DMARC Compliance: Requirements, Standards, and How to Get There

Understand DMARC compliance requirements from Google, Yahoo, and industry standards. Learn what you need to do to meet email authentication requirements.

DMARC compliance has moved from "nice to have" to "required" for many organizations. Major email providers now demand it, industry standards mandate it, and failing to comply can mean blocked email or failed audits.

Here's what DMARC compliance means and how to achieve it.

What Is DMARC Compliance?

DMARC compliance means your domain has a valid DMARC record and your emails consistently pass DMARC checks. Depending on the context, it may also mean:

  • Having a policy stronger than p=none
  • Reaching enforcement level (p=quarantine or p=reject)
  • Meeting specific requirements from email providers or industry standards

The baseline is having a DMARC record published. Full compliance typically means reaching p=reject for maximum protection.

Email Provider Requirements

Google Requirements

Google requires DMARC for anyone sending more than 5,000 emails per day to Gmail addresses:

Requirements:

  • SPF and DKIM authentication for all sending domains
  • DMARC record with at least p=none
  • Alignment between From header and authenticated domain
  • One-click unsubscribe for marketing emails
  • Spam rate below 0.3%

Enforcement: Emails from non-compliant senders may be blocked or sent to spam.

Yahoo Requirements

Yahoo has similar requirements:

Requirements:

  • SPF and DKIM authentication
  • DMARC record published
  • Valid From header matching authenticated domain
  • Easy unsubscribe mechanism

Enforcement: Non-compliant bulk email may be rejected.

Microsoft Requirements

Microsoft recommends but doesn't strictly require DMARC:

  • SPF and DKIM strongly recommended
  • DMARC helps improve reputation and deliverability
  • Bulk senders should have authentication in place

5,000 emails per day

The Google and Yahoo requirements apply if you send 5,000+ emails per day. Even if you send fewer, authentication improves deliverability.

Industry Standards and Frameworks

PCI DSS

The Payment Card Industry Data Security Standard recommends email authentication for organizations handling payment data:

  • DMARC helps prevent phishing targeting cardholders
  • Demonstrates security best practices
  • May be reviewed during compliance assessments

HIPAA

While HIPAA doesn't explicitly require DMARC, covered entities should implement it:

  • Protects against impersonation of healthcare communications
  • Supports the Security Rule's administrative safeguards
  • Demonstrates due diligence for protected health information

SOC 2

SOC 2 audits often examine email security controls:

  • DMARC may be reviewed as part of security practices
  • Demonstrates protection against social engineering
  • Shows commitment to security monitoring (via reports)

NIST Cybersecurity Framework

NIST recommends email authentication as part of identity management and protective technologies:

  • SPF, DKIM, and DMARC are recommended controls
  • Supports the "Protect" function of the framework
  • Helps meet identity and access management objectives

Government Requirements

Many government agencies require DMARC:

US Federal: BOD 18-01 required federal agencies to implement DMARC with p=reject.

UK: Public sector organizations should have DMARC at enforcement level.

Australia: ASD Essential Eight recommends DMARC implementation.

The Path to Compliance

Level 1: Basic Compliance

Publish a DMARC record with monitoring:

v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com

This meets the minimum requirement for Google/Yahoo and establishes baseline visibility.

Checklist:

  • [ ] SPF record published with all sending IPs
  • [ ] DKIM configured for all email-sending services
  • [ ] DMARC record published at _dmarc.domain.com
  • [ ] Reporting address receiving aggregate reports

Level 2: Quarantine Enforcement

Move to quarantine policy after monitoring:

v=DMARC1; p=quarantine; rua=mailto:dmarc@yourdomain.com

Emails that fail DMARC are delivered to spam instead of the inbox.

Checklist:

  • [ ] Reviewed DMARC reports for 2-4 weeks
  • [ ] Fixed all authentication issues for legitimate email
  • [ ] Verified all email sources pass SPF or DKIM with alignment
  • [ ] Updated policy to p=quarantine

Level 3: Full Enforcement

Move to reject policy for complete protection:

v=DMARC1; p=reject; sp=reject; rua=mailto:dmarc@yourdomain.com

Failing emails are blocked entirely.

Checklist:

  • [ ] Ran quarantine without legitimate email issues
  • [ ] Verified all business-critical email authenticates correctly
  • [ ] Updated policy to p=reject
  • [ ] Set subdomain policy to sp=reject
  • [ ] Ongoing monitoring in place
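An added example (not from this article) that parses a published DMARC record and maps it onto the three levels above. It also flags a missing rua address, a pct value below 100, and a subdomain policy weaker than reject (sp defaults to p when absent, so a missing sp on a p=reject record is fine):

```python
"""Added example (not from the article): parse a DMARC TXT record and map it
onto the three compliance levels described above."""

VALID_POLICIES = {"none", "quarantine", "reject"}


def parse_dmarc(record: str) -> dict:
    """Split 'v=DMARC1; p=reject; rua=mailto:...' into an ordered tag dict.

    Tag names are lower-cased; values keep their case (rua URIs may be mixed).
    """
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue  # tolerate a trailing ';'
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        name, value = part.split("=", 1)
        tags[name.strip().lower()] = value.strip()
    return tags


def compliance_level(record: str) -> tuple:
    """Return (level, findings) for a record.

    0 = not a valid DMARC record, 1 = monitoring (p=none), 2 = quarantine,
    3 = reject with subdomains also at reject (as the Level 3 checklist asks).
    """
    findings = []
    tags = parse_dmarc(record)
    # RFC 7489: 'v' must be the first tag with the exact value DMARC1; 'p' is required.
    if not tags or next(iter(tags)) != "v" or tags["v"] != "DMARC1":
        return 0, ["record must start with v=DMARC1"]
    policy = tags.get("p", "").lower()
    if policy not in VALID_POLICIES:
        return 0, [f"missing or invalid p tag: {policy!r}"]
    if not tags.get("rua", "").lower().startswith("mailto:"):
        findings.append("no rua=mailto: address, so aggregate reports will not arrive")
    pct = tags.get("pct", "100")
    if not pct.isdigit() or int(pct) < 100:
        findings.append(f"pct={pct}: policy applied to only part of failing mail")
    if policy == "none":
        return 1, findings
    if policy == "quarantine":
        return 2, findings
    # sp defaults to p, so a missing sp already means subdomains are rejected
    if tags.get("sp", policy).lower() != "reject":
        findings.append(f"p=reject but subdomains only get sp={tags['sp']}")
        return 2, findings
    return 3, findings
```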

Common Compliance Blockers

Third-Party Services

Services sending email as your domain need proper configuration:

  • Email marketing platforms (Mailchimp, SendGrid, Constant Contact)
  • CRM systems (Salesforce, HubSpot)
  • Support systems (Zendesk, Freshdesk)
  • Transactional email (order confirmations, password resets)

Each service needs:

  • Sending IP addresses added to SPF (or mail sent through an authorized relay)
  • DKIM signing with your domain configured
  • Custom return-path if available

Legacy Systems

Older email systems may not support modern authentication:

  • On-premises mail servers may need DKIM configuration
  • Legacy applications may not sign email properly
  • Old distribution lists may forward without proper headers

Solutions:

  • Upgrade to modern email infrastructure
  • Route through authenticated relay services
  • Replace legacy sending with modern alternatives

Subdomain Coverage

Don't forget subdomains:

  • Marketing subdomains (mail.example.com, news.example.com)
  • Application subdomains (app.example.com, api.example.com)
  • Regional or product subdomains

Either configure authentication for each, or set sp=reject to block email from subdomains that shouldn't send.

Compliance Monitoring

Achieving compliance isn't the end. You need ongoing monitoring:

Regular report review: Check aggregate reports weekly for new sources or failures.

Alert on changes: Get notified when DNS records change unexpectedly.

Periodic verification: Test email from all sources quarterly.

Documentation: Maintain records of your authentication configuration.
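An added example (not from this article) for the weekly report review: it parses one aggregate report in the RFC 7489 XML layout and lists the sources whose mail failed DMARC, worst first. The embedded report and its IP addresses are constructed sample data:

```python
"""Added example (not from the article): summarize a DMARC aggregate (rua) report
for the weekly review, showing which sources fail and what disposition they got."""
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample in the RFC 7489 Appendix C layout: an aligned source, an unknown
# source failing both checks, and a forwarder that breaks SPF but keeps DKIM intact.
SAMPLE_REPORT = """<?xml version="1.0"?>
<feedback>
  <report_metadata><org_name>example-receiver</org_name></report_metadata>
  <policy_published><domain>example.com</domain><p>quarantine</p></policy_published>
  <record><row><source_ip>192.0.2.10</source_ip><count>120</count><policy_evaluated>
    <disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers></record>
  <record><row><source_ip>203.0.113.7</source_ip><count>35</count><policy_evaluated>
    <disposition>quarantine</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers></record>
  <record><row><source_ip>198.51.100.4</source_ip><count>8</count><policy_evaluated>
    <disposition>none</disposition><dkim>pass</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers></record>
</feedback>"""


def summarize_report(xml_text: str) -> dict:
    """Map source_ip -> {"total", "passed", "dispositions"} for one report.

    policy_evaluated/dkim and /spf are already the *aligned* results, so DMARC
    passes when either one is 'pass'. Reports come from third parties: treat the
    XML as untrusted (defusedxml is the usual hardening when parsing at scale).
    """
    root = ET.fromstring(xml_text)
    summary = defaultdict(lambda: {"total": 0, "passed": 0, "dispositions": set()})
    for row in root.iter("row"):
        evaluated = row.find("policy_evaluated")
        passed = "pass" in (evaluated.findtext("dkim"), evaluated.findtext("spf"))
        count = int(row.findtext("count"))
        entry = summary[row.findtext("source_ip")]
        entry["total"] += count
        entry["passed"] += count if passed else 0
        entry["dispositions"].add(evaluated.findtext("disposition"))
    return dict(summary)


def failing_sources(xml_text: str) -> list:
    """(ip, failed_count) for every source with failures, worst first."""
    summary = summarize_report(xml_text)
    failing = [(ip, s["total"] - s["passed"]) for ip, s in summary.items() if s["passed"] < s["total"]]
    return sorted(failing, key=lambda item: -item[1])
```

Note that 198.51.100.4 does not appear as failing: an aligned DKIM pass carries the message through DMARC even though forwarding broke SPF, which is why a source with only SPF failures is rarely the real problem.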

Compliance Checklist

Use this checklist to assess your DMARC compliance:

Email Authentication:

  • [ ] SPF record published and valid
  • [ ] All sending IPs included in SPF
  • [ ] DKIM configured for all email services
  • [ ] DKIM keys published in DNS

DMARC Configuration:

  • [ ] DMARC record published at _dmarc.domain.com
  • [ ] Valid syntax (starts with v=DMARC1)
  • [ ] Policy set (p=none at minimum, p=reject for full compliance)
  • [ ] Report address configured (rua=)

Operational:

  • [ ] All legitimate email passing DMARC
  • [ ] No authentication failures in reports
  • [ ] Subdomain policy configured (sp=)
  • [ ] Monitoring and alerting in place

Monitor Your DMARC Records

Checking once is good. Monitoring continuously is better. The Email Deliverability Suite watches your SPF, DKIM, DMARC, and MX records daily and alerts you when something breaks.
