Yahoo changed its DMARC policy for emails sent via third-party services.
If you send customers’ emails via third-party services like Mandrill, then this affects you.
Let’s start by looking at transactional emails.
What Are Transactional Emails
A transactional email is a one-to-one email of some kind.
You can contrast them with one-to-many emails such as newsletters that businesses send out to people on their email lists.
There are all kinds of transactional ‘one-to-one’ emails.
Some examples are the email that is sent when someone signs up to a service and the email that confirms that an online order has been placed.
If all your emails go from your own domain address, then there is no problem.
But if you allow customers to send emails via your service and you use their email addresses as the ‘sent-from’, then this concerns you.
What Are Transactional Email Services
A company that sends emails as part of its business could send emails from the email servers on its own web host.
The problem is that, unless the recipients reply, the company wouldn’t know whether the emails reached their destination.
Did they bounce? Were they marked as spam? Were they rejected by the recipients’ servers?
That’s where transactional email services come in.
Transactional email services have methods of checking whether the emails are delivered or bounced, whether they are marked as spam, or whether they are rejected.
And that’s the reason that a lot of businesses route their emails via transactional email services like Mandrill.
Mandrill
Mandrill is a transactional email service with hundreds of thousands of customers. It is efficient and fast.
Yahoo Changed Its Domain Message Authentication (DMARC) Policy
Two weeks ago Yahoo changed its policy.
It now prohibits third-party services (like Mandrill)
In other words, Yahoo’s new policy is that Yahoo emails can only go direct from Yahoo’s own mail servers to the recipient.
Any Yahoo emails that are routed via non-Yahoo servers are not allowed to get through because Yahoo tells the receiving domains to reject them if they did not travel directly from Yahoo’s servers.
It’s a bit like a message on a letter telling the person who receives it to refuse to accept it.
The technical way that Yahoo sends this instruction is through its Domain-based Message Authentication, Reporting and Conformance (DMARC) policy. The policy is not carried in the email itself: Yahoo publishes it as a DNS record for its domain, and the receiving domain looks it up to decide what to do with messages that claim a Yahoo ‘from’ address but did not travel direct from Yahoo’s servers.
Why Yahoo Changed Its Policy
We don’t know for sure the reason behind Yahoo’s new policy, but Mandrill wrote on their blog about why they think Yahoo has made the change:
So far, Yahoo hasn’t made any information public about this change. There’s some speculation that it’s an attempt to stop targeted phishing attacks where attackers are sending ‘from’ someone’s yahoo.com address in an attempt to get information to compromise the Yahoo account.
That speculation may well be correct because Yahoo is a known target for phishing attacks.
AOL Has Now Adopted The Same DMARC Policy As Yahoo
Mandrill’s Recommendation
Mandrill’s recommendation is:
If you’re sending on behalf of your users or others who have @yahoo.com addresses, you’ll want to change your emails to be sent ‘from’ a non-Yahoo address (probably your domain) with reference to the original sender’s address in the body. You can also set the ‘Reply-To’ header to include the original user’s Yahoo email address if replies should go to them instead of you.
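The recommendation above, worked through as an added example (it is not Mandrill's code and not from the original page): a sender checks the DMARC record of the user's domain and, when the policy is enforcing, rewrites ‘From’ to its own domain and puts the user's address in ‘Reply-To’ and the body. The domain mailer.example.com, the function names and the sample records are assumptions constructed for illustration; a real service would look up the TXT record at _dmarc.<domain> instead of using a table.

```python
from email.message import EmailMessage
from email.utils import formataddr

# Constructed sample DMARC TXT records, keyed by domain (illustrative values,
# not captured DNS data). A live lookup would query _dmarc.<domain>.
SAMPLE_DMARC = {
    "yahoo.com": "v=DMARC1; p=reject; pct=100",
    "aol.com": "v=DMARC1; p=reject",
    "example.org": "v=DMARC1; p=none",
}
SERVICE_DOMAIN = "mailer.example.com"  # assumption: the sending service's own domain


def dmarc_policy(record):
    """Return the p= tag of a DMARC record, or None if it is absent or invalid."""
    if not record:
        return None
    tags = {}
    for part in record.split(";"):
        name, sep, value = part.partition("=")
        if sep:
            tags[name.strip().lower()] = value.strip().lower()
    if tags.get("v") != "dmarc1":  # every DMARC record must declare v=DMARC1
        return None
    return tags.get("p")


def build_message(user_name, user_addr, to_addr, subject, body, records=SAMPLE_DMARC):
    """Build a mail sent on a user's behalf; rewrite From if their domain enforces DMARC."""
    domain = user_addr.rpartition("@")[2].lower()
    policy = dmarc_policy(records.get(domain))
    msg = EmailMessage()
    msg["To"] = to_addr
    msg["Subject"] = subject
    # The page discusses p=reject; p=quarantine is treated the same way here
    # because it also penalises mail that fails the check.
    if policy in ("reject", "quarantine"):
        msg["From"] = formataddr((f"{user_name} via Example", f"noreply@{SERVICE_DOMAIN}"))
        msg["Reply-To"] = formataddr((user_name, user_addr))  # replies go to the user
        body = f"Sent on behalf of {user_name} <{user_addr}>\n\n{body}"
    else:
        msg["From"] = formataddr((user_name, user_addr))
    msg.set_content(body)
    return msg
```
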