What organizations set global standards?
Still have a question, spotted an error, or have a better explanation or a source we should cite?
SPF, DKIM, and DMARC didn't appear out of nowhere. Every one of those standards was written, debated, and published by a group of people who sat in rooms (and Zoom calls) arguing about how email should work. So who are those people?
The IETF (Internet Engineering Task Force) is the most important one to know. It's an open, volunteer-driven organization that publishes internet standards as RFCs (short for Request for Comments, which is a misleadingly modest name for documents that define how the whole internet runs). SPF, DKIM, DMARC, and the core SMTP protocol all started as IETF working group drafts before becoming RFCs that every mailbox provider in the world now implements.
M3AAWG (Messaging, Malware and Mobile Anti-Abuse Working Group) works differently. It doesn't publish formal internet standards. What it does instead is bring major mailbox providers, ESPs, and security companies into the same room to share data on abuse trends and agree on best practices. If you've ever wondered why the major players tend to respond to spam and phishing in similar ways, that coordination largely happens through M3AAWG.
A few other groups are worth knowing about, even if they don't write the technical specs. The DMA (Data and Marketing Association) in the UK and the ANA (Association of National Advertisers) in the US set marketing ethics guidelines. The EEC (Email Experience Council) focuses on practitioner education and industry knowledge. And national regulators like the FTC in the US and the ICO in the UK are the ones who actually enforce the legal layer (think CAN-SPAM and GDPR).
None of these organizations work alone. A new authentication standard typically starts as an IETF draft, gets pressure-tested in M3AAWG working groups, and eventually gets enforced by the mailbox providers who implement it. The February 2024 Google and Yahoo sender requirements are a good example: they weren't invented by a standards body, but they were built on top of IETF-published standards that had existed for years.
If you want to go deeper on where any specific email standard came from, check the RFC number. It tells you exactly which working group wrote it and when.
Contributors
Who worked on this answer
Every name links to their profile. Every company links to their site. Real people, real accountability.