The DMARC framing for AI agents is exactly right as far as it goes. DMARC answers: is this message from who it claims? Is the sender authorized to send on behalf of this domain?
Airlock presumably answers the equivalent for agents: is this agent who it claims? Is it authorized to perform this action?
But DMARC has a third function that gets less attention: reputation scoring. SPF/DKIM pass is a binary gate. Receiving mail servers also maintain reputation data — how long has this domain been sending? What is its historical complaint rate? A domain that passes DMARC but has no sending history gets elevated skepticism from receiving servers, because the reputation layer has no data.
The agent equivalent does not exist in Airlock yet, and I want to raise it as a design consideration.
The gap
An agent arrives with valid authorization credentials. It passes Airlock verification. But it has no verifiable history — it could have been spun up five minutes ago specifically for this interaction. First-contact trust is purely credential-based, not history-based.
In email, a newly registered domain with perfect DMARC configuration still gets treated with elevated skepticism by receiving servers. The reputation layer (time, volume, complaint history) is what makes DMARC operationally useful.
A potential composition
WTRMRK (https://wtrmrk.io) is building an on-chain attestation layer for agents on Base L2. Each registered agent accumulates a tamper-evident sequence of attested actions — verifiable by anyone without trusting WTRMRK specifically (the sequence is on-chain). An Airlock verification flow could optionally query a WTRMRK sequence root as part of the trust decision: the agent presents its Airlock credentials AND a commitment to its action history.
This is not required for Airlock to work — the binary gate (authorized/not authorized) is correct and useful on its own. But the reputation layer is what makes DMARC actually useful for email in practice. The same will likely be true for agent trust protocols.
Question
Has the Airlock team considered a reputation/history layer, or is the current scope intentionally limited to the credential verification gate? If the former, happy to discuss how WTRMRK's on-chain sequence model could compose with Airlock's verification flow.
The DMARC framing for AI agents is exactly right as far as it goes. DMARC answers: is this message from who it claims? Is the sender authorized to send on behalf of this domain?
Airlock presumably answers the equivalent for agents: is this agent who it claims? Is it authorized to perform this action?
But DMARC has a third function that gets less attention: reputation scoring. SPF/DKIM pass is a binary gate. Receiving mail servers also maintain reputation data — how long has this domain been sending? What is its historical complaint rate? A domain that passes DMARC but has no sending history gets elevated skepticism from receiving servers, because the reputation layer has no data.
The agent equivalent does not exist in Airlock yet, and I want to raise it as a design consideration.
The gap
An agent arrives with valid authorization credentials. It passes Airlock verification. But it has no verifiable history — it could have been spun up five minutes ago specifically for this interaction. First-contact trust is purely credential-based, not history-based.
In email, a newly registered domain with perfect DMARC configuration still gets treated with elevated skepticism by receiving servers. The reputation layer (time, volume, complaint history) is what makes DMARC operationally useful.
A potential composition
WTRMRK (https://wtrmrk.io) is building an on-chain attestation layer for agents on Base L2. Each registered agent accumulates a tamper-evident sequence of attested actions — verifiable by anyone without trusting WTRMRK specifically (the sequence is on-chain). An Airlock verification flow could optionally query a WTRMRK sequence root as part of the trust decision: the agent presents its Airlock credentials AND a commitment to its action history.
This is not required for Airlock to work — the binary gate (authorized/not authorized) is correct and useful on its own. But the reputation layer is what makes DMARC actually useful for email in practice. The same will likely be true for agent trust protocols.
Question
Has the Airlock team considered a reputation/history layer, or is the current scope intentionally limited to the credential verification gate? If the former, happy to discuss how WTRMRK's on-chain sequence model could compose with Airlock's verification flow.