---
title: "The point where DORA and DMARC intersect | AutoSPF"
description: "DORA (Digital Operational Resilience Act) is a Europe-based framework explicitly designed to establish regulatory compliance for the finance sector."
image: "https://autospf.com/og/blog/the-point-where-dora-and-dmarc-intersect.png"
canonical: "https://autospf.com/blog/the-point-where-dora-and-dmarc-intersect/"
---

Quick Answer

DORA (Digital Operational Resilience Act) is a Europe-based framework explicitly designed to establish regulatory compliance for the finance sector. This act has been in force since January 2025. Though DORA and DMARC are not directly linked with each other, DMARC helps in DORA compliance by improving the email security posture.


![DORA and DMARC intersect](https://media.mailhop.org/autospf/images/2025/01/spf-record-tester-8258.jpg) 


_DMARC ([RFC 7489](https://datatracker.ietf.org/doc/html/rfc7489)) ties SPF and DKIM together by requiring alignment: the domain authenticated by SPF (the envelope sender) or by DKIM (the signing domain) must match the domain in the visible `From` header. According to Google’s February 2024 bulk sender requirements, a DMARC policy of at least `p=none` is now mandatory for any domain sending 5,000+ messages per day to Gmail users._

For a complete overview, see our [comprehensive DMARC guide](/blog/what-is-dmarc-email-authentication-guide/).

DMARC is an email authentication protocol that empowers domain owners to instruct receiving mail servers on how to treat [illegitimate emails](https://www.linkedin.com/pulse/illegitimate-emails-protect-yourself-indigo-it-limited) sent from their domains. It helps reduce instances of phishing and spoofing.

## The 7 chapters of DORA

[DORA](https://www.ibm.com/think/topics/digital-operational-resilience-act) compliance is roughly broken down into seven chapters that help finance companies with Information and Communication Technology (ICT) risk management, incident reporting, and operational resilience.

### 1\. Subject matter, scope, and definitions

This chapter is all about knowing the purpose and scope of DORA. _This primarily includes which kinds of entities, such as banks, investment firms, and insurance companies, are meant to be compliant with DORA_.

### 2\. ICT risk management

[ICT risk management](https://www.upguard.com/blog/it-risk-management) focuses on taking care of business continuity and establishing a proper, well-detailed [incident response](https://www.fortinet.com/resources/cyberglossary/incident-response) procedure. 

### 3\. ICT-related incident reporting

This chapter sets the obligations for reporting important ICT-related incidents. _It explains how to report such incidents to competent authorities while also offering a way to determine the significance of the incident_.

### 4\. Digital operational resilience testing

The testing phase is all about ensuring that ICT systems are capable of handling and recovering from disruptions. This includes identifying vulnerabilities, conducting penetration tests, and performing advanced [threat-led penetration testing](https://www.secureideas.com/knowledge/what-is-a-threat-led-penetration-test) for critical systems.

### 5\. Management of ICT third-party risk

_This DORA chapter covers the risks of outsourcing ICT services_. Financial firms must ensure [third-party](https://www.investopedia.com/terms/t/third-party.asp) providers meet regulations and include these standards in contracts.

### 6\. Information sharing arrangements

This chapter encourages you to foster cooperation and improve the overall [cybersecurity](/blog/8-cybersecurity-trends-that-will-redefine-the-digital-landscape-in-2024/) situation of the entire financial sector.

![cyber security](https://media.mailhop.org/autospf/images/2025/01/spf-validator-5236.jpg) 

### 7\. Competent authorities and oversight framework

It defines the authority of regulators, allowing them to investigate, enforce fines, and implement corrective measures.

## How do the DORA chapters intersect DMARC?

Here’s how each chapter is linked with [DMARC](/10-reasons-for-regular-spf-record-checks-in-cybersecurity/dmarc-record-check/) and how the two come together to combat email-based threats:

### The second chapter

DMARC has a reporting mechanism that helps domain owners and administrators monitor email activities and detect unauthorized use of their domain for [phishing and spoofing](https://thehackernews.com/2024/07/proofpoint-email-routing-flaw-exploited.html).

DMARC’s reporting mechanism provides domain owners with two types of reports:

1. Aggregate reports (RUA): Summarize [email authentication](/spf-too-many-dns-lookups/spf-lookup/) results across a period, showing sources sending emails on behalf of the domain.
2. Forensic reports (RUF): Provide detailed failure reports for individual emails that fail DMARC authentication.

### The third chapter

It’s common for [threat actors](https://www.nbcnews.com/tech/security/us-treasury-says-computers-hacked-chinese-threat-actor-rcna185809) to exploit domain vulnerabilities and send emails on behalf of brands. They manipulate targets into [sharing sensitive details](https://www.csoonline.com/article/574799/sharing-sensitive-business-data-with-chatgpt-could-be-risky.html), downloading [malware-infected files](https://www.securityweek.com/185-million-websites-infected-malware-any-time/), transferring money, etc. However, if your domain is protected with DMARC, such emails will either be [marked as spam](https://pressgazette.co.uk/publishers/digital-journalism/facebook-spam-posts-independent-small-news-publishers/) or never reach the recipients’ inboxes. 

![malware-infected files,](https://media.mailhop.org/autospf/images/2025/01/spf-permerror-5.jpg) 

### The fourth chapter

DMARC users can identify and address [fraudulent emails](https://www.usatoday.com/story/money/columnist/2023/09/21/ai-cyber-scams-security/70920106007/), helping to develop a robust cybersecurity strategy for financial organizations.

### The fifth chapter

Setting `p=quarantine` or `p=reject` in your DMARC record ensures fraudulent emails are not placed in recipients’ primary inboxes. This way, the targets are less likely to engage with [malicious emails](https://www.securitymagazine.com/articles/100687-the-last-six-months-shows-a-341-increase-in-malicious-emails) and fall into the trap.

### The sixth chapter

Implementing DMARC on all active and parked domains provides complete email protection, preventing phishing, spoofing, and [ransomware attacks](https://www.voanews.com/a/ransomware-attacks-death-threats-endangered-patients-and-millions-of-dollars-in-damages/7520952.html).
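The policy settings from the fifth chapter and the "all active and parked domains" coverage above can be checked together. This added example (not AutoSPF's code) audits DMARC TXT values for gaps that leave a domain unenforced; the domains and records are constructed, and a real check would first fetch the TXT record at `_dmarc.<domain>`.

```python
ENFORCING = {"quarantine", "reject"}

def parse_dmarc(txt):
    """Return the record's tags as a dict, or None if it is not a DMARC1 record."""
    tags = [tuple(s.strip() for s in part.split("=", 1))
            for part in txt.split(";") if "=" in part]
    if not tags or tags[0] != ("v", "DMARC1"):  # v=DMARC1 must be the first tag
        return None
    return {k.lower(): v for k, v in tags}

def audit(txt):
    """List the gaps that keep a DMARC record from blocking spoofed mail."""
    tags = parse_dmarc(txt)
    if tags is None:
        return ["no valid DMARC record: receivers apply no DMARC policy"]
    findings = []
    p = tags.get("p", "").lower()
    if p == "none":
        findings.append("p=none: monitoring only, failing mail is still delivered")
    elif p not in ENFORCING:
        findings.append("p tag missing or invalid")
    # sp defaults to p when absent; an explicit weaker sp exposes subdomains.
    if p in ENFORCING and tags.get("sp", p).lower() not in ENFORCING:
        findings.append("sp does not enforce: subdomains can still be spoofed")
    pct = tags.get("pct", "100")
    if p in ENFORCING and pct.isdigit() and int(pct) < 100:
        findings.append(f"pct={pct}: policy applies to only part of failing mail")
    if "rua" not in tags:
        findings.append("no rua tag: no aggregate reports are requested")
    return findings

# Constructed records for hypothetical domains; "" means nothing is published.
RECORDS = {
    "bank.example": "v=DMARC1; p=none; rua=mailto:dmarc@bank.example",
    "pay.bank.example": "v=DMARC1; p=quarantine; sp=none; pct=25; rua=mailto:dmarc@bank.example",
    "bank-parked.example": "",
    "bank-hardened.example": "v=DMARC1; p=reject; rua=mailto:dmarc@bank.example",
}

def audit_all(records):
    """Map each domain to its list of findings (empty list = enforced and reporting)."""
    return {domain: audit(txt) for domain, txt in records.items()}

if __name__ == "__main__":
    for domain, findings in audit_all(RECORDS).items():
        print(domain, "->", findings or "OK")
```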


![Brad Slavin](https://media.mailhop.org/autospf/images/authors/brad-slavin.jpg) 

[ Brad Slavin ](/authors/brad-slavin/) 

General Manager

Founder and General Manager of DuoCircle. Product strategy and commercial lead for AutoSPF's 2,000+ customer base.

[LinkedIn Profile →](https://www.linkedin.com/in/bradslavin) 

