Will AI-authenticated communication become mandatory?

Still have a question, spotted an error, or have a better explanation or a source we should cite?

We already have something close to mandatory authentication in email. In early 2024, Google Workspace and Yahoo Mail started requiring bulk senders to have SPF, DKIM, and DMARC set up before their emails would be delivered. Not a suggestion. A hard requirement. That's a meaningful precedent.

So when people ask whether AI-authenticated communication will become mandatory, the better question is: what has to happen first?

Right now, "AI authentication" mostly means AI-assisted filtering. Mailbox providers use machine learning to decide if a message looks legitimate, but that's pattern matching at the receiving end. True AI-authenticated communication would mean the sending side cryptographically proves identity and content integrity in a way AI can verify end-to-end, before delivery. That's a much bigger technical lift than adding a DMARC record.

The pieces that would need to fall into place:

  • Standardization. Cryptographic identity systems like decentralized identifiers (DIDs) are being explored, but there's no agreed-upon email standard yet. SPF and DKIM took years to get widespread adoption even after IETF published them.
  • Regulatory push. The EU's AI Act and various anti-phishing regulations are moving in this direction, but mandating a specific technical mechanism across all email infrastructure globally is a different thing entirely.
  • Mailbox provider enforcement. The Google and Yahoo 2024 requirements showed that when large mailbox providers act together, adoption happens fast. That's actually the most realistic path, not legislation.
  • Deepfake pressure. As deepfake-generated email content becomes harder to detect by eye, demand for proof-of-origin authentication will grow. That's the most likely forcing function.

Could it become mandatory? Yes, in the same way DMARC became effectively mandatory for bulk senders: not through a single global law, but through enough major providers making it a condition of delivery. Universal adoption across every email system on earth is still a long way off (and honestly, legacy infrastructure will resist it for decades).

The practical takeaway for senders today: make sure your SPF, DKIM, and DMARC are solid. Whatever comes next will build on those foundations, not replace them.

Not sure your current authentication is in order? You can check with our free DMARC generator or SPF checker, or just ask us if something's broken ;)

Contributors

Who worked on this answer

Every name links to their profile. Every company links to their site. Real people, real accountability.

Ask an AI · tailored to your setup

Map out what's coming for email authentication

Based on my sending setup, help me understand where AI-authenticated email communication is heading and what I should be doing now to stay ahead. Here's my current situation: - My email type (newsletters, transactional, etc.): type - My current authentication setup (SPF, DKIM, DMARC): status - My ESP or sending platform: name - My biggest concern about future requirements: concern Give me a ranked list of: (1) what's most likely to become required in the next 3 years, (2) what I should be doing now to prepare, and (3) any risks I might be ignoring.

Edit the yellow boxes, then send to the AI of your choice.