The Future of Email

Original link: https://www.fastmail.com/blog/the-future-of-email/

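Email spoofing has long been a hard problem, but with the rise of AI-driven email management systems, authentication has become critical. Because AI assistants increasingly read, summarize, and act on email autonomously, they do not always notice the subtle tells of a phishing attempt the way a human would. Verifying the sender's identity is therefore no longer just a best practice but essential infrastructure.

Email authentication relies on three interlocking standards: **SPF** (authorizes sending servers), **DKIM** (provides a cryptographic signature to prevent tampering), and **DMARC** (tells servers how to handle messages that fail verification). Together, the three ensure that a message really does come from the sender it claims.

Major providers such as Google and Yahoo now require bulk senders to use DMARC, which signals that authentication is treated as a basic prerequisite for delivery. Authentication confirms identity rather than intent, which means it cannot stop every scam, but it significantly raises the complexity and cost of impersonation. As our inboxes become increasingly automated, these security standards form the necessary foundation that keeps the email of the future trustworthy as well as convenient.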

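This Hacker News thread discusses a Fastmail article titled "The Future of Email". Commenters generally consider the article pure "marketing fluff" with little content, nothing more than a basic overview of email authentication protocols such as SPF, DKIM, and DMARC.

Beyond criticizing the article's lack of substance, users also expressed dissatisfaction with the current state of digital communication. One participant complained that many institutions force users into restrictive, ad hoc "secure message centers" instead of email, which prevents users from keeping a searchable history. Another commenter was skeptical of the industry's direction, pointing out that introducing AI to filter mail while making authentication protocols ever more complex is counterproductive, like "reinforcing the door locks while handing out more master keys".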
Original text

Email has always had a spoofing problem. Anyone can put anything in the “From” field of an email. For most of email’s history, that was manageable. A careful reader could catch the tells, such as a slightly off domain name, implausible urgency, or phrasing that doesn’t quite work. However, as AI usage becomes increasingly widespread, the way we engage with email is changing.

AI assistants are increasingly reading, summarizing, and actioning email on users’ behalf. AI filters are making consequential decisions about what reaches inboxes at all. In that world, “Did the message arrive?” matters a lot less than “Can we actually verify where it came from?” The answer to that question depends on a set of standards most email users have never had reason to think about, but that are quietly becoming the foundation everything else is built on.

What is email authentication?

Email authentication is made up of three interlocking standards: SPF, DKIM, and DMARC. SPF verifies that the server sending a message was authorized to do so on behalf of that domain. DKIM attaches a cryptographic signature to each message so the receiving server can confirm it hasn’t been altered in transit. DMARC ties those two together and tells receiving servers what to do when a message fails those checks: reject it, quarantine it, or let it through.

Together, they’re how your inbox can tell whether a message claiming to come from your bank or your employer really did. Without them, a spoofed message is indistinguishable from a legitimate one. While this is not a new problem, as the way we interact with email changes, it becomes a much bigger one.

How AI factors into this

Two kinds of AI are now becoming standard features of the email experience. The first is AI filtering: the systems that decide what’s spam, what’s phishing, and what deserves your attention. These have existed for years, but modern versions are significantly more capable, and authentication results are increasingly a core input into how they make decisions.

The second is AI assistance: tools that summarize your inbox, surface action items, draft replies, and in some cases take actions on your behalf. It’s worth being transparent about what that looks like at Fastmail: we haven’t integrated AI into your inbox, and your mail isn’t being processed by a model in the background. Our MCP server is simply an API endpoint available if you want to connect an AI client of your choosing with your explicit authorization, and nothing changes if you don’t.

But across the broader email landscape, AI assistants acting autonomously on inboxes are becoming increasingly common. That’s where authentication becomes critical. A person reading a suspicious email might notice that the sender’s domain has an extra character, or that something about the request feels off. An AI assistant scanning your inbox for items that need action may not slow down to check those things. It reads the content, notes the urgency, and acts accordingly. If that message is a convincing spoof, as much AI-generated phishing is now, authentication is the safeguard that should stop it before it ever reaches your mailbox.

Authentication is becoming infrastructure

In early 2024, Google and Yahoo began requiring bulk senders to have DMARC properly configured as a condition of reliable delivery. This shifted authentication from something senders could deprioritize to a basic prerequisite for reaching inboxes. It’s the same trajectory HTTPS followed on the web: starting as a best practice, then an expectation, then infrastructure. Even if you don’t understand what the padlock in your browser bar actually means, you’ve likely come to learn that its absence when viewing a website is a warning sign you can’t ignore. Email authentication is heading in the same direction.

New standards are being built on this foundation. BIMI lets verified senders display their logo directly in supporting inboxes, a small but meaningful visual trust signal at a time when AI-generated phishing is harder than ever to spot by content alone. The design of DKIM is being revisited with some of the lessons learned from the experimental ARC specification, to track and attribute changes for complex email flows, so the filtering systems can tell where bad content is coming from and avoid hurting the reputation of the wrong parties.

That said, authentication alone is not a complete solution. Authentication confirms domain identity, not intent. A scammer with a convincing look-alike domain and a properly configured DMARC record will still pass sender authentication checks. However, authentication raises the cost and complexity of impersonation significantly, which matters more as the future of email becomes more automated.
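A gate an automated assistant could apply before acting on a message, as an added example (not code from Fastmail or the original article): it reads the DMARC verdict from the receiving server's `Authentication-Results` header and shows that a look-alike domain still passes authentication. The authserv-id `mx.receiver.example`, the `KNOWN_SENDERS` set, and all messages are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

TRUSTED_AUTHSERV = "mx.receiver.example"  # ASSUMPTION: authserv-id of our own MTA
KNOWN_SENDERS = {"bank.example"}          # ASSUMPTION: domains the user deals with

# Constructed sample messages.
LEGIT = ("Authentication-Results: mx.receiver.example; spf=pass smtp.mailfrom=bank.example;"
         " dkim=pass header.d=bank.example; dmarc=pass header.from=bank.example\n"
         "From: Bank Alerts <alerts@bank.example>\nSubject: Statement ready\n\nBody\n")
LOOKALIKE = ("Authentication-Results: mx.receiver.example;"
             " dmarc=pass (p=REJECT) header.from=bank-secure.example\n"
             "From: Bank Alerts <alerts@bank-secure.example>\nSubject: Urgent\n\nBody\n")
SPOOFED = ("Authentication-Results: mx.receiver.example; dmarc=fail header.from=bank.example\n"
           "Authentication-Results: mx.sender.example; dmarc=pass header.from=bank.example\n"
           "From: Bank Alerts <alerts@bank.example>\nSubject: Urgent\n\nBody\n")


def dmarc_verdict(msg):
    """Return (result, header.from domain) from our own MTA's header only."""
    for value in msg.get_all("Authentication-Results", []):
        authserv, _, rest = value.partition(";")
        if authserv.strip().lower() != TRUSTED_AUTHSERV:
            continue  # stamped by someone else; the sender controls such headers
        m = re.search(r"\bdmarc=(\w+)(?:\s+\([^)]*\))?\s+header\.from=([\w.-]+)", rest)
        if m:
            return m.group(1).lower(), m.group(2).lower()
    return "none", None


def agent_may_act(raw):
    """Decide whether an automated assistant may act on a raw message."""
    msg = message_from_string(raw)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    result, header_from = dmarc_verdict(msg)
    if result != "pass" or header_from != from_domain:
        return "hold: unauthenticated"
    if from_domain not in KNOWN_SENDERS:
        # Authentication confirms the domain, not that it is the expected one.
        return "hold: authenticated but unknown domain"
    return "act"
```

This relies on the receiving MTA removing any inbound `Authentication-Results` header that carries its own authserv-id, so that the remaining header with that id is the one it stamped.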

The inbox of the future will be faster, smarter, and more capable than what most of us use today. Authentication is what keeps that future trustworthy, not just convenient. The standards have been maturing for years, and the work now is to keep building on that foundation as email becomes more automated.

Email is not going anywhere

Everybody needs email. It’s where banks send statements, doctors send appointments, every other site sends password resets. Everybody has email. The best indicator for a technology’s longevity is how long it has already existed, and email has been around for a long time! Fastmail is at the forefront of developing the standards which will underpin the email of the future, and we will continue to evolve with email to make things better for everyone.
