[Mailman-Users] Yahoo extends DMARC p=reject to other domains

Stephen J. Turnbull stephen at xemacs.org
Sun Apr 10 12:19:50 EDT 2016


Cedric Knight writes:
 > On 23/05/15 22:45, Allan Hansen wrote:
 > > I have waited almost a year for AOL and Yahoo to admit that they
 > > messed up and to remove their DMARC policy.
 > 
 > Me too.

For some good news: people working with DMARC have come up with a
protocol that may help lists with good reputations, and Mailman will
implement it this summer.

Now the bad news: they're not going to revert to p=none.  From
management's point of view, p=reject is a rather good solution to a
nasty problem.  The massive leaks of address books that made "referral
from a friend spam" possible mean they're committed to this
indefinitely, unless they do away with their traditional email
addresses (i.e., @aol.com and @yahoo.com).  But that could cost them
hundreds of millions of users.

It's certainly true that Yahoo! admins have stated that their little
April Fool's joke didn't cost them any users to speak of, which is all
that management really worried about, in view of the huge costs (both
technical -- a spike in mail flows to Yahoo! of 6X the normal level --
and reputational -- the huge amount of directed spam that was being
sent to correspondents of Yahoo users everywhere) involved in doing
nothing.

A year and a bit later Ms. Zwicky (who arguably is doing her best for
both Yahoo! users and Yahoo!'s bottom line, if lacking a little on the
corporate social responsibility side) said that they were still
getting probes that indicated that the spammers were ready to restart
their "campaigns" if p=reject were ever relaxed.  So they aren't going
to do that.

 > Sadly, Yahoo has recently (28 March) compounded their mess,

I guess their take on the current situation, two years later, is that
any indirect mailflows that they haven't already killed outright are
prepared to deal with this extension.

Anyway, I would say that any large email provider that keeps user
"friend" data on their servers (rather than on the user's machine)
needs to be prepared to publish p=reject in the event they get
cracked.  You don't have to like the situation, but don't waste
neurons hoping it will go away.

Steve



