Where did DMARC come from?

Return Path's Sam Masiello explains: "The genesis of DMARC was actually a private partnership between PayPal and Yahoo! and Google. They worked together in 20007 and 2008, respectively, to create a communication channel that would allow Google and Yahoo! to block all email purporting to be from a PayPal domain. It had a huge positive impact. At one point they were blocking, on average, 200,000 phishing messages a day."

DMARC takes these private agreements to the next level, creating a "scalable communication channel between every sender and every receiver and has the power to substantially reduce the damage of phishing."

DMARC appears easy to implement. It's not risk free, though. It can be used to instruct receivers to block or bulk email messages that fail or lack authentication, so a sender needs to be careful to ensure that all mail is properly authenticated. And be prepared for the oddball edge cases where authentication might fail unexpectedly.

The nerds in the crowd might recognize this as sort of a second try at ADSP, a DKIM authentication add on that was intended to accomplish something similar.

Update: Commenter Robert Mathews provided this link with an explanation of what makes DMARC different than ADSP. Thanks, Robert!


  1. Good point. Why did ADSP fail? It seemed to have the right goals and a bunch of people on the bandwagon.

  2. Appendix C of the DMARC draft talks about why DMARC is intentionally different from ADSP:



Comments policy: Al is always right. Kidding, mostly. Be polite, please and thank you.