A Brief History of DMARC

The history of DMARC goes back as far as 2012. At the time, there were no established protocols for authenticating email, so it was pretty much up to each company to determine how best to protect its brand from being spoofed.

As email marketing became more popular among businesses, many bad actors began using fake email addresses to send spam marketing pitches or phishing attempts, which led to significant problems for legitimate marketers trying to reach their customers.

A draft specification for DMARC was published on January 30th, 2012, and has been maintained since then. In October 2013, GNU Mailman 2.1.16 was released with options to handle posters from a domain with the DMARC policy of p=reject. In April 2014, Yahoo changed its DMARC policy to p=reject, causing misbehaviour in several mailing lists, and AOL followed with the same change days later.

What is DMARC's Current State?

In 2015, the DMARC specification was published under RFC 7489 as an Informational document and adopted by organizations worldwide. It remained the reference for over a decade. Then, in May 2026, DMARC took its biggest step yet: the IETF DMARC Working Group published the updated specification as three Standards Track documents that obsolete RFC 7489. RFC 9989 covers the core protocol, RFC 9990 governs aggregate reports, and RFC 9991 governs failure reports. This elevated DMARC from an Informational RFC to a formal Internet Standard, reflecting more than a decade of real-world deployment.

The good news is that DMARC adoption has been growing steadily, but we're still not there yet. Less than half of organizations globally have adopted DMARC, and even fewer have reached enforcement. This scenario needs to change at the earliest to protect emails against spoofing, phishing, and other email attack vectors.