Cutting through the noise: The real regulatory landscape for DMARC

When it comes to email security and regulatory compliance, there’s a lot of confusion. We’ve seen claims that Domain-based Message Authentication, Reporting, and Conformance (DMARC) is necessary under privacy data regulations when the mandates don’t require it.

While email security is important in protecting sensitive information, we believe in being clear about what regulations mandate DMARC and what points to its widespread enforcement.

In this article, we plan to highlight the actual DMARC mandates, debunk common misconceptions, and explain why DMARC still matters, even when it’s not required.

The actual DMARC regulations

DMARC is a powerful tool in the fight against email spoofing, a common tactic used in Business Email Compromise (BEC) attacks, which are expected to cost $3.22 billion this year, and phishing. But not every cybersecurity or data privacy regulation directly mandates it. Here’s a breakdown of the regulations that do require DMARC implementation and those that don’t:

Mandates that require DMARC

Many governments and regulatory bodies around the world have already made DMARC mandatory for specific industries:

Global

Google & Yahoo bulk sender requirements: Organizations sending over 5 000 emails a day must implement DMARC.

North America

Binding Operational Directive (BOD) 18-01: Requires U.S. federal agencies to implement DMARC with a p=reject policy.
California Statewide Information Management Manual (SIMM) – 5315A: Mandates DMARC for California state agencies.
Federal Risk and Authorization Management Program (FedRAMP) DMARC: Requires cloud service providers working with the U.S. federal government to enforce p=reject.
Canadian government email policy: Canadian federal agencies must have a DMARC policy of p=quarantine or p=reject.

Europe

Denmark, Netherlands, and UK: All have specific government mandates requiring DMARC implementation for public sector email security.

Other regions

New Zealand: Mandates a DMARC policy of p=reject for government agencies.
Saudi Arabia’s Essential Cybersecurity Controls (ECC): Requires strong email authentication, including DMARC.
Rwanda’s financial sector mandate: Financial institutions must implement SPF, DKIM, and DMARC.

What about other privacy laws?

One thing we’ve noticed is that many assume well-known data protection regulations like the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA) mandate DMARC. This simply isn’t true. These laws focus on protecting personal data, breach notifications, and consumer rights—but they don’t require companies to implement DMARC.

Other regulations that are mistakenly associated with DMARC include:

Privacy of Consumer Financial Information Rule of the Gramm-Leach-Bliley Act (GLBA): Requires financial institutions to secure customer data but doesn’t mandate DMARC.
Health Insurance Portability and Accountability Act (HIPAA): Protects patient data, but DMARC isn’t a compliance requirement.
Cybersecurity Maturity Model Certification (CMMC): Requires Department of Defense (DoD) contractors to safeguard sensitive information, but DMARC isn’t mandated.
International Organization for Standardization (ISO)/International Electrotechnical Commission (IEC) 27001: A widely recognized cybersecurity framework, but it doesn’t specify DMARC as a requirement.
Payment Card Industry Data Security Standard (PCI DSS) v4.0: Mandates automated mechanisms to detect and protect against phishing but doesn’t require DMARC.

To be clear, while DMARC helps organizations align with the goals of these regulations—by reducing the risk of successful phishing attacks that could lead to data breaches—there’s no direct requirement to implement it.

Why DMARC matters without mandates

While not mandated by all regulatory frameworks, implementing DMARC can significantly strengthen your business’s email security posture. Here’s why DMARC is important, even without compliance requirements:

Enhances integrity & trust: DMARC, with Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM), helps authenticate the integrity of the email and the sender’s identity. This prevents cybercriminals from easily spoofing or impersonating your company’s domain, building trust with customers and business partners.
Improves deliverability: By aligning with SPF and DKIM, DMARC reduces the chance of legitimate emails landing in Spam. This can improve deliverability and increase the chance that important communications reach the intended recipients.
Provides more visibility: DMARC enables organizations to receive reports about emails sent from their domain, including those that fail DMARC checks. This visibility allows companies to monitor and control the use of their email domain, detecting unauthorized use and potential threats quickly.
Protects brand reputation: By reducing email fraud, businesses can protect their brand reputation from the negative impact of email-based attacks like social engineering, a common threat used in 98% of cyberattacks in 2024.

With DMARC, companies enhance their security measures and their operational efficiency while maintaining the trust of their stakeholders.

Transparency in DMARC guidance

At Sendmarc, we believe in cutting through the noise and providing accurate, actionable insights about DMARC adoption. We focus on what really matters:

Regulations that require DMARC implementation
Best practices and trends that show where DMARC mandates are heading
Clear guidance on how organizations can stay ahead of regulatory changes

If your organization is considering DMARC, the question isn’t if it’ll need it but when. And with phishing increasing, contributing to 932 923 cyberattacks in Q3 2024 alone, the sooner protection is in place, the better.

Interested in getting started? Contact us, and we’ll walk your business through the entire process.