If you have a yahoo.com email address, or if you run a mailing list, this will be important to you.
Summary: if you subscribe to mailing lists using a yahoo.com address, you might like to think about changing to another free email provider, because your mail may not be read by all of the list recipients. If you are a list master, you might like to impose a sanction on Yahoo addresses, because they will cause you to lose many of your subscribers. Yahoo has deployed a new anti-spam technology called DMARC (dmarc.org). It allows domain owners to indicate what they would like receivers to do with mail bearing their address in the From: field. Using either SPF (openspf.org) or DKIM (dkim.org), the domain owner certifies the legitimacy of the From: header, or brand. SPF and DKIM, or no check at all, is tested according to the policy, and if one or both or neither matches the domain name in the From: field, the message is passed. The policy can specify what should happen to passing email: either that it should be reported by HTTP or email to the domain owner, or rejected outright. Yahoo has changed its policy so that email is rejected. Why is this a problem? SPF: test that the return path's domain matches the designated networks, but only pass the test if the return path and From: field match. Test fails, because the mailing list server preserves the From: line, even as it remails the message to the subscribers. The return path is the bounce address of the list server, so the results of SPF aren't used, even though the SPF check itself might succeed. DKIM: test if the "d" parameter of a successful DKIM signature matches the From: field's domain. Test fails, because any signature from the original sender's domain will not verify a message that has been mangled by the list server (for example, Subject prefixes, signature footers, etc). This is a growing problem for mailing lists, many of which are, somewhat ironically, used for discussing these standards' development processes. Patches are available for Mailman, and it seems likely that other mailing list managers will follow; the remainder will surely die out. The goal of preventing phishing is certainly a noble one, and is spurring adoption. The trend is arguably not new. Google, notably, now already performs DMARC verification, and many email providers already restrict users to given sender addresses in outgoing email, including the cloud platforms such as Amazon SES. This is all meant to increase trust in the user-visible From: header, but is totally breaking the email infrastructure. I certainly can't help thinking that it's inevitable (with the Mailman patch, running a list using SES is quite possible), but I also think it's very sad to see so much lack of concern for the original intent of the email standards and the massive amount of deployed software already out there. Oh well. Cheers, Sabahattin --- Gamers mailing list __ Gamers@audyssey.org If you want to leave the list, send E-mail to gamers-unsubscr...@audyssey.org. You can make changes or update your subscription via the web, at http://audyssey.org/mailman/listinfo/gamers_audyssey.org. All messages are archived and can be searched and read at http://www.mail-archive.com/gamers@audyssey.org. If you have any questions or concerns regarding the management of the list, please send E-mail to gamers-ow...@audyssey.org.
