Mail delivery failed: Yahoo.com DMARC Policy

Problem:
Mail delivery fails from Yahoo.com senders.
Mail delivery fails when the sender uses a yahoo.com email address and your form is sending to a Gmail address. It may also happen if the mail is sent to Hotmail/MSN/Outlook or Comcast, and possibly others.

Returned mail Error:
Mail delivery failed: returning message to sender
This message was created automatically by mail delivery software.

A message that you sent could not be delivered to one or more of its
recipients. This is a permanent error. The following address(es) failed:

xxxxx@gmail.com
SMTP error from remote mail server after end of data:
host gmail-smtp-in.l.google.com [173.194.77.27]:
550-5.7.1 Unauthenticated email from yahoo.com is not accepted due to domain’s
550-5.7.1 DMARC policy. Please contact administrator of yahoo.com domain if
550-5.7.1 this was a legitimate mail. Please visit
550-5.7.1 http://support.google.com/mail/answer/2451690 to learn about DMARC
550 5.7.1 initiative. so6si9116513obb.53 – gsmtp

Explanation:
Yahoo implemented a new DMARC security policy in April 2014 that requires all e-mail sent from a Yahoo address to actually come from Yahoo servers, or it must be rejected. See: https://productforums.google.com/d/topic/gmail/i5bT0eqkDUY/discussion

The DMARC specification introduces the concept of aligned identifiers, which requires the SPF or DKIM validation domains to be the same as or sub-domains of the domain for the email address in the “from” field. The domain owners can use a DMARC policy setting called “p=” to tell receiving email servers what should happen if the DMARC check fails. The possible values for this setting can be “none” or “reject.”

Over the weekend Yahoo published a DMARC record with “p=reject” essentially telling all receiving email servers to reject emails from yahoo.com addresses that don’t originate from its servers. Gmail is now rejecting the yahoo.com mail sent from your contact form.

Both Gmail and Yahoo.com are now starting to follow DMARC guidelines in order to combat the amount of spam going to their services. Under DMARC, organizations like yahoo.com instruct other mail providers to reject emails with the FROM: header listed as a yahoo.com address if the message fails SPF or DKIM checks. This is what your form runs into: it uses the visitor’s address as the FROM address in the mail headers.

When a visitor enters a yahoo.com address in the contact form, the email goes to the Gmail account you configured as the recipient, and its FROM: header contains the yahoo address that was entered in the form. Google now honors yahoo.com’s DMARC policy, which means it will reject the email, because yahoo.com’s policy directs other mail providers to reject emails that fail those checks. This unfortunately is not an issue with our mail servers.

The contact form plugin is not causing this problem; Yahoo did. But since Yahoo made these changes, other providers like AOL and Comcast did so as well. This might be the new normal now, and other providers might soon follow.

Related News article:
Computerworld: Yahoo email anti-spoofing policy breaks mailing lists

Fast Secure Contact Form DMARC Compliant Email Settings

Instructions to properly configure the email settings:

For best mail delivery results, be sure to properly configure the email settings on the Basic Settings tab.
Watch this YouTube video demonstrating the Basic Settings in Fast Secure Contact Form.

Set the “Return-path address” setting to a real email address on the SAME domain as your web site. This step really is ALWAYS necessary so mail is properly identified as originating from your server. For best results the “Email To” and the “Return-path address” should ALWAYS be separate REAL email addresses on the SAME DOMAIN as your web site (don’t skip this important step!).

Some people will like to set the “Email To” to a gmail.com, outlook.com, or some other webmail address (if that is what you want, go ahead and try it), but the “Return-path address” should ALWAYS be set to a real email address on the SAME DOMAIN as your web site. If you try a webmail address and your mail is not sending, try changing the “Email To” address to a REAL email address on the SAME DOMAIN as your web site. You can still deliver it to your webmail address by forwarding the email from a setting in your hosting control panel, or by configuring your webmail to fetch a mail account.

Next step, check this setting box:
Enable when web host requires “Mail From” strictly tied to site (don’t skip this important step!).

Click “Save Changes”, then test your form’s mail delivery by sending a message from the form on your page. When testing your form on your page, do not fill out the email field with the same email address as the “Email To” or “Return-path address”. Use a different email address, because some servers’ security settings do not allow email to be sent from and to the same address.

If you have other forms in use, be sure to repeat these settings for each form.

Now your email is properly configured for best delivery. Your form email should now be DMARC compliant for any of your users who submit the forms with Yahoo, AOL, Comcast, or any other provider that now requires DMARC compliance.

The email you receive will appear to be from your site email address, but because the email header “Reply-to” is set to the form user’s email address, you should be able to just hit reply and send email back to the real sender. You should also see the sender’s email address in the message content, so it is still possible to send mail to that address if the “Reply-to” is somehow ignored by your email program.
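The alignment rule from the Explanation and the From/Reply-to arrangement described above, as an added Python example (not the plugin's own code): it builds the form mail both ways and runs a simplified alignment check against a p=reject policy. The addresses, the `example.com` site domain, the policy table and all function names are constructed for illustration; a real receiver reads the policy from DNS and compares organizational domains.

```python
from email.message import EmailMessage
from email.utils import parseaddr

# Constructed sample policies; real ones are DNS TXT records at _dmarc.<domain>.
DMARC_POLICY = {"yahoo.com": "reject", "example.com": "none"}

def domain_of(addr):
    """Domain part of an address or header value, lower-cased."""
    return parseaddr(str(addr))[1].rpartition("@")[2].lower()

def aligned(auth_domain, from_domain):
    # Alignment as the page states it: same domain or a sub-domain of it.
    return auth_domain == from_domain or auth_domain.endswith("." + from_domain)

def dmarc_disposition(msg, return_path, spf_pass, dkim_domain=None):
    """'pass' if SPF or DKIM authenticates an aligned domain, else the policy."""
    from_domain = domain_of(msg["From"])
    spf_ok = spf_pass and aligned(domain_of(return_path), from_domain)
    dkim_ok = dkim_domain is not None and aligned(dkim_domain.lower(), from_domain)
    if spf_ok or dkim_ok:
        return "pass"
    # No aligned identifier: the From domain's published policy applies.
    return DMARC_POLICY.get(from_domain, "none")

def form_mail(visitor, site_addr, to_addr, compliant):
    """Build the contact-form message the broken way or the compliant way."""
    msg = EmailMessage()
    msg["From"] = site_addr if compliant else visitor
    if compliant:
        msg["Reply-To"] = visitor  # replies still reach the visitor
    msg["To"] = to_addr
    msg["Subject"] = "Contact form message"
    msg.set_content(f"Sender: {visitor}\n\nHello from the form.")
    return msg

if __name__ == "__main__":
    for compliant in (False, True):
        m = form_mail("visitor@yahoo.com", "wordpress@example.com",
                      "xxxxx@gmail.com", compliant)
        # SPF passes for the web server's own domain in both cases.
        print(m["From"], "->",
              dmarc_disposition(m, "bounces@example.com", spf_pass=True))
```

SPF passes in both runs because the web server is authorized for its own domain; only the domain in the From header decides whether that pass counts for DMARC.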


We are grateful to fastsecurecontactform.com for this article.