YahooDMARC (15 Apr 2014, JaySekora)

Yahoo! DMARC changes and their implications for CSAIL mailing lists and forwarding

DMARC is an experimental mechanism intended to mitigate the risk of phishing and spoofed email, used by several large ISPs. (It's built on top of a couple of other standards called DKIM and SPF.)

In mid-April 2014, Yahoo! made a major change to their DMARC policy which has some risk of collateral damage to CSAIL's email reputation and problems for members of mailing lists hosted here.

Without getting into a lot of detail (searching for "yahoo", "dmarc", and "mailing-list" will get you a lot of discussion about Yahoo!'s configuration change, some of it very heated), the change means that if CSAIL forwards a piece of mail with a Yahoo! address in the "From:" line to some third party (or to a Yahoo! address itself), Yahoo! will tell that third party that the mail is not legitimate and should be rejected, resulting in a bounce.

There are a bunch of situations where this causes serious problems.

Mailing lists

If a Yahoo! user (say, yahoouser@yahoo.com) sends mail to a mailing list hosted at CSAIL, the mailing list forwards that mail to all the members of the mailing list, typically with some minor alteration such as a "here's how to unsubscribe" footer or a tag on the subject line, but with the original author of the message listed in the From: line so recipients know who originally sent the message.

However, if one of those other list recipients is also a Yahoo! user, or gets their mail through one of a handful of other ISPs that are using DMARC the same way, their mail server will see the message and follow Yahoo!'s instructions to reject the message (resulting in a bounce). The net result is that that copy of the message bounces for some fraction of the list membership, because Yahoo! is suggesting that other sites not accept mail that appears to be From: a Yahoo! email address if it was forwarded by a third party (such as a mailing list).

And that means (1) that lots of ISPs are seeing lots of mail from us that Yahoo!'s DMARC rules are telling them is illegitimate (which might contribute to them refusing other mail from us), and (2) that our mailing-list software (GNU Mailman) sees lots of bounces from particular addresses (not just the original Yahoo!-using senders) and, after enough such bounces, will decide those addresses must be bogus, disable mail delivery to them, and eventually unsubscribe them.

Forwarding

Depending on the particular configuration, forwarding of DMARC-covered email may work. However, it may also break in similar ways to mailing lists, depending on what characteristics of the message the domain (in this case Yahoo!) chooses to specify in their DMARC record, and whether or how the forwarding alters the message (e.g., to add an indication that the message was forwarded, add a disclaimer of responsibility, or the like). The situation would be that a Yahoo! user sends mail to a CSAIL email address which forwards to another Yahoo! user (or a user of one of a few other mail providers). The recipient checks the rules Yahoo! has published and refuses the mail, which bounces. This is not quite as serious a problem because the risk of collateral damage is smaller, but some naïve mail servers may take a DMARC verification failure (because we're forwarding mail for one of their users that a Yahoo! user originally sent to a CSAIL address) as actual evidence of phishing. And of course it would mean that the recipient doesn't get all their mail forwarded from their CSAIL address.

I believe Yahoo!'s current DMARC configuration means that the most typical cases of mail from a Yahoo! address to a CSAIL email address being forwarded will succeed. Also, very few CSAIL members forward their mail to a Yahoo! address (although note that some other email providers will also reject mail with @yahoo.* From: lines, and which ones do or don't may change over time).
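To make the alignment rules behind the mailing-list and forwarding cases above concrete, here is an added Python model (not code from this page, from Mailman, or from Yahoo!) of how a receiving site evaluates DMARC for three cases: direct delivery from Yahoo!, relay through a Mailman-style list that tags the subject and appends a footer, and unmodified alias forwarding. It assumes a toy digest in place of a real DKIM signature, a one-entry policy table, SPF reduced to "delivering MTA domain equals envelope domain", and placeholder domains such as csail.example.

```python
import hashlib
from dataclasses import dataclass
# Constructed policy table: Yahoo!'s post-April-2014 p=reject; unlisted domains get "none".
DMARC_POLICY = {"yahoo.com": "reject"}

@dataclass
class Message:
    from_addr: str       # RFC5322.From, the address DMARC aligns against
    envelope_from: str   # RFC5321.MailFrom, the address SPF is evaluated for
    mta_domain: str      # domain of the MTA handing the message to the receiver
    subject: str
    body: str
    dkim_domain: str = ""  # d= of the DKIM signature, if signed
    dkim_sig: str = ""     # toy signature: a digest over the signed content

def _signed_digest(msg):
    # Stand-in for a real DKIM signature: any change to From:, Subject: or body breaks it.
    return hashlib.sha256(f"{msg.from_addr}\n{msg.subject}\n{msg.body}".encode()).hexdigest()

def domain_of(addr):
    return addr.rsplit("@", 1)[1].lower()

def dmarc_disposition(msg):
    # Returns "pass", or the From: domain's policy ("reject", "quarantine", "none") on failure.
    from_dom = domain_of(msg.from_addr)
    policy = DMARC_POLICY.get(from_dom, "none")
    # SPF (modelled as MTA domain == envelope domain) only counts if the envelope domain matches From:.
    spf_pass = msg.mta_domain == domain_of(msg.envelope_from)
    spf_aligned = spf_pass and domain_of(msg.envelope_from) == from_dom
    # DKIM only counts if the signature still verifies AND its d= matches From:.
    dkim_aligned = bool(msg.dkim_domain) and msg.dkim_sig == _signed_digest(msg) and msg.dkim_domain == from_dom
    return "pass" if (spf_aligned or dkim_aligned) else policy

def yahoo_original():
    # Constructed sample: a Yahoo! user's message, DKIM-signed by Yahoo!, sent from Yahoo!'s MTA.
    m = Message("yahoouser@yahoo.com", "yahoouser@yahoo.com", "yahoo.com", "Meeting?", "See you at 3.")
    m.dkim_domain, m.dkim_sig = "yahoo.com", _signed_digest(m)
    return m

def relay_via_mailing_list(msg):
    # Mailman-style relay: list owns the envelope sender, tags the subject, adds a footer, keeps author's From:.
    return Message(msg.from_addr, "listname-bounces@csail.example", "csail.example",
                   "[listname] " + msg.subject, msg.body + "\n-- \nTo unsubscribe: ...",
                   msg.dkim_domain, msg.dkim_sig)

def forward_unmodified(msg):
    # Plain alias forwarding: new envelope sender and MTA, headers and body left untouched.
    return Message(msg.from_addr, "alias@csail.example", "csail.example",
                   msg.subject, msg.body, msg.dkim_domain, msg.dkim_sig)
```

The list relay fails both checks (SPF passes for the list's own domain but is not aligned with yahoo.com, and the subject tag breaks the DKIM signature), so the receiver applies p=reject; unmodified forwarding keeps the aligned DKIM signature intact and passes, which is why plain forwarding usually survives while list traffic bounces.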

Sending through CSAIL's servers with a non-CSAIL From: address

If you have multiple email addresses, you

[I'll finish this either from home or tomorrow. It's not yet linked anywhere.]
Topic revision: 15 Apr 2014, JaySekora
MIT Computer Science and Artificial Intelligence Laboratory