Fighting Spam at the Server – AOL and SPF
AOL is apparently implementing SPF, or Sender Permitted From, an emerging authentication protocol for preventing e-mail forgeries, or spoofing, at least on a trial basis. It’s puzzling that it has taken so long for this sort of thing to show up – it seems like authenticating the originating server against the sender address in an email should have been a basic characteristic of email from the start, but then again maybe not. Certainly there are good uses for “spoofed” email addresses (we have supporting servers that process transactions and send out confirmation emails, with the sender masquerading as one of our other servers on a different ISP). Without being able to link the originating mail servers somehow, these sorts of benign, utilitarian tricks will be harder to do without additional configuration at the DNS. That’s still probably a lot easier than dealing with all of the spam that we do on a day-to-day basis.
The article says that one downside of SPF is that some spammers use hijacked computers to send out their garbage, and that SPF will validate the sender and deem it okay. While this is true, I’m sure that most spam is not being sent in this way today. SPF might force spammers to start using the hijacking technique more (which would make it the next target for a technical solution), but this type of measure should at least reduce the amount of spam that gets delivered, regardless of how much is sent.
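To make the DNS configuration point and the hijacked-host caveat concrete, here is an added sketch (not from the article or from AOL) of how a receiving server evaluates an SPF record against the connecting IP. The domains, addresses and TXT records are constructed samples, `check_spf` is a hypothetical helper, and only the `ip4`, `include` and `all` mechanisms are handled.

```python
import ipaddress

# Constructed sample TXT records (documentation domains and address ranges).
# BEFORE: only the primary mail range is authorized for example.com.
SPF_BEFORE = {"example.com": "v=spf1 ip4:192.0.2.0/24 -all"}
# AFTER: the supporting server at another ISP is authorized via include.
SPF_AFTER = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 include:helper.example.net -all",
    "helper.example.net": "v=spf1 ip4:198.51.100.25 -all",
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def check_spf(client_ip, domain, txt_records, depth=0):
    """Return the SPF result for client_ip sending as the given sender domain."""
    record = txt_records.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"
    if depth > 10:  # guard against include loops
        return "permerror"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = "+"  # a mechanism with no qualifier means pass
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        if term == "all":
            matched = True
        elif term.startswith("ip4:"):
            matched = ip in ipaddress.ip_network(term[4:], strict=False)
        elif term.startswith("include:"):
            inner = check_spf(client_ip, term[8:], txt_records, depth + 1)
            if inner in ("none", "permerror"):
                return "permerror"  # broken include target
            matched = inner == "pass"
        else:
            return "permerror"  # mechanism outside this sketch
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"  # no mechanism matched and no "all" term

if __name__ == "__main__":
    for ip in ("198.51.100.25", "192.0.2.77", "203.0.113.9"):
        print(ip, check_spf(ip, "example.com", SPF_BEFORE),
              check_spf(ip, "example.com", SPF_AFTER))
```

The supporting server fails until the domain's record includes it, and any host inside an authorized range passes no matter who controls it, which is why SPF results are usually combined with other filtering rather than treated as a verdict on the message.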
I’ll be interested in seeing the results of the trial.