• Whitelisted addresses pass through always.
• Blacklisted addresses are denied always.
• "Tagged e-mail" means specific senders can send to the particular mailbox.
• Unrecognized addresses are sent a challenge they must reply to in some way to become allowed.

Problems

• Forged addresses means uninvolved persons get sent challenge messages.
• Automated services like mailing lists and invoice systems trigger challenges.

Recommendations

• Don't send challenges if the spam filter is reasonably certain this is not spam.
• Use Auto-Submitted headers. TODO what?
• Use In-Reply-to header and point to original message-id (aka. make the challenge a reply to the original message.)
• Don't challenge replies to your messages.
• Don't challenge mailing lists and automated services.
• Have "unfiltered" addresses that can be contacted directly but are not punished.
• Don't trigger e-mail loops.
• Check the list of blocked messages now and again.
• Automate whitelisting people (ex. mailing lists, people you initiated contact with.)
• Don't challenge mail with attachments?

• Source for Templeton's recommendations

Wikipedia also suggests other methods such as checking DKIM signatures to ensure the From address is not forged to begin with.

Etiquette

• People don't like having bots e-mail them when they believe they were invited to comment
• For example if you send an e-mail first, make sure they are whitelisted (or at least that replies to your messages are) so you do not say hello, they reply, but then get asked to authenticate after you initiated

Tools

• TDMA