Resources / Standards & implementations
The email standards that are not RFCs.
Much of how spam is actually fought, and how senders are actually judged, lives outside the RFCs: filtering engines, collaborative networks, blocklists, brand-logo programs, provider rules, research corpora, and the law. Here are 45 of them, each linked to its primary source.
This complements the RFC library. The RFCs define the protocol surfaces; the items below are the implementations, operators, and policies built on top. Where we have a deep reference of our own, that is the primary link and the official external source is marked with an arrow (↗); where we don't, the name links straight to the official site. 44 of 45 official links were verified to resolve at build time.
The categories at a glance
Filtering engines
-
Implementation / open-source · Apache Software Foundation
Long-established open-source mail filter that scores messages with a rule framework plus Bayesian, DNSBL, and collaborative-filtering plugins. Its default 5.0 spam threshold and X-Spam-* headers are a de facto reference, but it is not defined by any RFC.
-
Implementation / open-source · Rspamd project
High-performance C-and-Lua spam filtering system that sits between the MTA and the internet, combining authentication checks, RBLs, fuzzy hashing, statistics, and neural networks into a single cumulative score and action. Apache-2.0 licensed; documentation at docs.rspamd.com.
Collaborative / checksum filtering
-
Implementation / collaborative network · Rhyolite Software (Vernon Schryver)
A network of servers that count fuzzy checksums of messages so receivers can detect bulk mail; it measures bulkiness, not spam, and relies on local whitelists for wanted bulk. The license requires managed-service operators to run their own DCC servers rather than use the public ones.
-
Implementation / open-source · Pyzor project (SpamExperts)
A GPL collaborative, networked spam-detection system that uses short message digests; clients can query a digest's report count, report a message as spam, or whitelist it as not-spam. A public server runs at public.pyzor.org:24441.
-
Implementation / collaborative network · Vipul Ved Prakash; network operated by Cloudmark
A distributed, collaborative spam-signature network that returns a 0-100 confidence per message part, integrated into SpamAssassin via the Razor2 plugin. The open-source client code has not been updated since 2013, but the underlying network is still operated by Cloudmark.
Sender identity (non-RFC)
-
Specification / industry group · BIMI Group / AuthIndicators Working Group
Industry working group that maintains the Brand Indicators for Message Identification (BIMI) specification and implementation guide. BIMI displays a brand logo next to mail that passes DMARC at enforcement; it authenticates nothing itself and is not (yet) an RFC.
-
Certificate authority program · DigiCert
DigiCert is a Mark Verifying Authority issuing VMCs (for registered trademarks, enabling Gmail's blue checkmark) and Common Mark Certificates (CMCs). A VMC/CMC is what most mailbox providers require before they will display a BIMI logo.
-
Certificate authority program · Sectigo
Sectigo issues VMCs and CMCs for BIMI logo display. It is the official successor for VMCs after Entrust ended issuance of its public VMC/S-MIME certificates on 12 May 2025 and migrated that business to Sectigo, so Entrust's former VMC program pages no longer apply.
-
Specification / reference implementation · Shevek (libsrs2); concept by Meng Weng Wong
A convention for rewriting the envelope return-path when mail is forwarded so it keeps passing SPF at the forwarder's domain, while remaining reversible for bounces. It was never standardized as an RFC; the reference implementations are Mail::SRS (Perl) and libsrs2 (C).
Blocklist & reputation operators
-
Blocklist operator (DNSBL) · Barracuda Networks
A free IP-based DNS blocklist (b.barracudacentral.org) published by Barracuda Central; the list, lookup, and delisting/registration pages live under barracudacentral.org/rbl. Use requires free registration of the querying IP.
-
Blocklist operator (DNSBL, commercial) · Invaluement
A commercial anti-spam DNSBL family (ivmSIP, ivmSIP/24 for sender IPs and ivmURI for domains) designed to catch elusive snowshoe and low-volume spam that larger lists miss, with a focus on very low false positives.
- SORBS (discontinued) → discontinued
Blocklist operator (DNSBL) - discontinued · formerly Proofpoint / GFI
SORBS was a long-running DNSBL family that has been discontinued - its operator (Proofpoint) retired the service in mid-2024 and the zones no longer return useful data. Senders should not query or rely on SORBS, and may safely ignore historical SORBS listings.
-
Blocklist operator (DNSBL) / reporting service · Cisco Systems
A spam-reporting service and DNS blocking list (bl.spamcop.net) built from user reports and spam traps; listings are time-limited and expire as reports stop. Now operated by Cisco.
-
Blocklist operator (DNSBL) · The Spamhaus Project
The most widely used DNS blocklist operator, publishing IP lists (SBL, CSS, XBL, PBL, combined as ZEN) and the domain list (DBL). Removals are always free and handled at check.spamhaus.org.
