMARC at the eventual destination). Of course it's possible that some people are forwarding email in ways that modify the message and thus may have problems, but if so they're doing something out of the ordinary; our simple mail forwarding doesn't do this.
(We allow users to run programs from their .forward files, so people can do almost arbitrarily complex things if they want to.)
There is one exception to this. Email that our commercial anti-spam system detects as being either spam or a virus has its header modified, which will invalidate any previously valid DKIM signature, which means that it will fail to forward through us to DMARC respecting places (such as GMail). This would only affect people who forward all email (not just non-spam email) and then only if the email was legitimately from Yahoo or AOL in the first place (and got scored or mis-scored as spam). I think that this is a sufficiently small thing that I'm not worried about it, partly because places like GMail now seem to be even stricter than our anti-spam system is so some percentage of potentially dodgy email is already not being forwarded successfully.
People who forward their email to DMARC-respecting places will be affected in one additional way. The simple way to put it is that our forwarding is now imperfect, in that we'll accept some legitimate messages but can't forward them successfully. These would be emails from legitimate Yahoo or AOL users that were either sent from outside those places or that got modified in transit by, eg, mailing lists. A user who forwards their email to GMail is now losing these emails more or less silently (to the user). In extreme cases it's possible that they'll get unsubscribed from a mailing list due to these bounces.
This also affects any local user who was sending email out through our local mail gateway using their AOL or Yahoo
To put it one way, I don't think we have very many people in this situation and I don't think that they'll have many problems fixing their configurations to work again.
(I'd like to monitor the amount of forwarding rejections but I can't think of a good way to dig the information out of our Exim logs, since mailing lists generally change the envelope sender address. This makes it tempting to have our inbound SMTP gateway do DMARC checks purely so I can see how many incoming messages fail them.)
PS: writing this entry has been a useful exercise in thinking through the full implications of our setup, as I initially forgot that our anti-spam filtering would invalidate DKIM signatures under some circumstances.