DMARC has moved from best practice to requirement. Mailbox providers and regulators around the world now mandate, or strongly expect, SPF, DKIM, and DMARC to protect user and employee data. If you send bulk email, or work in finance, healthcare, government, or SaaS, you need DMARC; depending on the regime, falling short means rejected mail, failed audits, or penalties.
This post provides a brief overview of the major DMARC compliance requirements worldwide.
1. Google and Yahoo’s bulk email sender requirements
Under Google and Yahoo's bulk sender requirements (enforced from February 2024), domains that send 5,000 or more messages a day to Gmail or Yahoo mailboxes must authenticate with both SPF and DKIM, publish a DMARC record with a policy of at least p=none, and use a From: domain that aligns with the SPF- or DKIM-authenticated domain. Bulk marketing mail must also offer RFC 8058 one-click unsubscribe (List-Unsubscribe and List-Unsubscribe-Post headers) and keep the reported spam rate below 0.3%. Note that p=none only collects reports; it does not stop spoofed mail.

2. PCI DSS v4.0
PCI DSS is short for Payment Card Industry Data Security Standard, which organizations that store, process, or transmit cardholder data must follow. DMARC is not named in PCI DSS v4.0, but Requirement 5.4.1 (mandatory from 31 March 2025) calls for mechanisms that detect and protect personnel against phishing attacks, and email authentication is the most direct way to evidence that. It also supports Requirement 6, develop and maintain secure systems and software.
3. U.S. Federal Mandates (CISA – BOD 18-01)
Under Binding Operational Directive 18-01 (issued by DHS in October 2017 and now administered by CISA), federal executive branch agencies had one year, until October 2018, to publish a DMARC record with a p=reject policy for their .gov domains, with SPF and DKIM configured so that legitimate mail still passes. The directive also required STARTTLS on mail servers and DMARC aggregate reports to be sent to DHS. It set the bar for email security across the public sector and pushed many other organizations to follow suit.
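The two regimes above reduce to checks on published DNS records: section 1 needs SPF plus any DMARC policy (p=none at minimum), section 3 needs p=reject applied to all mail, including subdomains. The following is an added example, not code from the original post or from Google, Yahoo, DHS, or CISA. It parses SPF and DMARC TXT records, grades them against each regime, and checks a message's headers for the RFC 8058 one-click unsubscribe that section 1 requires. The TXT strings and headers are constructed sample data, and the regime names and the check_domain and has_one_click_unsubscribe functions are the example's own.

```python
"""Check published SPF and DMARC records against the sender requirements above.

Added example, not code from the original post. The TXT strings passed to
check_domain() and the headers passed to has_one_click_unsubscribe() are
constructed sample data, not real DNS answers or real messages; in practice
you would fetch the TXT records for <domain> and _dmarc.<domain> (for example
with dnspython) and pass them in unchanged.
"""

POLICY_RANK = {"none": 0, "quarantine": 1, "reject": 2}

# Minimum DMARC policy each regime expects, taken from the sections above.
REQUIRED_POLICY = {
    "google-yahoo-bulk": "none",    # must publish DMARC; p=none is enough
    "bod-18-01": "reject",          # federal executive branch domains
}


def parse_dmarc(txt):
    """Parse a DMARC TXT record into a {tag: value} dict.

    Returns None unless the record is well formed and starts with v=DMARC1,
    which RFC 7489 s6.3 requires as the first tag."""
    tags = {}
    for item in txt.split(";"):
        if "=" not in item:
            continue
        key, value = item.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    first = next(iter(tags), None)
    if first != "v" or tags["v"].upper() != "DMARC1":
        return None
    return tags


def check_spf(apex_txts):
    """Return (errors, warnings) for the SPF record(s) at the sending domain."""
    spf = [t for t in apex_txts if t.strip().lower().startswith("v=spf1")]
    if not spf:
        return ["no SPF record"], []
    if len(spf) > 1:
        # RFC 7208 s3.2: more than one v=spf1 record is a permerror.
        return ["multiple SPF records (permerror)"], []
    final = spf[0].split()[-1].lower()
    if final in ("+all", "all", "?all"):
        return [], [f"SPF ends with '{final}': every host passes, so it stops nothing"]
    return [], []


def check_domain(dmarc_txts, apex_txts, regime):
    """Grade one domain against a regime in REQUIRED_POLICY.

    dmarc_txts: TXT records found at _dmarc.<domain>
    apex_txts:  TXT records found at <domain>
    Returns {"pass", "policy", "errors", "warnings"}."""
    required = REQUIRED_POLICY[regime]
    errors, warnings = check_spf(apex_txts)
    records = [r for r in map(parse_dmarc, dmarc_txts) if r is not None]
    if not records:
        errors.append("no DMARC record")
    elif len(records) > 1:
        # RFC 7489 s6.6.3: receivers abandon the lookup if more than one record exists.
        errors.append("multiple DMARC records: receivers ignore all of them")
    if len(records) != 1:
        return {"pass": False, "policy": None, "errors": errors, "warnings": warnings}

    tags = records[0]
    policy = tags.get("p", "").lower()
    if policy not in POLICY_RANK:
        errors.append(f"missing or invalid p= tag: {policy!r}")
        return {"pass": False, "policy": None, "errors": errors, "warnings": warnings}
    if POLICY_RANK[policy] < POLICY_RANK[required]:
        errors.append(f"p={policy}, but {regime} expects at least p={required}")
    # pct defaults to 100; anything lower applies the policy to only a sample of failing mail.
    pct = tags.get("pct", "100")
    pct = int(pct) if pct.isdigit() else -1
    if pct != 100 and required != "none":
        errors.append(f"pct={tags['pct']}: policy is not applied to all failing mail")
    # Subdomains inherit p unless sp= says otherwise; an invalid sp= falls back to p.
    sub = tags.get("sp", policy).lower()
    if sub not in POLICY_RANK:
        sub = policy
    if POLICY_RANK[sub] < POLICY_RANK[required]:
        errors.append(f"subdomain policy sp={sub} is weaker than required p={required}")
    if "rua" not in tags:
        warnings.append("no rua= address: aggregate reports are never delivered")
    return {"pass": not errors, "policy": policy, "errors": errors, "warnings": warnings}


def has_one_click_unsubscribe(headers):
    """RFC 8058 one-click unsubscribe, as Google and Yahoo require for bulk mail:
    List-Unsubscribe carrying an https URI plus List-Unsubscribe-Post: List-Unsubscribe=One-Click."""
    h = {k.lower(): v for k, v in headers.items()}
    post_ok = h.get("list-unsubscribe-post", "").strip().lower() == "list-unsubscribe=one-click"
    return post_ok and "<https://" in h.get("list-unsubscribe", "").lower()


if __name__ == "__main__":
    # Constructed sample zones; these are not real domains' records.
    print(check_domain(["v=DMARC1; p=none; rua=mailto:dmarc@example.com"],
                       ["v=spf1 include:_spf.example.net -all"], "google-yahoo-bulk"))
    print(check_domain(["v=DMARC1; p=reject; sp=reject; rua=mailto:reports@example.gov"],
                       ["v=spf1 ip4:192.0.2.0/24 -all"], "bod-18-01"))
```

DKIM is deliberately left out of the DNS checks: selectors are not discoverable from the zone, so verify DKIM by sending a test message and reading the Authentication-Results header at the receiver. The pct= and sp= checks catch the two ways a domain can publish "p=reject" on paper while still leaving most of its mail, or all of its subdomains, unenforced.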

4. European Union — NIS2 Directive (2023–2024)
Member States had until 17 October 2024 to transpose NIS2 into national law. The directive targets essential and important entities in critical sectors and digital infrastructure and requires them, under Article 21, to apply risk-management measures that include basic cyber hygiene. It does not name SPF, DKIM, or DMARC, but national guidance and ENISA, the EU's cybersecurity agency, treat email authentication as part of that baseline, so deploying all three is the practical way to evidence it.
5. HIPAA Compliance
Organizations that store or transmit electronic protected health information (ePHI) fall under the HIPAA Security Rule, whose transmission security standard (45 CFR 164.312(e)) requires safeguards against unauthorized access to ePHI in transit. HIPAA does not mention DMARC by name, but email is the most common phishing vector into healthcare, so providers typically combine SPF, DKIM, and DMARC at an enforcing policy with MTA-STS and TLS for transport, plus content filtering, to keep patient data from reaching malicious actors. BIMI adds a verified brand logo on top of an enforcing DMARC policy but is not itself a security control.

6. FFIEC Guidance
In the U.S. banking sector, regulators such as the OCC, FDIC, Federal Reserve, and NCUA strongly recommend email protections against spoofing and fraud. DMARC is not a strict requirement, but FFIEC (Federal Financial Institutions Examination Council) guidance and its cybersecurity assessment materials treat anti-spoofing email authentication, in practice SPF, DKIM, and DMARC, as expected practice. These controls let banks and financial institutions secure their email communication and reduce the risk of phishing attacks against customers and staff.
7. ICANN
ICANN is the global body that coordinates the domain name system. It strongly encourages domain owners to publish DMARC to prevent impersonation, phishing, and spoofing, and this matters most for parked or unused domains: a domain that never sends mail should say so with an SPF record of v=spf1 -all and a DMARC record with p=reject, so receivers can drop anything claiming to come from it.
ICANN also encourages registrars to help customers move to stricter policies, p=quarantine or p=reject, since p=none only produces reports and blocks nothing.