Well, what do you know?

I don’t know if they have been doing these checks all along and have only finally decided to expose the result, but I logged into my Yahoo mail the other day and checked out the message headers of a mail in my inbox. I was surprised to discover that Yahoo is now exposing the Received-SPF flag indicating whether the inbound message passed or failed a standard SPF check.

To be sure, Yahoo still doesn’t publish SPF records, but at least now I can confirm that they are verifying SPF on inbound mail. Gmail exposes this header, and Hotmail exposes the SenderID check in clear text as well (via the X-SID-Result header). This is useful for downstream users/MTAs that want to take action on a trusted sender and need an authentication result before they do so. DKIM is a stronger mechanism than SPF or SenderID, but SPF is by far the most commonly used protocol for authentication.
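One way a downstream consumer could act on the exposed Received-SPF header, as an added example rather than code from the original post. It trusts only the topmost Received-SPF field, on the assumption that the receiving provider always stamps its own above anything the sender supplied, and checks the envelope sender against a hypothetical allowlist; the message, hostnames and addresses are constructed.

```python
import re
from email import message_from_string

SPF_RESULTS = {"pass", "fail", "softfail", "neutral", "none",
               "temperror", "permerror"}  # result keywords from RFC 7208

# Constructed message: the provider's verdict is the topmost Received-SPF;
# the lower "pass" was placed in the headers by the sender.
SAMPLE = """\
Received-SPF: fail (mx.example.net: domain of bob@example.org does not designate 203.0.113.5 as permitted sender) client-ip=203.0.113.5; envelope-from=bob@example.org;
Received: from relay.example.com ([203.0.113.5]) by mx.example.net; Mon, 1 Jan 2024 00:00:00 +0000
Received-SPF: pass (sender-supplied) envelope-from=bob@example.org;
From: bob@example.org
Subject: invoice

body
"""

def parse_received_spf(value):
    """Split one Received-SPF value into result, comment and key=value pairs."""
    m = re.match(r"\s*([A-Za-z]+)\s*(?:\((.*?)\))?\s*(.*)", value, re.S)
    if not m or m.group(1).lower() not in SPF_RESULTS:
        return None
    params = dict(kv.strip().split("=", 1)
                  for kv in m.group(3).split(";") if "=" in kv)
    return {"result": m.group(1).lower(), "comment": m.group(2), "params": params}

def sender_is_authenticated(raw_message, trusted_domains):
    """True only if the topmost Received-SPF says pass for a trusted domain."""
    headers = message_from_string(raw_message).get_all("Received-SPF", [])
    parsed = parse_received_spf(headers[0]) if headers else None
    if not parsed or parsed["result"] != "pass":
        return False  # missing, malformed, or anything other than pass
    # SPF vouches for the envelope sender (MAIL FROM), not the From: header.
    sender = parsed["params"].get("envelope-from", "").strip('"<>')
    return sender.rpartition("@")[2].lower() in trusted_domains

if __name__ == "__main__":
    print(sender_is_authenticated(SAMPLE, {"example.org"}))
```

A provider that does not stamp every message leaves the topmost Received-SPF under the sender's control, so confirm the provider's behaviour before relying on this rule.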