AOL has just announced that they are following Yahoo’s suit in telling the email-receiving world to reject (bounce) any email that has an aol.com “from” address, but doesn’t actually come through an AOL mail server. The now infamous “p=reject” DMARC policy that was adopted by Yahoo a week ago, and that caused countless headaches when Yahoo email started bouncing without warning, was adopted today by AOL.
Here’s how it works (this is greatly simplifed): when a receiving email server gets an incoming email, it takes note of several things which tell it where that inbound email comes from. It notes the IP address (which it may look up on a blacklist), and it notes the “from” address, and it also notes the domains from which the email actually was sent.
Let’s say, for example, that you send your email through your Gmail account, but you have it appear to be “from” your own personal domain, example.com.
In this example, the receiving mail server will see that the email is from you @example.com, but it will also see that your email actually came through gmail.com. The receiving mail server may (should) check with the server at example.com to see whether an email claiming to be from example.com, but actually sent from another domain, is legitimate. The way it will check will be to look up in standardized text files that should exist on the example.com server, that will have “policies” published regarding their email sending policies (including things that should say, in essence, “the gmail.com server is authorized to pretend to be example.com for the purpose of sending email”).
Now, take the Yahoo setup. By publishing a policy of “p=reject” in the DMARC authentication mechanism, Yahoo is saying “when you check with us to see if an email that claims to come from yahoo.com legitimate, if it says it is “from” user @yahoo.com, but the actual sending server is not a yahoo.com server, you should reject it.
This is the change that caused all of the headaches earlier this month. Because it was unexpected, and lots of people use their yahoo.com email address as their “from” address, but actually send their email through another server.
But, if you think about it, you can see Yahoo’s (and now AOL’s) reasoning. Spammers and scammers spoof Yahoo and AOL email addresses a lot. When they do that, the email is really coming from someplace else. Suddenly a whole bunch of spam and scam email is now being rejected and bounced, instead of getting through.
AOL made the move to “p=reject” today. Now, not all receiving mail servers are DMARC compliant, but those that are will be rejecting email from Yahoo and AOL addresses that was not actually sent through a Yahoo or AOL server.
And now you know why.
|Get notified of new Internet Patrol articles!