FAQs
General
What are the new requirements for senders in 2024?
- You can view the new requirements on our Sender Requirements & Recommendations page here.
How does Yahoo classify a “bulk sender”?
- For the purposes of enforcement, a “sender” is viewed at the authenticated domain or From header domain level. However, we will use all of the information available (content, IP, etc.) to review sender compliance.
- A “bulk” sender is classified as an email sender sending a significant volume of mail. We will not specify a volume threshold.
Does the number of spoofed emails count towards Yahoo thresholds for a bulk sender?
- Yes, those emails will count towards the mail we look at for enforcement.
- If you have a spoofing problem, you should be implementing a DMARC enforcement policy (p=quarantine or p=reject) regardless.
When will these requirements go into effect?
- Enforcement will begin in February 2024, and we will continue to gradually roll out enforcement as we monitor compliance metrics
- Note: Enforcement of the List-Unsubscribe policy will begin in June 2024.
What will happen to my mail if I don't meet the requirements?
- If you do not meet the requirements, your mail may be sent to the spam folder or rejected.
- If mail is rejected, we will return a specific error code with information about the rejection.
Do these requirements apply to AOL too? What about Yahoo Japan?
- These requirements apply for all domains and consumer email brands hosted by Yahoo Mail.
- Yahoo Japan is a separate entity, and we cannot speak to their plans as we do not coordinate with them.
Complaint Rate
Where can I see the spam complaint rate for my domain?
- Sign up for the Complaint Feedback Loop and monitor complaints received against mail sent to Yahoo domains.
- Keep an eye on the Sender Hub for additional resources to come.
What timeframe is used to calculate the spam complaint rate for enforcement?
- Our system continuously evaluates mail, and we may defer mail from domains with a high complaint rate. This will not change.
Unsubscribe
Is one-click unsubscribe required for all of my mail?
- No, one-click unsubscribe is only required for promotional/marketing messages. The requirement does not apply to transactional messages (e.g. order confirmations, password resets).
- We will not make the determination of what mail should and should not contain an unsubscribe link. You should rely on local regulations and your best judgment based on user behavior.
- If you see high complaint rates for mail that is not legally required to have an unsubscribe link, it may be in your best interest to include a one-click unsubscribe option to reduce the chance of delivery issues, and give users an easy way to stop receiving those messages.
Is an unsubscribe link in the body of the message sufficient?
- No, you must implement the list-unsubscribe header (preferably according to RFC 8058) in order to meet the requirement for one-click unsubscribe.
- You may also have an unsubscribe link in the body of the message, which can direct to a preference page.
- For more information, please refer to our detailed page
- Enforcement of one-click unsubscribe will begin in June 2024
Is there a grace period for a non-functional unsubscribe link?
- If the unsubscribe is not honored in 2 days, then it would not meet the requirement.
When will I see the blue “Unsubscribe” option next to my From address in the messages I send?
- If you have correctly set up the List-Unsubscribe header (according to RFC 8058), and we see sufficient reputation and engagement for your sending email address.
- When testing your List-Unsubscribe setup, please use Yahoo webmail: https://mail.yahoo.com/
What is the Complaint Feedback Loop?
- The Complaint Feedback Loop (CFL) is a service that provides a report (in ARF format) back to the sender of an email message once a user marks it as spam.
- In order to receive these reports, your DKIM domain(s) (d= part of the DKIM signature) must be enrolled in the service. More information can be found at: https://senders.yahooinc.com/complaint-feedback-loop/
How do I know if I need to enroll in the Complaint Feedback Loop (CFL)?
- If you are a bulk email sender, your domain should be enrolled in the CFL to manage and monitor complaints for your emails.
- If you use an email service provider (ESP) to send your email, they will generally enroll your domain on your behalf and process complaints. Please check with them to ensure you are enrolled.
If I already enrolled in the Complaint Feedback Loop (CFL) via the previous form, do I need to enroll again?
