What is a CFL and how does it work?
  • Yahoo offers a free Complaint Feedback Loop (CFL) program to help email senders minimize complaint rates and improve their overall sending reputation.
  • If you participate, we will forward complaints from our users about emails sent from your organization that they consider to be spam.
  • If a message is signed with a DKIM key that is enrolled in the CFL program, Yahoo sends the enrolled address a message so that they can avoid sending further mail to that recipient.
  • Yahoo no longer offers IP or CIDR-based CFL reporting.
What do I need to set up a CFL?
  • The Complaint Feedback Loop program only supports DKIM-signed email and is a domain based service. IP address-based feedback loops are not supported. Senders are required to sign their outbound email with DKIM, so that Yahoo can determine the actual sender of an email.
  • To sign up for CFL, you'll need to fill out a new CFL application, making sure to use a dedicated email address to receive your reports.
  • After your application is processed, a verification email will be sent to postmaster@(your DKIM domain). You will have to click on the confirmation URL in this email for every domain and DKIM sector you enroll.
  • If you forget the CFL address or lose access to that email, fill out a CFL application, but select Update from the “Request type” drop-down menu.
  • If you'd like to stop receiving reports, fill out a CFL application and select Delete under “Request type.” Once we process your submission, you'll stop receiving CFL reports for the given domain.
What is the format of a CFL?
  • All reports are provided in the Abuse Reporting Format (ARF). They include the full email headers, the original message body and some additional machine readable meta-data.
  • Email header information specific to Yahoo ARF reports:
    • The From: header reads: 'Yahoo! Mail AntiSpam Feedback'.
    • The SMTP MAIL FROM (envelope sender) is formatted as: 'feedback@arf.mail.yahoo.com'.
    • CFL is DKIM signed with domain 'arf.mail.yahoo.com'.
  • Abuse Reporting Format basics
    • The Abuse Reporting Format is used by most complaint feedback loops. They're meant to be extensible and typically provide generic spam reporting info. The reports are provided in MIME format.
    • The report includes at a minimum 3 parts:
      • A plain text part with a generic message
      • A MIME formatted part - machine readable meta-data
      • The original message
    • Review an example report from the ARF RFC.
  • If you are unfamiliar with any of the topics discussed above, we recommend these resources from Wikipedia or IETF to learn more:
What is DMARC?
  • Yahoo strongly urges senders to publish a DMARC policy for each domain that sends mail.
  • DMARC (Domain-based Message Authentication, Reporting & Conformance) is a technical specification created by a group of organizations that want to help reduce the potential for email-based abuse by solving a couple of long-standing operational, deployment, and reporting issues related to email authentication protocols.
  • DMARC standardizes how email receivers perform email authentication using the well known SPF and DKIM mechanisms. This means that senders should experience consistent authentication results for their messages at any email receiver implementing DMARC.
  • A DMARC policy lets a sender indicate their emails are protected by SPF and/or DKIM. It tells a receiver what to do if neither authentication passes, such as rejecting the message. DMARC removes guesswork from the receiver's handling of these failed messages, limiting or eliminating the user's exposure to potentially fraudulent and harmful messages. DMARC also provides a way for the email receiver to report back to the sender about messages that pass and/or fail DMARC evaluation.
  • Senders use DKIM (Domain Keys Identified Mail) to create a signature of the content of email messages.
  • Senders use SPF (Sender Policy Framework) to specify the list of IPs which are allowed to send mail for a domain.
  • DMARC policies are published in the public Domain Name System (DNS), and available to everyone. The IETF has accepted the DMARC specification as an Independent Submission and it is published as RFC 7489.
How will DMARC improve deliverability?
  • DMARC allows senders to specify how receivers can act on email which may not be sent from their domains. Depending on the policy published by the sender it may get rejected, or go to the spam folder or no action may be taken.
  • DMARC primarily protects you from third parties forging your domain. If that is a current problem for you, it will probably also improve deliverability.
How does Yahoo use DMARC?
  • Yahoo strongly urges senders to publish a DMARC policy for each domain that sends mail.
  • DMARC, an industry consortium to promote safer email and reduce spoofing, is supported and honored by Yahoo.
  • If a domain is protected by DMARC with “p=reject”, any message without a proper DKIM signature or SPF alignment will be rejected by Yahoo's mail servers.
  • Yahoo also publishes DMARC policies as a sender that guides receivers (including Yahoo, Aol, Hotmail, and Gmail) to reject email (p=reject) that may not be legitimately sent by Yahoo.
  • Our DMARC policy proactively protects our users from email spam that mimics Yahoo's email addresses from other mail servers. This helps secure our users' email identities from being used by unauthorized senders, however, it can also interfere with some long-standing uses of identities that are authorized by the user but not verifiable.
  • For more information, see our Sender Best Practices, DMARC.org, DKIM.org, and OpenSPF.org.
What is SPF?
  • SPF (Sender Policy Framework) is an email validation protocol designed to detect and block email that originates from outside the specific set of IP addresses that a domain has authorized.
  • SPF records allow Yahoo to reject messages which originate from IPs not listed in the domain's SPF record.
  • For details, please refer to the SPF site.
What is DKIM?
  • DKIM (Domain Keys Identified Mail) is an email authentication standard. It uses a public/private encrypted key approach to authenticate the domain responsible for an email.
  • DKIM lets senders digitally sign their emails sent to Yahoo mail accounts, associating the digital signature with the actual domain name of that organization.
  • DKIM enables Yahoo to associate a message verifiably with a specific handler and ensure that it has not been changed since the signature was added.
