Note that this is about the use case 'authenticating whether the given mail server is authorized to send mail for the given domain', not the use cases 'authenticating whether the given user of this mailbox actually sent this email' or 'authenticating whether the given message is spam or not', which is probably the reason you clicked on this article :).
The former use case is pretty much solved (in that you can safely ignore email from servers/domains that don't follow best practices), the latter (combining the 2, since they're pretty similar, really) is not, even given recent advances in AI (OpenAI cannot tell you if a message is spam, sorry, unless your prompt engineering skills are much better than mine).
> OpenAI cannot tell you if a message is spam, sorry, unless your prompt engineering skills are much better than mine.
Sometimes an e-mail message itself does not even contain enough information to accurately classify it as spam or phish.
To a degree, spam is subjective. And classifying a phish may not be trivial at all (e.g. message may include legit marketing links, open redirects and server side logic to serve certain pages only to targets, etc.).
Thank you for that comment, I don't think it's something many people really understood. The same is true for phishing websites. So much depends on the context and incomplete background information. Is a website that asks you to put in your username and password bad? Well, it depends on what the website does with that information in the background. I've seen very suspicious websites asking for user information which were, in the end, just sites set up by marketing departments of the larger company who were unaware of the dangerous precedent they were setting.
Yup, when I order something I get really annoyed that I get an email for every fart that the delivery driver lets out. I'll hear the doorbell, I don't need 500 anticipatory emails. It's not a scam, not a phish, and it's 100% factual and "informative". But still junk.
It isn't spam though (being a part of a real commercial relationship, and having a working unsubscribe link), and marking it as such poisons your spam filter.
To further emphasize the point that a mail server being authorized often isn't worth much, or can be counterproductive even: shocking numbers of SMTP providers don't verify anything beyond the login. As a result, each and every one who manages to get an account can send legitimate looking messages for whatever domain allowing that host, e.g. another tenant. Microsoft and Google do perform sender address checks, as well as TransIP that I know of. Apart from them, though...
For reference: in Postfix this can be configured with smtpd_sender_restrictions.
The former use case is pretty much solved (in that you can safely ignore email from servers/domains that don't follow best practices), the latter (combining the 2, since they're pretty similar, really) is not, even given recent advances in AI (OpenAI cannot tell you if a message is spam, sorry, unless your prompt engineering skills are much better than mine).