Global Email Authentication & DMARC Requirements

Over the past few years, Google, Yahoo, and other major email providers have made significant changes to their email security requirements. Today, authenticating sending domains with DMARC, DKIM, SPF, and MTA-STS is required across a range of industries and countries.

Such a drastic change in the approach of major email providers, government agencies, and regulatory bodies reflects a global effort to strengthen email security. The aim is to improve email deliverability, lower spam rates, and reduce email-based cyber attacks that can cause major data breaches and reputational damage.

With these fast-evolving requirements, DMARC is likely to soon become an integral component of mandatory cybersecurity strategies worldwide.

Region-Specific DMARC Requirements

| Region | Requirement name | Requirement description | Date |
| --- | --- | --- | --- |
| Global | Google Bulk Sender Requirements | Bulk senders (over 5,000 emails/day) must authenticate domains with TLS, DKIM, and SPF, and have a DMARC policy of at least p=none. | Put into effect from February 2024 |
| Global | Yahoo Bulk Sender Requirements | Bulk senders (over 5,000 emails/day) must authenticate domains with TLS, DKIM, and SPF, and have a DMARC policy of at least p=none. | Put into effect from February 2024 |
| Global | PCI DSS version 4 compliance requirements | PCI DSS v4.0 requires automated mechanisms to prevent phishing; best practices suggest using DMARC, SPF, and DKIM. | Will be put into effect from March 2025 |
| EU countries | GDPR (General Data Protection Regulation) | Under GDPR, you are required to have Data Processing Agreements (DPAs) with every cloud service provider that handles European consumers’ data on behalf of your entity. | Introduced in May 2018 |
| EU countries | DORA (Digital Operational Resilience Act) | DORA applies to 20 different types of financial entities and ICT third-party service providers and aims to harmonize the rules on the operational resilience of the financial sector (banks, insurance companies, investment firms, etc.). DMARC can be of significant importance for financial institutions, as it offers protection from email-based cyber attacks and thereby indirectly helps ensure compliance with DORA. | Put into effect from January 2023 |
| Canada | Email Management Services Configuration Requirements | Government emails must be verified using SPF, DKIM, and DMARC. | Last modified in 2024 |
| Denmark | Minimum technical requirements for government authorities | Government agencies must implement a DMARC policy of p=reject on all domains. | Put into effect from March 2023 |
| New Zealand | New Zealand Information Security Manual version 3.6 | Changes the DMARC and DKIM control compliance level from SHOULD to MUST and the required DMARC policy setting from p=none to p=reject. | Put into effect from September 2022 |
| Ireland | Public Sector Cyber Security Baseline Standards | The Public Sector Cyber Security Baselines suggest using SPF, DKIM, DMARC, and TLS to enhance email security. However, this is only a suggestion and not a requirement. | Put into effect from November 2022 |
| Netherlands | “Comply or Explain” standards | Government agencies are required to implement DMARC, along with DKIM, SPF, STARTTLS, and DANE, as part of the “Comply or Explain” standards for email protection and authentication. | Put into effect from December 2023 |
| Saudi Arabia | Guide to Essential Cybersecurity Controls (ECC) Implementation | Saudi Arabian organizations are recommended to use DKIM, SPF, and DMARC as advanced phishing protection techniques to filter out fraudulent messages. | ECC was published by the NCA in 2018 |
| UK | Government Cybersecurity Policy Handbook Principle | In March 2024, the Government Cyber Security Policy replaced the Minimum Cyber Security Policy. This update moved MTA-STS and TLS-RPT from ‘recommended’ to ‘must do’ and added a reference to PTR records. | Published in August 2016; last modified in March 2024 |
| United States | Binding Operational Directive 18-01 | Binding Operational Directive 18-01 requires all federal agencies to use STARTTLS, SPF, DKIM, and a DMARC policy of p=reject. | Published/last modified in October 2017 |
| United States | HIPAA (Health Insurance Portability and Accountability Act) | The HIPAA Privacy Rule, under the Health Insurance Portability and Accountability Act of 1996, sets national standards for safeguarding certain sensitive health-related information. DMARC can be an essential tool in ensuring compliance with HIPAA regulations. | Put into effect from August 1996 |
| Australia | Information Security Manual by the ASD (Australian Signals Directorate) | Recommends using SPF, DKIM, and DMARC to keep email-based threats at bay. | Last updated in June 2024 |
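The mandates in the table differ mainly in the minimum DMARC policy they demand (p=none for the Google and Yahoo bulk-sender rules, p=reject for BOD 18-01, Denmark, and New Zealand). The following is an added example, not code from the page or from PowerDMARC, that parses a published DMARC TXT record and reports which of those minimums it satisfies; it also accounts for the pct= tag, since a record with pct below 100 applies the next weaker policy to the unsampled share of mail. The mandate labels and sample records are constructed for illustration.

```python
# Added example (not from the page): check a DMARC TXT record against the
# minimum policy each mandate above requires. Labels are constructed.
POLICY_RANK = {"none": 0, "quarantine": 1, "reject": 2}

# Minimum policy each mandate in the table demands for the organizational domain.
MANDATE_MINIMUM = {
    "Google/Yahoo bulk senders": "none",
    "US BOD 18-01": "reject",
    "Denmark government authorities": "reject",
    "New Zealand NZISM 3.6": "reject",
}


def parse_dmarc(txt):
    """Split a DMARC TXT record into a tag dict; reject records that are not DMARC."""
    if not txt.strip().lower().startswith("v=dmarc1"):
        raise ValueError("not a DMARC record (v=DMARC1 must come first)")
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if "p" not in tags:
        raise ValueError("required 'p' tag is missing")
    return tags


def effective_policy(tags):
    """Weakest policy any message can receive, accounting for pct= sampling."""
    policy = tags["p"].lower()
    if policy not in POLICY_RANK:
        raise ValueError(f"unknown policy value: {policy!r}")
    pct = int(tags.get("pct", "100"))
    # With pct below 100, unsampled mail gets the next weaker policy
    # (reject -> quarantine, quarantine -> none), so that is the floor.
    if pct < 100 and policy != "none":
        return "quarantine" if policy == "reject" else "none"
    return policy


def check_mandates(txt):
    """Map each mandate to True if the record meets its minimum policy."""
    floor = effective_policy(parse_dmarc(txt))
    return {name: POLICY_RANK[floor] >= POLICY_RANK[minimum]
            for name, minimum in MANDATE_MINIMUM.items()}
```

Fetch the record with `dig TXT _dmarc.<your-domain>` and pass the quoted string to `check_mandates`; a monitoring-only record (p=none) passes the bulk-sender rules but fails every p=reject mandate.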

What Can You Do to Ensure Compliance?

With ever-changing DMARC compliance requirements and policy updates, it is easy to lose track of which policy applies to your geographical area, industry, and your organization’s email security needs.

The good news is that you’re not alone in this! PowerDMARC can help you navigate the complexities of DMARC regulations and requirements and stay compliant regardless of how fast or abruptly they change. We are trusted by Fortune 100 organizations across 80 countries and 1000+ MSPs/MSSPs worldwide!

Contact Us Today to Ensure Compliance with the Latest DMARC Mandates!