We have begun testing several technologies to provide a more secure email identity. These technologies secure the domain portion of the email address. This along with the use of several best practices must be implemented in parallel to help secure the sender identity.

Many organizations employ filtering technology. Others use publicly available information about potential sources of spam. Still others construct elaborate rules that determine which senders are allowed to connect or deliver mail to their networks and which are blocked.

Over time their effectiveness degrades due to increasing innovative spammer tactics. The burden to keep up with these new tactics falls to ISPs, Mailbox Providers, enterprises and consumers. Also, these approaches fail to address the root of the problems: first, sending junk email is profitable for spammers; and second, email messages today do not contain enough reliable information to enable recipients to decide if messages are legitimate.

First, the introduction of programs to better establish sender identity and encourage the development of trust or reputation systems may involve privacy and legal issues. We remain sensitive to these issues and seek to emphasize technologies and approaches that allow for freedom of expression to continue. Second, it is important to note that some of the ideas or approaches have already been put forth and recommended by others in the community. We believe some of these ideas have not been implemented due to two primary reasons: One, the approaches require critical mass of mailbox providers to drive standards adoption. Two, There is no single, simple solution that will serve the requirements of the global internet population.

Simply put, all abusive traffic emanating from an ISP on port 25 is the responsibility of that ISP to control. If the ISP does not reasonably control abusive traffic, it is at risk of being blocked by other ISPs. This policy applies equally to network and backbone providers and their downstream customers.

We recommend the following best practices: close all open relays, monitor formmail.pl and other CGI applications, configure proxies for internal network use only, detect and quarantine compromised computers, implement authenticated email submission, remove remote access to CPE, implement rate limits on outbound email traffic, control automated registration of accounts, close web-based redirector services susceptible to abuse, develop complaint reporting systems and subscribe to existing systems. More details about these procedures can be found in the document.

Do not harvest email addresses, always provide easy and quick opt-out options, do not send email using invalid or forged headers or domain names, do not hide or obscure information about the true origin, do not use third-party equipment or names without permission, do not include false or misleading subject or content, monitor SMTP responses, consider working with an email accreditation company, and use different IPs based on the type of mail or customer.

Many users today have not activated available options in their computer software that can protect them from spammers and hackers. Consumers should learn about these features and ensure that they are using the right level of protection for their needs. Consumers should also install firewalls on their PCs and use up-to-date anti-virus software along with other screening tools.

There are two different approaches to help with this problem. First, an IP based solution, domain owners can publicly publish the IP addresses of the mail servers authorized to send mail on behalf of their domains. This allows the receiver of the mail to validate the domain information in the headers of the incoming message. Second, a Content Signing (CS) approach, CS systems use public key/private key pairs to generate signatures that are used for sender verification.