Month: May 2014

Yahoo’s New DMARC Policy: How It Affects Emails Sent Via Third-Party Services

Introduction

We are sure that if you use Quillcards, you want to know that we always make sure that we are delivering a high-quality service.

We are pleased to say that we have dealt immediately with a recent change in Yahoo’s policy that affects all businesses sending customers’ emails via third-party services.

This article is about how we at Quillcards have dealt with Yahoo’s change of policy and about why we needed to make the change.

It is a somewhat technical article, but stick with it because it is fairly straightforward.

Let’s start by looking at transactional emails.

What Are Transactional Emails

A transactional email is a one-to-one email of some kind.

You can contrast them with one-to-many emails such as newsletters that businesses send out to people on their email lists.

There are all kinds of transactional ‘one-to-one’ emails.

Some examples are the email that is sent when someone signs up to a service or the email that confirms when an online order has been placed.

In our case at Quillcards, we send several different kinds of transactional emails.

One of the most important, of course, is the email that tells a recipient that there’s an ecard waiting for them.

We also use emails to tell members when a Quillcards member’s membership is up for renewal and to notify a person who requests a sample ecard.

What Are Transactional Email Services

A company that sends emails as part of its business could send emails from the email servers on its own web host.

The problem is that the recipients reply, the company wouldn’t know very much about what happened to the emails they have sent.

For example, did the emails reach their destination? Did they bounce? Were they marked as spam? Were they rejected by the recipients’ servers?

That’s where transactional email services come in.

Transactional email services have methods of checking whether the emails are delivered or bounced, whether they are marked as spam, or whether they are rejected.

And that’s the reason that a lot of businesses route their emails via transactional email services like Mandrill.

Mandrill

Mandrill is a transactional email service that has web servers all over the world and hundreds of thousands of customers. It is efficient and fast.

And we at Quillcards use Mandrill for our email delivery.

As we mentioned, one of the most common emails that gets sent from Quillcards is the notification email that tells a recipient that there is an ecard waiting for them.

Until Yahoo changed its policy two weeks ago, we sent these notification emails from the email address of the Quillcards member.

And importantly, some of our members have Yahoo email addresses.

Yahoo Changed Its Domain Message Authentication (DMARC) Policy

Two weeks ago Yahoo changed its policy.

It now prohibits third-party services (like Mandrill) from sending emails on behalf of Yahoo email addresses.

In other words, Yahoo’s new policy is that Yahoo emails can only go direct from Yahoo’s web servers to the recipient.

Any Yahoo emails that are routed via non-Yahoo servers are not allowed to get through because Yahoo emails tell the receiving domains to reject them if they did not travel directly from Yahoo’s servers.

It’s a bit like a message on a letter telling the person who receives it to refuse to accept it.

The technical way that Yahoo sends this instruction is through its Domain-based Message Authentication, Reporting and Conformance policy (DMARC). It is a code hidden within an email that tells the receiving domain what to do with messages that did not travel direct from its servers to the recipient.

Why Yahoo Changed Its Policy

We don’t know for sure the reason behind Yahoo’s new policy, but Mandrill wrote on their blog about why they think Yahoo has made the change:

So far, Yahoo hasn’t made any information public about this change. There’s some speculation that it’s an attempt to stop targeted phishing attacks where attackers are sending ‘from’ someone’s yahoo.com address in an attempt to get information to compromise the Yahoo account.

That speculation may well be correct because Yahoo is a known target for phishing attacks.

What The Yahoo Change Means For Quillcards

Mandrill’s recommendation is:

If you’re sending on behalf of your users or others who have @yahoo.com addresses, you’ll want to change your emails to be sent ‘from’ a non-Yahoo address (probably your domain) with reference to the original sender’s address in the body. You can also set the ‘Reply-To’ header to include the original user’s Yahoo address if replies should go to them instead of you.

And that is what we have down in order to ensure that Quillcards members with Yahoo emails can continue to use Quillcards successfully.

To do that, we have changed the ‘sent-from’ address in the notification emails to [email protected] and set the ‘reply-to’ to the sender’s email address.

That way, the notification emails get through because it is from Quillcards email servers (not Yahoo’s) and recipients can hit the reply button and reply to the sender without going via Mandrill.

And that is the latest from us here at Quilcards concerning the complex world of email for businesses. 🙂