Private Sender nobody at
Thu Apr 17 04:19:18 UTC 2014

On 04/14/2014 03:47 PM, Jim Popovitch wrote:
> On Mon, Apr 14, 2014 at 6:21 PM, Scott Howard <scott at> wrote:
>> On Mon, Apr 14, 2014 at 2:59 PM, Jim Popovitch <jimpop at> wrote:
>>> 7-April: Monday, Yahoo's dmarc change kicks everyone in the groin, the
>>> last full week before the US tax filing deadline.
>> The change was made on the previous Friday, so that date is largely
>> irrelevant.
>>> 7-April: OpenSSL's *public* advisory (after a full week of private
>>> notifications, of which yahoo surely was one tech company in on the
>>> early notifications)
>> Given that many of their main services were vulnerable at the time of public
>> disclosure, I think that's a very large assumption to make...
>> If nothing else, I suspect the odds of it being known by the same people
>> that made the DMARC decision/changes is low.
> I think you are right on that, but that doesn't change the fact that
> the sum of those things overburdened a lot of mailinglist operators.
> It is what it is, and the press has covered it and mailinglists are
> blocking/unsub'ing yahoo accounts in order to cope.
> -Jim P.

I'm sorry but is there a fundamental misunderstanding of dmarc going on
in this thread? Yahoo doesn't want you to be able to send ""
email from anything other than THEIR servers which contain the private
key that corresponds to their DKIM implementation, and conversely dmarc.
"p=reject" tells the receiving domain to reject the message if it isn't
signed by the private key that corresponds with the public key that is
in the dkim txt record for "" 

Isn't this the whole point of dmarc? Stop spammers from sending email
with "" that doesn't originate from a valid yahoo email server.

Yahoo's implementation of dmarc is working as intended.

Stealing someones password, and logging into their yahoo mail account
and spamming isn't going to matter to dmarc. The mail originated from
yahoo, and it was an authenticated user; the mail will be signed with
the DKIM key, it will be accepted by the receiving domain (unless the
email address is blacklisted by the receiving domain).

There is no need to flame a company because they implemented a policy to
ensure QoS to their customers. Either push your mail through their
servers, or Just find somewhere else you can push your mailing lists


More information about the NANOG mailing list