Sender Policy Framework

Do you manage the mail server for your organization and are you constantly asked questions about emails that appear to originate from authentic members of your org praising the benefits of Viagra?  If so,

the professional reputation of your company is eroding.  So what are you to do?  Remove any reference to company emails on your website?  That's a start, but may not be the best solution if the corporate culture requires this transparency.

May I suggest SPF or Sender Policy Framework, an open standard specifying a technical method to prevent sender address forgery.  More precisely, the current version of SPF -- called SPFv1 or SPF Classic -- protects the envelope sender address, which is used for the delivery of messages.

Even more precisely, SPFv1 allows the owner of a domain to specify their mail sending policy, e.g. which mail servers they use to send mail from their domain.  The technology requires two sides to play together: (1) the domain owner publishes this information in an SPF record in the domain's DNS zone, and when someone else's mail server receives a message claiming to come from that domain, then (2) the receiving server can check whether the message complies with the domain's stated policy.  If, e.g., the message comes from an unknown server, it can be considered a fake.

Once you are confident about the authenticity of the sender address, you can finally "take it for real" and attach reputation to it.  While IP-address-based reputation systems like Spamhaus or SpamCop have prevailed so far, reputation will increasingly be based on domains and even individual e-mail addresses in the future, too.  Furthermore, additional kinds of policies are planned for a future version of SPF, such as asserting that all of a domain's outgoing mail is S/MIME or PGP signed.

Go to http://www.openspf.org for more information and read carefully before deploying.