Yahoo's Feedback Loop and DKIM

Overview

Yahoo's feedback loop differs from others in that you register DKIM keys (or DomainKeys) rather than IP addresses. Yahoo then forwards spam complaints about emails signed with the registered DKIM keys to the email address that you designate.

This page discusses DKIM and how it relates to Yahoo's feedback loop in detail. If you'd like a broader overview of Yahoo's feedback loop, including information on how to apply, please refer to the Yahoo Feedback Loop page.

DKIM and DomainKeys

In order to sign up for Yahoo's feedback loop, you have to sign emails with DKIM.

DKIM (DomainKeys Identified Mail) is an email validation system which allows email senders to cryptographically sign messages, and email receivers to verify those cryptographic signatures. This involves a few steps:

  1. The sender generates a public/private key pair. The contents of the private DKIM key are kept secret, while the public DKIM key gets posted to a DNS TXT record.
  2. The sender digitally signs each message that it sends using the private DKIM key, and inserts the signature into the email's headers. Here's an example DKIM signature:

    DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; s=mandrill; d=dnscheck.co;
     h=From:Subject:Message-Id:To:Date:MIME-Version:Content-Type; [email protected];
     bh=LFRGgsTdj2wk/cv4Wbz7vIUEynI=;
     b=ZvOEktkwsWwVNqBo/Kk1EfGTW/GLUg1hejOjzSf7oCsuHNnsB1JuhM9Z3DKQGJ0hAtWPAGNWs8Ns
       qXKN9JFDEsMOnaz4S6ySrvwRTWdafU3RArkuZvNEBPuGCmypW9RWxYW36/OqKaTHJiiD+I1/4X1O
       TRPj/+78vbfhSFwm58o=

  3. When the receiver receives a DKIM-signed email, they look up the DNS record which holds the public DKIM key, and use it to validate that the email was signed using that DKIM key.
  4. The receiver may use the results of the DKIM authentication in a number of different ways. Here are some examples:
    • Emails with valid DKIM signatures from domains which have established a positive sender reputation may have better odds of going to the Inbox instead of the Spam folder.
    • Yahoo's feedback loop requires DKIM. If you're signing your emails using DKIM, and a Yahoo subscriber marks it as spam, you can find out about the spam complaint via Yahoo's feedback loop. If you aren't signing your emails using DKIM, then this information isn't available to you.
    • Gmail does not have a traditional feedback loop, but if you sign your messages using a 1024-bit or longer DKIM key, and include a List-Unsubscribe header, then Gmail makes an extra unsubscribe option appear which reduces the risk of actual spam complaints being generated. They'll also notify you about those complaints which still do occur via the List-Unsubscribe header.

Each DKIM key is uniquely identified by the combination of its domain and its selector. There may be many DKIM keys for a single domain name, and many DKIM keys that use the same selector, but only one valid DKIM key can exist for each unique domain name / selector combination. This is because each domain / selector combination has its own DNS TXT record, where the public key is stored.

Technically speaking, an email can be signed using any DKIM key, even if that DKIM key's domain appears nowhere else in the message. All other things being equal, it's preferable to sign the message using a DKIM key that's at the same domain as the From address.
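
To make the domain / selector relationship concrete, here is an added example (not code from this page's author) that parses a DKIM-Signature value, derives the DNS TXT record name where the public key lives, and checks whether the signing domain matches the From address. The header is abbreviated from the sample above; the From addresses and function names are assumptions made for illustration, and the domain comparison is a simplified parent-domain check.

```python
import re

# Abbreviated from the page's sample signature (b= truncated, i= tag omitted).
SAMPLE_HEADER = (
    "v=1; a=rsa-sha1; c=relaxed/relaxed; s=mandrill; d=dnscheck.co;\r\n"
    " h=From:Subject:Message-Id:To:Date:MIME-Version:Content-Type;\r\n"
    " bh=LFRGgsTdj2wk/cv4Wbz7vIUEynI=;\r\n"
    " b=ZvOEktkwsWwVNqBo/Kk1EfGTW/GLUg1hejOjzSf7oCsu"
)
SAMPLE_FROM = "news@mail.dnscheck.co"  # constructed From address


def parse_dkim_tags(value):
    """Split a DKIM-Signature header value into a {tag: value} dict."""
    tags = {}
    for part in value.split(";"):
        name, sep, val = part.partition("=")
        if not sep:
            continue  # empty or malformed entry with no '='
        # Folding whitespace inside a tag value is not significant.
        tags[name.strip()] = re.sub(r"\s+", "", val)
    return tags


def key_record_name(tags):
    """DNS TXT name that holds the public key for this domain/selector pair."""
    return f"{tags['s']}._domainkey.{tags['d']}".lower()


def signing_domain_matches_from(tags, from_addr):
    """True if d= equals the From domain or is a parent domain of it."""
    from_domain = from_addr.rsplit("@", 1)[-1].lower().rstrip(".")
    d = tags["d"].lower().rstrip(".")
    return from_domain == d or from_domain.endswith("." + d)


if __name__ == "__main__":
    tags = parse_dkim_tags(SAMPLE_HEADER)
    print("key identity :", (tags["d"], tags["s"]))
    print("TXT record   :", key_record_name(tags))
    print("matches From :", signing_domain_matches_from(tags, SAMPLE_FROM))
```

The (domain, selector) pair printed first is what uniquely identifies the key, and the TXT record name is where a receiver would look up the public key.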