Allow a yahoo user to choose not to see what are self-evidently spam emails
This is written 9-Jan-2023 and based on the hard evidence from examining headers of spam emails that have arrived recently at my yahoo address.
It is crystal clear that yahoo is now checking the Authentication-Results values and using those to accurately route spam emails sent to me into my spam folder.
BRAVO and A VERY BIG THANK YOU.
The few spam emails that still arrive in my In-Box I can see have a Received-SPF: value of pass. Tightening the logic by making Authentication-Results the overriding criterion whatever the Received-SPF value will solve that issue immediately.
From the significant volumes of 'good' emails being routed by yahoo to other users' spam folders it would appear that many senders have still not implemented Domain-based Message Authentication Reporting and Conformance. That is not anything that yahoo can do something about. The answer can only be yahoo users insisting that their 'good' senders comply with good practice and put in place what are now basic security safeguards.
Allowing a yahoo user the option on the Security and Privacy screen to no longer see emails that fail authentication would save a lot of time currently spent on blocking addresses and domains sending the spam. This would only require adding a single tick-box. Selecting this box would activate this logic (or something very similar):
Check 1:
IF ‘Received-SPF:’ = ‘none’ OR ‘error’ OR ‘fail’ THEN do not deliver the email but delete it instead
IF ‘Received-SPF:’ = any different value, then proceed to Check 2
Check 2:
IF in ‘Authentication-Results:’
Any mention of ‘dkim=’ ‘unknown’ OR ‘perm_fail’ THEN do not deliver the email but delete it instead
IF ‘dkim=’ is any different value, then proceed to Check 3
Check 3:
IF in ‘Authentication-Results:’
‘dmarc=’ is ‘unknown header.’ OR ‘fail(p=NONE)’ OR ‘pass(p=REJECT)’ OR ‘pass(p=QUARANTINE)’ OR ‘pass(p=NONE)’ THEN do not deliver the email but delete it instead
IF ‘dmarc=’ is any different value, then deliver the email to the In-Box and let the recipient decide whether to categorize it as spam.
I appreciate that this might impact the yahoo internal statistics for email traffic delivered. However, that could also be resolved very simply by adding in a new delivery category of 'Delivery processed but email failed authentication'.
Activating this authentication logic does run the risk that some 'good' emails may never be delivered to me. However, I am entirely comfortable with assuming that risk and in the grand scheme I suspect that on balance a majority of other users will make the same choice.
What will be important is to ensure that the senders of these spam emails are never informed that delivery was made to a mass-delete temporary holding area, rather than to the intended recipient.
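
The three checks above, applied with the values exactly as listed in the post, as an added example (not code from the post or from Yahoo). It assumes the result token directly follows `dkim=` / `dmarc=` with no space, and it reads only Authentication-Results headers stamped with the receiver's own authserv-id; `mx.example.net` and all sample headers are constructed placeholders.

```python
import re
from email import message_from_string

# Values copied from the three checks in the post; compared case-insensitively.
SPF_DELETE = {"none", "error", "fail"}
DKIM_DELETE = {"unknown", "perm_fail"}
DMARC_DELETE = {"unknown", "fail(p=none)", "pass(p=reject)",
                "pass(p=quarantine)", "pass(p=none)"}

def results(msg, method, authserv_id):
    """Result tokens for `method=` from Authentication-Results headers whose
    authserv-id is ours; headers stamped by anyone else can be sender-forged."""
    found = []
    for value in msg.get_all("Authentication-Results") or []:
        serv, _, rest = value.partition(";")
        if serv.strip().lower() == authserv_id:
            found += re.findall(r"\b%s=([^\s;]+)" % method, rest.lower())
    return found

def verdict(raw_headers, authserv_id="mx.example.net"):  # hypothetical id
    msg = message_from_string(raw_headers)
    # The topmost Received-SPF is the one the receiving server prepended.
    spf = (msg.get("Received-SPF") or "").split()
    if spf and spf[0].lower() in SPF_DELETE:
        return ("delete", "check 1")
    # A missing header counts as "any different value" (assumption).
    if any(r in DKIM_DELETE for r in results(msg, "dkim", authserv_id)):
        return ("delete", "check 2")
    if any(r in DMARC_DELETE for r in results(msg, "dmarc", authserv_id)):
        return ("delete", "check 3")
    return ("deliver", "inbox")

# Constructed sample headers (not taken from real mail).
SPF_OK = "Received-SPF: pass (domain of example.org designates 192.0.2.7)\n"
SPF_FAIL = "Received-SPF: fail (domain of example.org does not designate 192.0.2.7)\n\n"
DKIM_BAD = (SPF_OK + "Authentication-Results: mx.example.net;\n"
            " dkim=perm_fail header.i=@example.org; dmarc=fail(p=REJECT)\n\n")
DMARC_LISTED = (SPF_OK + "Authentication-Results: mx.example.net; dkim=pass;\n"
                " dmarc=pass(p=NONE) header.from=example.org\n\n")
UNTRUSTED = SPF_OK + "Authentication-Results: sender.example.org; dkim=perm_fail\n\n"

if __name__ == "__main__":
    for name in ("SPF_FAIL", "DKIM_BAD", "DMARC_LISTED", "UNTRUSTED"):
        print(name, verdict(globals()[name]))
```
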