- Yes, in order to continue receiving complaint reports (ARFs), you will need to sign up for a Sender Hub account, add and verify your domains, and enroll them in the CFL via the new system.
Will there be a grace period if we cannot complete the Complaint Feedback Loop enrollment in the new Sender Hub Dashboard system by the deadline?
- No, you will stop receiving ARF reports if you are not set up in the new database by August 1, 2024.
How do I know if my CFL enrollment was successful?
- In your Sender Hub profile, under the Manage Services → Complaint Feedback Loop section, it will show the enrollment status of domains that have been added to your account and verified. If you do not see the domain you are looking for, you must first add it under the Domains section of your account, and verify it.
Can I use any reporting email address for the CFL?
- Yes, it can be any address that you control for the enrollment. It does not need to match the From/DKIM signed domain.
- Note: You will need to verify control of this address during the enrollment process by receiving a code and entering it. After this one-time verification process, you will be able to use the same address to enroll additional domains in the CFL.
If I enroll my organizational domain, will my sub-domains be automatically enrolled?
- ARF reports are sent if the DKIM domain is enrolled and emails matching the DKIM domain (d= in the signature) are marked as spam.
Does Yahoo offer an IP-based feedback loop?
- Yahoo no longer offers IP or CIDR-based CFL reporting.
How do I update or delete my CFL record?
- Simply log in to your Sender Hub account, click on Manage Services → Complaint Feedback Loop and edit the enrollment delete the enrollment for your domain(s).
Will I also receive ARFs for AOL?
- Yes, we will send ARF reports for any of the thousands of domains we host and support.
What is the format of a CFL report?
- All reports are provided in the Abuse Reporting Format (ARF). They include the full email headers, the original message body and some additional machine readable meta-data.
- Email header information specific to Yahoo ARF reports:
- The From: header reads: 'Yahoo! Mail AntiSpam Feedback'.
- The SMTP MAIL FROM (envelope sender) is formatted as: 'feedback@arf.mail.yahoo.com'.
- CFL is DKIM signed with domain 'arf.mail.yahoo.com'.
- Abuse Reporting Format basics
- The Abuse Reporting Format is used by most complaint feedback loops. They're meant to be extensible and typically provide generic spam reporting info. The reports are provided in MIME format.
- The report includes at a minimum 3 parts:
- A plain text part with a generic message
- A MIME formatted part - machine readable meta-data
- The original message
- Review an example report from the ARF RFC.
- If you are unfamiliar with any of the topics discussed above, we recommend these resources from Wikipedia or IETF to learn more:
- Abuse Reporting Format - The standard format for Complaint Feedback Loop reports.
- MIME Format - Multipurpose Internet Mail extensions internet standard.
- Complaint Feedback Loop - Interorganizational feedback program for spam related user complaints.
- RFC 5965 - An extensible format for email feedback reports (ARF).
What is DMARC?
- Yahoo strongly urges senders to publish a DMARC policy for each domain that sends mail.
- DMARC (Domain-based Message Authentication, Reporting & Conformance) is a technical specification created by a group of organizations that want to help reduce the potential for email-based abuse by solving a couple of long-standing operational, deployment, and reporting issues related to email authentication protocols.
- DMARC standardizes how email receivers perform email authentication using the well known SPF and DKIM mechanisms. This means that senders should experience consistent authentication results for their messages at any email receiver implementing DMARC.
- A DMARC policy lets a sender indicate their emails are protected by SPF and/or DKIM. It tells a receiver what to do if neither authentication passes, such as rejecting the message. DMARC removes guesswork from the receiver's handling of these failed messages, limiting or eliminating the user's exposure to potentially fraudulent and harmful messages. DMARC also provides a way for the email receiver to report back to the sender about messages that pass and/or fail DMARC evaluation.
- Senders use DKIM (Domain Keys Identified Mail) to create a signature of the content of email messages.
- Senders use SPF (Sender Policy Framework) to specify the list of IPs which are allowed to send mail for a domain.
