Global mandates and guidance for DMARC in 2024
For cybersecurity, email security and IT teams, understanding and adhering to global DMARC (Domain-based Message Authentication, Reporting, and Conformance) requirements is imperative.
At Red Sift, we have put together a tabulated overview of DMARC mandates and guidance enforced across different regions worldwide. Our aim is to provide a clear, unambiguous guide that consolidates the varying global requirements into one accessible format.
Whether you are an IT security professional, email administrator, or a compliance officer, this table will serve as an essential tool to ensure your organization’s email security aligns with international best practices and requirements.
Global DMARC mandates and guidance
| Affected Geo | Name | Description | Mandate type |
|---|---|---|---|
| Global | New requirements for bulk senders | Those sending over 5,000 emails a day must authenticate email-sending domains with SPF and DKIM, have DKIM or SPF alignment, support TLS, and publish a DMARC policy of p=none. | Private sector mandate |
| Global | PCI DSS v4.0 Req 5.4.1 | "Automated mechanisms" must be deployed to detect and protect against phishing attacks. Though this requirement is for "processes and mechanisms" and does not point to a specific solution, best practice would point to implementing DMARC, SPF, and DKIM. | Compliance mandate |
| Canada | Email Management Services Configuration Requirements | Ensure that the sender or recipient of government email can be verified for inbound mail using Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM), and Domain-based Message Authentication, Reporting and Conformance (DMARC). | Mandate for government agencies |
| Denmark | Minimum technical requirements for government authorities 2023 | All governmental agencies are required to implement a DMARC policy of p=reject on all domains. | Mandate for government agencies |
| New Zealand | 2022 New Zealand Information Security Manual, v3.6, section 15.2 | The future replacement for SEEMail will use DMARC, so vendors and agencies will need to be compliant. Changes: (1) DMARC control compliance from SHOULD to MUST [CID:6019] [CID:6021]; (2) DMARC policy setting from p="none" to p="reject" [CID:6020]; (3) DKIM control compliance from SHOULD to MUST [CID:1797] [CID:1798]. | Mandate for government agencies |
| Ireland | Public Sector Cyber Security Baseline Standards, section 2.9 | Public service bodies must implement TLS, SPF, and DKIM, and enforce DMARC on all inbound mail. | Mandate for government agencies |
| Netherlands | "Comply or Explain" standards | Mandatory guidelines for government agencies require DKIM, SPF, and DMARC, as well as STARTTLS and DANE. | Mandate for government agencies |
| Saudi Arabia | Guide to Essential Cybersecurity Controls (ECC) Implementation, section 2-4-3 | National organizations must implement all necessary measures to analyze and filter email messages (specifically phishing emails and spam) using advanced and up-to-date email protection techniques. Recommended approaches include DKIM, SPF, and DMARC. | Mandate for government agencies |
| UK | Government Cybersecurity Policy Handbook, Principle B3: Data Security | Government departments shall have DMARC, DKIM, and SPF records in place for their domains. This shall be accompanied by the use of MTA-STS and TLS Reporting. This requirement originated from the 2018 Minimum Cybersecurity Standard. | Mandate for government agencies |
| UK | Securing government email | All email services that public sector organizations run on the internet must encrypt and authenticate email by supporting TLS and DMARC at minimum. | Mandate for government agencies |
| UK | Updating our security guidelines for digital services | Any service that runs on service.gov.uk must have a published DMARC policy. | Mandate for government agencies |
| United States | Binding Operational Directive 18-01: Enhance Email and Web Security | Requires all federal agencies to bolster email and web security, including STARTTLS, SPF, DKIM, and DMARC with a policy of p=reject. | Mandate for government agencies |
| Australia | Cybersecurity guidelines: Guidelines for Email | Recommends implementing SPF, DKIM, and DMARC with a policy of p=reject. | Guidance |
| Australia | How to combat fake emails | Suggests using SPF, DKIM, and DMARC to prevent domains from being used as the source of fake emails. | Guidance |
| Australia | Malicious email mitigation strategies | Recommends the most effective methods of protecting organizations from email-borne attacks, including deploying DKIM, SPF, and DMARC with a p=reject policy. | Guidance |
| Canada | Implementation guidance: email domain protection (ITSP.40.065 v1.1) | For complete protection against spoofing, organizations should implement SPF, DKIM, and DMARC. | Guidance |
| EU | Email communication security standards | Recommends using STARTTLS, SPF, DKIM, DMARC, and DANE to protect email communications. | Guidance |
| Germany | Measures to defend against spam and phishing, Section 3.1 | Proposes measures for internet service providers to reduce the malware and spam problem: SPF, DKIM, and DMARC. | Guidance |
| Saudi Arabia | Phishing Campaigns for Emotet Malware | Implement Domain-based Message Authentication, Reporting & Conformance (DMARC) to detect email spoofing using Domain Name System (DNS) records and digital signatures. | Guidance |
| Scotland | A Cyber Resilience Strategy for Scotland: Public Sector Action Plan 2017-2018, v2 | Public bodies should take advantage of DMARC anti-spoofing. | Guidance |
| UK | Email security and anti-spoofing v2 | Make it difficult for fake emails to be sent from your organization's domains using SPF, DKIM, and DMARC with a policy of at least p=none, including parked domains. Protect your email in transit with TLS. | Guidance |
| UK | Phishing attacks: defending your organisation v1.1 | DMARC, SPF, and DKIM are Layer 1 defenses for stopping spoofed emails used to attack an organization. | Guidance |
| United States | CIS Critical Security Controls v8.0, IG2-9.5 | Implement DMARC policy and verification, starting with the Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM) standards. | Guidance |
| United States | CISA INSIGHTS: Enhance Email & Web Security | Enable DKIM, SPF, and DMARC with a policy of p=reject. | Guidance |
| United States | Multi-State Information Sharing and Analysis Center (MS-ISAC) Ransomware Guide | To lower the chance of spoofed or modified emails from valid domains, implement DMARC policy and verification. | Guidance |
| United States | NIST SP 800-53 Security Controls Catalog Revision 5: SI-08 | Employ spam protection mechanisms at system entry and exit points to detect and act on unsolicited messages. DMARC, SPF, and DKIM are one way to address this. | Guidance |
| United States | NIST Special Publication 800-177 Revision 1: Trustworthy Email | Recommends implementing SPF, DKIM, and DMARC, among other controls, to enhance trust in email. | Guidance |
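The mandates above differ mainly in the DMARC policy level they require: some accept p=none as a minimum (the bulk-sender requirements, the UK anti-spoofing guidance), others demand p=reject (Denmark, BOD 18-01, New Zealand, CISA, Australia). The following is an added example, not Red Sift's code nor part of any of the standards listed: a small parser for a DMARC TXT record (the `v=DMARC1; p=...; ...` tag syntax of RFC 7489) and a checker that reports whether the record satisfies a given required policy level. It also catches the two ways a record can look compliant but not be: a weaker subdomain policy (`sp=`) and a `pct=` value below 100, which applies the policy to only a fraction of mail. All records below are constructed samples; in practice the record is fetched from the `_dmarc.<domain>` TXT entry in DNS, which this offline example does not do.

```python
"""DMARC record parser and mandate-level compliance check (added example)."""

from dataclasses import dataclass, field

# Ordering used to compare a published policy against a required one.
POLICY_RANK = {"none": 0, "quarantine": 1, "reject": 2}


@dataclass
class DmarcRecord:
    tags: dict = field(default_factory=dict)
    errors: list = field(default_factory=list)


def parse_dmarc(txt: str) -> DmarcRecord:
    """Parse 'v=DMARC1; p=reject; rua=...' into tags, collecting syntax errors."""
    rec = DmarcRecord()
    parts = [p.strip() for p in txt.strip().split(";") if p.strip()]
    for part in parts:
        if "=" not in part:
            rec.errors.append(f"malformed tag: {part!r}")
            continue
        key, value = part.split("=", 1)
        key, value = key.strip().lower(), value.strip()
        if key in rec.tags:
            rec.errors.append(f"duplicate tag: {key}")
        rec.tags[key] = value
    # The version tag must come first and be exactly DMARC1.
    if not parts or parts[0].lower().replace(" ", "") != "v=dmarc1":
        rec.errors.append("record must start with v=DMARC1")
    policy = rec.tags.get("p")
    if policy is None:
        rec.errors.append("missing required p= tag")
    elif policy.lower() not in POLICY_RANK:
        rec.errors.append(f"invalid p= value: {policy!r}")
    sub = rec.tags.get("sp")
    if sub is not None and sub.lower() not in POLICY_RANK:
        rec.errors.append(f"invalid sp= value: {sub!r}")
    pct = rec.tags.get("pct", "100")
    if not pct.isdigit() or not 0 <= int(pct) <= 100:
        rec.errors.append(f"invalid pct= value: {pct!r}")
    return rec


def check_mandate(txt: str, required: str = "reject", require_reports: bool = False):
    """Return (compliant, findings) for a record against a required policy level.

    required        -- 'none', 'quarantine' or 'reject', as the mandate demands
    require_reports -- also insist on an rua= aggregate reporting address
    """
    rec = parse_dmarc(txt)
    if rec.errors:
        return False, list(rec.errors)
    findings = []
    policy = rec.tags["p"].lower()
    # sp= defaults to p= when absent, so subdomains inherit the main policy.
    sub_policy = rec.tags.get("sp", policy).lower()
    if POLICY_RANK[policy] < POLICY_RANK[required]:
        findings.append(f"p={policy} is weaker than required p={required}")
    if POLICY_RANK[sub_policy] < POLICY_RANK[required]:
        findings.append(f"subdomain policy sp={sub_policy} is weaker than required p={required}")
    pct = int(rec.tags.get("pct", "100"))
    if pct < 100 and POLICY_RANK[required] > 0:
        findings.append(f"pct={pct} applies the policy to only part of the mail stream")
    if require_reports and "rua" not in rec.tags:
        findings.append("no rua= aggregate reporting address; you will not see spoofing attempts")
    return (not findings), findings


if __name__ == "__main__":
    # Constructed sample records; the domain and addresses are placeholders.
    samples = {
        "enforced": "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com",
        "monitoring only": "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com",
        "weak subdomains": "v=DMARC1; p=reject; sp=none",
        "partial rollout": "v=DMARC1; p=reject; pct=50",
        "missing version": "p=reject",
    }
    for label, record in samples.items():
        for level in ("none", "reject"):
            ok, notes = check_mandate(record, level)
            print(f"{label:16} vs p={level:7}: {'PASS' if ok else 'FAIL'} {notes}")
```

Run it with no arguments to see each constructed record scored against both the p=none floor and the p=reject mandates; to audit a real domain, replace the sample strings with the TXT value published at `_dmarc.<your-domain>`.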
Where to go from here?
The landscape of email security and authentication is constantly evolving.
At Red Sift, we understand the complexities involved in implementing and managing DMARC. Our award-winning Red Sift OnDMARC is designed to simplify the path to DMARC enforcement, offering you best-in-class technology and expertise.