Key Takeaways
- Italy’s National Cybersecurity Agency (ACN) launches a national Email Authentication Framework to strengthen defenses against phishing and spoofing.
- The Framework recommends SPF, DKIM, and DMARC as a three-layered approach to secure email communication.
- This applies to all organizations – from government bodies to small businesses, since all are targets of email fraud.
- ACN also emphasizes ongoing staff training to reduce human error and improve cyber resilience.
- The Framework aims to boost national cybersecurity by promoting safer, more trustworthy digital communication.
Italy’s National Cybersecurity Agency (ACN) has introduced a new Email Authentication Framework to combat phishing and email fraud. Italy’s DMARC adoption framework recommends a three-layered approach using SPF, DKIM, and DMARC to verify senders, block spoofed emails, and protect against cyberattacks. ACN also highlights the importance of staff training to reduce human error.
Why Italy is Recommending DMARC, SPF, and DKIM
Email remains the most widely used communication channel for businesses, government entities, and citizens, but it is also one of the most exploited by cybercriminals. Attackers frequently impersonate trusted domains to deliver phishing emails, spread malware, and trick recipients into sharing sensitive information.
The ACN framework targets two of the most effective and damaging types of email-based attacks: phishing and spoofing.
- Phishing: Phishing involves fraudulent emails disguised as legitimate ones, often posing as banks, suppliers, or executives. They trick recipients into harmful actions using fake links, infected attachments, or urgent requests.
- Spoofing: Spoofing is when hackers fake the sender’s identity, making emails appear to come from trusted addresses like ceo@company.com while they are actually sent from malicious servers.
ACN’s Email Authentication Recommendations
The ACN came up with a three-layered defense strategy to counter these threats.
SPF
Think of SPF as the first line of defense. It serves to verify that an email is sent from an authorized mail server. It works by checking a specific TXT record published in the domain’s DNS.
DKIM
DKIM is another email authentication protocol that digitally signs emails with asymmetric cryptography. The recipient’s mail server then verifies this signature. It does so by retrieving the corresponding public key from the sender’s DNS. This helps confirm the email’s authenticity and that it hasn’t been manipulated in transit.
DMARC
DMARC unifies SPF and DKIM. It allows domain owners to tell receiving mail servers how to deal with emails that fail SPF or DKIM checks. When properly configured according to the Italy DMARC guidelines, DMARC minimizes the likelihood that fraudulent emails are delivered. It enables policies such as quarantine (send to spam) or reject (block delivery). It also provides a mechanism for sending diagnostic reports back to the domain owner.
How Italian Organizations Can Adopt DMARC: Step-by-step
The ACN has provided clear technical details for implementing each protocol via DNS records.
Step 1: Configure SPF
You can use PowerDMARC’s SPF generator to generate your SPF record instantly for free. If you already have an SPF record but need to check its accuracy, use PowerDMARC’s free SPF checker tool.
- Record Type: TXT.
- Name/Host: @ or your domain, e.g., <nomedominio.it>.
- Value: v=spf1 ip4:<xxx.xxx.xxx.xxx> include:_spf.provider.com -all.
- In this value, you must replace <xxx.xxx.xxx.xxx> with your mail server’s IP address and provider.com with your email provider (e.g., Google, Microsoft).
- The -all flag tells receiving servers that emails coming from any other server not specified in the record should be rejected.
Step 2: Configure DKIM
You can create DKIM records in seconds with PowerDMARC’s free DKIM record generator. You can also use our DKIM checker to look up, check, and validate your DKIM DNS record in seconds.
- Action: First, generate a public/private key pair through your mail server or email provider.
- Record Type: TXT.
- Name/Host: <selettore>._domainkey.<nomedominio.it> (note that <selettore> is a unique name you choose).
- Value: v=DKIM1; k=rsa; p=MIIBljANBg… (the p= tag contains the complete public key that you generated).
- Server Configuration: You need to configure the mail server to digitally sign outgoing messages with the corresponding private key.
Step 3: Configure DMARC
Setting up DMARC requires an understanding of your email flows and active monitoring of reports to set the correct policy. Errors can lead to security and deliverability problems.
To avoid this, use PowerDMARC’s DMARC generator tool. This takes away the manual hassle.
- Record Type: TXT.
- Name/Host: _dmarc.<nomedominio.it>.
- Value: v=DMARC1; p=reject; rua=mailto:dmarc-report@<nomedominio.it>; ruf=mailto:dmarc-fail@<nomedominio.it>; sp=reject; adkim=s; aspf=s.
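A quick way to check SPF and DMARC values before publishing them is to lint them against the settings shown in Steps 1 and 3. The following is an added example, not code from ACN or PowerDMARC; the function names are hypothetical and the rules cover only the tags used on this page.

```python
import ipaddress
import re

SPF_MECHANISMS = {"all", "include", "a", "mx", "ptr", "ip4", "ip6", "exists"}

def lint_spf(record):
    """Return problems in an SPF TXT value, judged against the record in Step 1."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["record must start with v=spf1"]
    problems = []
    for term in terms[1:]:
        m = re.match(r"[+\-~?]?([A-Za-z0-9_.-]+)([:/=].*)?$", term)
        name, arg = (m.group(1).lower(), m.group(2) or "") if m else (term, "")
        if arg.startswith("="):
            continue  # modifier (redirect=, exp=), not a mechanism
        if name not in SPF_MECHANISMS:
            problems.append(f"unknown mechanism '{name}'")
        elif name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg[1:], strict=False)
                if net.version != int(name[2]):
                    problems.append(f"address family mismatch in '{term}'")
            except ValueError:
                problems.append(f"bad address in '{term}'")
    if terms[-1].lower() != "-all":
        problems.append("record does not end in -all")
    return problems

def lint_dmarc(record):
    """Return problems in a DMARC TXT value, judged against the record in Step 3."""
    parts = [p.strip() for p in record.split(";") if p.strip()]
    if not parts or parts[0].replace(" ", "").lower() != "v=dmarc1":
        return ["record must start with v=DMARC1"]
    tags = {k.strip().lower(): v.strip() for k, v in
            (p.split("=", 1) for p in parts if "=" in p)}
    problems = []
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        problems.append("missing or invalid p= policy")
    elif policy != "reject":
        problems.append(f"p={policy} is weaker than p=reject")
    for tag in ("adkim", "aspf"):
        if tags.get(tag, "r").lower() != "s":
            problems.append(f"{tag} alignment is relaxed, not strict")
    if not tags.get("rua", "").lower().startswith("mailto:"):
        problems.append("no rua= address, so no aggregate reports arrive")
    return problems
```

Calling lint_spf on a constructed value such as "v=spf1 ipv4:192.0.2.10 -all" reports the misspelled mechanism, since the only valid IPv4 mechanism name in SPF is ip4.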
Additional Considerations and Best Practices from the ACN
To ensure the effectiveness of the Italy DMARC framework, the ACN provides the following additional considerations and best practices:
- The sender’s domain must correctly publish the SPF, DKIM, and DMARC records in its DNS.
- The sending mail server must be configured to sign outgoing messages with DKIM.
- Receiving email servers must be configured to perform SPF and DKIM verifications and apply the sender’s DMARC policy.
- It’s important to continuously monitor DMARC reports to detect configuration errors or attempts at abuse.
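Monitoring the reports sent to the rua= address can be partly automated. The sketch below is an added example, not ACN or PowerDMARC code: it reads an aggregate report in the RFC 7489 XML layout and separates sources that fail DMARC outright from sources that pass on only one mechanism. The sample report, addresses and function name are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sample in the RFC 7489 aggregate-report layout, cut to the fields used.
ROW = ("<record><row><source_ip>{ip}</source_ip><count>{n}</count><policy_evaluated>"
       "<disposition>{disp}</disposition><dkim>{dkim}</dkim><spf>{spf}</spf>"
       "</policy_evaluated></row><identifiers><header_from>example.it</header_from>"
       "</identifiers></record>")
SAMPLE_REPORT = (
    "<feedback><policy_published><domain>example.it</domain><p>reject</p>"
    "</policy_published>"
    + ROW.format(ip="192.0.2.10", n=120, disp="none", dkim="pass", spf="pass")
    + ROW.format(ip="198.51.100.7", n=14, disp="reject", dkim="fail", spf="fail")
    + ROW.format(ip="192.0.2.25", n=9, disp="none", dkim="fail", spf="pass")
    + "</feedback>")

def triage(xml_text):
    """Return ({ip: messages failing DMARC}, {ip: messages passing on one check only})."""
    # Reports come from third parties: refuse DTDs instead of letting the parser
    # expand entities. A hardened parser such as defusedxml is the stronger option.
    if "<!DOCTYPE" in xml_text:
        raise ValueError("DTD found in report, refusing to parse")
    failing, partial = Counter(), Counter()
    for row in ET.fromstring(xml_text).iter("row"):
        ip = row.findtext("source_ip", "unknown")
        count = int(row.findtext("count", "0"))
        dkim = row.findtext("policy_evaluated/dkim")
        spf = row.findtext("policy_evaluated/spf")
        if dkim != "pass" and spf != "pass":
            failing[ip] += count   # DMARC fail: spoofing or a sender missing from DNS
        elif dkim != "pass" or spf != "pass":
            partial[ip] += count   # DMARC pass on one mechanism: configuration gap
    return dict(failing), dict(partial)

if __name__ == "__main__":
    print(triage(SAMPLE_REPORT))
```

Sources in the first dictionary are either abuse attempts or legitimate senders not yet covered by SPF and DKIM; sources in the second usually point to a missing DKIM signature or an incomplete SPF record.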
Summing Up
It’s encouraging to see ACN urging stronger email security with its Italy DMARC and email authentication initiative. While not mandatory, the framework offers a clear path to fight phishing and spoofing. By adopting SPF, DKIM, and DMARC, organizations and government entities in Italy can ensure safer communication.
No matter where you’re situated, if you are looking for a trusted, industry-leading DMARC provider to simplify and automate email authentication deployment and management processes for your mission-critical domains, contact PowerDMARC today!
Frequently Asked Questions
Who do ACN’s new email authentication recommendations apply to?
The ACN’s framework applies to all organizations and government entities in Italy. This is because organizations of any size, as well as public sector domains, can become victims of impersonation threats.
Are there any direct costs associated with implementing SPF, DKIM, and DMARC?
The protocols are free, but you may face indirect costs, like hiring IT support to manage DNS setup and analyze DMARC reports. A DMARC analyzer tool or trusted DMARC provider makes the process easier at an affordable price.
Does the ACN provide a specific deadline for implementing the Italy DMARC framework?
No, the document published by the ACN does not specify a compliance deadline. It is presented as a foundational framework and a set of strong recommendations for improving security. Early adoption boosts your security and deliverability rates significantly.