email authentication

Decoding the ubiquity of email authentication: DMARC regulations from across the world

Decoding the ubiquity of email authentication: DMARC regulations from across the world
Decoding the ubiquity of email authentication: DMARC regulations from across the world
/

Email-based attacks are prevalent, which means that tools and strategies to protect email ecosystems are also widely available. 

Despite being one of the most preferred and reliable channels of communication, email lacks one important thing: a native security feature that goes beyond cursory checks. We don’t mean spam filters or inbox firewalls. We mean more reliable tools to verify the legitimacy and authenticity of the sender and the email. That’s where email authentication protocols come in.

Protocols like DMARC (Domain-based Message Authentication, Reporting, and Conformance) patch the gaps left by how email was originally designed—open, flexible, but without built-in mechanisms to confirm who is really sending a message.

It works by verifying if an email sent from your domain is legitimate and allows you to instruct email providers on how to handle suspicious emails: either allow them, send them to spam, or block them completely.

DMARC is used all over the world, but how it’s used depends on where you are. Some countries make it mandatory for government departments, while others just recommend it. In many cases, it’s big email platforms like Google and Yahoo, not governments, that are pushing organizations to follow DMARC rules.

Let’s see what DMARC regulations from across the world look like: 

protect your email domain

What is DMARC?

DMARC is a security protocol that helps protect your email domain from being misused, basically by stopping others from sending fake emails that look like they’re from you. It works by checking whether an incoming email is actually allowed to use your domain name. To do this, it builds on two other tools, SPF and DKIM, which help verify if a message is coming from a trusted source and hasn’t been altered along the way.

If something doesn’t look right, DMARC lets you decide what should happen next: you can allow the message, send it to spam, or block it completely. It also provides you with regular reports, allowing you to see who is sending emails using your domain and whether those messages are passing or failing the checks. In short, DMARC helps protect your name, brand, and users from email-based fraud.

Why aren’t the rules the same everywhere?

Yes, DMARC is a global standard, recommended by key email service providers and adopted by all major companies, but the way it is adopted varies across the world. Particularly, on the policy level. 

Each country has its own norms regarding digital governance and cybersecurity priorities, which means the way these protocols are perceived and implemented also varies. Some have strict rules that make DMARC mandatory for all government departments. Others just suggest it as a good practice and leave the decision to individual agencies.

Let’s take a deeper look at the factors that impact DMARC rules across the world:

email security

Each country has a different threat perception 

Yes, we said earlier that email-based attacks are everywhere, but that doesn’t mean the threat landscape is homogeneous. For some countries, phishing emails sent to government bodies or public services are a thing of concern. These attacks have caused enough trouble to make email security a high priority. But for others, the risk might be on their radar, just not at the top of the list.

This could be because they haven’t faced a serious incident yet, or the attacks haven’t come to the surface. In such cases, email authentication and DMARC adoption are seen as an option, rather than a mandatory practice.

Not all governments monitor emails in the same way

The way the government handles emails also changes the way DMARC is rolled out in each country.

In some places, things are more organized with a centralized setup or a particular department that oversees all the official email activity. But in others, each department or agency handles its own email setup. They might use different systems, providers, or rules. No one is really keeping track of who is using what. This shows that we’re not on the same page as everyone else, not even within the same country sometimes.  So you really can’t compare DMARC adoption in different countries.

DMARC adoption

The technical capabilities are different 

DMARC implementation is already tricky; what’s trickier is getting it done across the board.

For some countries, technical challenges are the real barrier. Since for them, cybersecurity isn’t a priority, they don’t have the same tools, capabilities, and resources as some of the more proactive countries. 

The latter ones: countries that do take cybersecurity seriously usually have stronger infrastructure, better-trained teams, and dedicated systems in place to manage things like DMARC. They’re able to roll it out more quickly and monitor it properly.

Sometimes, platforms have more authority than the governments

In a lot of cases, it’s not the government telling people to use DMARC, it’s the big email providers like Google and Yahoo.

Let’s say you’re a company that sends a lot of emails. If you don’t have DMARC set up, Google might start sending your emails to spam or block them completely. Even if there’s no law in your country requiring you to use DMARC, you’ll still need to do so, just to ensure your emails reach the intended recipients.

DMARC set up

What does DMARC adoption look like for different countries?

Now that we know DMARC adoption is not the same for every nation, let’s see how different countries and sectors perceive DMARC: 

The United States

In the U.S., DMARC rules depend on where you are and who you’re working with. At the federal level, all government agencies must use DMARC with a strict policy, along with SPF, DKIM, and STARTTLS. California also follows this, making DMARC mandatory for its state departments.

But in most other states, it’s not enforced; it’s just recommended. The same goes for industries like healthcare and finance

strict policy

But for many other states, DMARC is only recommended; it’s a good-to-follow practice, but not really mandatory. In sectors like healthcare and finance, DMARC is encouraged too. It shows up in laws like HIPAA and GLBA, but again, it’s not required. So, unless you’re working directly with the federal government or in a state like California, DMARC is more of a strong suggestion than a rule.

United Kingdom

In the UK, DMARC isn’t optional for government departments. If your agency sends out bulk emails, you’re expected to follow certain rules, like using TLS for encryption and setting up DMARC to protect official communications. The same goes for the healthcare industry, so if your organization is under the NHS (National Health Service), you must use email systems that support DMARC.

But things are fairly flexible for private companies. There’s no specific DMARC law, but since the UK follows GDPR, protecting personal data is a legal requirement, and using DMARC helps with that. Moreover, in the UK, ESPs like Google and Yahoo have mandated DMARC for bulk senders, so implementation is not really an option anymore

GDPR

France

In France, the government doesn’t strictly enforce DMARC, but it does recommend it. Official guidance recommends that email administrators set up SPF, DKIM, and DMARC to enhance email security. So it’s on the “should do” list, not the “must do” list.

There aren’t any special rules for sectors like healthcare or finance when it comes to DMARC either. But like in most other places, GDPR still applies, so protecting personal data is important, and DMARC can help with that.

Saudi Arabia

Saudi Arabia is stricter than most countries when it comes to email security. There, email authentication is not an option but a norm. Under the Essential Cybersecurity Controls (ECC) issued by the National Cybersecurity Authority, companies must establish robust email protections, including SPF, DKIM, and DMARC. This is particularly relevant for government agencies and critical sectors, where email attacks could compromise national security or public services.

cybersecurity

Additionally, in Saudi Arabia, DMARC adoption isn’t led by the private sector, but rather by a more policy-driven and centralized system that mandates action from the top.

South Africa

South Africa doesn’t have a law that says you must use DMARC, but it does expect companies to protect people’s personal information as a part of the Personal Information Act (POPIA). Although the act does not specify DMARC directly, it asks organizations to take “reasonable steps” to stop data from being leaked or misused.

The broader picture 

DMARC rules may not be the same everywhere, but one thing is certain—cyber attackers don’t care where you are. If you use email, you’re already under their radar. So, if you really want to protect yourself and your organization from email-based attacks like phishing, spoofing, malware, and more, you need to set up DMARC

cyber attackers

But just setting it up isn’t enough. DMARC also helps you keep an eye on what’s happening. It sends regular reports that show who is using your domain, if emails are passing the checks, and if anything looks suspicious. This way, you’re not just blocking bad emails, but also staying one step ahead by learning from what’s going on.

Want to know how you can leverage DMARC reports to protect your domain? Our team at DMARCReport is here to help! Get in touch with us to learn how.

Similar Posts