OK, so I’m stretching for a clever title there. But the good news is that Microsoft has now joined AOL, Earthlink, and other large email providers by publishing Sender Policy Framework records for all its e-mail addresses, and is using SPF validation to scrutinize inbound mail.
The company is strongly urging e-mail providers and Internet service providers (ISPs) to publish Sender Policy Framework (SPF) records that identify their e-mail servers in the domain name system (DNS) by mid-September. Microsoft will begin matching the source of inbound e-mail to the Internet Protocol (IP) addresses of e-mail servers listed in that sending domain’s SPF record by Oct. 1. Messages that fail the check will not be rejected, but will be further scrutinized and filtered, said Craig Spiezle, director of Microsoft’s Safety Technology and Strategy Group.
Basically it works like this: If my address is at example.com and someone with an aol.com address sends me an email, the example.com server will receive a request from an aol.com server to send a message. The example.com server then checks to see if the contacting server is listed in the SPF record in the aol.com DNS. If it is, then I know the mail is really from AOL. If it’s not, then I know it’s a spoof. This doesn’t stop spam, but it at least makes servers truly accountable for spam, so the griping goes to the right place, and blacklists can be more accurate.