Gmail 'Reject' Policy Should Roll Out Smoothly: Expert
By Ken Magill
When Yahoo! set its Domain-based Message Authentication, Reporting and Conformance, or DMARC (dee-mark), policy to p=reject last year, chaos ensued for some senders.
People sending messages from Yahoo! accounts through third-party servers in other domains (discussion-list operators, for example) couldn't get their messages delivered, because relaying through those servers broke the authentication that the new policy required.
Yahoo! had good reason for the stricter policy. It was under attack by spoofers and phishers.
“Yahoo is the first major email provider in the world to adopt this aggressive level of DMARC policy on behalf of our users,” the company said in a statement published a week after the policy change.
“And overnight, the bad guys who have used email spoofing to forge emails and launch phishing attempts pretending to come from a Yahoo Mail account were nearly stopped in their tracks."
DMARC builds on the existing email authentication mechanisms SPF and DKIM, under which senders publish information in DNS, such as which IP addresses are authorized to send messages for their domain, so that ISPs can more readily tell whether a message really comes from that brand.
A DMARC record, also published in DNS, lets the domain owner tell receiving ISPs what to do with messages that fail authentication yet claim to be from the brand: monitor only (p=none), quarantine them (p=quarantine) or reject them outright (p=reject), and where to send reports on what was seen.
On October 5th, Yahoo announced it would expand its use of DMARC to its ymail.com and rocketmail.com services.
Yahoo! set its DMARC policy for yahoo.com to p=reject last year. AOL quickly followed suit. Google will be instructing receiving ISPs to reject unauthenticated messages purporting to come from gmail.com starting in June.
Yahoo! acknowledged its DMARC policy change negatively affected some good guys.
“There is a regrettable, short-term impact to our more aggressive position on DMARC. Many legitimate emails sent on behalf of Yahoo Mail customers from third parties are also being rejected. We apologize for any inconvenience this may have caused.”
When Google sets its DMARC policy to p=reject, scheduled for June 2016, things should go much more smoothly, according to an expert.
“The reason Google are doing this is people are abusing the Gmail.com domain,” said Rob Holmes, general manager, email fraud protection for Return Path. Setting DMARC to p=reject “means a cleaner, safer Internet for people receiving email from addresses at Gmail.”
So what's different? Enter Authenticated Received Chain, or ARC, which lets an intermediary such as a mailing list record the authentication results it saw on arrival and sign that record, so the final receiver can still see that the message originally authenticated.
“With Authentication Received Chain, [the message] retains the original authentication result,” said Holmes. “So in the example where I’m sending a message from Yahoo! and it hits a mailing-list or distribution server, it will authenticate correctly. … It [ARC] addresses that edge-use case.”
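A concrete illustration of the mechanics described above, as an added example (not code from the article, nor from Return Path, Google or Yahoo!): a small Python model of a DMARC check that shows why a p=reject policy rejects Yahoo-originated mail relayed through a mailing list, and how an ARC chain sealed by an intermediary the receiver trusts lets it recover the original authentication result. The domains yahoo.example and list.example, the DMARC record, the trusted-sealer list and the simplified organizational-domain logic are all assumptions chosen for illustration.

```python
"""Model of DMARC evaluation plus an ARC override (added example, not
the article's or any vendor's code).  Domains, record and trust list are
constructed for illustration."""
from dataclasses import dataclass


def parse_dmarc_record(txt):
    """Parse the tag=value pairs of a DMARC TXT record (RFC 7489 syntax)."""
    tags = {}
    for part in txt.split(";"):
        if part.strip():
            key, _, value = part.strip().partition("=")
            tags[key.strip()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record: %r" % txt)
    return tags


def org_domain(domain):
    """Organizational domain, approximated as the last two labels.
    Assumption: a real verifier consults the Public Suffix List instead."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(from_domain, auth_domain, mode):
    """Identifier alignment: 's' strict = exact match, 'r' relaxed = same org domain."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


@dataclass
class AuthResults:
    spf_pass: bool
    spf_domain: str    # MAIL FROM domain that SPF evaluated
    dkim_pass: bool
    dkim_domain: str   # d= of a verified DKIM signature, or "" if none


def dmarc_disposition(from_domain, record_txt, results):
    """'pass' if SPF or DKIM passes AND aligns with the From: domain,
    otherwise the action the From: domain's record requests (p= tag)."""
    tags = parse_dmarc_record(record_txt)
    spf_ok = results.spf_pass and aligned(from_domain, results.spf_domain, tags.get("aspf", "r"))
    dkim_ok = bool(results.dkim_pass and results.dkim_domain
                   and aligned(from_domain, results.dkim_domain, tags.get("adkim", "r")))
    return "pass" if (spf_ok or dkim_ok) else tags.get("p", "none")


@dataclass
class ArcSet:
    instance: int      # i= shared by the AAR, AMS and AS headers of one hop
    sealer: str        # d= of the ARC-Seal
    seal_valid: bool   # outcome of verifying that hop's AS/AMS signatures
    cv: str            # chain-validation status the sealer recorded: none/pass/fail
    aar: AuthResults   # Authentication-Results the sealer observed on arrival


def chain_valid(chain):
    """Consecutive instances from 1, every seal verified, i=1 carries cv=none
    and every later seal carries cv=pass."""
    if not chain:
        return False
    for n, hop in enumerate(chain, start=1):
        if hop.instance != n or not hop.seal_valid:
            return False
        if hop.cv != ("none" if n == 1 else "pass"):
            return False
    return True


def evaluate(from_domain, record_txt, results, chain=(), trusted_sealers=frozenset()):
    """Local DMARC result first.  If it fails, a valid ARC chain whose sealers
    are all trusted lets us re-evaluate on the first hop's recorded results.
    Design choice: anyone can build a chain, so only trusted sealers count."""
    local = dmarc_disposition(from_domain, record_txt, results)
    if local == "pass" or not chain_valid(chain):
        return local
    if not all(hop.sealer in trusted_sealers for hop in chain):
        return local
    if dmarc_disposition(from_domain, record_txt, chain[0].aar) == "pass":
        return "pass (ARC override)"
    return local


# Constructed sample: a Yahoo-like sender with p=reject, seen at the final
# receiver either directly or after relay through a list that rewrote
# MAIL FROM to its own domain and appended a footer (breaking DKIM).
SENDER_RECORD = "v=DMARC1; p=reject; rua=mailto:dmarc-reports@yahoo.example"
FROM_DOMAIN = "yahoo.example"
DIRECT = AuthResults(spf_pass=True, spf_domain="yahoo.example",
                     dkim_pass=True, dkim_domain="yahoo.example")
VIA_LIST = AuthResults(spf_pass=True, spf_domain="list.example",
                       dkim_pass=False, dkim_domain="")
LIST_ARC = (ArcSet(instance=1, sealer="list.example", seal_valid=True,
                   cv="none", aar=DIRECT),)


def demo():
    trusted = frozenset({"list.example"})
    return {
        "direct": evaluate(FROM_DOMAIN, SENDER_RECORD, DIRECT),
        "via_list_no_arc": evaluate(FROM_DOMAIN, SENDER_RECORD, VIA_LIST),
        "via_list_arc_trusted": evaluate(FROM_DOMAIN, SENDER_RECORD, VIA_LIST, LIST_ARC, trusted),
        "via_list_arc_untrusted": evaluate(FROM_DOMAIN, SENDER_RECORD, VIA_LIST, LIST_ARC),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:24s} -> {result}")
```

The second and fourth cases are the point: without ARC the relayed message fails both aligned checks and the sender's p=reject is honoured, and an ARC chain from a sealer the receiver does not trust changes nothing, since any spoofer can seal a chain of their own. Only when the receiver has decided to trust the list's seal does the first hop's recorded result override the local failure.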
“We are pleased to be supporting the ARC protocol to help mailing list operators adapt to the need for strong authentication,” said John Rae-Grant, lead product manager for Gmail, in a statement published on DMARC.org.
“When Yahoo and AOL began protecting their customers from abuse, there was a small percentage of users who were negatively impacted by the change,” said the statement. “To address these issues, several workarounds were quickly deployed by service providers and mailing lists, and two long-term solutions were submitted to the IETF for consideration. One of these, the Authenticated Received Chain (ARC), is being presented at the Messaging, Malware and Mobile Anti-Abuse Working Group (M3AAWG) meeting in Atlanta, Georgia.”