2024: The year of DMARC as a business imperative

I can say with confidence that the world does not need more security predictions for 2024. But as we head into the new year, it is important to have conversations about security strategy to inform our business priorities and our road maps. 

As I talk to our Red Sift customers, our partners, and the thought leaders of our technical advisory board, one thing is clear: more DMARC and domain authentication requirements are on the way, and they will be here soon. 

It’s easy for me to tout the benefits of DMARC: better deliverability, protection against BEC and phishing, the ability to deploy BIMI… the list goes on and on. 

But one thing that is becoming clear is in 2024, DMARC is no longer a nice to have. It will be a business imperative. 

What’s changing with DMARC in 2024?

As we head into 2024, there are already announced requirements for DMARC that most security leaders in the industry are at least aware of. They range from those from email providers like Google and Yahoo, to those from governments, to those from security rating and cyber insurance companies. 

Google and Yahoo requirements for bulk senders

The most notable 2024 requirement for DMARC is the joint requirement set from Google and Yahoo that applies to all organizations sending over 5,000 emails a day. To stop email from not being delivered as expected or being delivered as spam, organizations will need to: 

  1. Authenticate their domain. This requires at minimum a DMARC record with a policy of p=none, SPF and DKIM records, SPF or DKIM alignment and FCrDNS. 
  2. Make it easy for receivers to unsubscribe. Organizations that currently have an unsubscribe link in commercial email have until June 1, 2024 to implement one-click unsubscribe.
  3. Keep spam rates low. Organizations need to keep spam rates reported in Postmaster Tools below 0.3%.

In our research, we discovered that as of December 2023, at least 33% of large organizations globally will fail these requirements, with companies in Korea, Japan, Austria and Germany being particularly underprepared. 

Organizations that do not address this will see dwindling delivery rates and messages being sent to spam folders. For businesses that rely on email marketing to generate leads and revenue, the impacts of this could be monumental.

Use Red Sift’s Investigate tool to see if your DMARC, DKIM, SPF, and BIMI protocols are correctly set up and get actionable steps on how to fix them, if applicable.

Check your DMARC record and other key protocols now

At Red Sift, we see these requirements as foreshadowing to email providers requiring DMARC enforcement. By requiring DMARC, SPF and DKIM records and SPF or DKIM alignment, the providers are laying the groundwork for stricter DMARC enforcement policies. Organizations should be more aggressive in their DMARC configuration than is required come February 1, 2024, as their domains will also benefit from spoofing and impersonation protection by implementing stronger DMARC policies. 

CISA recommendations

In October of 2023, CISA (Cybersecurity & Infrastructure Security Agency) put forth new Phishing Guidance. This document was released in coordination with the NSA, the FBI, and the Multi-State Information Sharing and Analysis Center (MS-ISAC) to outline phishing techniques and provide guidance for defenders. 

In the guidance, the agency puts forth tailored recommendations to stop phishing attacks focused on obtaining login credentials and installing malware.

To mitigate these attacks, the agency recommends many baseline protections including enabling DMARC, SPF, and DKIM, and making sure that your DMARC enforcement is set to p=reject.

PCI DSS 4.0

On March 31, 2022, the PCI Security Standards Council (PCI SSC) released DSS v4.0. While these requirements for payment processors do not go into effect until March 31, 2025, the majority of organizations are using this year to make sure they are completely compliant. 

One of the new requirements in PCI DSS v4.0 is phishing protection. Req 5.4.1 requires “automated mechanisms” to detect and protect against phishing attacks. Though this requirement is for “processes and mechanisms” and does not point to a specific solution, best practices would point to implementing DMARC, SPF, and DKIM.

Security ratings requirements

While no formal updates for DMARC have been announced from the security ratings companies, we are hearing early feedback from our customers that DMARC is becoming a higher priority in the eyes of these entities.

For example, SecurityScorecard currently accounts for SPF configuration in its grading system. It is not inconceivable that they will soon be looking at DMARC and DKIM as part of their rating algorithm as well. 

