---
title: "Decoding the ubiquity of email authentication: DMARC regulations from across the world | DMARC Report"
description: "Decoding the ubiquity of email authentication: DMARC regulations from across the world from DMARC Report explains practical steps for email authentication."
image: "https://dmarcreport.com/og/blog/decoding-global-dmarc-regulations-email-authentication-around-the-world.png"
canonical: "https://dmarcreport.com/blog/decoding-global-dmarc-regulations-email-authentication-around-the-world/"
---
Quick Answer
The three core email authentication standards - SPF (RFC 7208), DKIM (RFC 6376), and DMARC (RFC 7489) - work together to verify that an email genuinely originates from the domain it claims to represent. Since February 2024, Google and Yahoo require all three for bulk senders. DMARC Report
Related: [Free DMARC Checker](/tools/dmarc-checker/) ·[How to Create an SPF Record](/tools/spf-record-generator/) ·[SPF Record Format](/blog/spf-format-checker-dos-and-donts-for-email-authentication/)
Share
[ ](https://www.linkedin.com/sharing/share-offsite/?url=undefined%2Fblog%2Fdecoding-global-dmarc-regulations-email-authentication-around-the-world%2F "Share on LinkedIn") [ ](https://twitter.com/intent/tweet?text=Decoding%20the%20ubiquity%20of%20email%20authentication%3A%20DMARC%20regulations%20from%20across%20the%20world&url=undefined%2Fblog%2Fdecoding-global-dmarc-regulations-email-authentication-around-the-world%2F "Share on X/Twitter") [ ](https://www.facebook.com/sharer/sharer.php?u=undefined%2Fblog%2Fdecoding-global-dmarc-regulations-email-authentication-around-the-world%2F "Share on Facebook") [ ](https://reddit.com/submit?url=undefined%2Fblog%2Fdecoding-global-dmarc-regulations-email-authentication-around-the-world%2F&title=Decoding%20the%20ubiquity%20of%20email%20authentication%3A%20DMARC%20regulations%20from%20across%20the%20world "Share on Reddit") [ ](mailto:?subject=Decoding%20the%20ubiquity%20of%20email%20authentication%3A%20DMARC%20regulations%20from%20across%20the%20world&body=Check out this article: undefined%2Fblog%2Fdecoding-global-dmarc-regulations-email-authentication-around-the-world%2F "Share via Email")
## Try Our Free DMARC Checker
Validate your DMARC policy, check alignment settings, and verify reporting configuration.
[ Check DMARC Record → ](/tools/dmarc-checker/)
> Compliance is driving a lot of the DMARC adoption we see, says Vasile Diaconu, Operations Lead at DuoCircle. PCI DSS v4.0, Google’s sender requirements, Microsoft’s May 2025 enforcement - our support team fields questions about these mandates daily. The organizations that moved early are already at p=reject. The rest are scrambling.
The three core email authentication standards - SPF ([RFC 7208](https://datatracker.ietf.org/doc/html/rfc7208)), DKIM ([RFC 6376](https://datatracker.ietf.org/doc/html/rfc6376)), and DMARC ([RFC 7489](https://datatracker.ietf.org/doc/html/rfc7489)) - work together to verify that an email genuinely originates from the domain it claims to represent. Since February 2024, Google and Yahoo require all three for bulk senders. DMARC Report
Decoding the ubiquity of email authentication: DMARC regulations from across the world
```
```
/
```
```
RSS Feed
```
Share
Link
Embed
```
/\*! This file is auto-generated \*/ ’ title=“Embed Code” class=“input-embed input-embed-29145” readonly/>
```
```
Email-based attacks are prevalent, which means that tools and strategies to \*\*protect email ecosystems are also widely available.
Despite being one of the most preferred and reliable channels of communication, email lacks one important thing: a native security feature that goes beyond cursory checks. We don’t mean [spam filters](https://www.bleepingcomputer.com/news/security/ongoing-phishing-attack-abuses-google-calendar-to-bypass-spam-filters/) or inbox firewalls. We mean more reliable tools to verify the legitimacy and authenticity of the sender and the email. That’s where [email authentication](https://dmarcreport.com/blog/why-email-security-matters-and-how-to-get-it-right/) protocols come in.
Protocols like DMARC (Domain-based Message Authentication, Reporting, and Conformance) patch the gaps left by how email was originally designed\*\* - open, flexible, but without built-in mechanisms to confirm who is really sending a message.
