Berkeley, California – October 19, 2015 – The Domain-based Message Authentication, Reporting, & Conformance (DMARC) specification has proven its value in combating fraudulent email since its introduction three and a half years ago. Thousands of companies use it to prevent billions of messages fraudulently using their Internet domains from reaching inboxes, thereby protecting their customers and employees from phishing and other abuse. And now two of the largest mailbox providers in the world – Google (NASDAQ: GOOG) and Yahoo (NASDAQ: YHOO) – have announced that they are extending that protection to cover more of their Internet domains

Yahoo Expanding Use of Strict DMARC Policies

On October 5th, Yahoo announced that they would expand their use of DMARC to protect users of their and services by November 2nd. This follows their success using DMARC to prevent a large-scale campaign of abuse of their Yahoo Mail services in 2014. At the time a Yahoo executive wrote in a company blog post, “And overnight, the bad guys … were nearly stopped in their tracks.” This was so successful that AOL followed suit later in the same month in response to a similar large-scale campaign targeting their marquee domain. Yahoo’s recent announcement also indicated that they would expand this coverage to additional domains in coming months.

Enabling DMARC To Protect More Types of Email

When Yahoo and AOL began protecting their customers from abuse, there was a small percentage of users who were negatively impacted by the change. To address these issues, several workarounds were quickly deployed by service providers and mailing lists, and two long-term solutions were submitted to the IETF for consideration. One of these, the Authenticated Received Chain (ARC), is being presented at the Messaging, Malware and Mobile Anti-Abuse Working Group (M3AAWG) meeting in Atlanta, Georgia. The goal is to engage the technical community in helping to refine and test the proposed solution with deployers such as Google, Microsoft (NASDAQ: MSFT), and Yahoo, with an interoperability event being organized for the first quarter of 2016. [Draft ARC specification can be found here;draft recommended usage of ARC document can be found here.]

Google To Adopt Stricter DMARC Policies in 2016

To further bolster the proven utility of DMARC, Google has announced that they will be moving their hosted mailbox services to a similarly strict DMARC policy in 2016. “Google is committed to email authentication. In June of 2016, we will be taking a big step by moving to DMARC policy p=reject.” said John Rae-Grant, Lead Product Manager for Gmail. “We are pleased to be supporting the ARC protocol to help mailing list operators adapt to the need for strong authentication.”

“More and more companies have been adopting DMARC and email authentication over the past few years, with more vendors and service providers adding the necessary support to their offerings in order to make that adoption simpler,” said Steven Jones, Executive Director of “With new protocols like ARC emerging to address the traditional email use cases that were problematic under some DMARC policies, and the leadership of forward-thinking companies like Google, Microsoft and Yahoo, I expect to see the rate of adoption accelerate globally.”

# # #

About is an initiative of the Trusted Domain Project (TDP), a non-profit and tax-exempt public benefit corporation, and is supported by the following sponsors: Agari, Comcast (NASDAQ: CMCSA), Farsight Security, Google, PayPal (NASDAQ: PYPL), and ReturnPath. is dedicated to promoting the use of DMARC and related email authentication technologies to reduce fraudulent email, in a way that can be sustained at Internet scale. More information about is available at the website