Nettime mailing list archives

<nettime> Yahoo: An Update on our DMARC Policy to Protect Our Users
nettime's_spam_kr!k!t on Mon, 14 Apr 2014 23:14:26 +0200 (CEST)

[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

<nettime> Yahoo: An Update on our DMARC Policy to Protect Our Users


An Update on our DMARC Policy to Protect Our Users

   By Jeff Bonforte, SVP of Communications Products

   Today I did a search on "we never locked our doors" and here are some
   of the top results:

     * "...until the 1980's."
     * "...when I was growing up."
     * "...because everybody knew everybody, and there was no crime..."
     * "...until about five years ago."
     * "...but now you have to make sure everything is locked up."

   Similarly, when email was designed over 30 years ago, everyone knew
   everyone, there was no crime and no need to "lock the doors".

   The world has changed. So while email is an essential tool for business
   and personal life, it is also the focus for some of those who endeavor
   to do us harm. The new normal across the web can include massive
   attempts at account hacking, email spoofing (forging sender identity)
   and phishing attacks (tricking a user to give up account credentials).

   The doors to your inbox need another lock.

   Because of the rise of spoofing and phishing attacks, the industry saw
   a need over two years ago to require emails to be sent more securely
   and formed an organization, including Yahoo, Google, Aol, Microsoft,
   LinkedIn, and Facebook, to work out a solution. The organization
   designed and built something called DMARC, or Domain-based Message
   Authentication, Reporting and Conformance. Today, 80% of US email user
   accounts and over 2B accounts globally can be protected by the DMARC

   On Friday afternoon last week, Yahoo made a simple change to its DMARC
   policy from "report" to "reject". In other words, we requested that all
   other mail services reject emails claiming to come from a Yahoo user,
   but not signed by Yahoo.

   Yahoo is the first major email provider in the world to adopt this
   aggressive level of DMARC policy on behalf of our users.

   And overnight, the bad guys who have used email spoofing to forge
   emails and launch phishing attempts pretending to come from a Yahoo
   Mail account were nearly stopped in their tracks.

   There is a regrettable, short-term impact to our more aggressive
   position on DMARC. Many legitimate emails sent on behalf of Yahoo Mail
   customers from third parties are also being rejected. We apologize for
   any inconvenience this may have caused.

   As we said at the start of post, for better or for worse, times have
   changed. We can no longer allow this massive security hole to remain
   for our customers and we believe the solution is simple - Yahoo
   requires external email service providers, such as those who manage
   distribution lists, to cease using unsigned "sent from" mail, and
   switch to a more accurate "sent on behalf of" policy. We know there are
   about 30,000 affected email sending services, but we also know that the
   change needed to support our new DMARC policy is important and not
   terribly  difficult to implement. We have detailed the changes we are
   requiring here.

   Already, many of the most popular mail services had made the necessary
   changes. For example, you can read the Tuesday blog post from
   MailChimp to its customers and positive feedback from Twitter as

   Another email service provider blogged, "it likely won't be long before
   all `from themselves, but not from themselves' emails are treated with
   the same scrutiny [as Yahoo] by other webmail services."

   With stricter DMARC policies, users are safer, and the bad guys will be
   in a tough spot. More importantly, verified senders will unlock a
   massive wave of innovation and advancement for all our inboxes.

   We have listed some useful resources where you can learn more about
   these important steps.

   - DMARC

   - DKIM

   - SPF

     * Apr 11th, 2014

#  distributed via <nettime>: no commercial use without permission
#  <nettime>  is a moderated mailing list for net criticism,
#  collaborative text filtering and cultural politics of the nets
#  more info: http://mx.kein.org/mailman/listinfo/nettime-l
#  archive: http://www.nettime.org contact: nettime {AT} kein.org