atproto identity DMARC

DIDMARC — hold the directory accountable

Independent, on-chain proof that plc.directory serves a DID's complete, current, and non-equivocated history — exposed as a graduated status any resolver or PDS can enforce unilaterally, with no network coordination and no protocol change.


The analogy

atproto identities are a signed, hash-linked log of operations served from one directory. Every op is self-certifying — but a single signature can't tell you whether you were shown the whole history. Email solved the same gap with a layered stack:

PLC ≈ DKIM

Each operation is signed by a then-valid rotation key. Per-op authenticity — already there.

DIDMARC ≈ SPF / DMARC

The layer a signature structurally can't provide: was I shown the complete, current, non-equivocated history? Verified on-chain.

How it works

Each opted-in DID's full operation log is re-verified from genesis inside a Starknet contract — the network proves the computation and settles to Ethereum; there is no bespoke prover and no trusted snapshot. The contract commits a proven DID→document root. A resolver fetches a document from the directory and checks it against that root, getting back a status. plc.directory stays canonical; DIDMARC is a read-side witness that anyone turns on alone — the way an email receiver enables DMARC.

The graduated status

Adoption is the DMARC ramp: start by logging the status, then quarantine on diverged, then refuse to relay — each resolver decides on its own.
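The read-side check described under "How it works", together with the policy ramp above, as an added worked example in Python. This is illustration code, not DIDMARC's or plc.directory's own: it models an operation log as a simple SHA-256 hash chain (real PLC ops are DAG-CBOR objects addressed by CID), takes the "proven root" to be the hash of the log's head as the contract would have committed it, and uses the status names unknown / invalid / verified / diverged and the policy names none / quarantine / reject as assumptions. Every DID, handle, key and URL in the sample log is constructed.

```python
"""Toy DIDMARC-style resolver check (added example, not project code).
Model (all assumptions): an op log is a hash chain from genesis; the on-chain
'proven root' is the hash of the log's head; the resolver policy mirrors the
DMARC ramp none -> quarantine -> reject."""
import hashlib
import json
from dataclasses import dataclass
from typing import Optional


@dataclass
class Op:
    prev: Optional[str]   # hash of the previous op; None marks the genesis op
    payload: dict         # the operation body (constructed, not real PLC ops)


def op_hash(prev: Optional[str], payload: dict) -> str:
    # Hash-link each op to its predecessor (toy scheme, not PLC's CID scheme).
    body = json.dumps({"prev": prev, "payload": payload}, sort_keys=True).encode()
    return hashlib.sha256(body).hexdigest()


def replay(log: list[Op]) -> Optional[str]:
    """Re-verify a served log from genesis, as the contract would.
    Returns the head hash, or None if any link is broken."""
    if not log or log[0].prev is not None:
        return None
    head = None
    for op in log:
        if op.prev != head:
            return None
        head = op_hash(op.prev, op.payload)
    return head


def status(log: list[Op], proven_root: Optional[str]) -> str:
    """Graduated status of one served history against the proven root.
    unknown  - no proven root for this DID (not opted in); nothing to check
    invalid  - the served log does not even chain from genesis
    verified - replayed head equals the proven root: complete, current, one history
    diverged - well-formed chain whose head is not the proven root: truncated,
               stale, or an equivocated (different) history for the same DID"""
    if proven_root is None:
        return "unknown"
    head = replay(log)
    if head is None:
        return "invalid"
    return "verified" if head == proven_root else "diverged"


POLICIES = ("none", "quarantine", "reject")  # the DMARC ramp, resolver-local


def enforce(st: str, policy: str) -> str:
    """What a resolver does with a document of status `st` under `policy`.
    Like DMARC: p=none only logs, p=quarantine flags, p=reject drops."""
    if policy not in POLICIES:
        raise ValueError(f"unknown policy {policy!r}")
    if st in ("verified", "unknown"):
        return "accept"
    if policy == "none":
        return "accept+log"
    if policy == "quarantine":
        return "quarantine"
    return "reject"


def build_log(payloads: list[dict]) -> list[Op]:
    # Helper: chain a list of payloads into a well-formed log.
    log, head = [], None
    for p in payloads:
        log.append(Op(head, p))
        head = op_hash(head, p)
    return log


def demo() -> dict:
    """Constructed sample: one DID with three ops, then four views a directory
    might serve for it. Returns the status the resolver computes for each."""
    full = build_log([
        {"type": "create", "rotationKeys": ["k1"], "handle": "alice.example"},
        {"type": "update", "handle": "alice.example", "pds": "https://pds.example"},
        {"type": "update", "rotationKeys": ["k2"], "pds": "https://pds.example"},
    ])
    root = replay(full)                       # what the contract would have proven
    truncated = full[:2]                      # latest op withheld (incomplete/stale)
    forked = full[:2] + [Op(full[2].prev, {"type": "update", "rotationKeys": ["k3"]})]
    broken = [full[0], Op("not-a-real-hash", full[1].payload)]  # links do not verify
    views = {"full": full, "truncated": truncated, "forked": forked, "broken": broken}
    return {name: status(log, root) for name, log in views.items()}


if __name__ == "__main__":
    for view, st in demo().items():
        print(f"{view:10s} {st:9s} -> " + ", ".join(f"{p}={enforce(st, p)}" for p in POLICIES))
```

The point the sample makes is the one from the analogy: each op in the forked view is individually well-formed, so a per-op signature check would pass it; only comparing the replayed head against an independently proven root tells the two histories apart, and each resolver picks for itself where on the ramp it sits.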