Existing DMARC mandates

Everything we have covered so far is additive to the existing DMARC requirements and recommendations put forth by governing bodies around the globe. While the list is not exhaustive, it shows the global attention on protecting against phishing, business email compromise (BEC) and exact domain impersonation. 

Status
Affected Geography
Issuing body
Name
Description
Mandate type
Issuance/update date
Enforcement date
Learn More
Upcoming
Global
Google & Yahoo
New requirements for bulk senders
Those sending over 5,000 emails a day must authenticate email-sending domains with TLS, DKIM, SPF, DKIM, or SPF alignment and have a DMARC policy of p=none.
Private sector mandate
October 3, 2023
February 1, 2024
Upcoming
Global
PCI DSS
PCI DSS v4.0 Req 5.4.1
“Automated mechanisms” must be deployed to detect and protect against phishing attacks. Though this requirement is for “processes and mechanisms” and does not point to a specific solution, best practices would point to implementing DMARC, SPF, and DKIM.
Compliance mandate
March 2022
March 31, 2025
Current
UK
GDS
Government Cybersecurity Policy Handbook Principle: B3 Data Security
Government departments shall have DMARC, DKIM, and SPF records in place for their domains. This shall be accompanied by the use of MTA-STS and TLS Reporting. This requirement originated from the 2018 Minimum Cybersecurity Standard.
Mandate for government agencies
April 6, 2023
April 6, 2023
Current
United States
CISA
Binding Operational Directive 18-01: Enhance Email and Web Security
Requires all federal agencies to bolster web security with STARTTLS, SPF, DKIM, and DMARC with a policy of p=reject.
Mandate for government agencies
October 16, 2017
September 20, 2018
Current
United States
NIST
NIST Special Publication 800-177Revision 1: Trustworthy email
Recommends implementing SPF, DKIM, and DMARC, among other controls to enhance trust in email.
Guidance
February 2019

See the full list of mandates and recommendations for DMARC here.

Getting ready for changing DMARC requirements

Given that email remains the number one attack vector and business email compromise alone accounted for $2.7 billion in losses in 2022, it’s not surprising that we continue to see an increasing number of regulations, requirements, and recommendations for better email security. 

To see if your organization is prepared, make sure to check out Red Sift Investigate where you can see if your organization’s DMARC, SPF, DKIM, and other important email security protocols are set up correctly.

Check your DMARC record and other key protocols now

PUBLISHED BY

Rahul Powar

23 Jan. 2024

SHARE ARTICLE:

Categories

Recent Posts

VIEW ALL
Brand Protection

Separating signal from noise when fighting brand spoofing

Rahul Powar

“Alert fatigue” must be the most common malady among cybersecurity professionals. According to a recent survey, 56% of large companies handle 1,000+ alerts each day. For 70% of security professionals, the volume of alerts has doubled in the past few years, with more than 51% of campaigns involving some form of AI-generated brand spoofing.…

Read more
Research

49% of Big Pharma companies are vulnerable to email phishing as weaponized…

Rahul Powar

New analysis from Red Sift of the 100 largest pharma companies shows nearly half of the sector is still open to domain spoofing. Only 51% of companies are at DMARC enforcement (p=reject)—the control that stops spoofed email at the door. Another 13% sit at p=quarantine, which offers limited filtering but does not equal enforcement.…

Read more
News

Red Sift now offered through GuidePoint Security in new partnership

Rahul Powar

Organizations seeking to elevate their cybersecurity posture can now benefit from Red Sift’s advanced innovations, supported by GuidePoint Security’s expertise in aligning the right solutions to each customer’s needs. BOSTON & LONDON, 08:00 ET/ 13:00 BST, 10 September 2025 – Red Sift today announced a strategic reseller partnership with GuidePoint Security, the leading U.S.…

Read more
Awards

From Europe to Asia Pacific: OnDMARC earns global recognition in G2’s Fall…

Francesca Rünger-Field

G2’s Fall 2025 Report is out, and Red Sift OnDMARC continues to earn recognition across the globe. This quarter, we were featured in 19 reports, including a new appearance in the Asia Pacific Regional Grid® Report for DMARC, reinforcing our position as a trusted solution for securing email and protecting brands worldwide. We also…

Read more