Domain-based Message Authentication, Reporting, and Conformance (DMARC) is a protocol created to reduce the risk of email spoofing and phishing. It builds on Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM): the domain owner publishes a DNS policy telling receivers what to do with mail that fails authentication for that domain, and receives reports on who is sending mail in its name. Regulators across the globe are increasingly mandating or recommending DMARC, together with SPF and DKIM, to improve email security.
DMARC is changing from an optional security measure to a baseline requirement. It is not yet universally mandated, but a growing number of governments, regulators, and mailbox providers require it, and many more recommend it. Implementing DMARC helps organizations meet those requirements and strengthens their defenses against email threats.
The tables below provide a detailed overview of international email security regulations and DMARC mandates. These regulations and recommendations come from various groups, including government authorities, industry regulators, and sector-specific compliance organizations.
Governments worldwide are increasingly implementing DMARC mandates to improve email security in both public and private sectors. These aim to protect critical infrastructure, secure communications, and reduce cybercrime.
Regulation: Canadian government email policy
Region: Canada
What it means: Government emails must implement SPF, DKIM, and a DMARC policy of p=quarantine or p=reject.
Mandated for DMARC: Yes
Regulation: BOD – Binding Operational Directive 18-01
Region: United States
What it means: Federal agencies must enforce STARTTLS, SPF, DKIM, and DMARC with a p=reject policy.
Mandated for DMARC: Yes
Regulation: California SIMM – California Statewide Information Management Manual – 5315A
Region: United States (California)
What it means: State agencies must implement DMARC for email threat protection.
Mandated for DMARC: Yes
Regulation: MS-ISAC – Multi-State Information Sharing and Analysis Center
Region: United States
What it means: Configure DMARC, SPF, and DKIM to enhance cybersecurity.
Mandated for DMARC: No
Regulation: Denmark government mandate
Region: Denmark
What it means: All government agencies must implement a DMARC policy of p=reject.
Mandated for DMARC: Yes
Regulation: Ireland public sector cybersecurity standard
Region: Ireland
What it means: Public service bodies should enforce SPF, DKIM, and DMARC.
Mandated for DMARC: No
Regulation: Netherlands government mandate
Region: Netherlands
What it means: Government agencies must implement STARTTLS, DANE, SPF, DKIM, and DMARC.
Mandated for DMARC: Yes
Regulation: UK government secure email policy
Region: United Kingdom
What it means: Government departments must implement TLS, DMARC, DKIM, and SPF.
Mandated for DMARC: Yes
Regulation: India government email security guidance
Region: India
What it means: Implement SPF, DKIM, and DMARC for enhanced email security.
Mandated for DMARC: No
Regulation: NZISM – New Zealand Information Security Manual v3.8
Region: New Zealand
What it means: Government agencies must use DMARC with a policy of p=reject, SPF, and DKIM.
Mandated for DMARC: Yes
Regulation: Rwanda financial sector mandate
Region: Rwanda
What it means: Financial institutions must implement SPF, DKIM, and DMARC.
Mandated for DMARC: Yes
Regulation: Rwanda public sector email security standard
Region: Rwanda
What it means: Public institutions should implement DMARC to block email impersonation.
Mandated for DMARC: No
Various regulators and compliance bodies have introduced email security requirements to protect sensitive information and ensure business continuity.
Regulation: CCPA – California Consumer Privacy Act
Region: United States (California)
What it means: Requires reasonable security for consumer personal data. CCPA does not name DMARC, but DMARC reduces the phishing and domain spoofing that lead to data breaches.
Mandated for DMARC: No
Regulation: CIS – Center for Internet Security Critical Security Controls
Region: United States
What it means: Implement DMARC (Safeguard 9.5 in CIS Controls v8) to reduce successful spoofing of the organization's domains, starting with SPF and DKIM.
Mandated for DMARC: No
Regulation: FedRAMP – Federal Risk and Authorization Management Program
Region: United States
What it means: Cloud service providers must enforce a DMARC policy of p=reject.
Mandated for DMARC: Yes
Regulation: CMMC – Cybersecurity Maturity Model Certification
Region: United States
What it means: Businesses working with the Department of Defense (DoD) must protect sensitive information. DMARC is not a named control, but it reduces the risk of phishing-driven compromise and data loss.
Mandated for DMARC: No
Regulation: NIST CSF – National Institute of Standards and Technology Cybersecurity Framework
Region: United States
What it means: Organizations should reduce cybersecurity risks by implementing solutions such as DMARC.
Mandated for DMARC: No
Regulation: GDPR – General Data Protection Regulation
Region: European Union
What it means: Requires businesses to protect personal data with appropriate technical measures. DMARC does not encrypt or protect email content, but by preventing spoofing of the organization's domain it reduces the phishing that leads to unauthorized access, which supports GDPR compliance.
Mandated for DMARC: No
Regulation: France email security guidance
Region: France
What it means: Email administrators should implement SPF, DKIM, and DMARC.
Mandated for DMARC: No
Regulation: Germany ISP security guidance
Region: Germany
What it means: ISPs should use DMARC, SPF, and DKIM to combat spam and phishing.
Mandated for DMARC: No
Regulation: Portugal cybersecurity recommendations
Region: Portugal
What it means: Organizations should implement DMARC on both active and parked domains. A parked domain that sends no mail can still be spoofed, so it should publish a DMARC record with p=reject (and an SPF record of v=spf1 -all) just like a sending domain.
Mandated for DMARC: No
Regulation: Scotland cyber resilience action plan
Region: Scotland
What it means: Public sector organizations should implement cybersecurity measures like DMARC.
Mandated for DMARC: No
Regulation: UK public sector email security
Region: United Kingdom
What it means: Public sector emails must use TLS and DMARC to encrypt and authenticate email.
Mandated for DMARC: Yes
Regulation: Australia cybersecurity guidelines
Region: Australia
What it means: Configure SPF, DKIM, and DMARC with a p=reject policy to reduce email threats.
Mandated for DMARC: No
Regulation: ECC – Saudi Arabia Essential Cybersecurity Controls
Region: Saudi Arabia
What it means: Organizations must implement strong email protection, including SPF, DKIM, and DMARC.
Mandated for DMARC: Yes
Regulation: POPIA – Protection of Personal Information Act
Region: South Africa
What it means: Take reasonable measures to prevent unauthorized access to personal information. DMARC can enhance the protection of sensitive data.
Mandated for DMARC: No
Regulation: Google & Yahoo bulk sender requirements
Region: International
What it means: Organizations sending 5,000 or more messages a day must send over TLS, authenticate with both SPF and DKIM, and publish a DMARC policy of at least p=none, with the From: header domain aligned to the SPF or DKIM domain.
Mandated for DMARC: Yes
Regulation: ISO/IEC – International Organization for Standardization/ International Electrotechnical Commission 27001
Region: International
What it means: Organizations must manage information security risks effectively for ISO/IEC 27001 compliance. Implementing DMARC can help companies comply.
Mandated for DMARC: No
Regulation: PCI DSS – Payment Card Industry Data Security Standard v4.0
Region: International
What it means: Requirement 5.4.1 calls for mechanisms to detect and protect personnel against phishing. DMARC, SPF, and DKIM are named as best practices rather than mandated controls.
Mandated for DMARC: No
Regulation: GLBA – Privacy of Consumer Financial Information Rule of the Gramm-Leach-Bliley Act
Region: United States
What it means: Requires financial institutions to protect customer data; DMARC can help enhance defenses.
Mandated for DMARC: No
Regulation: UK NHS email security policy
Region: United Kingdom
What it means: NHS-accredited organizations must implement an email service that supports DMARC.
Mandated for DMARC: Yes
Regulation: HIPAA – Health Insurance Portability and Accountability Act
Region: United States
What it means: Ensures privacy and security of patient data; DMARC can increase protection by reducing successful phishing attempts.
Mandated for DMARC: No
DMARC is vital for authenticating email communications. DMARC passes only when a message is authenticated by SPF or DKIM and the authenticated domain aligns with the domain in the From: header, so an attacker cannot spoof a protected domain simply by passing SPF for a domain of their own. Publishing an enforcing policy (p=quarantine or p=reject) therefore reduces successful phishing and spoofing attacks, and the regulators mandating or recommending DMARC highlight its role in protecting against cyberthreats.
The adoption of DMARC, SPF, and DKIM differs around the world, but the message is clear: securing email communication is a necessity. As cyberthreats evolve, so will standards and mandates. Organizations must adopt these measures to safeguard their reputation, comply with requirements, and protect client data.
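As an added example (not code from the original article or from any of the bodies it lists), the following Python parses a published DMARC record and checks it against the minimum policy several of the mandates above require. The domain names and records are constructed, no DNS lookups are made, and the mapping from each mandate's text to a required p= value is this example's own assumption. It also treats pct<100 as weaker than the published policy, following RFC 7489, which is the check most compliance reviews apply.

```python
"""Check published DMARC records against the minimum policy a mandate requires.
Added example for this page, not code from the article or any body it lists.
Records and domain names are constructed; nothing is looked up in DNS."""
from dataclasses import dataclass, field

POLICY_RANK = {"none": 0, "quarantine": 1, "reject": 2}  # RFC 7489 strength order

# Minimum p= value each mandate requires, restated from the tables above;
# mapping mandate text to a tag value is this example's assumption.
MANDATE_MINIMUM = {
    "BOD 18-01": "reject",
    "Canada government": "quarantine",
    "NZISM v3.8": "reject",
    "Google/Yahoo bulk sender": "none",
}


@dataclass
class DmarcRecord:
    policy: str            # p=   (required)
    subdomain_policy: str  # sp=  (defaults to p)
    pct: int               # pct= (defaults to 100)
    rua: list = field(default_factory=list)  # aggregate report URIs


def parse_dmarc(txt: str) -> DmarcRecord:
    """Parse the TXT record published at _dmarc.<domain>; ValueError if malformed."""
    pairs = []
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag {part!r}")
        key, value = part.split("=", 1)
        pairs.append((key.strip().lower(), value.strip()))
    # RFC 7489: v=DMARC1 must be the first tag and p= must be present.
    if not pairs or pairs[0] != ("v", "DMARC1"):
        raise ValueError("record must begin with v=DMARC1")
    tags = dict(pairs)
    if "p" not in tags:
        raise ValueError("required p= tag is missing")
    policy = tags["p"].lower()
    sp = tags.get("sp", policy).lower()
    if policy not in POLICY_RANK or sp not in POLICY_RANK:
        raise ValueError("p= and sp= must be none, quarantine or reject")
    pct = int(tags.get("pct", "100"))
    if not 0 <= pct <= 100:
        raise ValueError("pct= must be between 0 and 100")
    rua = [u.strip() for u in tags.get("rua", "").split(",") if u.strip()]
    return DmarcRecord(policy, sp, pct, rua)


def is_valid_record(txt: str) -> bool:
    try:
        parse_dmarc(txt)
        return True
    except ValueError:
        return False


def effective_policy(rec: DmarcRecord) -> str:
    """Weakest policy a receiver may apply to mail failing DMARC.
    RFC 7489 section 6.6.4: messages not selected by pct= get the next less
    strict policy (reject -> quarantine, quarantine -> none)."""
    if rec.pct < 100 and rec.policy != "none":
        return {"reject": "quarantine", "quarantine": "none"}[rec.policy]
    return rec.policy


def meets_mandate(rec: DmarcRecord, mandate: str) -> bool:
    return POLICY_RANK[effective_policy(rec)] >= POLICY_RANK[MANDATE_MINIMUM[mandate]]


def findings(rec: DmarcRecord) -> list:
    """Weaknesses a reviewer flags even when p= itself looks compliant."""
    out = []
    if not rec.rua:
        out.append("no rua= address, so aggregate reports are never received")
    if rec.pct < 100:
        out.append(f"pct={rec.pct}, so the policy is only partially applied")
    if POLICY_RANK[rec.subdomain_policy] < POLICY_RANK[rec.policy]:
        out.append(f"sp={rec.subdomain_policy} is weaker than p={rec.policy}, "
                   "leaving subdomains spoofable")
    return out


SAMPLE_RECORDS = {  # constructed for this example; not real domains
    "agency.example": "v=DMARC1; p=reject; rua=mailto:dmarc@agency.example",
    "rollout.example": "v=DMARC1; p=reject; pct=50; rua=mailto:dmarc@rollout.example",
    "monitor.example": "v=DMARC1; p=none; rua=mailto:dmarc@monitor.example",
    "loose.example": "v=DMARC1; p=quarantine; sp=none",
}


def audit(mandate: str) -> dict:
    """Map each sample domain to whether its record satisfies the mandate."""
    return {d: meets_mandate(parse_dmarc(t), mandate) for d, t in SAMPLE_RECORDS.items()}


if __name__ == "__main__":
    for mandate in MANDATE_MINIMUM:
        print(mandate, audit(mandate))
    for domain, txt in SAMPLE_RECORDS.items():
        print(domain, findings(parse_dmarc(txt)))
```

Running it shows why a bare "p=reject" check is not enough: rollout.example publishes p=reject but with pct=50, so it satisfies the Canadian quarantine-or-reject requirement yet fails BOD 18-01, and loose.example protects its organizational domain while leaving every subdomain spoofable through sp=none.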
We’ve released a blog on everything Managed Service Providers (MSPs) and Managed Security Service Providers (MSSPs) should know about DMARC global mandates.