In its 2003 Project Lumos white paper, the ESPC outlined the path to curbing spam, phishing, and other abusive e-mail practices. In it, the plan was made to push for widespread adoption of authentication services by senders and receivers first, and then to layer on reputation and accreditation services after that.
In a report released today, the ESPC found that 16 of the top 18 ISPs in the U.S. was applying authentication to outgoing e-mails, and eight of those ISPs were also checking for inbound authenticated e-mail and applying some sort of filter to the mail as a result.
Yahoo, Microsoft and Google were found to be the most assertive in their use of authentication. Yahoo and its cable and telecom partners are verifying incoming messages and signing outgoing messages using the DomainKeys cryptographic method, filtering e-mail as a result, and notifying users of passing and failing results. Microsoft performs similar functions using SPF and Sender ID records.
Google, whose Gmail is much smaller than Yahoo mail or MSN's Hotmail, is going all-out and matching Yahoo's use of DomainKeys, and also publishing SPF records for outgoing messages. Among other notable ISPs, AOL is publishing SPF and Sender ID records on outgoing messages, but not yet doing anything with incoming messages. Earthlink is signing messages with DomainKeys. A few other ISPs on the list, like Verizon, Roadrunner and NetZero, are publishing SPF records.
The full report is available at the ESPC's site.