At least partially understanding DMARC
DMARC is suddenly on my mind because of the news that AOL changed its DMARC policy to 'reject', following the lead of Yahoo, which did this a couple of weeks ago.
The short version is that a DMARC 'reject' policy is what I originally thought DKIM was doing: it locks down email with a From: header of your domain so that only you can send it. More specifically, such email must not merely carry a valid DKIM signature; it must carry a signature whose d= domain matches the From: domain (or, as the other route, pass SPF with a MAIL FROM domain that matches the From: domain). In DMARC terminology this is called being 'aligned', and a message passes DMARC if either the DKIM identifier or the SPF identifier both passes and aligns. Note that the domain used to look up the DMARC policy is the From: domain, not the DKIM signature domain or the SPF domain; DMARC is deliberately evaluated on the address the recipient actually sees.
(DMARC also makes SPF matter in a new way: if you publish a 'reject' policy but don't DKIM-sign your mail, aligned SPF becomes the only way your mail can pass, and since forwarded mail fails SPF at the final recipient, you will have broken all email forwarding for your domain. You have to be sufficiently crazy to want that.)
This directly affects anyone who wants to send email with a From: of their Yahoo or AOL address but not do it through Yahoo/AOL's SMTP servers (their own mail server, a work relay, a hosted web application that sends 'as' them, and so on). Yahoo and AOL have now seized control of that and said 'no you can't, we forbid it by policy'. Any mail system that respects DMARC policies will automatically enforce this for AOL and Yahoo.
(Of course this power grab is not the primary goal of the exercise;
the primary goal is to cut off all of the spammers and other bad
actors that are attaching Yahoo and AOL
From: addresses to their
This indirectly affects anyone who has, for example, a mailing list (or a mail forwarding setup) that modifies the message as it goes through, by adding a footer to the body, tagging the Subject: with the list name, or otherwise touching anything the original signature covers. Such modifications invalidate the original DKIM signature of legitimate email from a Yahoo or AOL user. The list server's own identifiers don't rescue the message: any signature the list adds is for the list's domain, and SPF is checked against the list server, so neither aligns with the Yahoo or AOL From: domain. Both alignment routes fail, and downstream mailers that respect DMARC reject the message. The only way to get such modified emails past DMARC is to change the From: header away from Yahoo or AOL (typically to the list's own domain), at which point their DMARC 'reject' policies no longer apply and the policy that matters is whatever the new From: domain publishes.
DMARC by itself does not break simple mail relaying and forwarding (including for simple mailing lists), ie all things where the message and its signed headers are passed on unmodified. SPF will generally fail at the final recipient, because the mail now arrives from the forwarder's IP, but DMARC only needs one aligned identifier to pass: an unmodified message's DKIM signature is still valid even if it doesn't come directly from Yahoo or AOL (or whoever), so everything is good as far as DMARC is concerned.
Note that Yahoo and AOL are not the only people with a DMARC 'reject' policy. Twitter has one, for example. You can check a domain's DMARC policy (if any) by looking at the TXT record on _dmarc.<domain>, here _dmarc.twitter.com. The 'p=' tag is the important part: it states the policy the domain asks receivers to apply to unaligned mail, one of 'none' (just report), 'quarantine' or 'reject'.
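To make the alignment rules, the mailing list failure and the p= lookup concrete, here is an added example (mine, not code from this post or from any of the providers mentioned) that models a receiver's DMARC decision on top of already-computed DKIM and SPF results. The DMARC records, domains (sender.example, lists.example) and message bodies are constructed stand-ins; a real record is fetched with dig +short TXT _dmarc.<domain>. Relaxed alignment approximates the organizational domain as the last two labels instead of consulting the Public Suffix List, which is an assumption that is fine for these names but wrong for suffixes like co.uk.

```python
"""DMARC evaluation modelled on top of DKIM/SPF results (RFC 7489 semantics).

Added example for the post, not code from it. The DMARC records, domains and
messages below are constructed stand-ins, not the real records of Yahoo, AOL
or Twitter."""
import base64
import hashlib

# Constructed records. Fetch a real one with: dig +short TXT _dmarc.<domain>
SENDER_RECORD = "v=DMARC1; p=reject; rua=mailto:dmarc@sender.example"  # Yahoo/AOL-style reject policy
LIST_RECORD = "v=DMARC1; p=none"                                         # a list domain that only monitors


def parse_dmarc(txt):
    """Split 'v=DMARC1; p=reject; adkim=r' into a dict of tags; insist on v= and p=."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a DMARC record: %r" % txt)
    return tags


def org_domain(domain):
    """Organizational domain for relaxed alignment. RFC 7489 uses the Public
    Suffix List; this example approximates it as the last two labels, which is
    wrong for suffixes such as co.uk (assumption; fine for the names used here)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(from_domain, auth_domain, mode):
    """Identifier alignment: strict ('s') needs an exact match, relaxed ('r')
    only the same organizational domain. No passing identifier, no alignment."""
    if auth_domain is None:
        return False
    a, b = from_domain.lower().rstrip("."), auth_domain.lower().rstrip(".")
    return a == b if mode == "s" else org_domain(a) == org_domain(b)


def dmarc_disposition(record, from_domain, dkim_pass_domains, spf_pass_domain):
    """Return 'pass', or the p= action ('none', 'quarantine', 'reject') to apply.

    record:            DMARC TXT record found at _dmarc.<from_domain>
    from_domain:       domain of the From: header (the address the user sees)
    dkim_pass_domains: d= domains of the DKIM signatures that verified
    spf_pass_domain:   MAIL FROM domain if SPF passed, else None"""
    tags = parse_dmarc(record)
    adkim, aspf = tags.get("adkim", "r"), tags.get("aspf", "r")
    if any(aligned(from_domain, d, adkim) for d in dkim_pass_domains):
        return "pass"
    if aligned(from_domain, spf_pass_domain, aspf):
        return "pass"
    return tags["p"]


def dkim_body_hash(body):
    """bh= value under DKIM 'simple' body canonicalization (RFC 6376 3.4.3):
    CRLF line endings, trailing empty lines collapsed to one CRLF, then SHA-256."""
    lines = body.replace("\r\n", "\n").split("\n")
    while lines and lines[-1] == "":
        lines.pop()
    canonical = "\r\n".join(lines) + "\r\n"
    return base64.b64encode(hashlib.sha256(canonical.encode()).digest()).decode()


def scenarios():
    """The cases from the post, evaluated as a DMARC-enforcing receiver would."""
    body = "Hi list,\r\nsee you Tuesday.\r\n"                        # constructed message body
    with_footer = body + "--\r\nlist info: https://lists.example/info\r\n"
    r = {}
    # Sent through the sender domain's own servers: DKIM d= and MAIL FROM both align.
    r["direct"] = dmarc_disposition(SENDER_RECORD, "sender.example", ["sender.example"], "sender.example")
    # Plain forward: SPF fails at the final hop (forwarder's IP), but the untouched
    # body still verifies against the original signature, and DKIM alone suffices.
    r["forwarded_unmodified"] = dmarc_disposition(SENDER_RECORD, "sender.example", ["sender.example"], None)
    # Mailing list appends a footer: bh= no longer matches, so the original signature
    # fails; the list's own signature and SPF identify lists.example, which is not aligned.
    r["footer_changes_bh"] = dkim_body_hash(body) != dkim_body_hash(with_footer)
    r["list_with_footer"] = dmarc_disposition(SENDER_RECORD, "sender.example", ["lists.example"], "lists.example")
    # Same list, but From: rewritten to the list's domain: the lookup moves to
    # _dmarc.lists.example and the sender's reject policy no longer applies.
    r["list_from_rewritten"] = dmarc_disposition(LIST_RECORD, "lists.example", ["lists.example"], "lists.example")
    return r


if __name__ == "__main__":
    for name, result in scenarios().items():
        print("%-22s %s" % (name, result))
```

The point of splitting the decision into aligned() and dmarc_disposition() is that DMARC adds nothing cryptographic of its own: it only decides which of the existing DKIM and SPF results is allowed to count, by tying them to the From: domain. That is also why the footer case fails even though the list server signs and has correct SPF: the identifiers are genuine, just not the ones the recipient sees.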
PS: I suspect that more big free email providers are going to move to publishing DMARC 'reject' policies, assuming that things don't blow up spectacularly for Yahoo and AOL. Which I doubt they will.