AOL, Yahoo email problems show limits of email security

Summary: Two very large email providers decide to deal with phishing and other attacks by setting a harsh DMARC policy, causing a storm of bounce messages.

For over ten years, standards bodies and others have worked to add measures of authentication to the SMTP email system in order to stop abusive email. A very large percentage of abusive email employs some technique to hide its true origin, the classic example being the phishing message that purportedly comes from support@paypal.com.

The current state of the art in email authentication is DMARC (Domain-based Message Authentication, Reporting & Conformance), which mixes DKIM (DomainKeys Identified Mail) and SPF (Sender Policy Framework) to strengthen confidence that mail that says it is "From:" a certain domain is, in fact, from that domain.

But, as shown by John Levine, who has long been involved in the drafting of these standards, both AOL and Yahoo have recently taken DMARC a bit too seriously, causing more trouble than they solved. If you have been receiving a lot of bounce messages lately, it's likely because of this problem.

[Image: "Yahoo: How can I recognize a phishing email?"]

Here is Levine's definition of the relevant parts of DMARC. It's medium-technical, but there's no way to give a complete explanation in the space I have here:

    DMARC lets a domain owner make assertions about mail that has their domain in the address on the From: line. It lets the owner assert that mail will have a DKIM signature with the same domain, or an envelope return (bounce) address in the same domain that will pass SPF validation. The domain owner can also offer policy advice about what to do with mail that doesn't have matching DKIM or SPF, ranging from nothing to reject the mail in the SMTP session. The assertions are in the DNS, in a TXT record at _dmarc.domain. You can see mine at _dmarc.taugh.com.

Perhaps out of frustration with all the phishing and other abuse using their domains, both AOL and Yahoo have recently published DMARC policies to reject email purportedly From: their domains which fails DMARC tests. The problem with this is that lots of legitimate email fails DMARC tests, the most prominent example being mailing lists. Lists commonly modify various headers when sending content out, so when a message From: an AOL or Yahoo user goes to a mailing list, and the mail server for recipients of the message checks DMARC, it will reject the message and send a bounce.
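To make Levine's definition and the mailing-list failure concrete, here is an added example (not code from the article, from Levine, or from any provider) of a receiver-side DMARC evaluation: it parses a `_dmarc.<domain>` TXT record, checks whether a passing DKIM signature or a passing SPF envelope domain aligns with the `From:` domain, and returns the domain owner's policy when neither does. DNS lookups are replaced by a constructed in-memory table, the domain names are placeholders, and the organizational-domain rule is simplified to the last two labels (a real implementation consults the Public Suffix List). It goes slightly beyond the article by also showing the accommodation lists ended up making: rewriting `From:` to the list's own domain and signing with the list's own key.

```python
import re
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed stand-in for DNS TXT lookups at _dmarc.<domain>.
# Record contents are illustrative placeholders, not any real provider's records.
FAKE_DNS_TXT = {
    "_dmarc.example-reject.test": "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example-reject.test",
    "_dmarc.example-none.test": "v=DMARC1; p=none; adkim=r; aspf=r",
    "_dmarc.lists.example.test": "v=DMARC1; p=none",
}


def parse_dmarc_record(txt: str) -> dict:
    """Parse a DMARC TXT record ("tag=value; tag=value") into a dict of lower-cased tags."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed DMARC tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    return tags


def lookup_dmarc(domain: str, dns=FAKE_DNS_TXT) -> Optional[dict]:
    """Return the parsed policy for the From: domain, or None if it publishes no DMARC record."""
    txt = dns.get(f"_dmarc.{domain.lower()}")
    return parse_dmarc_record(txt) if txt else None


def organizational_domain(domain: str) -> str:
    # Simplification (assumption): last two labels. Real code uses the Public Suffix List.
    return ".".join(domain.lower().split(".")[-2:])


def aligned(from_domain: str, auth_domain: Optional[str], mode: str) -> bool:
    """DMARC identifier alignment: 's' needs an exact match, 'r' allows the same organizational domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return organizational_domain(from_domain) == organizational_domain(auth_domain)


@dataclass
class AuthResults:
    """What the receiving MTA recorded for one message before applying DMARC."""
    from_header: str                 # RFC 5322 From: header
    spf_pass_domain: Optional[str]   # envelope (MAIL FROM) domain if SPF passed, else None
    dkim_pass_domains: Tuple[str, ...]  # d= domains of signatures that verified


def extract_domain(address: str) -> str:
    match = re.search(r"@([A-Za-z0-9.-]+)>?\s*$", address)
    if not match:
        raise ValueError(f"no domain in address: {address!r}")
    return match.group(1).lower()


def dmarc_disposition(results: AuthResults) -> str:
    """Apply the From: domain's policy. Returns 'accept' (aligned pass or no policy) or the p= value."""
    from_domain = extract_domain(results.from_header)
    policy = lookup_dmarc(from_domain)
    if policy is None:
        return "accept"  # no DMARC record: the receiver has nothing to enforce
    dkim_ok = any(aligned(from_domain, d, policy.get("adkim", "r")) for d in results.dkim_pass_domains)
    spf_ok = aligned(from_domain, results.spf_pass_domain, policy.get("aspf", "r"))
    if dkim_ok or spf_ok:
        return "accept"
    return policy.get("p", "none")  # 'none' means deliver but report; 'reject' means bounce


# Constructed scenarios (all addresses and domains are placeholders).
def scenario_direct() -> str:
    # Provider with p=reject sends directly; its own DKIM signature arrives intact.
    return dmarc_disposition(AuthResults("Alice <alice@example-reject.test>",
                                         "example-reject.test", ("example-reject.test",)))


def scenario_via_list() -> str:
    # Same author posts to a list that tags Subject: and appends a footer, so the original
    # signature fails; the list re-sends with its own envelope sender, which does not align.
    return dmarc_disposition(AuthResults("Alice <alice@example-reject.test>",
                                         "lists.example.test", ()))


def scenario_none_domain_via_list() -> str:
    # Identical relay, but the author's domain publishes p=none: no bounce, just a report.
    return dmarc_disposition(AuthResults("Bob <bob@example-none.test>",
                                         "lists.example.test", ()))


def scenario_list_rewrites_from() -> str:
    # The list accommodates p=reject by rewriting From: to its own domain and signing itself.
    return dmarc_disposition(AuthResults("Alice via List <list@lists.example.test>",
                                         "lists.example.test", ("lists.example.test",)))


if __name__ == "__main__":
    for name in ("scenario_direct", "scenario_via_list",
                 "scenario_none_domain_via_list", "scenario_list_rewrites_from"):
        print(f"{name:32s} -> {globals()[name]()}")
```

The two middle scenarios are the whole story of the bounce storm: the list's behaviour is identical in both, and only the sending domain's published `p=` value decides whether a broken signature turns into a delivered message with a report or a rejection in the SMTP session.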

As Levine says, this is understandable, if not excusable. The policy blocks a lot of spam, but it blocks a lot of legitimate mail in the process. AOL and Yahoo so far are suggesting that everyone else change the way they have always done things in order to work within the new restrictions.

It may end up this way, that mailing lists and other mechanisms (like "Send this article") which modify headers will have to compromise their usability in order to accommodate DMARC. Email security wasn't supposed to have so much collateral damage.

Topics: Security

About

Larry Seltzer has long been a recognized expert in technology, with a focus on mobile technology and security in recent years. He was most recently Editorial Director of BYTE, Dark Reading and Network Computing at UBM Tech. Prior to that he spent over a decade consulting and writing on technology subjects, primarily in the area of sec...