- DMARC policies are published in the public Domain Name System (DNS), and available to everyone. The IETF has accepted the DMARC specification as an Independent Submission and it is published as RFC 7489.
How will DMARC improve deliverability?
- DMARC allows senders to specify how receivers can act on email which may not be sent from their domains. Depending on the policy published by the sender it may get rejected, or go to the spam folder or no action may be taken.
- DMARC primarily protects you from third parties forging your domain. If that is a current problem for you, it will probably also improve deliverability.
How does Yahoo use DMARC?
- Yahoo strongly urges senders to publish a DMARC policy for each domain that sends mail.
- DMARC, an industry consortium to promote safer email and reduce spoofing, is supported and honored by Yahoo.
- If a domain is protected by DMARC with “p=reject”, any message without a proper DKIM signature or SPF alignment will be rejected by Yahoo's mail servers.
- Yahoo also publishes DMARC policies as a sender that guides receivers (including Yahoo, Aol, Hotmail, and Gmail) to reject email (p=reject) that may not be legitimately sent by Yahoo.
- Our DMARC policy proactively protects our users from email spam that mimics Yahoo's email addresses from other mail servers. This helps secure our users' email identities from being used by unauthorized senders, however, it can also interfere with some long-standing uses of identities that are authorized by the user but not verifiable.
- For more information, see our Sender Requirements & Recommendations, DMARC.org, DKIM.org, and OpenSPF.org.
What is SPF?
- SPF (Sender Policy Framework) is an email validation protocol designed to detect and block email that originates from outside the specific set of IP addresses that a domain has authorized.
- SPF records allow Yahoo to reject messages which originate from IPs not listed in the domain's SPF record.
- For details, please refer to the SPF site.
What is DKIM?
- DKIM (Domain Keys Identified Mail) is an email authentication standard. It uses a public/private encrypted key approach to authenticate the domain responsible for an email.
- DKIM lets senders digitally sign their emails sent to Yahoo mail accounts, associating the digital signature with the actual domain name of that organization.
- DKIM enables Yahoo to associate a message verifiably with a specific handler and ensure that it has not been changed since the signature was added.
- For more information, please refer to the DKIM site.
What DKIM key length does Yahoo require?
- We require a DKIM key length of 1024 bits or greater
- We recommend a 2048-bit key length for improved security, if possible
How are multiple DKIM signatures evaluated?
- Yahoo evaluates all DKIM signatures and uses the results to determine DMARC alignment, to calculate reputation, and ascertain CFL fulfillment.
- If a mail message has multiple DMARC-aligned signatures and they do not all pass, Yahoo does not guarantee that it will pass DMARC.
How does Yahoo determine a mailer's overall reputation?
- Yahoo considers many factors including, but not limited to:
- IP address reputation
- URL reputation
- Domain reputation
- Sender reputation
- ASN (Autonomous System Number) reputation
- DKIM (DomainKeys Identified Mail) signatures
- DMARC (Domain-based Message Authentication Reporting and Conformance) authentication
- Even if you have a reputable sending history, users can vote your email as spam and affect your overall reputation.
- So, if you want to get your emails to the inbox, our Sender Requirements & Recommendations recommends sending relevant content to the users who want it and have opted to receive it.
My domain reputation is good — but my message is in the spam folder. Why?
- Mail can be redirected to the Spam folder for various reasons. A combination of poor reputation and high complaints can cause mail to be directed to the Spam folder.
- We usually do not redirect mail to the Spam folder for poor reputation alone. It can be a combination of reputation with other poor mailing characteristics like:
- Obfuscation of URL's in body of mail
- IP's which do not have a FQDN in their rDNS
- Not RFC compliant
- We also recommend that you adhere to our Sender Requirements & Recommendations requirements for sending mail.
What actions can a sender take to improve delivery to Yahoo domains?
- Yahoo strongly urges senders to publish a DMARC policy for each domain that sends mail.
- Review our Sender Requirements & Recommendations and make changes where appropriate.