_It works by verifying if an email sent from your domain is legitimate and allows you to instruct email providers on how to handle suspicious emails: either allow them, send them to spam, or block them completely_.
DMARC is used all over the world, but how it’s used depends on where you are. Some countries make it mandatory for government departments, while others just recommend it. In many cases, it’s big \*\*email platforms like [Google and Yahoo](https://dmarcreport.com/blog/google-and-yahoos-new-email-authentication-policy-for-2024/), not governments, that are pushing organizations to follow DMARC rules.
Let’s see what \*\*DMARC regulations from across the world look like:
## **What is DMARC?** DMARC is a \*\*security protocol \*\*that helps
protect your email domain from being misused, basically by stopping others from sending [fake emails](https://www.usatoday.com/story/money/columnist/2023/09/21/ai-cyber-scams-security/70920106007/) that look like they’re from you. It works by checking whether an incoming email is actually allowed to use your domain name. To do this, it builds on two other tools, [SPF](https://autospf.com/blog/spf-guide-understanding-sender-policy-framework/) and [DKIM](https://dmarcreport.com/what-is-dkim/), which help verify if a message is coming from a trusted source and hasn’t been altered along the way.
_If something doesn’t look right, DMARC lets you decide what should happen next: you can allow the message, send it to spam, or block it completely_. It also provides you with regular reports, allowing you to see who is sending emails using your domain and whether those messages are passing or failing the checks. In short, **DMARC helps protect your name**, brand, and users from email-based fraud.
## **Why aren’t the rules the same everywhere?** Yes, DMARC is a global standard, recommended by key [email service providers](https://www.icontact.com/define/email-service-provider/) and adopted by all major companies, but the way it is adopted varies across the world. Particularly, on the policy level.
Each country has its own norms regarding digital governance and cybersecurity priorities, which means the way these protocols are perceived and implemented also varies. Some have strict rules that make \*\*DMARC mandatory for all government departments. Others just suggest it as a good practice and leave the decision to individual agencies.
Let’s take a deeper look at the factors that impact DMARC rules across the world:
### \*\*Each country has a different threat perception Yes, we said earlier that [email-based attacks](https://www.darkreading.com/cyber-risk/email-based-attacks-cyber-insurance-claims) are everywhere, but that doesn’t mean the threat landscape is homogeneous. For some countries, [phishing emails](https://thehackernews.com/2024/07/proofpoint-email-routing-flaw-exploited.html) sent to government bodies or \*\*public services are a thing of concern. These attacks have caused enough trouble to make [email security](https://dmarcreport.com/blog/why-email-security-matters-and-how-to-get-it-right/) a high priority. But for others, the risk might be on their radar, just not at the top of the list.
This could be because they haven’t faced a serious incident yet, or the attacks haven’t come to the surface. _In such cases, email authentication and DMARC adoption are seen as an option, rather than a mandatory practice_.
### \*\*Not all governments monitor emails in the same way The way the government handles emails also changes the way DMARC is rolled out in each country.
In some places, things are more organized with a \*\*centralized setup or a particular department that oversees all the official email activity . But in others, each department or agency handles its own email setup. They might use different systems, providers, or rules. No one is really keeping track of who is using what. This shows that we’re not on the same page as everyone else, not even within the same country sometimes. So you really can’t compare [DMARC adoption](https://dmarcreport.com/blog/why-you-should-take-dmarc-adoption-seriously/) in different countries.
### \*\*The technical capabilities are different DMARC implementation is already tricky; what’s trickier is getting it done across the board.
For some countries, \*\*technical challenges are the real barrier. Since for them, [cybersecurity](https://dmarcreport.com/blog/how-to-educate-or-train-employees-on-cybersecurity/) isn’t a priority, they don’t have the same tools, capabilities, and resources as some of the more proactive countries.
_The latter ones: countries that do take cybersecurity seriously usually have stronger infrastructure, better-trained teams, and dedicated systems in place to manage things like DMARC_. They’re able to roll it out more quickly and monitor it properly.
### \*\*Sometimes, platforms have more authority than the governments In a lot of cases, it’s not the government telling people to use DMARC, it’s the big email providers like Google and Yahoo.
