Over this last weekend (beginning on April 4), Yahoo began implementing stricter rules in regards to their authentication policies, as part of an ongoing effort to lower the risk of abuse and spam across the internet and email. Before I get into the specifics of what Yahoo did, there are a few points that I need to touch on so we all have a better understanding of the why of Yahoo’s action.
First of all, what is email authentication and why is it important?
Email authentication is a way for an internet service provider that manages incoming email (such as Gmail or Yahoo) to ensure that they will be able to recognize the sender of an incoming message. This allows the ISP to recognize and fight spam and abuse from “undesirable” senders, particularly phishers and their ilk.
Overall, email authentication ensures that the ISP recognizes that you, the sender, are who you say you are. This means they will not bar your email message’s delivery based on concern that you’re masquerading as someone else (as phishers do). And as a result of that, your legitimate email message will get to your recipients without those receivers having to worry unduly about the authenticity of your identity.
There are several types of email authentication, such as Sender ID, Sender Policy Framework (SPF), Domain Keys Identified Mail (DKIM), and Domain-based Messaging, Authentication and Reporting and Conformance (DMARC). Sender ID, SPF, and DKIM have been around for years and aid in fighting abuse and spam. DMARC was established in 2012 by a coalition of ISPs and industry experts, in a further attempt stop spam and abuse across the internet.
Many ISPs, such as Yahoo, have begun implementing DMARC. Unfortunately for any marketer using a third-party email service provider (such as Act-On or Responsys or Constant Contact, etc.), DMARC includes a protocol known as “domain alignment.” This means that the email authentication has to be from the same server as the address in the “From” line. And what that means, in the common tongue, is that any email with a Yahoo “From” address that does not come from a Yahoo server will probably be rejected.
So what does this mean for marketers?
A surprisingly large number of marketers send marketing emails from their personal email addresses. Yahoo’s use of DMARC means that if you are using a Yahoo email address (personal or not) in the “From” address of emails sent from any platform other than your Yahoo account, that email will bounce back and not be delivered. This will seriously affect your delivery and impede the success of your messages.
What do you need to do to lower your risk?
The easiest way you can mitigate risk is by simply updating your “From” address so it does not contain a Yahoo email address. I also recommend doing the same for a Gmail, AOL and Hotmail email address as well. As a best practice, you should be using a “From” address that your client can easily relate to your brand, such as email@example.com.
I also recommend, if you haven’t already, implement DKIM and SPF to ensure you are compliant with today’s standards and best practices. Once that is complete, start having conversations with your internal IT departments to see if DMARC is a necessity.
SO, why did Yahoo make the change?
Yahoo users have been attacked by spammers, and Yahoo has been in the media quite a bit in regard to an attack where many yahoo.com email addresses were compromised. In an effort to protect their end users, they put this DMARC policy in place. If you want the deep details, check this Monday, April 7 blog post from Laura Atkins, industry expert and co-founder of Word to the Wise: https://wordtothewise.com/2014/04/brief-dmarc-primer/
Prepare for more to come
Yahoo is just the first one of many ISPs that we expect will begin taking this step to stop abuse and spam. Protect your deliverability by being proactive and consistently updating your sending practices to meet the industry’s demands.
Read the white paper: Best Practices in Email Deliverability