Re: [Mailman-Developers] Two more DMARC mitigations
Jim Popovitch writes:
> AND THEN, a (that very same senior admin?)
All are the same person I suppose, Elizabeth Zwicky.
> Yahoo! employee got involved in the DMARC spec and it became the bastardized DMARC spec.
Do you have specific complaints?
I like the DMARC spec as it stands. Yahoo! and AOL are abusing it, in exactly the same way that spammers abuse specs like RFCs 5321 and 5322. And with the same rationale: "because you can't stop us".
But that doesn't make it useless, any more than spammers make the fundamental standards for email useless. The informational parts of the protocol are a minor privacy invasion, I guess, but produce very useful data. Even the policy part is useful IMO. You just have to interpret it properly. "p=quarantine" == "p=we-have-a-security-problem-so-don't-trust-unauthenticated-mail-from-our-domain", and "p=reject" == "p=we-have-a-very-serious-security-problem-so-unauthenticated-mail-from-our-domain-is-almost-certainly-a-scam".
So tell your Yahoo! users that their mailbox provider has a very serious security problem, and labelled their posts as "almost certain scams."[1] :-)
Note that "security problem" here doesn't necessarily mean "security breached". It can also mean "we are a prominent target", as banks and other financial institutions are.
Footnotes: [1] I wouldn't be surprised if for those users whose contact lists were stolen 99% of the mail sent under their mailbox is from the spammers. ;-)
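An added example, not part of the original thread or of Mailman: a small parser that reads a domain's published DMARC record and maps its effective policy to the interpretation given in the message above. The sample records, function names and the wording for `p=none` are assumptions made for illustration.

```python
# Readings for quarantine/reject paraphrase the message above;
# the p=none wording is an assumption added for this example.
READINGS = {
    "none": "no specific handling requested (reporting only)",
    "quarantine": "security problem: don't trust unauthenticated mail from this domain",
    "reject": "very serious security problem: unauthenticated mail is almost certainly a scam",
}

def parse_dmarc(txt):
    """Parse a DMARC TXT record into a tag dict; None if it is not a DMARC1 record."""
    tags = {}
    parts = [s for s in txt.split(";") if s.strip()]
    for i, part in enumerate(parts):
        name, sep, value = part.partition("=")
        if not sep:
            return None  # every tag must be name=value
        name, value = name.strip().lower(), value.strip()
        if i == 0 and (name != "v" or value != "DMARC1"):
            return None  # v=DMARC1 must be the first tag
        tags.setdefault(name, value)  # first occurrence of a tag wins
    return tags or None

def effective_policy(txt, subdomain=False):
    """Return 'none', 'quarantine', 'reject', or None when no policy applies."""
    tags = parse_dmarc(txt)
    if tags is None:
        return None
    policy = tags.get("p", "").lower()
    if subdomain and "sp" in tags:
        policy = tags["sp"].lower()  # sp overrides p for subdomains
    if policy not in READINGS:
        # RFC 7489 6.6.3: a record without a valid policy is treated as p=none
        # when it carries a rua tag (simplified here to "rua is non-empty").
        return "none" if tags.get("rua") else None
    return policy

def reading(txt, subdomain=False):
    """Human-readable interpretation of the record, or a note that none applies."""
    policy = effective_policy(txt, subdomain)
    return READINGS.get(policy, "no usable DMARC policy published")

if __name__ == "__main__":
    # Constructed sample records, not taken from any real domain.
    for rec in ("v=DMARC1; p=reject; rua=mailto:agg@example.org",
                "v=DMARC1; p=quarantine; sp=none",
                "p=reject; v=DMARC1"):
        print(f"{rec!r}: {reading(rec)}")
```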
On Thu, Jun 12, 2014 at 9:59 PM, Stephen J. Turnbull <stephen@xemacs.org> wrote:
> Jim Popovitch writes:
>> AND THEN, a (that very same senior admin?)
> All are the same person I suppose, Elizabeth Zwicky.
>> Yahoo! employee got involved in the DMARC spec and it became the bastardized DMARC spec.
> Do you have specific complaints?
Yes. Unless it's not already understood... the original idea behind DMARC centered around non-human transactional emails (banking notifications, Facebook status updates, etc.). Elizabeth got involved and the spec was morphed (I say bastardized) to become what it is today, and how it is being used today.
-Jim P.