DMARC Anti-Spoofing Error When Sending Email with Sender Yahoo Domain Other Than Server Domain

StackOverflow https://stackoverflow.com/questions/22968931

30-06-2023

Question

I am using our email server at [mydomainhere].com to send emails through a web site UI. I just used the UI to send an email from [myemail]@yahoo.com. And received an Undeliverable message at my yahoo email address.

mta1400.mail.ne1.yahoo.com rejected your message to the following e-mail addresses: [myemail]@yahoo.com mta1400.mail.ne1.yahoo.com gave this error: Message not accepted for policy reasons. See http://postmaster.yahoo.com/errors/postmaster-28.html

More information can be found here: http://www.pcworld.com/article/2141120/yahoo-email-antispoofing-policy-breaks-mailing-lists.html

Any help would be appreciated.


Solution

Yes Allan, you are correct in assuming that the anti-spoofing that Yahoo (and now AOL) have turned on is permanent. The technology they are using is called DMARC. Yahoo has published a DMARC record in their DNS:

    $ dig TXT _dmarc.yahoo.com. +short
    "v=DMARC1; p=reject; sp=none; pct=100; rua=mailto:dmarc-yahoo-rua@yahoo-inc.com, mailto:dmarc_y_rua@yahoo.com;"

Every mail server that supports DMARC will look up that record in Yahoo's DNS and apply Yahoo's p=reject policy. In effect, what Yahoo has done is stated to the world, "if the email does not originate from this list of IPs (SPF) or bear this cryptographic signature (DKIM), then reject (p=reject) it." Since your mail server is not in their list of mail servers' IPs, nor are the messages signed with Yahoo's DKIM key, a substantial and growing portion of the mail servers on the internet are going to reject it or deliver it to the Spam folder (Gmail).

In addition to the SPF & DKIM checks, DMARC also introduces the concept of alignment. In addition to passing SPF checks (which apply to the Envelope Sender), DMARC requires that the domain in the message's 'From' header passes SPF. This prevents you (and bad actors) from sending messages with a header From domain of Yahoo.com and an Envelope Sender domain of attacker.com, which the recipient will never see. This alignment also extends to the DKIM signature, requiring not just that the message is signed with DKIM, but also that the DKIM signature domain (d= property) matches the From header domain.

"we will just have to prevent users from using their yahoo email address in the sender email field"

Coding in a check for the yahoo.com domain is a hack that won't last long. AOL has already joined the thousands of domain owners with DMARC p=reject policies. They won't be the last of the Very Large Email providers to publish p=reject DMARC policies. A much safer approach is to evaluate SPF against your mail server's public IP and the domain in the user's selected email address. If the SPF check fails, then choose an option:

  1. Inform the user that their choice of domains doesn't permit 3rd party senders and they should choose another.

  2. Alter the From header to send from a domain you control:

    From: "user@yahoo.com via" <my-app@my-domain.com>

    As already stated, you could define Reply-To if you wish for replies to expose the sender's real email address.

  3. Set up local usernames that forward to the sender's real email address. If you've used Craigslist, you're familiar with the idea. You maintain a mapping of local addresses and the email address they forward to.

Based on what you've said about your web application, it seems like #2 is the best fit.
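As an added example (not code from the answer above), the following Python reads a DMARC record of the form quoted in the answer and applies option #2: any From address that is not on the server's own domain is rewritten to the "user@yahoo.com via" form with Reply-To carrying the real address. The DNS lookup is replaced by a constructed table, and OUR_DOMAIN and APP_SENDER are assumed values.

```python
from email.message import EmailMessage
from email.utils import formataddr, parseaddr

# Constructed stand-in for a DNS TXT lookup: the record quoted in the answer plus a p=none one.
SAMPLE_DMARC = {
    "yahoo.com": ("v=DMARC1; p=reject; sp=none; pct=100; "
                  "rua=mailto:dmarc-yahoo-rua@yahoo-inc.com, mailto:dmarc_y_rua@yahoo.com;"),
    "example.org": "v=DMARC1; p=none; rua=mailto:reports@example.org",
}
OUR_DOMAIN = "my-domain.com"          # assumed: the domain our server is SPF/DKIM-authorized for
APP_SENDER = "my-app@" + OUR_DOMAIN   # assumed: the address the answer rewrites From to

def parse_dmarc(record):
    """Split a 'tag=value; tag=value' TXT record into a dict; {} unless it is a DMARC1 record."""
    tags = {}
    for part in record.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    return tags if tags.get("v", "").upper() == "DMARC1" else {}

def dmarc_policy(domain, lookup=SAMPLE_DMARC.get):
    """Effective p= policy for a domain; 'none' when nothing is published."""
    return parse_dmarc(lookup(domain.lower()) or "").get("p", "none").lower()

def build_message(user_addr):
    """Return an EmailMessage whose From header will pass DMARC alignment from OUR_DOMAIN."""
    name, addr = parseaddr(user_addr)
    from_domain = addr.rpartition("@")[2].lower()
    msg = EmailMessage()
    if from_domain == OUR_DOMAIN:
        # Aligned: envelope sender, From domain and DKIM d= are all ours; send verbatim.
        msg["From"] = formataddr((name, addr))
        return msg
    # Any other domain cannot pass aligned SPF or DKIM from our server, whatever its
    # p= policy says, so apply option #2: our address in From, the real one in Reply-To.
    msg["From"] = formataddr((f"{addr} via", APP_SENDER))
    msg["Reply-To"] = addr
    return msg
```

dmarc_policy() is kept separate so the application can log why a rewrite happened (p=reject at Yahoo, p=none elsewhere) without changing the decision.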

OTHER TIPS

I have had a similar problem with mailing lists that I maintain (e-mails with a From address something@yahoo.com bounced). I solved my problem by changing the From, Reply-to and Errors-to fields of the e-mails' headers as follows:

From: Organization name <no-reply@somedomain.org>
Reply-to: my-email-address@yahoo.com
Errors-to: my-email-address@yahoo.com

I suspect that similar changes will fix your problem.

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow