DMARC Mandates and Guidance Worldwide: Keep Your Domain in Compliance
Every email marketer is familiar with DMARC because, since its introduction back in 2012, it has remained the primary domain security control and the main email authentication standard worldwide. Understanding and complying with global DMARC (Domain-based Message Authentication, Reporting, and Conformance) requirements is imperative to avoid unnecessary risks.
DMARC is an email authentication and reporting protocol that improves not only email security but also deliverability. It enables organizations to verify that email was sent from a trusted source rather than from bad actors such as hackers, spammers, or phishers.
But as in any professional field, it is worth remembering the legal requirements and your obligations. That’s why domain owners often wonder whether DMARC is mandatory and whether they need to implement it in their emails. In this article, we’ll take a look at DMARC requirements in different countries to keep you up-to-date.
DMARC In Cyber Security: A Quick Overview
DMARC is known for its proven usefulness in protecting your email domains from cyber threats. Publishing a DMARC record in the DNS allows the domain owner to know who is sending emails on behalf of their domain. Since it provides detailed information about the email channel, the domain owner gains full control over it. This way, you can ensure that your customers and email recipients receive emails sent on your behalf without failure. In addition, it confirms the authenticity of the source of the email sent from the domain and prevents scammers from sending any emails on your behalf.
Why Knowing DMARC Rules Is Important
Being aware of DMARC rules is not only about securing your reputation, it’s also about complying with increasingly stringent regulations around the world. Implementing the right DMARC practices will help you prevent security breaches and protect customer trust, giving you confidence and the ability to run your campaign flawlessly.
If you are looking for answers to the questions of who is requiring DMARC and whether you need to implement DMARC to comply with the current legislation, keep reading our article.
DMARC Mandates and Guidance Worldwide: A Comprehensive Country List
Cybercrime has grown exponentially in recent years, with phishing becoming the most popular attack method. This situation has led to the need for email authentication to prevent domain spoofing.
All of this has drawn attention to the introduction of DMARC as the simplest and most effective way to protect senders and recipients from domain spoofing, as it was created to reduce such threats to email. The number of regulators and organizations making email authentication mandatory continues to grow. We’ve compiled a comprehensive list of available DMARC guides and requirements to follow.
Find your country of operation and the latest global practices in the table below:
Geo Location | Description | Mandate Type | Information |
Global | New email requirements from Gmail for bulk senders of more than 5,000 messages daily | Compliance mandate | Source |
Global | Anti-phishing mechanisms in PCI DSS V4.0: Organizations must implement DMARC with a policy of p=reject or p=quarantine by March 8, 2025 | Compliance mandate | Source |
Global | fTLD Implements DMARC for Public Suffix Domains: As the first non-governmental TLDs to adopt PSD DMARC protections, fTLD’s new requirement strengthens security, helping to protect domains from phishing and improving email deliverability. The introduction of PSD DMARC on November 15, 2023, adds an extra layer of protection. | Compliance mandate | Source |
Global | 2024 Email Landscape Shift: Gmail and Yahoo Raise the Bar for Senders | Compliance mandate | Source |
Australia | Information Security Manual – June 2024 – Guidelines for Email | Guidance | Source |
Australia | How to Combat Fake Emails – The publication provides information and advice for security professionals and email server operators on SPF, DKIM, and DMARC to prevent their domains from being used as a source of spoofed emails. | Guidance | Source |
Australia | Strategies to Mitigate Cyber Security Incidents – Mitigation Details by the Australian Signals Directorate (ASD) | Guidance | Source |
Belgium | Ransomware protection and prevention with DMARC, SPF, and DKIM – Centre for Cyber Security Belgium | Guidance | Source |
Canada | Implementation guidance: email domain protection (ITSP.40.065 v1.1) – Canadian Centre for Cyber Security | Guidance | Source |
Czech Republic | The Act on Cyber Security – Implementation Guidance – Email Domain Protection: 3.3. Domains used for sending electronic mail must have a DMARC record (IETF RFC 7489) published in DNS with at least the following parameters: 3.3.1. Requested Mail Receiver policy (p) set to quarantine or reject; 3.3.2. Sampling rate (pct) set to 100 (default value) | Compliance mandate | Source |
Denmark | All Danish authorities are required to implement a DMARC “reject” policy on all domains they own | Compliance mandate | Source |
European Union | Best Practices for Email Marketing – eco Competence Group E-Mail – recommends using DMARC on the organizational domain to protect the entire brand (and not only an exchangeable sub-domain). | Guidance | Source |
European Union | Email communication security standards – EU Internet Standards Deployment Monitoring Website | Guidance | Source |
European Union | DMARC – Defeating E-Mail Abuse – CERT-EU Security Whitepaper 17-001 | Guidance | Source |
Finland | How to protect your Microsoft 365 services – Protection measures for Exchange Online servers – National Cyber Security Centre, Finnish Transport and Communications Agency Traficom | Guidance | Source |
France | Cyber Threat Overview 2021 – Agence Nationale De La Sécurité des Systèmes D’Information | Guidance | Source |
France | Guideline For a Healthy Information System – Strengthen Information System Security In 42 Measures: Implementation of authentication mechanisms and correct configuration of public DNS records associated with its email infrastructure (MX, SPF, DKIM, DMARC). | Guidance | Source |
Germany | Recommendations for action for Internet service providers – BSI publications on cyber security | E-mail security – 3.1 Email authentication | Guidance | Source |
India | Guidelines on Information Security Practices for Government Entities – 10.2. Email server | Guidance | Source |
India | Cyber Security Framework in Banks – Reserve Bank Information Technology Private Limited – Level I Compliance: To comply with this RBI control, financial institutions need to implement security measures to prevent/mitigate email-based cyber attacks | Compliance mandate | Source |
Ireland | Public Sector Cyber Security Baseline Standards: As part of the National Cyber Security Strategy 2019-2024, a commitment was made to publish a Cyber Security Baseline Standard for Government ICT services. Section 2.9 of this guidance, focused on email security, specifically recommends using SPF, DKIM, DMARC, and TLS. | Guidance | Source |
Netherlands | Mandatory guidelines on safety, protection of personal data, accessibility, and transparency (including DMARC, DKIM, and SPF) – Public and Communications Department Ministry of General Affairs | Compliance mandate | Source |
New Zealand | ISM Document: 15.2. Email Infrastructure – Anti-Spoofing Controls: DMARC, DKIM, and SPF should be implemented | Guidance | Source |
New Zealand | DMARC, DKIM – Update to section 15.2 of ISM Document: Change of DMARC control compliance from SHOULD to MUST, policy setting from p=none to p=reject | Compliance mandate for agencies | Source |
Norway | Basic Measures for Email Security: DMARC is recommended for email security measures | Guidance | Source |
Philippines | DICT on Cybersecurity Measures against WannaCry Ransomware: Enable strong spam filters to prevent phishing e-mails from reaching the end users and authenticate in-bound e-mail using technologies like SPF, DMARC, and DKIM to prevent email spoofing | Guidance | Source |
Poland | Act on Combating Abuse in Electronic Communications – New Obligations for Email Providers and Public Institutions: Since September 25, 2023, to counteract spoofing and smishing, public entities must send email using the SPF, DKIM, and DMARC mechanisms to verify the message’s sender | Compliance mandate | Source |
Portugal | Technical Recommendation 01/2019: Recommendation using the SPF, DKIM, and DMARC standards for e-mail security strengthening in organizations. | Guidance | Source |
Portugal | Technical Recommendation 01/2020: The following four actions, based on the publication of specific domain name records (DNS) — SPF, DKIM, DMARC, and MX — will notify recipients that no emails should originate from a “parked” domain and that any such emails should be discarded. These measures should be implemented in the order listed. | Guidance | Source |
Rwanda | Minimum Cybersecurity Standards for the Financial Sector: Use of “hard fail” SPF TXT methods, DKIM configuration, DMARC DNS records to block emails impersonating your organization | Guidance | Source |
Rwanda | Minimum Cybersecurity Standards for Public Institutions: Use of “hard fail” SPF TXT methods, DKIM, and DMARC DNS records to block emails impersonating your organization | Guidance | Source |
Saudi Arabia | Phishing Campaigns for Emotet Malware: Implement DMARC, a validation system that minimizes spam emails by detecting email spoofing using DNS records and digital signatures | Guidance | Source |
Scotland | Scottish Public Sector Cyber Resilience Framework V1.2. Protect: Category 13. Operational Security; 13.2 Email Security: DMARC is in place along with DKIM and SPF records. Spam and malware filtering is present and DMARC is enforced on inbound email. | Guidance | Source |
Singapore | Business Email Compromise (BEC) Playbook: Organizations can use DMARC to prevent malicious (e.g. spoofed, phishing) emails from reaching their users’ main inbox | Guidance | Source |
Singapore | The Internet Hygiene Portal by The Cyber Security Agency of Singapore (CSA): The importance of DMARC which enhances email security by preventing email spoofing | Guidance | Source |
United Kingdom | The National Cyber Security Centre – Phishing attacks: Defending your organisation: Setting up DMARC stops phishers from spoofing your domain. | Guidance | Source |
United Kingdom | Using Domain-based Message Authentication, Reporting and Conformance (DMARC) in your organisation | Guidance | Source |
United Kingdom | A guide for IT managers and systems administrators: Email security and anti-spoofing | Guidance | Source |
United States | CIS Critical Security Controls – Email and Web Browser Protections: 9.5: Implement DMARC | Guidance | Source |
United States | The advisory from the FBI, U.S. State Department, and NSA emphasizes that organizations are strongly encouraged to update their DMARC policies to mitigate phishing attacks. Proper configurations: “Quarantine” or “Reject” emails that fail authentication, where “Quarantine” means that mail servers should treat unauthenticated emails as potential spam, and “Reject” tells the servers to block such emails completely | Guidance | Source |
United States | Phishing Guidance: Stopping The Attack Cycle At Phase One from CISA, NSA, FBI, and MS-ISAC: Enable DMARC for received emails, and set the policy to “reject” for sent emails for robust protection against other users receiving emails that impersonate a domain. Provide email software with DMARC enabled for received emails by default. Provide email software with DMARC configured to “reject” for sent emails by default | Guidance | Source |
United States | Ransomware Guide from Multi-State Information Sharing and Analysis Center (MS-ISAC): To lower the chance of spoofed or modified emails from valid domains, implement DMARC policy and verification | Guidance | Source |
United States | CISA Insights – Enhance Email & Web Security: Recommendations for enhancing email security: Configure all internet-facing mail servers to offer STARTTLS, and all second-level organization domains to have valid SPF/DMARC records, with at minimum a DMARC policy of “p=none” and at least one address defined as a recipient of aggregate and/or failure reports | Guidance | Source |
United States | Stop Ransomware by CISA: Defend Today, Secure Tomorrow – DMARC document | Guidance | Source |
United States | Cross-Sector Cybersecurity Performance Goals – Email Security: Recommended action for reducing risk from common email-based threats, such as spoofing, phishing, and interception. On all corporate email infrastructure, DMARC is enabled and set to “reject.” | Guidance | Source |
United States | National Institute of Standards and Technology – Special Publication 800-177 – Trustworthy Email: 4.6 Domain-based Message Authentication, Reporting and Conformance (DMARC) | Guidance | Source |
United States | Binding Operational Directives 18-01: Enhance Email and Web Security: All agencies are required to enhance email security. All second-level agency domains must have valid SPF/DMARC records, with at minimum a DMARC policy of “p=none” and at least one address defined as a recipient of aggregate and/or failure reports. Add the NCCIC as a recipient of DMARC aggregate reports. Set a DMARC policy of “reject” for all second-level domains and mail-sending hosts. | Compliance mandate | Source |
Why DMARC Enforcement Is Crucial
As we can see, security organizations worldwide, including government and industry authorities, strongly recommend reaching DMARC enforcement to protect against email-related threats.
Despite these clear benefits, many organizations struggle to achieve enforcement, as the vast majority of domains are stuck at p=none, which provides no more protection than no DMARC record at all. Getting to enforcement is where the true value of DMARC and email authentication begins.
The main goal of authentication is to prevent phishing and spoofing attacks effectively. To do so, it’s important to go beyond the initial p=none configuration and enforce DMARC with p=quarantine or p=reject. While p=none collects valuable data, you can only truly protect your domain when implementing a quarantine or reject policy.
At enforcement, only authorized emails that use your domain get through, while all other emails are either sent to spam or deleted. Not only does this increase security, but it can also improve email deliverability. Companies that switch to enforcement, in fact, often see an increase in email deliverability rates.
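The thresholds the mandates above set on the published record (BOD 18-01’s p=none plus a report address, PCI DSS v4.0’s quarantine or reject, the Czech guidance’s pct=100, and the CPG’s reject) can be checked mechanically. The parser and checker below are an added example, not GlockApps code; the sample records and the example.com report addresses are constructed.

```python
"""Parse a DMARC TXT record and test it against the policy thresholds cited above."""

# Constructed sample records (example.com is a placeholder, not a real sender)
SAMPLE_RECORDS = {
    "none_with_reports": "v=DMARC1; p=none; rua=mailto:dmarc@example.com",
    "quarantine_sampled": "v=DMARC1; p=quarantine; pct=50; rua=mailto:dmarc@example.com",
    "reject_full": "v=DMARC1; p=reject; sp=reject; rua=mailto:dmarc@example.com; "
                   "ruf=mailto:forensic@example.com",
    "not_dmarc": "v=spf1 include:_spf.example.com -all",
}


def parse_dmarc(txt: str) -> dict:
    """Split a DMARC TXT record into tag=value pairs.
    Returns {} unless the record is v=DMARC1 (RFC 7489 requires that tag first).
    pct defaults to 100 when absent, as in the RFC."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if "=" not in part:
            continue
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        return {}
    tags.setdefault("pct", "100")
    return tags


def has_report_address(tags: dict) -> bool:
    """BOD 18-01 / CISA Insights: at least one rua or ruf mailto: recipient."""
    uris = tags.get("rua", "") + "," + tags.get("ruf", "")
    return any(u.strip().lower().startswith("mailto:") for u in uris.split(",") if u.strip())


def check_mandates(txt: str) -> dict:
    """Evaluate one record against the thresholds named in the article's table."""
    tags = parse_dmarc(txt)
    if not tags:
        return {"valid": False}
    policy = tags.get("p", "").lower()
    valid = policy in ("none", "quarantine", "reject")
    enforced = policy in ("quarantine", "reject")
    return {
        "valid": valid,
        "bod_18_01_minimum": valid and has_report_address(tags),  # p=none + reports
        "pci_dss_v4": enforced,                                   # quarantine or reject
        "czech_act": enforced and tags["pct"] == "100",           # plus full sampling
        "cpg_reject": policy == "reject",                         # reject only
    }
```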
Protect Your Email and Customers – Get Started with DMARC Analyzer
Not sure how to get your domain into DMARC compliance? You can start using DMARC Analyzer from GlockApps today with 10,000 free monthly DMARC messages and unlimited domains. Our support team, comprehensive guides, and in-depth analytics are always here to assist you every step of the way on your DMARC journey.