Marketing’s Weekly Dose of the Truth

Ken Magill

About Us

Gmail 'Reject' Policy Should Roll Out Smoothly: Expert

By Ken Magill
When Yahoo! set its Domain-based Message Authentication, Reporting and Conformance, or DMARC (dee-mark) policy to p=reject last year, for some chaos ensued.
People sending messages from Yahoo! accounts through servers with different domains—some discussion-list operators, for example—couldn’t get their messages delivered.
Yahoo! had good reason for the stricter policy. It was under attack by spoofers and phishers.
“Yahoo is the first major email provider in the world to adopt this aggressive level of DMARC policy on behalf of our users,” the company said in a statement published a week after the policy change.
“And overnight, the bad guys who have used email spoofing to forge emails and launch phishing attempts pretending to come from a Yahoo Mail account were nearly stopped in their tracks."
DMARC is an extension of email authentication, where senders publish certain information, such as what IP addresses are authorized to send messages on their brand’s behalf, so the ISPs can more readily identify email coming from those brands.
DMARC also allows the sender to instruct the ISPs what they would like done with phony messages pretending to be from their brand, such as quarantine or block them.
On October 5th, Yahoo announced it would expand its use of DMARC to its and services.
Yahoo! set its DMARC policy for to block last year. AOL quickly followed suit. Google will be instructing ISPs to block unauthenticated messages purporting to come from Gmail starting in June.
Yahoo! acknowledged its DMARC policy change negatively affected some good guys.
“There is a regrettable, short-term impact to our more aggressive position on DMARC. Many legitimate emails sent on behalf of Yahoo Mail customers from third parties are also being rejected. We apologize for any inconvenience this may have caused.”
When Google sets its DMARC policy to p=reject, scheduled for June 2016, things should go much more smoothly, according to an expert.
“The reason Google are doing this is people are abusing the domain,” said Rob Holmes, general manager, email fraud protection for Return Path. Setting DMARC to p=reject “means a cleaner, safer Internet for people receiving email from addresses at Gmail.”
So what’s different? Enter Authenticated Received Chain or ARC.
“With Authentication Received Chain, [the message] retains the original authentication result,” said Holmes. “So in the example where I’m sending a message from Yahoo! and it hits a mailing-list or distribution server, it will authenticate correctly. … It [ARC] addresses that edge-use case.”
“We are pleased to be supporting the ARC protocol to help mailing list operators adapt to the need for strong authentication,” said John Rae-Grant, lead product manager for Gmail in a statement published on
“When Yahoo and AOL began protecting their customers from abuse, there was a small percentage of users who were negatively impacted by the change,” said the statement. “To address these issues, several workarounds were quickly deployed by service providers and mailing lists, and two long-term solutions were submitted to the IETF for consideration. One of these, the Authenticated Received Chain (ARC), is being presented at the Messaging, Malware and Mobile Anti-Abuse Working Group (M3AAWG) meeting in Atlanta, Georgia.”

Show: Newest | Oldest

Post a Comment
Your Name:
Please type the letters in the image above

Terms: Feel free to be as big a jerk as you want, but don't attack anyone other than me personally. And don't criticize people or companies other than me anonymously. Got something crappy to say? Say it under your real name. Anonymous potshots and personal attacks aimed at me, however, are fine.