Let’s say you’re a company that sends a lot of emails. If you don’t have DMARC set up, Google might start sending your emails to spam or block them completely. Even if there’s no law in your country requiring you to use DMARC, you’ll still need to do so, just to \*\*ensure your emails reach the intended recipients.
## **What does DMARC adoption look like for different countries?** Now that we know DMARC adoption is not the same for every nation, let’s see how different countries and sectors perceive DMARC:
### \*\*The United States In the U.S., DMARC rules depend on where you are and who you’re working with. At the federal level, all government agencies must use DMARC with a **strict policy**, along with SPF, DKIM, and [STARTTLS](https://www.ibm.com/docs/en/zos/2.4.0?topic=set-starttls-command-indicate-ability-negotiate-use-tls). California also follows this, making DMARC mandatory for its state departments.
But in most other states, it’s not enforced; it’s just recommended. The same goes for industries like healthcare and finance
_But for many other states, DMARC is only recommended; it’s a good-to-follow practice, but not really mandatory. In sectors like healthcare and finance, DMARC is encouraged too_. It shows up in laws like \*\*HIPAA and [GLBA](https://www.techtarget.com/searchcio/definition/Gramm-Leach-Bliley-Act), but again, it’s not required. So, unless you’re working directly with the federal government or in a state like California, DMARC is more of a strong suggestion than a rule.
### \*\*United Kingdom In the UK, DMARC isn’t optional for government departments. If your agency sends out bulk emails, you’re expected to follow certain rules, like using [TLS](https://www.cloudflare.com/learning/ssl/transport-layer-security-tls/) for encryption and setting up DMARC to **protect official communications**. The same goes for the healthcare industry, so if your organization is under the [NHS (National Health Service)](https://en.wikipedia.org/wiki/https://en.wikipedia.org/wiki/National%5FHealth%5FService), you must use email systems that support DMARC.
But things are fairly flexible for private companies. There’s no specific DMARC law, but since the UK follows [GDPR](https://www.investopedia.com/terms/g/general-data-protection-regulation-gdpr.asp), protecting personal data is a legal requirement, and using DMARC helps with that. _Moreover, in the UK, ESPs like Google and Yahoo have mandated DMARC for bulk senders, so implementation is not really an option anymore_.
### \*\*France In France, the government doesn’t strictly enforce DMARC, but it does recommend it. Official guidance recommends that \*\*email administrators set up SPF, DKIM, and DMARC to enhance email security. So it’s on the “should do” list, not the “must do” list.
There aren’t any special rules for sectors like healthcare or finance when it comes to DMARC either. But like in most other places, **GDPR still applies**, so protecting [personal data](https://www.grocerydive.com/news/ahold-delhaize-usa-cyberattack-grocery-personal-data-exposed/751971/) is important, and DMARC can help with that.
### \*\*Saudi Arabia Saudi Arabia is stricter than most countries when it comes to email security. There, email authentication is not an option but a norm. Under the Essential Cybersecurity Controls (ECC) issued by the [National Cybersecurity Authority](https://www.manageengine.com/products/eventlog/compliance/nca-compliance.html), companies must establish robust
email protections , including SPF, DKIM, and DMARC. This is particularly relevant for government agencies and critical sectors, where email attacks could compromise **national security or public services**.
_Additionally, in Saudi Arabia, DMARC adoption isn’t led by the private sector, but rather by a more policy-driven and centralized system that mandates action from the top_.
### \*\*South Africa South Africa doesn’t have a law that says you must use DMARC, but it does expect companies to protect people’s personal information as a part of the [Personal Information Act (POPIA)](https://termly.io/resources/articles/south-africas-protection-of-personal-information-act/). Although the act does not specify DMARC directly, it asks organizations to take “**reasonable steps**” to stop data from being leaked or misused.
## \*\*The broader picture DMARC rules may not be the same everywhere, but one thing is certain - [cyber attackers](https://www.aljazeera.com/news/2025/4/15/china-accuses-us-of-launching-cyberattacks-during-asian-winter-games) don’t care where you are. If you use email, you’re already under their radar. _So, if you really want to protect yourself and your organization from email-based attacks like phishing, spoofing, malware, and more, you need to set up DMARC_.
But just setting it up isn’t enough. [DMARC](https://dmarcreport.com/what-is-dmarc/) also helps you keep an eye on what’s happening. It \*\*sends regular reports that show who is using your domain, if emails are passing the checks, and if anything looks suspicious. _This way, you’re not just blocking bad emails, but also staying one step ahead by learning from what’s going on_.
