SMTP / DMARC / Webpage

Nutshell:

Website mailto: form started bouncing emails from Yahoo.

Web hosting company says this is “DMARC” policy controlled by Yahoo, also in place for a few other big domains (aol.com / gmail.com). They say that “yahoo won’t send” because the web page is not a yahoo server, but this seems a wrongheaded idea about how SMTP actually works.

I say SMTP is between their web server and their mail server and it is their web server doing some kind of DMARC checking, and they probably could have a whitelist of IPs or other recognition that the sending server is THEIR OWN.

Workaround was to hardcode the sending address to be the same as the receiving address, which is not as handy, and make the email address that used to be the sender just be text data on the form.

So who is correct - tech support at the web hosting company or me?

And if they had a clue about mail server configuration, could they whitelist their web server(s) in some way and keep the traditional mailto: functionality despite DMARC being implemented with “reject” by some domains?

All the big webmail providers moved to this system a few years back in an effort to cut down spam and unauthenticated fake emails.

Basically, the easy old days of being able to send an email as whoever by just changing the from: field are coming to an end. Nowadays most bulk/third-party senders would set the from address to something like “you@yourcompany.com via bulkemailsender.com” (no-reply@bulkemailsender.com) and then use the reply-to field to set “you@yourcompany.com”. This is the way the webmail companies want you to do it.

If you use G Suite (google’s enterprise email etc service) you can add additional hosts to your whitelist like you wanted to, but I would assume free consumer products from them and Yahoo don’t offer this level of customization. Edit: Actually, it’s been months since I tinkered with that particular setting. I am not sure that a whitelist will fix this particular problem. I think you can publish a more lenient policy that does allow sender masquerading, but then I think recipient servers will increase your spam score due to that lenient policy, so it’s probably not the best idea anyway.
**The alternative is to actually log in as that user (via SMTP) to Yahoo and to actually send as that person through Yahoo, not just pretend to be them by setting the From: field.** PHPMailer has support for authenticated SMTP built in, you just have to configure it to use that instead of the local mail daemon.

You can also use a transactional email service like Mandrill or SendGrid (again using a legitimate, real @mandrill.com or @sendgrid.com address that forwards to your email, and also a reply-to address that goes straight to you.)
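The “From: you via yoursite, Reply-To: you” pattern the reply above describes, as an added example (not code from the thread, the web host or PHPMailer). SITE_DOMAIN, the noreply and webmaster mailboxes, the SMTP host and the credentials are placeholders; the point is that the header From ends up on the site’s own domain, so the site’s own SPF/DKIM can align with it, while the visitor’s real address survives in Reply-To.

```python
"""Build a web-form notification so it can pass the recipient's DMARC check:
header From on the site's own domain, submitter in Reply-To, handed to the
site's own MTA over authenticated SMTP. Added example; all names are placeholders."""
import re
import smtplib
from email.message import EmailMessage
from email.utils import formataddr, parseaddr

SITE_DOMAIN = "example.com"                 # hypothetical site domain
NOREPLY_ADDR = f"noreply@{SITE_DOMAIN}"     # header From and envelope MAIL FROM
FORM_INBOX = f"webmaster@{SITE_DOMAIN}"     # where form submissions are delivered

# Loose syntactic check whose real job is to reject junk and header-injection
# attempts (CR/LF, whitespace, angle brackets) before anything reaches a header.
_ADDR_RE = re.compile(r'^[^\s@<>,;"]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$')


def clean_header_text(value: str, limit: int = 200) -> str:
    """Drop CR/LF and other non-printable characters; cap the length."""
    value = "".join(ch for ch in value if ch.isprintable())
    return value.strip()[:limit]


def build_form_message(submitter_name: str, submitter_addr: str,
                       subject: str, body: str) -> EmailMessage:
    """Return a message whose RFC5322.From is on SITE_DOMAIN.

    Putting the visitor's yahoo.com address in From, as the old form did,
    fails Yahoo's p=reject at any DMARC-enforcing receiver. Here From is the
    site's noreply address with the visitor named in the display name, and
    the visitor's address goes in Reply-To so 'Reply' still reaches them.
    """
    submitter_addr = submitter_addr.strip()
    if not _ADDR_RE.fullmatch(submitter_addr):
        raise ValueError(f"rejecting malformed submitter address {submitter_addr!r}")
    name = clean_header_text(submitter_name) or submitter_addr

    msg = EmailMessage()
    msg["From"] = formataddr((f"{name} via {SITE_DOMAIN}", NOREPLY_ADDR))
    msg["Reply-To"] = formataddr((name, submitter_addr))
    msg["To"] = FORM_INBOX
    msg["Subject"] = clean_header_text(subject) or "Website contact form"
    msg.set_content(f"Submitted by: {name} <{submitter_addr}>\n\n{body}")
    return msg


def header_from_domain(msg: EmailMessage) -> str:
    """Domain of the RFC5322.From address, the identifier DMARC aligns on."""
    return parseaddr(str(msg["From"]))[1].rpartition("@")[2].lower()


def reply_to_address(msg: EmailMessage) -> str:
    return parseaddr(str(msg["Reply-To"]))[1].lower()


def submit(msg: EmailMessage, host: str, port: int, user: str, password: str) -> None:
    """Authenticated submission (STARTTLS on 587) to the site's own MTA.

    The envelope sender is NOREPLY_ADDR, so the domain SPF evaluates is
    SITE_DOMAIN and aligns with the header From set above.
    """
    with smtplib.SMTP(host, port, timeout=30) as smtp:
        smtp.starttls()
        smtp.login(user, password)
        smtp.send_message(msg, from_addr=NOREPLY_ADDR, to_addrs=[FORM_INBOX])


if __name__ == "__main__":
    demo = build_form_message("Alice", "alice@yahoo.com", "Hello", "Test body")
    print(demo)
    # submit(demo, "smtp.example.com", 587, "formbot", "secret")  # placeholder credentials
```

The same shape applies to a transactional service: the service’s address goes in From and the visitor stays in Reply-To, which is exactly what the reply describes for Mandrill or SendGrid.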

No. Well, not only.
Their web server probably does use SMTP to get the mail to their email server.
Then their email server SMTP’s it onto another … until it gets to yahoo.
If someone along the way respects the yahoo DMARC setting, then it rejects the email.
Your “workaround” just prevents you getting the bounce back, it doesn’t help get the mail through.

The work around sends the web form data from a non-DMARC email address to a receiving address so it does get the data there.

My question is whether a mail server can be configured to allow emails from a DMARC domain by not doing the DMARC check for certain servers.

Isn’t the communication SMTP from a web server to my domain’s mail server with Yahoo not involved in the SMTP dialog, except as the receiving mail server elects to do a verification by communicating with yahoo?

Yes, but Yahoo is not going to do that for your random website.

What your webhost meant is that Yahoo is not going to allow your website to pretend to be one of its email servers. It has nothing to do with SMTP. It’ll get delivered to Yahoo just fine, at which point Yahoo will look at the headers, realize that the from: address is pretending to be Yahoo, check its own DMARC policy, and reject your email because your host is not one of Yahoo’s allowed senders.

(Or if you’re sending from a yahoo address to another recipient domain, they’ll check Yahoo’s policy, still realize that your server/domain isn’t on Yahoo’s allowed sender list, and reject it.)

Your domain can be whitelisted either from Yahoo’s side or from your recipient domain’s side. Or you can run your own email domain separate from yahoo.com and set your own DMARC policy.
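What the receiving server actually does at the step described above, as an added example of the DMARC (RFC 7489) disposition logic; this is not code from the thread or from any real mail server. The DMARC records stand in for the `_dmarc.<domain>` TXT lookup and the SPF/DKIM results stand in for the authentication the MTA has already run; both are constructed. Organizational-domain detection is simplified to the last two labels (real implementations use the Public Suffix List) and the `sp=` subdomain tag is not handled.

```python
"""Minimal DMARC disposition check as a receiving MTA would run it.
Added example with constructed records and authentication results."""
from email.utils import parseaddr

# Constructed stand-ins for the TXT record published at _dmarc.<domain>.
DMARC_RECORDS = {
    "yahoo.com": "v=DMARC1; p=reject; adkim=r; aspf=r",
    "example.com": "v=DMARC1; p=none; aspf=s",   # hypothetical site domain
}


def parse_dmarc(record: str) -> dict:
    """'v=DMARC1; p=reject; aspf=r' -> {'v': 'DMARC1', 'p': 'reject', 'aspf': 'r'}"""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError(f"not a usable DMARC record: {record!r}")
    return tags


def org_domain(domain: str) -> str:
    """Simplified organizational domain: the last two labels (no PSL handling)."""
    labels = domain.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def lookup_policy(from_domain: str):
    """Record at the From domain, else at its organizational domain; None if neither."""
    for candidate in (from_domain, org_domain(from_domain)):
        if candidate in DMARC_RECORDS:
            return parse_dmarc(DMARC_RECORDS[candidate])
    return None


def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """Identifier alignment: strict ('s') needs an exact match,
    relaxed ('r') needs the same organizational domain."""
    a, f = auth_domain.lower(), from_domain.lower()
    return a == f if mode == "s" else org_domain(a) == org_domain(f)


def dmarc_disposition(header_from: str, spf_domain: str, spf_pass: bool,
                      dkim_pass_domains: list) -> str:
    """Return 'pass', the From domain's policy ('none'/'quarantine'/'reject')
    when nothing aligns, or 'no-policy' when the From domain publishes nothing.

    header_from:       the RFC5322.From header value
    spf_domain:        the envelope MAIL FROM domain that SPF evaluated
    dkim_pass_domains: d= values of DKIM signatures that verified
    """
    from_domain = parseaddr(header_from)[1].rpartition("@")[2].lower()
    policy = lookup_policy(from_domain)
    if policy is None:
        return "no-policy"
    spf_aligned = spf_pass and aligned(spf_domain, from_domain, policy.get("aspf", "r"))
    dkim_aligned = any(aligned(d, from_domain, policy.get("adkim", "r"))
                       for d in dkim_pass_domains)
    if spf_aligned or dkim_aligned:
        return "pass"
    return policy["p"]


if __name__ == "__main__":
    # The original form: visitor's Yahoo address in From, sent by the host's own MTA.
    # SPF and DKIM may both pass for the host's domain, but neither aligns with yahoo.com.
    print(dmarc_disposition('"Alice" <alice@yahoo.com>',
                            spf_domain="mail.webhost.example", spf_pass=True,
                            dkim_pass_domains=["webhost.example"]))   # reject
    # The workaround: From on the site's own domain, visitor moved out of From.
    print(dmarc_disposition("noreply@example.com",
                            spf_domain="example.com", spf_pass=True,
                            dkim_pass_domains=[]))                    # pass
```

The first call is the bounce in the thread: the mail is delivered over SMTP to whichever MTA is the recipient, that MTA fetches Yahoo’s policy, finds that neither authenticated identifier is yahoo.com, and applies `p=reject`. Nothing in the path asks a Yahoo mail server anything; the only contact with Yahoo is the DNS lookup.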

The mailto is not going to a yahoo address from the web page. It just happens to be FROM a yahoo address.

My point is that the receiving email server (which is hosted by the web host company) is enforcing DMARC and bouncing the yahoo emails because (of course) the mail is from a server that really isn’t a Yahoo mail server.

They don’t have to do things that way, they could have an exception to DMARC on the mail server that would allow MailTo: pages which are mailing to email accounts they host to send FROM any email address a user types in.

If there are other reasons not to do this, I’d be willing to hear from the web services company why it is ill-advised or impractical or whatever (I suspect the real reason is they don’t actually administer the mail server and they are not the true hosts of our web server and mail server). What I think is misleading is their explanation that implies that the email from the web server to our domain’s email server is somehow routed through Yahoo and Yahoo is doing the bounce. Yahoo’s policies are causing the bounce because our domain’s email server is enforcing DMARC. That is different, unless my understanding of SMTP is wrongheaded.

You’re asking the recipient server to ignore yahoo’s DMARC policy for your convenience. That’s not in their interest. That means any of a billion spammers can flood them with fake yahoo emails without an actual account. Why would they want that just to make your life easier?

Sent from my Nexus 6P using Tapatalk

My point was the web hosting company was pretending that it was a yahoo email server bouncing the messages, not their own server. I wanted some confirmation that SMTP still works the way it used to and tech support at web company was blowing some smoke.

The reason they might want to allow spoofing from their own web servers is that this would preserve more convenient mailto: functionality for their customers. Any spam would come to my inbox.

It’s not like I was asking for open relay on the mail server.

I’d have been happy with an answer about why they need to enforce DMARC for all email from anywhere. I suspect the answer is really “because we don’t administer our own mail servers, we have an upstream company that does that”.

I mean, technically it’s both. Their server is well behaved and is asking the Yahoo mail server to validate the incoming mail as authentic, and Yahoo is telling them it’s not. They are right that it’s a DMARC issue and really has nothing to do with SMTP any more than it has to do with POP3. SMTP is getting it routed to their mail server just fine, and then a separate server to server check is causing the message to bounce back after the routing. By the time DMARC takes effect, SMTP has already done its job and is entirely out of the picture.

SMTP still works the way it used to, but DMARC evolved to supplement it to prevent exactly what you’re trying to do.

You’re asking your host to go against industry standard best practices and ignore yahoo’s DMARC policy? They may be able to do that for just your email server if you’re paying for a dedicated one, but if you’re just sharing email with a bunch of other customers that may not be possible. It’s not quite an open relay but it opens up their customers to a whole lot of spam pretending to be from yahoo.


I’m not following the OP’s underlying problem or goal. Websites send mail all the time. Why is this difficult?

Said another way, why has the OP chosen this particular method, that won’t work, when lots of other websites don’t have any problems because they use a different method or configuration or from policy or something.

I get the feeling that we’re being asked to debug a problem occurring in a process between steps 4 and 5 when the real remedy is to stop doing something silly on a step 2 we know nothing about.
So backing up to first principles, please Mr. OP: tell us what business process you’re trying to achieve, and what all the steps are. Don’t just jump to “I want to send an email that purports to be from yahoo from a non-yahoo server.”