Long before commercial spam filters were available, ISP administrators and other uber-geeks created so-called “blacklists” of Internet Protocol (IP) addresses used to send spam. Individuals, ISPs and corporations would then set their email servers to reject any messages coming from these addresses. Once the spam merchants discovered their mail was being automatically rejected, they resorted to devious methods: spoofing, or imitating, legitimate email addresses by faking the return address in the message’s “From” field; rerouting email through so-called open relays that forward messages while obscuring where they originally came from; and hijacking other machines, so the spam looks like it came from somewhere else. In the dark underbelly of the Net, malware authors do a brisk trade in renting out their networks of zombie PCs—better known as botnets—to spammers.

So the first step in solving the spam problem is verifying that the message that says it came from "mom@yourisp.com" really did come from dear old mom and not some vile spammer living in a doublewide in Del Ray Beach, Florida. The process is called authentication—essentially Caller ID for your email. There are various ways to accomplish this, but the technologies with the most momentum behind them are Sender Policy Framework (SPF) and Yahoo DomainKeys.

With SPF, Internet service providers and corporations publish their IP addresses on their domain name servers. When mail arrives at your ISP, its servers ...