Global Mandates and Guidance for DMARC in 2025
By Patronum
April 07, 2025
Read Time: 5 mins

Domain-based Message Authentication, Reporting, and Conformance (DMARC) is one of the most effective tools available for addressing email-based threats. DMARC works alongside Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM) to authenticate messages, ensuring that only authorised sources can send email on behalf of a domain. DMARC provides domain owners with the ability to monitor, quarantine, or reject unauthorised emails, thereby mitigating the risks of phishing and spoofing attacks.
Despite these security measures, email remains one of the most commonly exploited vectors for cyberattacks. Phishing campaigns, email spoofing, and Business Email Compromise (BEC) continue to impact organisations of all sizes, and email remains a critical channel for threat actors to infiltrate systems and manipulate users. For cybersecurity, email security, and IT professionals, strengthening email infrastructure and implementing robust authentication mechanisms is not only a best practice but a foundational component of a comprehensive cybersecurity strategy.
Understanding DMARC is only the beginning. Implementing and maintaining compliance is a dynamic and often complex challenge, particularly when considering the diverse mandates and guidelines issued by governments, regulatory bodies, and industry groups around the world. Email security is no longer viewed as an optional enhancement. In many jurisdictions, it has become a compliance requirement, particularly for public sector agencies and critical infrastructure providers.
To provide clarity on this rapidly evolving regulatory environment, Patronum has created a comprehensive and easy-to-navigate table summarising global DMARC mandates and guidance. This resource is designed to support IT security professionals, email administrators, and compliance officers by consolidating relevant policies into a single reference point. With this tool, stakeholders can ensure alignment with both regional regulations and international best practices.
Having a centralised overview is crucial. Not only does it help organisations reduce the risk of email-based attacks, but it also provides a framework for achieving and maintaining compliance. As global regulations continue to tighten, staying up to date with these requirements is essential to avoid penalties, preserve operational integrity, and protect brand reputation.
The following table outlines current DMARC mandates and guidance from across the globe, offering a snapshot of the current regulatory environment:
| Affected Geo | Name | Description | Mandate type |
|---|---|---|---|
| Global | New requirements for bulk senders | Those sending over 5,000 emails a day must authenticate email-sending domains with TLS, DKIM, SPF, DKIM or SPF alignment, and have a DMARC policy of p=none. | Private sector mandate |
| Global | PCI DSS v4.0 Req 5.4.1 | "Automated mechanisms" must be deployed to detect and protect against phishing attacks. Although the requirement is framed as "processes and mechanisms" and does not name a specific solution, best practice points to implementing DMARC, SPF, and DKIM. | Compliance mandate |
| Canada | Email Management Services Configuration Requirements | Ensure that the sender or recipient of government email can be verified on inbound mail using Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM), and Domain-based Message Authentication, Reporting and Conformance (DMARC). | Mandate for government agencies |
| Denmark | Minimum technical requirements for government authorities 2023 | All governmental agencies are required to implement a DMARC policy of p=reject on all domains. | Mandate for government agencies |
| New Zealand | 2022 New Zealand Information Security Manual, v3.6, section 15.2 | The future replacement for SEEMail will use DMARC, so vendors and agencies will need to be compliant. 1. DMARC control compliance changes from SHOULD to MUST [CID:6019] [CID:6021]; 2. DMARC policy setting changes from p=none to p=reject [CID:6020]; 3. DKIM control compliance changes from SHOULD to MUST [CID:1797] [CID:1798]. | Mandate for government agencies |
| Ireland | Public Sector Cyber Security Baseline Standards, section 2.9 | Public service bodies must implement TLS, SPF, DKIM, and enforce DMARC on all inbound mail. | Mandate for government agencies |
| Netherlands | "Comply or Explain" standards | Mandatory guidelines for government agencies require DKIM, SPF, and DMARC as well as STARTTLS and DANE. | Mandate for government agencies |
| Saudi Arabia | Guide to Essential Cybersecurity Controls (ECC) Implementation, section 2-4-3 | National organizations must implement all necessary measures to analyze and filter email messages (specifically phishing emails and spam) using advanced and up-to-date email protection techniques. Recommended approaches include DKIM, SPF, and DMARC. | Mandate for government agencies |
| UK | Government Cybersecurity Policy Handbook Principle: B3 Data Security | Government departments shall have DMARC, DKIM, and SPF records in place for their domains. This shall be accompanied by the use of MTA-STS and TLS Reporting. This requirement originated from the 2018 Minimum Cybersecurity Standard. | Mandate for government agencies |
| UK | Securing government email | All email services that public sector organizations run on the internet must encrypt and authenticate email by supporting TLS and DMARC at minimum. | Mandate for government agencies |
| UK | Updating our security guidelines for digital services | Any service that runs on service.gov.uk must have a published DMARC policy. | Mandate for government agencies |
| United States | Binding Operational Directive 18-01: Enhance Email and Web Security | Requires all federal agencies to bolster web security with STARTTLS, SPF, DKIM, and DMARC with a policy of p=reject. | Mandate for government agencies |
| Australia | Cybersecurity guidelines: Guidelines for Email | Recommends implementing SPF, DKIM, and DMARC with a policy of p=reject. | Guidance |
| Australia | How to combat fake emails | Suggests using SPF, DKIM, and DMARC to prevent domains from being used as the source of fake emails. | Guidance |
| Australia | Malicious email mitigation strategies | Recommends the most effective methods of protecting organizations from email-borne attacks, including deploying DKIM, SPF, and DMARC with a p=reject policy. | Guidance |
| Canada | Implementation guidance: email domain protection (ITSP.40.065 v1.1) | For complete protection against spoofing, organizations should implement SPF, DKIM, and DMARC. | Guidance |
| EU | Email communication security standards | Recommends using STARTTLS, SPF, DKIM, DMARC, and DANE to protect email communications. | Guidance |
| Germany | Measures to defend against spam and phishing, Section 3.1 | Proposes measures that internet service providers can use to reduce the malware and spam problem: SPF, DKIM, and DMARC. | Guidance |
| Saudi Arabia | Phishing Campaigns for Emotet Malware | Implement Domain-Based Message Authentication, Reporting & Conformance (DMARC) to detect email spoofing using Domain Name System (DNS) records and digital signatures. | Guidance |
| Scotland | A Cyber Resilience Strategy for Scotland: Public Sector Action Plan 2017-2018, v2 | Public bodies should take advantage of DMARC anti-spoofing. | Guidance |
| UK | Email security and anti-spoofing v2 | Make it difficult for fake emails to be sent from your organization's domains using SPF, DKIM, and DMARC with a policy of at least p=none, including parked domains. Protect your email in transit with TLS. | Guidance |
| UK | Phishing attacks: defending your organisation v1.1 | DMARC, SPF, and DKIM are Layer 1 defenses for stopping spoofed emails used to attack an organization. | Guidance |
| United States | CIS Critical Security Controls v8.0, IG2-9.5 | Implement DMARC policy and verification, starting with the Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM) standards. | Guidance |
| United States | CISA INSIGHTS: Enhance Email & Web Security | Enable DKIM, SPF, and DMARC with a policy of p=reject. | Guidance |
| United States | Multi-State Information Sharing and Analysis Center (MS-ISAC) Ransomware Guide | To lower the chance of spoofed or modified emails from valid domains, implement DMARC policy and verification. | Guidance |
| United States | NIST 800-53 Security Controls Catalog Revision 5: SI-08 | Employ spam protection mechanisms at system entry and exit points to detect and act on unsolicited messages. DMARC, SPF, and DKIM are one way to address this. | Guidance |
| United States | NIST Special Publication 800-177 Revision 1: Trustworthy Email | Recommends implementing SPF, DKIM, and DMARC, among other controls, to enhance trust in email. | Guidance |
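The two policy levels the table keeps returning to (p=none as a monitoring baseline, p=reject for full enforcement) can be checked mechanically against a domain's published record. The following is an added example, not code from the original post or from Patronum: it parses a DMARC TXT record and reports whether it meets a required policy level, flagging the sp=, pct= and rua= tags that commonly weaken or blind an otherwise compliant record. The sample records are constructed and the domain example.test is a placeholder.

```python
# Added example, not Patronum's code: parse a DMARC TXT record and assess it
# against a required p= level. Tag semantics (p, sp, pct, rua) follow RFC 7489.
POLICY_RANK = {"none": 0, "quarantine": 1, "reject": 2}

def parse_dmarc(record):
    """Split a DMARC TXT record into a dict of lower-cased tag names."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        key, sep, value = part.partition("=")
        if not sep or not key.strip():
            raise ValueError(f"malformed tag: {part!r}")
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("record must begin with v=DMARC1")
    if tags.get("p", "").lower() not in POLICY_RANK:
        raise ValueError("missing or invalid required tag p=")
    return tags

def assess(record, required="reject"):
    """Return (meets_requirement, findings) for a record and a required p= level."""
    tags = parse_dmarc(record)
    p = tags["p"].lower()
    sp = tags.get("sp", p).lower()      # subdomain policy defaults to p
    if sp not in POLICY_RANK:
        raise ValueError(f"invalid sp={tags['sp']!r}")
    pct = int(tags.get("pct", "100"))   # share of failing mail the policy applies to
    findings = []
    if POLICY_RANK[p] < POLICY_RANK[required]:
        findings.append(f"p={p} is weaker than the required p={required}")
    if POLICY_RANK[sp] < POLICY_RANK[p]:
        findings.append(f"sp={sp} leaves subdomains weaker than the organisational domain")
    if pct < 100 and p != "none":
        findings.append(f"pct={pct} enforces the policy on only part of the mail stream")
    if "rua" not in tags:
        findings.append("no rua= address, so aggregate reports will not be received")
    fully_applied = pct == 100 or p == "none"
    meets = min(POLICY_RANK[p], POLICY_RANK[sp]) >= POLICY_RANK[required] and fully_applied
    return meets, findings

if __name__ == "__main__":
    # Constructed sample records: monitoring baseline, partial enforcement, full enforcement.
    for rec in ("v=DMARC1; p=none; rua=mailto:dmarc@example.test",
                "v=DMARC1; p=reject; pct=25; sp=none",
                "v=DMARC1; p=reject; rua=mailto:dmarc@example.test"):
        ok, notes = assess(rec, "reject")
        print(f"{rec!r}: {'meets' if ok else 'does not meet'} p=reject {notes}")
```

Feeding it a record that has been moved to p=reject but still carries pct=25 or sp=none shows why "p=reject on all domains" mandates such as Denmark's need more than a glance at the p= tag.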
In an increasingly regulated environment, organisations cannot afford to overlook email authentication. With many governments establishing strict requirements for DMARC, DKIM, and SPF, proactive adoption is essential for risk mitigation and regulatory compliance. Cybersecurity is not a static discipline, and email security protocols must evolve in response to new threats and changing regulatory landscapes.
By leveraging Patronum’s comprehensive DMARC compliance table, professionals gain an authoritative source for navigating regional and sector-specific requirements. This helps eliminate ambiguity and facilitates the implementation of scalable, future-proof email security strategies.
Ultimately, safeguarding email communication is about more than just avoiding penalties. It is about maintaining trust with customers, partners, and stakeholders. Patronum offers the tools and expertise to help organisations deploy and manage DMARC effectively. Click here to discover how Patronum can assist with DMARC setup, configuration, reporting, and ongoing compliance.
With cyber threats continuing to rise, taking decisive action to protect your email infrastructure is no longer optional. It is a strategic imperative.