Want to know how you can leverage DMARC reports to protect your domain? \*\*Our team at \*\*[DMARCReport](https://dmarcreport.com/) is here to help! Get in touch with us to learn how.
## Sources
- [RFC 7208 - Sender Policy Framework (SPF)](https://datatracker.ietf.org/doc/html/rfc7208)
- [RFC 7489 - Domain-based Message Authentication, Reporting, and Conformance (DMARC)](https://datatracker.ietf.org/doc/html/rfc7489)
## Topics
[ dkim ](/tags/dkim/)[ DMARC ](/tags/dmarc/)[ email security ](/tags/email-security/)[ SPF ](/tags/spf/)
[ Adam Lundrigan ](/authors/adam-lundrigan/)
CTO
CTO of DuoCircle. Leads engineering for DMARC Report and DuoCircle's email security product portfolio.
[LinkedIn Profile →](https://www.linkedin.com/in/adamlundrigan/)
## Take control of your DMARC reports
Turn raw XML into actionable dashboards. Start free - no credit card required.
[Start Free Trial](https://app.dmarcreport.com/) [Check Your DMARC Record](/tools/dmarc-checker/)
## Related Articles
[ Foundational 8m 10 Critical Learnings From Verizon’s 2021 DBIR - A DMARCReport Perspective Nov 25, 2025 ](/blog/10-critical-learnings-from-verizons-2021-dbir-a-dmarcreport-perspective/)[ Foundational 12m 10 DNS Blacklist Insights That Improve Email Security And Deliverability Fast Nov 14, 2025 ](/blog/10-dns-blacklist-insights-to-improve-email-security-and-deliverability/)[ Foundational 12m 10 Email Spoofing Detection Tools That Dramatically Improve Brand Protection Nov 11, 2025 ](/blog/10-email-spoofing-detection-tools-that-dramatically-improve-brand-protection/)[ Foundational 12m 10 Reasons SPF Filtering Is Critical For Email Security Nov 19, 2025 ](/blog/10-reasons-spf-filtering-is-critical-for-email-security/)
```json
{"@context":"https://schema.org","@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138898167","name":"DMARC Report","url":"https://dmarcreport.com","logo":{"@type":"ImageObject","url":"https://dmarcreport.com/images/dmarcreport-logo.png"},"description":"DMARC reporting and email authentication management. Monitor aggregate and forensic DMARC reports, analyze authentication results, and enforce DMARC policies across all your domains.","parentOrganization":{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138883901","name":"DuoCircle LLC","url":"https://www.duocircle.com","sameAs":["https://www.wikidata.org/wiki/Q138883901","https://www.crunchbase.com/organization/duocircle-llc","https://www.linkedin.com/company/duocircle","https://github.com/duocircle"],"subOrganization":[{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138898167","name":"DMARC Report","url":"https://dmarcreport.com"},{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897474","name":"AutoSPF","url":"https://autospf.com"},{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897912","name":"Phish Protection","url":"https://www.phishprotection.com"}]},"sameAs":["https://www.wikidata.org/wiki/Q138898167","https://www.linkedin.com/company/duocircle","https://x.com/duocirclellc","https://www.g2.com/products/dmarc-report/reviews","https://github.com/duocircle","https://www.crunchbase.com/organization/duocircle-llc","https://www.trustradius.com/products/duocircle/reviews"],"aggregateRating":{"@type":"AggregateRating","ratingValue":"4.8","reviewCount":"470","bestRating":"5","worstRating":"1","url":"https://www.g2.com/products/dmarc-report/reviews"},"contactPoint":{"@type":"ContactPoint","contactType":"customer support","url":"https://dmarcreport.com/support/"},"knowsAbout":["DMARC","DMARC Reporting","DMARC Aggregate Reports","DMARC Forensic Reports","Sender Policy Framework","DKIM","Email Authentication","Email Security","DNS Management","Email Deliverability"]}
```
```json
