Global mandates and guidance for DMARC 2024

For cybersecurity, email security and IT teams, understanding and adhering to global DMARC (Domain-based Message Authentication, Reporting, and Conformance) requirements is imperative. 

At Red Sift, we have put together a tabulated overview of DMARC mandates and guidance enforced across different regions worldwide. Our aim is to provide a clear, unambiguous guide that consolidates the varying global requirements into one accessible format. 

Whether you are an IT security professional, email administrator, or a compliance officer, this table will serve as an essential tool to ensure your organization’s email security aligns with international best practices and requirements.

| Affected Geo | Name | Description | Mandate type |
|---|---|---|---|
| Global | New requirements for bulk senders | Those sending over 5,000 emails a day must authenticate email-sending domains with TLS, DKIM, SPF, DKIM or SPF alignment, and have a DMARC policy of p=none. | Private sector mandate |
| Global | PCI DSS v4.0 Req 5.4.1 | “Automated mechanisms” must be deployed to detect and protect against phishing attacks. Though this requirement is for “processes and mechanisms” and does not point to a specific solution, best practices would point to implementing DMARC, SPF, and DKIM. | Compliance mandate |
| Canada | Email Management Services Configuration Requirements | Ensure that the sender or recipient of government email can be verified using inbound mail using the Sender Policy Framework; Domain Keys Identified Mail (DKIM); and Domain-based Message Authentication, Reporting and Conformance (DMARC). | Mandate for government agencies |
| Denmark | Minimum technical requirements for government authorities 2023 | All governmental agencies are required to implement a DMARC policy of p=reject on all domains. | Mandate for government agencies |
| New Zealand | 2022 New Zealand Information Security Manual, v3.6, section 15.2 | The future replacement for SEEMail will use DMARC and therefore vendors and agencies will need to be compliant. 1. Change of DMARC control compliance from SHOULD to MUST [CID:6019] [CID:6021] 2. Change of DMARC policy setting from p="none" to p="reject" [CID:6020] 3. Change of DKIM control compliance from SHOULD to MUST [CID:1797] [CID:1798] | Mandate for government agencies |
| Ireland | Public Sector Cyber Security Baseline Standards, section 2.9 | Public service bodies must implement TLS, SPF, DKIM, and enforce DMARC on all inbound mail. | Mandate for government agencies |
| Netherlands | “Comply or Explain” standards | Mandatory guidelines for government agencies require DKIM, SPF, and DMARC as well as STARTTLS and DANE. | Mandate for government agencies |
| Saudi Arabia | Guide to Essential Cybersecurity Controls (ECC) Implementation, section 2-4-3 | National organizations must implement all necessary measures to analyze and filter email messages (specifically phishing emails and spam) using advanced and up-to-date email protection techniques. Recommended approaches include DKIM, SPF, and DMARC. | Mandate for government agencies |
| UK | Government Cybersecurity Policy Handbook Principle: B3 Data Security | Government departments shall have DMARC, DKIM, and SPF records in place for their domains. This shall be accompanied by the use of MTA-STS and TLS Reporting. This requirement originated from the 2018 Minimum Cybersecurity Standard. | Mandate for government agencies |
| UK | Securing government email | All emails that public sector organizations run on the internet must encrypt and authenticate email by supporting TLS and DMARC at minimum. | Mandate for government agencies |
| UK | Updating our security guidelines for digital services | Any service that runs on must have a published DMARC policy. | Mandate for government agencies |
| United States | Binding Operational Directive 18-01: Enhance Email and Web Security | Requires all federal agencies to bolster web security with STARTTLS, SPF, DKIM, and DMARC with a policy of p=reject. | Mandate for government agencies |
| Australia | Cybersecurity guidelines: Guidelines for Email | Recommends implementing SPF, DKIM, and DMARC with a policy of p=reject. | Guidance |
| Australia | How to combat fake emails | Suggests using SPF, DKIM, and DMARC to prevent domains from being used as the source of fake emails. | Guidance |
| Australia | Malicious email mitigation strategies | Recommends the most effective methods of protecting organizations from email-borne attacks, and includes deploying DKIM, SPF, and DMARC with a “p=reject” policy. | Guidance |
| Canada | Implementation guidance: email domain protection (ITSP.40.065 v1.1) | For complete protection against spoofing, organizations should implement SPF, DKIM, and DMARC. | Guidance |
| EU | Email communication security standards | Recommends using STARTTLS, SPF, DKIM, DMARC, and DANE to protect email communications. | Guidance |
| Germany | Measures to defend against spam and phishing, Section 3.1 | Proposed measures to internet service providers that can be used to reduce the malware and spam problem: SPF, DKIM and DMARC. | Guidance |
| Saudi Arabia | Phishing Campaigns for Emotet Malware | Implement Domain-Based Message Authentication, Reporting & Conformance (DMARC) to detect email spoofing using Domain Name System (DNS) records and digital signatures. | Guidance |
| Scotland | A Cyber Resilience Strategy for Scotland: Public Sector Action Plan 2017-2018, v2 | Public bodies should take advantage of DMARC anti-spoofing. | Guidance |
| UK | Email security and anti-spoofing v2 | Make it difficult for fake emails to be sent from your organization’s domains using SPF, DKIM, and DMARC with a policy of at least p=none, including parked domains. Protect your email in transit with TLS. | Guidance |
| UK | Phishing attacks: defending your organisation v1.1 | DMARC, SPF, and DKIM are Layer 1 defenses for stopping spoofed emails used to attack an organization. | Guidance |
| United States | CIS Critical Security Controls v8.0, IG2-9.5 | Implement DMARC policy and verification, starting with Sender Policy Framework (SPF) and the DomainKeys Identified Mail (DKIM) standards. | Guidance |
| United States | CISA INSIGHTS: Enhance Email & Web Security | Enable DKIM, SPF, and DMARC with a policy of p=reject. | Guidance |
| United States | Multi-State Information Sharing and Analysis Center (MS-ISAC) Ransomware Guide | To lower the chance of spoofed or modified emails from valid domains, implement DMARC policy and verification. | Guidance |
| United States | NIST 800-53 Security Controls Catalog Revision 5: SI-08 | Employ spam protection mechanisms at system entry and exit points to detect and act on unsolicited messages. DMARC, SPF, and DKIM are one way to address this. | Guidance |
| United States | NIST Special Publication 800-177 Revision 1: Trustworthy email | Recommends implementing SPF, DKIM, and DMARC, among other controls to enhance trust in email. | Guidance |

Where to go from here?

The landscape of email security and authentication is constantly evolving. 

At Red Sift, we understand the complexities involved in implementing and managing DMARC. Our award-winning Red Sift OnDMARC is designed to simplify the path to DMARC enforcement, offering you best-in-class technology and expertise.

Sign up for a free 14-day trial today to be better protected from email security threats and ready to meet compliance mandates.


Rebecca Warren

22 Jan. 2024


