4/25/14 Update: Renamed post to “DMARC” instead of Yahoo now that Aol has their DMARC policy set to reject: http://postmaster-blog.aol.com/2014/04/22/aol-mail-updates-dmarc-policy-to-reject/
After spending sometime the last couple of days checking and rechecking my SPF settings I figured out today it was a change Yahoo made that broke message delivery to external recipients. Yahoo made this change “over the weekend” per some news articles, I first noticed NDRs dues to this on Monday 4/7/2014
The issue is that Yahoo changed their DMARC, which is made up for SPF and/or DKIM settings/policies, to “p=reject” which tells receiving email servers to reject emails from yahoo.com addresses that don’t originate from its servers. So if a Yahoo users sends an e-mail to yourmailinglist@yourorg.com and it contains recipients at @yahoo, @gmail, @msn, @hotmail, @outlook.com, @comcast, and many other email providers that check the original sending servers (Yahoo in the case) policy they will reject the mail. This is because the sending server of the e-mail is yourorg.com and not yahoo.com.
Yahoo did this to help reduce spam that is being sent from accounts on their servers to mailing list that contains external recipients. But they basically “broke every mailing list in the world” to quote some of the many news articles I found today about this issue.
At this time there the only workaround for Exchange clients is to use the EDGE role and setup address rewrite rules. Here is an article on Using Header Rewriting with Exchange Server 2010 that should help with that.
I’m hoping Yahoo fixes this policy setting ASAP! I will update this post as I learn more!
Errors users\DL owners will see:
mta1386.mail.bf1.yahoo.com gave this error:
Message not accepted for policy reasons. See http://postmaster.yahoo.com/errors/postmaster-28.html
mx3.hotmail.com # #SMTP#
imta13.westchester.pa.mail.comcast.net gave this error:
oFxW1n00k0D7utr0DFxXU1 Message rejected due to DMARC. Please see http://postmaster.comcast.net/smtp-error-codes.php#DM000001
BAY0-MC3-F11.Bay0.hotmail.com gave this error:
(BAY0-MC3-F11) Unfortunately, messages from (63.227.36.10) on behalf of (yahoo.com) could not be delivered due to domain owner policy restrictions.
The only workarounds that I’m aware of at this time is to use an EDGE address rewrite rule to have any messages sent to a DL to have their From address to be the DLs, instead of the sending users. The other is to enable moderation on your DLs that have external recipients and for any coming from yahoo.com or aol.com (currently, but more will be added in the future I’m sure) resent them manually from the DL or a mailbox.
I’m hoping to hear back from some of my peers soon on better workarounds.
Good blog post on DMARC and why the rejection is happening and why this is a good thing, in general: http://huitema.wordpress.com/2014/04/21/about-dmarc-or-can-email-evolve/.
Yahoo’s article on their DMARC policy and how to deal with it, but doesn’t have any info on Microsoft Exchange: http://yahoomail.tumblr.com/post/82426900353/yahoo-dmarc-policy-change-what-should-senders-do
Articles about this issue:
http://www.pcworld.com/article/2141120/yahoo-email-antispoofing-policy-breaks-mailing-lists.html
http://www.theregister.co.uk/2014/04/08/yahoo_breaks_every_mailing_list_in_the_world_says_email_guru/
http://thehackernews.com/2014/04/yahoos-new-dmarc-policy-destroys-every.html
http://www.circleid.com/posts/20140408_yahoo_addresses_a_security_problem_by_breaking_every_mailing_list/
http://www.spamresource.com/2014/04/run-email-discussion-list-heres-how-to.html
Jason (Izzy) Sherry's Blog 
If enough people feel the pain of this, they will stop using yahoo.
LikeLike
aol.com now has their DMARC policy set to reject and I’m sure others will follow.
So we need an option in Exchange to change the From address to the DL instead of the sending user. With an EDGE server this can be done.
LikeLike
Mainly DMARC builds upon both the DomainKeys Identified Mail (DKIM) and Sender Policy Framework (SPF) specifications that are currently being developed within the IETF. DMARC is designed to replace ADSP by adding support for:
1) wildcarding or subdomain policies,
2) non-existent subdomains,
3) slow rollout (e.g. percent experiments)
4) SPF
5) quarantine mailing lists<
LikeLike
From a user as a workaround, which does work but requires a mailbox for each DL and multiple manual setup steps. I also recommend using Transport rules and/or Delivery restrictions to limit who\want can be sent to the mailbox\DL. I have setup something like this for one of my DLs, but I host over 20 and instead I’m working on getting ListSrv (http://www.lsoft.com/products/listserv.asp) setup instread for a better solution.
_______________________________
Thankfully I found one – it’s not the greatest but it works. Here’s what I did:
Let’s say the distro list was allcompany@mycompany.com
Change distro list to allcompany-distro@mycompany.com
Create a new user mailbox with the address allcompany@mycompany.com
Setup an inbox rule on the new user mailbox that says “forward all emails received by this inbox to allcompany-distro@mycompany.com”
Be sure to add allcompany@mycompany.com as an authorized sender for the distro list.
Be aware this will defeat the security of the distro list if you have it set to only allow those on the list to send to the list. This is because anyone who knows “allcompany@mycompany.com” can now send to it without having to be on the list as “allcompany@mycompany.com” is authorized and is blind-forwarding all messages to the distro list; however, I’d rather have this & a powerful antispam filter than have my emails bounce.
So… why does this setup work?
It works because the original senders email (eg. with a yahoo / comcast / aol / etc.) account is accepted by the user inbox “allcompany@mycompany.com” – That inbox then forwards the email to the distro list “allcompany-distro@mycompany.com” – that forwarded email is now coming from “allcompany@mycompany.com” moving the original senders info to the forwarded portion of the email. Therefore, when the email comes out of the distro list, it’s coming from “allcompany@mycompany.com” – and AOL, Yahoo, Comcast all accept it because we are authorized to send email from our own email server.
LikeLike
Pingback: DMARC Workaround for @yahoo & @aol sending to DL with external recipients | Jason (Izzy) Sherry's Blog
Blog post here with a slightly better work around and details on how to set it up.
https://blog.jasonsherry.net/2014/11/21/dmarc-workaround-for-yahoo-aol-sending-to-dl-with-external-recipients/
LikeLike