Will AI-authenticated communication become mandatory?
Still have a question, spotted an error, or have a better explanation or a source we should cite?
We already have something close to mandatory authentication in email. In early 2024, Google Workspace and Yahoo Mail started requiring bulk senders to have SPF, DKIM, and DMARC set up before their emails would be delivered. Not a suggestion. A hard requirement. That's a meaningful precedent.
So when people ask whether AI-authenticated communication will become mandatory, the better question is: what has to happen first?
Right now, "AI authentication" mostly means AI-assisted filtering. Mailbox providers use machine learning to decide if a message looks legitimate, but that's pattern matching at the receiving end. True AI-authenticated communication would mean the sending side cryptographically proves identity and content integrity in a way AI can verify end-to-end, before delivery. That's a much bigger technical lift than adding a DMARC record.
The pieces that would need to fall into place:
- Standardization. Cryptographic identity systems like decentralized identifiers (DIDs) are being explored, but there's no agreed-upon email standard yet. SPF and DKIM took years to get widespread adoption even after IETF published them.
- Regulatory push. The EU's AI Act and various anti-phishing regulations are moving in this direction, but mandating a specific technical mechanism across all email infrastructure globally is a different thing entirely.
- Mailbox provider enforcement. The Google and Yahoo 2024 requirements showed that when large mailbox providers act together, adoption happens fast. That's actually the most realistic path, not legislation.
- Deepfake pressure. As deepfake-generated email content becomes harder to detect by eye, demand for proof-of-origin authentication will grow. That's the most likely forcing function.
Could it become mandatory? Yes, in the same way DMARC became effectively mandatory for bulk senders: not through a single global law, but through enough major providers making it a condition of delivery. Universal adoption across every email system on earth is still a long way off (and honestly, legacy infrastructure will resist it for decades).
The practical takeaway for senders today: make sure your SPF, DKIM, and DMARC are solid. Whatever comes next will build on those foundations, not replace them.
Not sure your current authentication is in order? You can check with our free DMARC generator or SPF checker, or just ask us if something's broken ;)
Contributors
Who worked on this answer
Every name links to their profile. Every company links to their site. Real people, real accountability.