Zen Master: Blog

Back to Zen Master's Blog
April 15, 2014
Posted at 8:41 pm

New Email - Yahoo and DMARC

I've had this email address for a long time. I don't want to change it. However, it no longer works for everything. For the last couple of years, several of the biggest email hosts (Yahoo, Gmail, MS, etc) have been working on a solution for spam and phishing. They have developed one named DMARC that they claim can do what they want.
It allows Yahoo, for instance, to tell a receiver if this email from Nez_Retsam@Yahoo.com, for instance, really came from him (well, actually from Yahoo). The receiver can take the answer (yes or no) and make a decision. Further, the host can publish "policies" in the DNS that tell the receiver what the host thinks that the receiver should do with emails that fail, like 'trust' or 'monitor'.
Last weekend, about 10 days ago, Yahoo decided that no one except them mattered, and the published a policy that said "If email claiming to be from Yahoo fails DMARC you should reject it."
Now, that simple policy statement broke EVERY SINGLE FUCKING MAIL LIST SYSTEM IN THE WHOLE UNIVERSE. See, if I post an email (using my Yahoo address) to my church's mailing list saying "My iron broke; does anyone have one I can borrow?", the list will turn around and send it to everyone else on the church's email list so that I can hear from people who no longer iron, right? And, it shows up in everyone's in-box as an email from me because that's what email lists do, they redistribute email giving receivers a choice between "reply to sender" and "reply to list".
Now, since April 5th anyone with email hosted by Yahoo, Google/Gmail, MS/Hotmail, LinkedIn, ComCast, and a few other large email providers will check with Yahoo and be told that no, that email did NOT come from me (or Yahoo), and they don't know where it came from. Oh, yeah, you should reject that spam. So 60% of the world's email providers all bouncing emails back to your church's small mail-list will cause it to become blacklisted immediately as a spam-spewer eve if it doesn't crash from all the bounces.
That "innocent protective policy" broke every mailing list in the world. It even broke the IETF's main discussion list, because, you know, some of those engineers use Yahoo for this non-paying volunteer work. When their email managers finally got that figured out, their emergency suggestion to list operators everywhere was to "block anyone with a Yahoo address from posting until Yahoo fixes that".
Now, surely Yahoo will realize this was a mistake, right? I've been waiting for them to rescind that policy, but now Yahoo has finally published a clarifying letter on their own site. It basically says "We're doing this to control spam. Fuck anyone who uses email lists". And, I'm pretty active in a couple of email lists.
So, I'm moving to "ZM@TampaAD.net". I'll keep the Yahoo address for now, but as I get things moved over I'll check it less and less until I forget about it. If you want to contact me and don't want to see how often I check something broken, please use the new one.