-
URI blocklist operator · SURBL
A URI/domain reputation service that lists domains of malicious or abused sites found in message bodies, complementing sender-IP blocklists. Operating since 2004; offered via DNS, RPZ, API, and rsync feeds.
-
URI blocklist operator · URIBL.com
A realtime URI blocklist that lists domains appearing in spam message bodies (black, grey, red, white, and combined multi zones). URIBL explicitly tags rather than blocks; the blocking decision is left to the operator.
Mailbox provider sender rules
-
Provider sender requirements · Apple
Apple's official bulk-sender requirements for iCloud Mail: explicit opt-in only, SPF/DKIM/DMARC, ARC on forwarded mail, reverse DNS, and stream separation. Apple offers no feedback loop, allow list, or postmaster dashboard - the only contact is icloudadmin@apple.com.
-
Provider sender requirements · Comcast (Xfinity)
Comcast's postmaster site documents sending guidelines, error/block codes, and feedback-loop and delisting procedures for the comcast.net consumer mailbox domain.
-
Provider sender requirements · Fastmail
Fastmail's official guidance for operators sending to Fastmail: correct HELO/EHLO matching forward and reverse DNS, valid authentication, and why not to use Sender Address Verification. Fastmail is a mailbox provider, not a bulk-sending service.
-
Provider sender requirements · Google
Google's official Email sender guidelines for delivery to personal Gmail accounts: SPF/DKIM, valid PTR, TLS, RFC 5322 formatting, a spam-rate ceiling, and (for 5,000+/day bulk senders) DMARC and RFC 8058 one-click unsubscribe. Monitored via Google Postmaster Tools.
-
Provider sender requirements · United Internet (GMX / WEB.DE / 1&1 Mail & Media)
Postmaster pages for the large German freemail providers GMX and WEB.DE, covering deliverability, contact, sender features, and phishing protection. The companion WEB.DE site is at postmaster.web.de.
-
Provider sender requirements · Microsoft
Microsoft's Outlook.com postmaster site covers sender policies for the consumer hotmail.com/live.com/outlook.com domains, including the May 2025 SPF/DKIM/DMARC enforcement for senders over 5,000/day, plus the SNDS data service and JMRP feedback loop.
-
Provider sender requirements · Proton AG
Proton's official guidance for configuring a custom domain on Proton Mail, including the required MX, SPF, DKIM, and DMARC records (Proton recommends p=quarantine) to authenticate mail and protect against spoofing. Proton publishes no public sender reputation dashboard or feedback loop.
-
Provider sender requirements · Yahoo Inc.
Yahoo's official sender portal and best-practices/requirements for Yahoo Mail and AOL: SPF or DKIM, DMARC for bulk senders, a spam rate below 0.3%, and one-click unsubscribe honored within two days. Also the home of Yahoo's DKIM-based Complaint Feedback Loop.
Industry bodies & best practices
-
Certification program / allowlist · Certified Senders Alliance (eco / DDV)
An email certification program and quality allowlist: senders that meet CSA's technical and legal admission criteria are placed on the CSA Certified IP List that participating mailbox providers (notably in the DACH region) trust. Membership and rules are the standard, not an RFC.
-
IANA registry · IANA
The registry of methods, result names, and property types used in Authentication-Results header fields (spf, dkim, dmarc, arc, dnswl, iprev, and more) - the canonical vocabulary for reporting authentication outcomes.
-
IANA registry · IANA
The authoritative registry of IMAP capability names (IDLE, CONDSTORE, MOVE, SPECIAL-USE, OBJECTID, and many more) and their defining RFCs - what a mailbox-access server can advertise in its CAPABILITY response.
-
IANA registry · IANA
The registry of JMAP (JSON Meta Application Protocol) capabilities, error codes, and data types - the modern JSON-over-HTTP alternative to IMAP for mailbox access, including the mail and submission capabilities.
-
IANA registry · IANA
The authoritative registry of permanent and provisional email (and netnews/MIME) header field names and their defining references - the canonical place to check whether a header like List-Unsubscribe-Post or Authentication-Results is registered and standard.
-
IANA registry · IANA
The registry of capabilities, actions, and URN parameters for the Sieve mail-filtering language (fileinto, vacation, imap4flags, spamtest, and more) - the canonical list of standardized Sieve extensions.
-
IANA registry · IANA
The registry of SMTP service extensions (EHLO keywords) such as STARTTLS, SIZE, PIPELINING, DSN, AUTH, SMTPUTF8, and REQUIRETLS, plus Received-header VIA/WITH types - the canonical list of what a mail server can advertise.
-
Standards body · Internet Engineering Task Force
The standards body that develops and publishes the RFCs underpinning email (SMTP, IMF, SPF, DKIM, DMARC, ARC, and more). Included here as the authoritative home and Datatracker for the standards the rest of this index complements.
