Yahoo, AOL, and Google Use DMARC to Combat Spam

October 20, 2015—In a move to better fight spammed messages, two of the world’s biggest mailbox providers, Yahoo and Google, will be implementing the DMARC protocol. DMARC stands for Domain-based Message Authentication, Reporting, & Conformance, a protocol introduced three and half years ago, which checks for email spoofing by referencing all incoming messages against both Domain Keys Identified Mail (DKIM) and Sender Policy Framework (SPF) validation systems.

DKIM uses a cryptographic signature to verify a sender’s domain. SPF, on the other hand, lets senders specify which hosts can carry their messages thereby making spoofed emails easier to identify. In the DMARC protocol, if DKIM and SPF checks aren’t verified, the email is then quarantined. In layman’s terms, DMARC will reject any mail spoofing an email provider’s domain if it does not come from said provider’s own servers.

While Yahoo has already been using DMARC in a large-scale capacity since last year, it announced last October 5th that it would expand its DMARC policy to addresses ending in and by November 2nd. The success of the Yahoo’s use of DMARC last year, had AOL following suit in response to a similar large-scale campaign targeting their marquee domain. Google will also be implementing the stricter DMARC to its hosted mailbox services in 2016.

Note that there were a small percentage of users who were negatively impacted by Yahoo and AOL’s DMARC implementation last year. Several workarounds had been deployed to address these issues since then. Two long-term solutions were also submitted to Internet Engineering Taskforce (IETF) for consideration. One of the proposed solutions is called the Authenticated Received Chain (ARC), the details of which can be found in this draft, which will be presented in the Messaging, Malware and Mobile Anti-Abuse Working Group (M3AAWG) meeting this year.

Comments are closed.