  • For more information, please refer to the DKIM site.
How are multiple DKIM signatures evaluated?
  • Yahoo evaluates all DKIM signatures and uses the results to determine DMARC alignment, to calculate reputation, and ascertain CFL fulfillment.
  • If a mail message has multiple DMARC-aligned signatures and they do not all pass, Yahoo does not guarantee that it will pass DMARC.
How does Yahoo determine a mailer's overall reputation?
  • Yahoo considers many factors including, but not limited to:
    • IP address reputation
    • URL reputation
    • Domain reputation
    • Sender reputation
    • ASN (Autonomous System Number) reputation
    • DKIM (DomainKeys Identified Mail) signatures
    • DMARC (Domain-based Message Authentication Reporting and Conformance) authentication
  • Even if you have a reputable sending history, users can vote your email as spam and affect your overall reputation.
  • So, if you want to get your emails to the inbox, our Sender Best Practices recommends sending relevant content to the users who want it and have opted to receive it.
My domain reputation is good — but my message is in the spam folder. Why?
  • Mail can be redirected to the Spam folder for various reasons. A combination of poor reputation and high complaints can cause mail to be directed to the Spam folder.
  • We usually do not redirect mail to the Spam folder for poor reputation alone. It can be a combination of reputation with other poor mailing characteristics like:
    • Obfuscation of URL’s in body of mail
    • IP’s which do not have a FQDN in their rDNS
    • Not RFC compliant
  • We also recommend that you adhere to our Sender Best Practices requirements for sending mail.
What actions can a sender take to improve delivery to Yahoo domains?
  • Yahoo strongly urges senders to publish a DMARC policy for each domain that sends mail.
  • Review our Sender Best Practices and make changes where appropriate.
  • Opt out users who have marked your email as spam in the past. Enroll in the Yahoo CFL program to get that information.
  • Send different email content types via separate IPs and streams. If you start sending unsolicited commercial email using the same IPs as transactional email, your sending reputation can be impacted.
  • Make sure your emails are DKIM signed. DKIM signature helps Yahoo authenticate that email is safe, secure and from the senders who claim to send it.
  • Control your email traffic. If you send emails at a certain rate and suddenly have a spike of activity, you could get flagged as a compromised sender and marked as spam. Instead, plan your campaign and spread it out over a period of time.
  • Check your email content. If the subject lines are not helpful or appear to be generic, users may not be interested and mark it as spam. When many users mark an email you send as spam, it can impact your overall deliverability.
  • Publish reverse DNS (PTR) records for your sending IPs. Yahoo is more likely to downgrade an IP's sending reputation if there isn't a reverse DNS entry for your IP address. Not having a reverse DNS entry can cause your mailing IP to look like a dynamically-assigned IP instead of a static mail server.
How can I get my Email delivered to Yahoo inboxes?
  • Yahoo advises senders to adher to high-quality methods to improve deliverability. See our Sender Best Practices.
  • Yahoo understands email is a mission critical real-time service for all its users. No one wants to miss an email or have it delayed. We work very hard to ensure a high quality of service so the right mail reaches the right user at the right time.
  • At the same time, we have to make sure our users are protected from unwanted email, especially spam, viruses and malware. To that end, we have a complex anti-spam filtering system that weeds out unwanted email before it reaches the inbox.
  • There are several factors that determine which emails land in the inbox and which goes to spam. Even if Yahoo's systems are not filtering out the email, the user may have specifically blocked certain domains and email addresses. These user rules will override the determination by Yahoo's spam filtering system and still put the email in the spam folder. Again, this is entirely between the sender and user.
Can Yahoo whitelist my IPs?
  • No. The term whitelisting tends to imply guaranteed inbox delivery. Yahoo does not have a whitelisting program.
  • If you are having difficulty sending to us or have reason to anticipate difficulty (a large launch or a legal notification, for instance) you can notify us by submitting a Sender Support Request.
  • Based on our review, we'll modify your reputation in our systems if needed. Keep in mind that still doesn't guarantee inbox delivery.
I just added IPs/domains to my account but they can't send. Why?
  • If you're having difficulties sending to a Yahoo email address and are a new sender or have a new IP, fill out the Sender Support Request. Make sure to include the error and diagnostic codes in your logs.
  • We'll review the info provided and will modify your reputation as needed.
  • Keep in mind we cannot guarantee inbox delivery and you should always follow our Sender Best Practices.
What is the maximum message size Yahoo accepts?
  • Yahoo will accept an attachment up to approximately 25 megabytes but various factors may influence how large a document you can attach.
  • This size limit cannot be configured by the member, nor adjusted by the Postmaster team.
How do I report abuse by Yahoo customers?
  • If you receive content from any Yahoo domain that violates our Terms of Service, let us know right away.
  • In many cases, you can report inappropriate content directly from our products by reporting the message as Spam.
  • If a Yahoo mail account is sending you Spam, you can inform us via the Report Abuse form.
  • When reporting junk, abusive or unwanted email from Yahoo members, please include the full text of the message along with the full header information. Lacking the header information, we cannot determine the actual source of the email.
Can I get access to more than just CFL data?
  • Yahoo will display your BIMI logo if:
    • A BIMI record exists which points to a valid logo in SVG format
    • A DMARC policy of quarantine or reject is in place
    • The mailing is sent to large number of recipients (bulk mail)
    • And we see sufficient reputation and engagement for the email address
  • If you think all of those requirements are met but still no logo is displayed, please reach out to mail-questions@yahooinc.com and provide as much details as possible.