- Opt out users who have marked your email as spam in the past. Enroll in the Yahoo CFL program to get that information.
- Send different email content types via separate IPs and streams. If you start sending unsolicited commercial email using the same IPs as transactional email, your sending reputation can be impacted.
- Make sure your emails are DKIM signed. DKIM signature helps Yahoo authenticate that email is safe, secure and from the senders who claim to send it.
- Control your email traffic. If you send emails at a certain rate and suddenly have a spike of activity, you could get flagged as a compromised sender and marked as spam. Instead, plan your campaign and spread it out over a period of time.
- Check your email content. If the subject lines are not helpful or appear to be generic, users may not be interested and mark it as spam. When many users mark an email you send as spam, it can impact your overall deliverability.
- Publish reverse DNS (PTR) records for your sending IPs. Yahoo is more likely to downgrade an IP's sending reputation if there isn't a reverse DNS entry for your IP address. Not having a reverse DNS entry can cause your mailing IP to look like a dynamically-assigned IP instead of a static mail server.
How can I get my Email delivered to Yahoo inboxes?
- Yahoo advises senders to adhere to high-quality methods to improve deliverability. See our Sender Requirements & Recommendations.
- Yahoo understands email is a mission critical real-time service for all its users. No one wants to miss an email or have it delayed. We work very hard to ensure a high quality of service so the right mail reaches the right user at the right time.
- At the same time, we have to make sure our users are protected from unwanted email, especially spam, viruses and malware. To that end, we have a complex anti-spam filtering system that weeds out unwanted email before it reaches the inbox.
- There are several factors that determine which emails land in the inbox and which goes to spam. Even if Yahoo's systems are not filtering out the email, the user may have specifically blocked certain domains and email addresses. These user rules will override the determination by Yahoo's spam filtering system and still put the email in the spam folder. Again, this is entirely between the sender and user.
Can Yahoo whitelist my IPs?
- No. The term whitelisting tends to imply guaranteed inbox delivery. Yahoo does not have a whitelisting program.
- If you are having difficulty sending to us or have reason to anticipate difficulty (a large launch or a legal notification, for instance) you can notify us by submitting a Sender Support Request.
- Based on our review, we'll modify your reputation in our systems if needed. Keep in mind that still doesn't guarantee inbox delivery.
I just added IPs/domains to my account but they can't send. Why?
- If you're having difficulties sending to a Yahoo email address and are a new sender or have a new IP, fill out the Sender Support Request. Make sure to include the error and diagnostic codes in your logs.
- We'll review the info provided and will modify your reputation as needed.
- Keep in mind we cannot guarantee inbox delivery and you should always follow our Sender Requirements & Recommendations.
What is the maximum message size Yahoo accepts?
- Yahoo will accept an attachment up to approximately 25 megabytes but various factors may influence how large a document you can attach.
- This size limit cannot be configured by the member, nor adjusted by the Postmaster team.
How do I report abuse by Yahoo customers?
- If you receive content from any Yahoo domain that violates our Terms of Service, let us know right away.
- In many cases, you can report inappropriate content directly from our products by reporting the message as Spam.
- If a Yahoo mail account is sending you Spam, you can inform us via the Report Abuse form.
- When reporting junk, abusive or unwanted email from Yahoo members, please include the full text of the message along with the full header information. Lacking the header information, we cannot determine the actual source of the email.
I published a BIMI record but my logo is not displayed. Why?
- Yahoo will display your BIMI logo if:
- A BIMI record exists which points to a valid logo in SVG format
- A DMARC policy of quarantine or reject is in place
- The mailing is sent to large number of recipients (bulk mail)
- And we see sufficient reputation and engagement for the email address
- If you just updated your BIMI record, it can take time for the change to propagate across our systems. The best place to check is on the web, with a clear cache, at https://mail.yahoo.com/.
- If you think all of the requirements are met and you have checked via a new web session, but still no logo is displayed, please reach out to mail-questions@yahooinc.com and provide as much details as possible.