Yahoo Email Change Causes Mailing List Havoc

There's been an important and very bad development in the mailing list world. There's a new spam/phishing prevention tool called "DMARC" that was developed by several of the largest email providers (Yahoo, Gmail, Facebook, Paypal). I'm not an expert, but here's how I understand it works, and the problem that it causes:

The purpose of DMARC is to check whether all of the headers and other content of an email are consistent and warn the recipient mail system if they are not. For example, if someone tries to send from a yahoo.com email address to a gmail.com user from outside Yahoo's network, that breaks the DMARC signature, and Yahoo then notifies Gmail that it is a forged or otherwise suspicious message. Yahoo can choose to simply issue a warning, or can actually instruct the receiving server to bounce the message back to the sender. This is a good thing to stop forgeries and phishing attempts. However, it can also interfere with how mailing lists work.

The problem is that mailing lists almost by definition break the DMARC signature by adding/changing header fields and even by adding the "unsubscribe" footer at the bottom of the message. If a DMARC mismatch just causes a warning, no real harm is done.

However, in early April 2014, Yahoo changed their policy from just warning about a DMARC mismatch to instructing other mail servers to bounce any message with a broken signature.

As a result, if bob@yahoo.com sends an email to time-nuts@febo.com, we will retransmit that message still showing "bob@yahoo.com" in the email "From:" header (required if someone wants to reply directly back to Bob), but with the header changes made by the mailman list software. When the list message is sent to alice@gmail.com (or any other DMARC-compliant mail provider), the server there will see that the DMARC signature doesn't match, will check with Yahoo, and will learn that it should bounce the message back to the mailing list server.

So the message for Alice gets bounced back to febo.com, where mailman says "OK, this is bounce #5 in the last few days from alice@gmail.com, so her address is probably bad and I'll unsubscribe her." And she is no longer on the mailing list. Neither is Bob, since Yahoo will also bounce his copy of the list message back to the server and he will suffer the same unsubscription fate.

As you can see, this process ultimately results in not only Yahoo users, but other list subscribers who use a DMARC-compliant mail service, being unsubscribed even though they've done nothing at all wrong.
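To make the Bob-and-Alice scenario above concrete, here is an added example (not part of the original post, and not Mailman's or any provider's code) that models the check a receiving server like Gmail performs: it looks up the From domain's DMARC record, tests whether a verified DKIM signature or an SPF pass aligns with that domain, and applies the published policy. The DMARC record table and the message facts are constructed for the demonstration; the organizational-domain rule is simplified to the last two labels.

```python
# Added example: a minimal model of DMARC evaluation at a receiving mail server.
# The DNS table below is constructed for the demo; it is not a real published record.

def parse_dmarc_record(txt):
    """Parse a DMARC TXT record such as 'v=DMARC1; p=reject' into tag/value pairs."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        raise ValueError("not a DMARC1 record")
    tags.setdefault("p", "none")    # policy: none | quarantine | reject
    tags.setdefault("adkim", "r")   # DKIM alignment: r(elaxed) | s(trict)
    tags.setdefault("aspf", "r")    # SPF alignment:  r(elaxed) | s(trict)
    return tags

def org_domain(domain):
    """Organizational domain, simplified to the last two labels (real DMARC uses the Public Suffix List)."""
    return ".".join(domain.lower().split(".")[-2:])

def aligned(from_domain, auth_domain, mode):
    """Strict alignment needs an exact match; relaxed alignment needs the same organizational domain."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)

def evaluate_dmarc(from_domain, dkim_results, spf_domain, spf_pass, dns):
    """Return (dmarc_result, disposition) for the RFC5322.From domain.
    dkim_results: list of (d= domain, signature_verified) per DKIM-Signature header
    spf_domain/spf_pass: envelope MAIL FROM domain and whether SPF passed for it
    dns: dict of domain -> DMARC TXT record, standing in for the DNS lookup"""
    record = dns.get(from_domain) or dns.get(org_domain(from_domain))
    if record is None:
        return "none", "accept"  # no policy published, nothing to enforce
    policy = parse_dmarc_record(record)
    dkim_ok = any(ok and aligned(from_domain, d, policy["adkim"]) for d, ok in dkim_results)
    spf_ok = spf_pass and aligned(from_domain, spf_domain, policy["aspf"])
    if dkim_ok or spf_ok:
        return "pass", "accept"
    return "fail", {"none": "accept", "quarantine": "quarantine", "reject": "reject"}[policy["p"]]

# Constructed policy table: the sender's domain publishes p=reject, the list's domain publishes nothing.
DNS = {"yahoo.com": "v=DMARC1; p=reject"}

def direct_from_yahoo():
    # Bob mails Alice directly: Yahoo's DKIM signature verifies and SPF passes for yahoo.com.
    return evaluate_dmarc("yahoo.com", [("yahoo.com", True)], "yahoo.com", True, DNS)

def relayed_by_list():
    # Same message via the list: From: is still bob@yahoo.com, but the footer broke Yahoo's
    # DKIM signature and the envelope sender is now the list server, so nothing aligns.
    return evaluate_dmarc("yahoo.com", [("yahoo.com", False)], "febo.com", True, DNS)
```

Swapping the constructed record for `v=DMARC1; p=none` turns the same relayed message into a monitored-but-delivered one, which is the difference between Yahoo's old and new policy described above.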

Here's an article describing the problem, probably better than I did: http://www.virusbtn.com/blog/2014/04_15.xml.

Based on some Google searching, at this time there doesn't appear to be any way for mailing list software to avoid the issue unless it dumbs itself down to the point where it's simply acting as a message forwarder and doesn't provide any of the added capabilities that we take for granted.

One option that would help at the moment would be to reject any list message coming from a Yahoo user, but that's not exactly optimal. And if Gmail were to adopt the same policy, we'd have to block Gmail users, too. That's not a useful road to travel.

I'm honestly not sure what will happen next, and am keeping my eyes open for any developments. In the meantime, my apologies for any inconvenience this situation causes.