Yahoo DMARC Policy Change - What Should Senders Do?

By The Yahoo Mail Team

We recently changed our DMARC policy to proactively protect our users from increasing email spam that uses Yahoo users’ email addresses from other mail servers. This is an important step to secure our users’ email identities from being used by unauthorized senders. It also interferes with some long-standing uses of identities that are authorized by the user but not verifiable.

By publishing a “p=reject” record, Yahoo tells other DMARC compliant systems  to reject mail from Yahoo users that isn’t genuinely originated from a Yahoo server. This affects only mail with Yahoo addresses on the From: line, like this:

From: “Example Sender” <example-sender@yahoo.com>

To: “Favorite Recipient” <recipient@domain.example>

Subject: Testing Email!


If you are sending email messages on behalf of a user with an email address at Yahoo, your messages will be rejected due to failed authentication. Many kinds of companies might do this. For instance

  • Email Service Providers (ESPs) sending for businesses using Yahoo addresses

  • Services coordinating groups of people, like mailing lists, sports teams, online courses

  • Websites where visitors may share with their friends via email, like news and shopping sites

  • Other small business services, including business web portals and calendaring solutions, that send mail between customers and businesses

  • ISPs and other mailbox services that allow their customers to send mail with addresses outside the service’s control

  • Mail forwarding services


If you are sending on behalf of a business, what should you do?

Businesses are going to be best served by using addresses they control, so we recommend that they move to sending mail from their own domain.

From: “Example Sender” <example-sender@senders-r-us.example>

To: “Favorite Recipient” <recipient@domain.example>

Subject: Testing Email!


Another solution would be to use an address you control, which could be a dedicated address at your site, or a single address for different senders. Let’s pretend you are “b2b.example”. One way would be:

From: “Example Sender” <example-sender@b2b.example>

Or you could do:

Reply-to: “Example Sender” <example-sender@yahoo.com>

From: “Example Sender” <noreply@b2b.example>



If your website provides the ability to share items in email, what should you do?

If you are sending on behalf of individuals, we recommend that you send mail from your own domain. You can set a Reply-To: header with their email address so that people can reply to the sharer instead of to you. Let’s pretend you are “sharing.example”:

Reply-to: “Example Sender” <example-sender@yahoo.com>

From: “Example Sender” <noreply@sharing.example>

If you are an ISP or email provider and your users want to use Yahoo addresses, what should you do?

Consider allowing customers to connect directly to Yahoo SMTP servers, or contact us at dmarc-help@yahoo-inc.com to discuss authentication and configuration options.

If you are a mailing list owner, what should you do?

Mailing lists are a special case of sending mail on behalf of individuals. The most common option is to use the mailing list’s address instead of the sender’s on the From: line. This will change the reply behavior. Some mailing lists also choose to act as pure forwarders and resend the mail without breaking DKIM signatures. As of this publication, no common mailing list packages provide straightforward configuration options that produce DMARC compatibility, although Mailman has relevant features starting in 2.1.16. If you are a developer of mailing list software and would like help adding features to allow participants from domains with DMARC p=reject, please contact us at dmarc-help@yahoo-inc.com.

More information about the DMARC specification and implementation advice is available at http://dmarc.org/