On April 4, Yahoo! took one giant step forward for email-kind when they asked all Internet email receivers to stop accepting mail that purports to be From: Yahoo! but is not authentic. This is done with a “DMARC reject” policy. More recently, Yahoo! explained their stance in a blog post.
“And overnight, the bad guys who have used email spoofing to forge emails and launch phishing attempts pretending to come from a Yahoo Mail account were nearly stopped in their tracks.”
Every day, email is used for malicious purposes. Last year RSA reported there were 450k phishing attacks causing global losses of $6B, and the Verizon data breach report revealed 95% of state-sponsored espionage attacks use phishing emails to establish a foothold. These attacks are all enabled by email’s “original sin” – built in 1982, the 32-year-old technology did not enable anyone to determine if a message is really from the purported sender – be it yahoo.com, agari.com or whitehouse.gov. Agari has been working on this problem for many years, and thanks to the new DMARC technology, we can take email away from the criminals.
To accomplish this, each company, like Yahoo!, has to take their domains back from the criminals. In Yahoo!’s case, there have been many different legitimate uses of yahoo.com that have developed over the last 20 years, but companies sending marketing email From: Yahoo.com or using mailing lists that don’t support DMARC are going to have to change. Change is never easy, but in this case it will leave us with a better Internet. For everyone.