Yahoo's DMARC policy wreaks havoc among mailing lists

Posted by   Virus Bulletin on   Apr 15, 2014

Collateral damage in instruction to reject emails with invalid DKIM signatures.

A change in Yahoo's DMARC policy has caused frustration among operators of many mailing lists and their subscribers.

On its official website, DMARC is described as standardizing "how email receivers perform email authentication using the well-known SPF and DKIM mechanisms". It was set up in 2012 by some of the bigger players in the email field, including Yahoo, Gmail, Facebook and PayPal.

Both SPF and DKIM are used primarily to authenticate email and to help ensure its correct delivery: SPF can confirm that the mail was sent from one of the mail servers belonging to the sender's domain, while DKIM adds a domain-based signature to the email. If an email was sent from a mail server belonging to and signed with's DKIM signature, it is very likely that it was indeed sent by and not by someone spoofing that domain.

Although neither standard makes a statement on whether authenticated emails are spam, when used together with domain-based reputation, the standards can help with the correct delivery of emails.

What DMARC adds to DKIM and SPF is to give domain owners a say over what receivers should do with emails that claim to have been sent from their domain, but which fail both SPF and DKIM checks. Depending on how much they trust their own records and how important they consider the risk of phishing compared with the risk of legitimate emails not being delivered, they can tell receivers to accept the emails anyway, to turn up the filters, or to reject the emails.

A recent survey among participants of our VBSpam tests showed that very few spam filters are currently checking the DMARC status of emails. Yet its adoption by many of the bigger players means that DMARC cannot be ignored in the current email landscape.

Yahoo's DMARC changes

Yahoo recently changed its DMARC policy to address a security problem. But, as John Levine has pointed out, in doing so it broke every mailing list in the world.

Yahoo apparently saw many phishing emails that forged the From: address to appear to have been sent from its servers. They weren't, and they did indeed lack a valid DKIM signature. Yahoo's decision to add a p=reject flag to its DMARC policy thus may seem reasonable: it told receivers to reject emails that claim to come from Yahoo yet which lack a valid DKIM signature.

However, there is one important case in which emails lack such a signature for a good reason: email discussion lists, more commonly known as mailing lists.

Mailing lists

Popular since the early days of the Internet, and still used by millions, mailing lists involve a central server that forwards emails from one subscriber to the list address to all other subscribers. While forwarding, most list servers modify the subject line of the email to include a 'list tag' and add a footer containing unsubscribe information to the bottom of the email. In doing so, they break any existing DKIM signatures.

To understand why this matters, imagine that Alice sends an email from her Yahoo address to a list server. The server adds a footer, modifies the subject and sends the email to the list's subscribers, including Bob's Gmail address.

Gmail's mail servers notice that the email sent to Bob has an invalid DKIM signature, yet it claims to come from Alice's Yahoo address (list servers typically don't modify the From: header). Following Yahoo's p=reject DMARC flag, rather than deliver the message to Bob, they bounce it back to the list server. The server notices the bounce and does what has long been best practice when messages bounce: it unsubscribes Bob from the list.

This issue isn't new: the same problem arose with the optional and now historic DKIM extension ADSP. Yet, while smaller domains caused problems for a few mailing lists, Yahoo is one of the largest email senders and there are very few lists that don't have any subscribers with a Yahoo address.

The issue has long divided the email community. Some argue that mailing lists have worked this way for decades and it is unreasonable to ask them to change because the relatively recent addition of DKIM has started to cause issues. Others say that leaving the From: address unchanged, while modifying subject and body, simply isn't desirable any more in today's email landscape. Indeed, this is what Yahoo said in defence of its policy.

I have a lot of sympathy for the former argument, which tends to be backed up by the RFCs. Yet Yahoo's changes (assuming they don't change their policy) may see the balance shift the other way. And perhaps that will be better in the long run.

The times are a-changin?

So why did Yahoo decide to ignore those of its users who subscribe to mailing lists?

Some have argued that it did so because it runs its own mailing lists (Yahoo Groups). I personally think the answer is more mundane. As Al Iverson suggests, it is likely that there are simply too few email users subscribing to mailing lists today to make them worth caring about in the face of significant abuse of their domain.

  Al Iverson's speculation on Yahoo's reason for changing its DMARC policy.

It is unlikely that the last words on DKIM and DMARC have been said. To find out more about the method's strengths and weaknesses, an article written by the aforementioned John Levine for Virus Bulletin provides a good introduction. At VB2014, Microsoft's Terry Zink will give a presentation on DMARC.

Posted on 15 April 2014 by Martijn Grooten



Latest posts:

In memoriam: Prof. Ross Anderson

We were very sorry to learn of the passing of Professor Ross Anderson a few days ago.

In memoriam: Dr Alan Solomon

We were very sorry to learn of the passing of industry pioneer Dr Alan Solomon earlier this week.

New paper: Nexus Android banking botnet – compromising C&C panels and dissecting mobile AppInjects

In a new paper, researchers Aditya K Sood and Rohit Bansal provide details of a security vulnerability in the Nexus Android botnet C&C panel that was exploited in order to gather threat intelligence, and present a model of mobile AppInjects.

New paper: Collector-stealer: a Russian origin credential and information extractor

In a new paper, F5 researchers Aditya K Sood and Rohit Chaturvedi present a 360 analysis of Collector-stealer, a Russian-origin credential and information extractor.

VB2021 localhost videos available on YouTube

VB has made all VB2021 localhost presentations available on the VB YouTube channel, so you can now watch - and share - any part of the conference freely and without registration.

We have placed cookies on your device in order to improve the functionality of this site, as outlined in our cookies policy. However, you may delete and block all cookies from this site and your use of the site will be unaffected. By continuing to browse this site, you are agreeing to Virus Bulletin's use of data as outlined in our privacy policy.