nettime's_spam_kr!k!t on Mon, 14 Apr 2014 23:14:26 +0200 (CEST)



<nettime> Yahoo: An Update on our DMARC Policy to Protect Our Users


<http://yahoo.tumblr.com/post/82426971544/an-update-on-our-dmarc-policy-to-protect-our-users>

An Update on our DMARC Policy to Protect Our Users

   By Jeff Bonforte, SVP of Communications Products

   Today I did a search on "we never locked our doors" and here are some
   of the top results:

     * "...until the 1980's."
     * "...when I was growing up."
     * "...because everybody knew everybody, and there was no crime..."
     * "...until about five years ago."
     * "...but now you have to make sure everything is locked up."

   Similarly, when email was designed over 30 years ago, everyone knew
   everyone, there was no crime and no need to "lock the doors".

   The world has changed. So while email is an essential tool for business
   and personal life, it is also the focus for some of those who endeavor
   to do us harm. The new normal across the web can include massive
   attempts at account hacking, email spoofing (forging sender identity)
   and phishing attacks (tricking a user to give up account credentials).

   The doors to your inbox need another lock.

   Because of the rise of spoofing and phishing attacks, the industry saw
   a need over two years ago to require emails to be sent more securely
   and formed an organization, including Yahoo, Google, Aol, Microsoft,
   LinkedIn, and Facebook, to work out a solution. The organization
   designed and built something called DMARC, or Domain-based Message
   Authentication, Reporting and Conformance. Today, 80% of US email user
   accounts and over 2B accounts globally can be protected by the DMARC
   standard.

   On Friday afternoon last week, Yahoo made a simple change to its DMARC
   policy from "report" to "reject". In other words, we requested that all
   other mail services reject emails claiming to come from a Yahoo user,
   but not signed by Yahoo.

   Yahoo is the first major email provider in the world to adopt this
   aggressive level of DMARC policy on behalf of our users.

   And overnight, the bad guys who have used email spoofing to forge
   emails and launch phishing attempts pretending to come from a Yahoo
   Mail account were nearly stopped in their tracks.

   There is a regrettable, short-term impact to our more aggressive
   position on DMARC. Many legitimate emails sent on behalf of Yahoo Mail
   customers from third parties are also being rejected. We apologize for
   any inconvenience this may have caused.

   As we said at the start of this post, for better or for worse, times
   have changed. We can no longer allow this massive security hole to
   remain for our customers and we believe the solution is simple - Yahoo
   requires external email service providers, such as those who manage
   distribution lists, to cease using unsigned "sent from" mail, and
   switch to a more accurate "sent on behalf of" policy. We know there are
   about 30,000 affected email sending services, but we also know that the
   change needed to support our new DMARC policy is important and not
   terribly difficult to implement. We have detailed the changes we are
   requiring here.

   Already, many of the most popular mail services had made the necessary
   changes. For example, you can read the Tuesday blog post from
   MailChimp to its customers and positive feedback from Twitter as
   well.

   Another email service provider blogged, "it likely won't be long before
   all 'from themselves, but not from themselves' emails are treated with
   the same scrutiny [as Yahoo] by other webmail services."

   With stricter DMARC policies, users are safer, and the bad guys will be
   in a tough spot. More importantly, verified senders will unlock a
   massive wave of innovation and advancement for all our inboxes.

   We have listed some useful resources where you can learn more about
   these important steps.

   - DMARC

   - DKIM

   - SPF

   Apr 11th, 2014


#  distributed via <nettime>: no commercial use without permission
#  <nettime>  is a moderated mailing list for net criticism,
#  collaborative text filtering and cultural politics of the nets
#  more info: http://mx.kein.org/mailman/listinfo/nettime-l
#  archive: http://www.nettime.org contact: nettime@kein.org
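The post says Yahoo moved its DMARC policy to "reject" and that mail sent "on behalf of" Yahoo users by third parties such as mailing lists is now bounced unless the sender switches to a "sent on behalf of" model. The following is an added example, not code from Yahoo, nettime or the quoted post: a minimal DMARC evaluator in the receiver's position, showing why a list that relays a yahoo.com author's message with the original From: header is rejected, and how rewriting From: to the list's own domain (the "sent on behalf of" approach) makes the same message pass. The DMARC records, header values, list address (discuss@example.org) and authentication results are all constructed for the demonstration; the organizational-domain lookup is a deliberate simplification of the Public Suffix List that real implementations use.

```python
"""Added example, not from the Yahoo post: a toy DMARC evaluator plus the
mailing-list From: rewrite that keeps relayed mail deliverable under p=reject.
All records, headers, addresses and auth results below are constructed."""
from dataclasses import dataclass
from email.utils import parseaddr, formataddr

# Constructed stand-ins for the TXT records a resolver would return for
# _dmarc.<domain>. p=none is the monitoring-only ("report") setting the post
# describes; p=reject is the policy Yahoo switched to.
DMARC_RECORDS = {
    "yahoo.com": "v=DMARC1; p=reject; rua=mailto:dmarc-reports@yahoo.com",
    "example.org": "v=DMARC1; p=none; rua=mailto:dmarc@example.org",
}


def parse_dmarc(txt):
    """Split 'tag=value; tag=value' into a dict with lower-cased tag names."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def org_domain(domain):
    """Organizational domain for relaxed alignment. Assumption for this demo:
    keep the last two labels. Real code uses the Public Suffix List (this
    shortcut is wrong for suffixes such as co.uk)."""
    return ".".join(domain.lower().split(".")[-2:])


def aligned(auth_domain, from_domain, mode):
    """'s' = strict (exact match); 'r' = relaxed (same organizational domain)."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


@dataclass
class AuthResults:
    """What the receiver's own SPF and DKIM checks produced for one message."""
    spf_result: str   # "pass" / "fail" / "none"
    spf_domain: str   # envelope MAIL FROM domain that SPF was checked against
    dkim_result: str  # "pass" / "fail" / "none"
    dkim_domain: str  # d= tag of the verified DKIM signature


def evaluate_dmarc(headers, auth):
    """Return (disposition, reason): 'pass', or the From: domain's p= policy
    when no passing authenticator aligns with the From: domain."""
    from_domain = parseaddr(headers["From"])[1].rsplit("@", 1)[1].lower()
    record = DMARC_RECORDS.get(from_domain)
    if record is None:
        return "none", f"{from_domain} publishes no DMARC record"
    tags = parse_dmarc(record)
    spf_ok = (auth.spf_result == "pass"
              and aligned(auth.spf_domain, from_domain, tags.get("aspf", "r")))
    dkim_ok = (auth.dkim_result == "pass"
               and aligned(auth.dkim_domain, from_domain, tags.get("adkim", "r")))
    if spf_ok or dkim_ok:
        return "pass", "an aligned SPF or DKIM result passed"
    return tags.get("p", "none"), (
        f"neither SPF ({auth.spf_domain}) nor DKIM ({auth.dkim_domain}) "
        f"aligns with From: {from_domain}")


def rewrite_from_for_list(headers, list_name, list_addr):
    """The 'sent on behalf of' fix: the list becomes the From: author of
    record (so its own DKIM signature aligns) and the original author is
    preserved in Reply-To and a hypothetical X-Original-From header."""
    name, addr = parseaddr(headers["From"])
    new = dict(headers)
    new["From"] = formataddr((f"{name or addr} via {list_name}", list_addr))
    new.setdefault("Reply-To", headers["From"])
    new["X-Original-From"] = headers["From"]
    return new


# Constructed scenario: alice posts from Yahoo to a list at example.org. The
# list re-sends with its own bounce address (so SPF is checked against
# list.example.org) and its own DKIM signature (d=example.org), but leaves
# the From: header untouched.
ORIGINAL = {"From": "Alice <alice@yahoo.com>", "Subject": "hello list"}
LIST_AUTH = AuthResults("pass", "list.example.org", "pass", "example.org")


def demo():
    """Disposition before and after the rewrite, plus the rewritten From:."""
    before = evaluate_dmarc(ORIGINAL, LIST_AUTH)
    fixed = rewrite_from_for_list(ORIGINAL, "discuss", "discuss@example.org")
    after = evaluate_dmarc(fixed, LIST_AUTH)
    return before[0], after[0], fixed["From"]


if __name__ == "__main__":
    print(demo())  # ('reject', 'pass', 'Alice via discuss <discuss@example.org>')
```

The relayed message fails because both authenticators that pass belong to example.org while the From: header still claims yahoo.com, which is exactly the "from themselves, but not from themselves" case the post quotes. Note that the rewrite only helps if the list's own domain either publishes a permissive policy or signs with an aligned DKIM key; a list that rewrites From: but still sends unsigned, or from a domain with no aligned authentication, gains nothing.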