-
Industry body / best-practice publisher · Messaging, Malware and Mobile Anti-Abuse Working Group
The leading industry forum for messaging anti-abuse, publishing widely cited best-common-practice documents (Sender BCP, spam-trap guidance, mandated-email guidance, TLS for Mail) that function as de facto standards alongside the RFCs.
Research & evaluation
-
Research / academic conference (archival) · CEAS
The academic conference (2004-2008) that produced foundational anti-spam and email research, including the CEAS 2008 Live Challenge spam-filter evaluation. The site is now an archival frames stub; the conference is no longer active, but its papers remain widely cited.
-
Research corpus · Carnegie Mellon University (CALO Project)
About 500,000 real messages from ~150 Enron employees, made public via the FERC investigation. It is a ham (legitimate mail) corpus with no spam labels, commonly mixed with a separate spam corpus to build balanced spam-detection and NLP datasets.
-
Research / foundational essay · Paul Graham
The 2002 essay that popularized statistical (Bayesian) spam filtering and triggered the wave of Bayesian filters in mail systems. Foundational, widely cited, and not an RFC.
-
Research / foundational essay · Paul Graham
The 2003 follow-up to "A Plan for Spam" refining the token-probability approach (token degeneration, handling of headers, and bias toward avoiding false positives). A key reference for how practical Bayesian mail filters were tuned.
-
Research corpus · Apache SpamAssassin project
A frozen, publicly distributed labelled corpus (~6,000 messages, ~31% spam, split into easy_ham, hard_ham, and spam subsets) for offline filter development. The readme warns against live-testing it or relying on networked blocklists/checksums, since the messages may already have been reported.
-
Research / evaluation framework · NIST (Text REtrieval Conference)
NIST's standardized spam-filter evaluation track (2005-2007) that defined the chronological, one-at-a-time evaluation methodology and metrics (1-ROCA%, ham/spam misclassification, lam%) still referenced in filter research, along with public and private corpora.
Legal & regulatory
-
Regulator guidance / statute · Australian Communications and Media Authority
Australia's Spam Act 2003 is an opt-in regime (express or inferred consent) requiring accurate sender identification and a working unsubscribe honored within 5 working days, and it prohibits address-harvesting. The live ACMA page blocks automated fetching but the URL is current and was content-verified via archive.
-
Regulator guidance / statute · Government of Canada (ISED / CRTC)
Canada's express opt-in regime for commercial electronic messages (implied consent only for defined business relationships), requiring sender identification and an unsubscribe honored within 10 business days. Enforced by the CRTC with penalties up to CAD $10M per violation.
-
Regulator guidance / statute · European Commission
EU email marketing rests on the ePrivacy Directive (2002/58/EC, Art. 13 opt-in for individuals) read with the GDPR (Regulation 2016/679), including the right to object to direct marketing and notification duties when reusing third-party data. Enforced by national DPAs.
-
Regulator / statute · KVKK Board / Ministry of Trade (Turkey)
Turkey regulates commercial electronic messages under ETK Law No. 6563 (opt-in for consumers, opt-out for merchants/traders, opt-outs honored within 3 business days via the central IYS consent registry), layered with the KVKK personal-data law (Law No. 6698). The KVKK site is the regulator home; substantive ETK detail comes from the official law text.
-
Regulator guidance / statute · UK Information Commissioner's Office
The ICO's guidance on electronic mail marketing under PECR (read with UK GDPR): opt-in consent for individuals, a soft opt-in for existing customers, and a duty to identify the sender and honor opt-outs. Corporate-body recipients may be emailed without prior consent.
-
Regulator guidance / statute · US Federal Trade Commission
The FTC's official compliance guide to the CAN-SPAM Act: an opt-out regime (no prior consent required) requiring accurate headers, a physical postal address, clear opt-out honored within 10 business days, and per-email civil penalties. Covers B2B with no exemption.
Drafts to watch
Internet-Drafts, not RFCs yet. They are not standards and may change or expire, but they signal where email is heading. We track them so the library stays current the moment they are published.
- draft-ietf-emailcore-rfc5321bis
SMTP revision work
- draft-ietf-emailcore-rfc5322bis
Message format revision
- draft-ietf-jmap-calendars
JMAP Calendars
- draft-ietf-mailmaint-expires
Expires header
- draft-ietf-mailmaint-wrong-recipient
Wrong-Recipient header
- draft-ietf-mailmaint-imap-uidbatches
IMAP UIDBATCHES
- draft-murchison-sieve-regex
Sieve regex
Need someone who actually tracks all this?
The RFCs, the filters, the blocklists, the provider rules, the law. Keeping up with it is our job, not yours. Tell us what you send.