{"@context":"https://schema.org","@type":"WebSite","name":"DMARC Report","url":"https://dmarcreport.com","description":"DMARC reporting and email authentication management. Monitor aggregate and forensic DMARC reports, analyze authentication results, and enforce DMARC policies across all your domains.","publisher":{"@type":"Organization","name":"DMARC Report","url":"https://dmarcreport.com","logo":{"@type":"ImageObject","url":"https://dmarcreport.com/images/dmarcreport-logo.png"},"description":"DMARC reporting and email authentication management. Monitor aggregate and forensic DMARC reports, analyze authentication results, and enforce DMARC policies across all your domains.","parentOrganization":{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138883901","name":"DuoCircle LLC","url":"https://www.duocircle.com","sameAs":["https://www.wikidata.org/wiki/Q138883901","https://www.crunchbase.com/organization/duocircle-llc","https://www.linkedin.com/company/duocircle","https://github.com/duocircle"],"subOrganization":[{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138898167","name":"DMARC Report","url":"https://dmarcreport.com"},{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897474","name":"AutoSPF","url":"https://autospf.com"},{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897912","name":"Phish Protection","url":"https://www.phishprotection.com"}]}}}
```
```json
[{"@context":"https://schema.org","@type":"BlogPosting","headline":"Decoding the ubiquity of email authentication: DMARC regulations from across the world","description":"Decoding the ubiquity of email authentication: DMARC regulations from across the world from DMARC Report explains practical steps for email authentication.","url":"https://dmarcreport.com/blog/decoding-global-dmarc-regulations-email-authentication-around-the-world/","datePublished":"2025-07-01T10:23:13.000Z","dateModified":"2026-04-16T15:53:43.000Z","dateCreated":"2025-07-01T10:23:13.000Z","author":{"@type":"Person","@id":"https://dmarcreport.com/authors/adam-lundrigan/#person","name":"Adam Lundrigan","url":"https://dmarcreport.com/authors/adam-lundrigan/","jobTitle":"CTO","description":"Adam Lundrigan is the Chief Technology Officer of DuoCircle, where he leads engineering across DMARC Report, AutoSPF, and the company's email security portfolio. His technical focus includes DMARC report processing infrastructure, DNS monitoring systems, and the SPF evaluation logic that powers DuoCircle's authentication tools.","image":"https://media.mailhop.org/dmarcreport/images/authors/adam-lundrigan.jpg","knowsAbout":["DMARC Report Processing","DNS Architecture","Email Authentication","SaaS Engineering","DNS Monitoring","Infrastructure Automation"],"worksFor":{"@type":"Organization","name":"DMARC Report","url":"https://dmarcreport.com"},"sameAs":["https://www.linkedin.com/in/adamlundrigan/"]},"publisher":{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138898167","name":"DMARC Report","url":"https://dmarcreport.com","logo":{"@type":"ImageObject","url":"https://dmarcreport.com/images/dmarcreport-logo.png"},"description":"DMARC reporting and email authentication management. Monitor aggregate and forensic DMARC reports, analyze authentication results, and enforce DMARC policies across all your domains.","parentOrganization":{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138883901","name":"DuoCircle LLC","url":"https://www.duocircle.com","sameAs":["https://www.wikidata.org/wiki/Q138883901","https://www.crunchbase.com/organization/duocircle-llc","https://www.linkedin.com/company/duocircle","https://github.com/duocircle"],"subOrganization":[{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138898167","name":"DMARC Report","url":"https://dmarcreport.com"},{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897474","name":"AutoSPF","url":"https://autospf.com"},{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897912","name":"Phish Protection","url":"https://www.phishprotection.com"}]},"sameAs":["https://www.wikidata.org/wiki/Q138898167","https://www.linkedin.com/company/duocircle","https://x.com/duocirclellc","https://www.g2.com/products/dmarc-report/reviews","https://github.com/duocircle","https://www.crunchbase.com/organization/duocircle-llc","https://www.trustradius.com/products/duocircle/reviews"],"aggregateRating":{"@type":"AggregateRating","ratingValue":"4.8","reviewCount":"470","bestRating":"5","worstRating":"1","url":"https://www.g2.com/products/dmarc-report/reviews"},"contactPoint":{"@type":"ContactPoint","contactType":"customer support","url":"https://dmarcreport.com/support/"},"knowsAbout":["DMARC","DMARC Reporting","DMARC Aggregate Reports","DMARC Forensic Reports","Sender Policy Framework","DKIM","Email Authentication","Email Security","DNS Management","Email Deliverability"]},"mainEntityOfPage":{"@type":"WebPage","@id":"https://dmarcreport.com/blog/decoding-global-dmarc-regulations-email-authentication-around-the-world/"},"articleSection":"foundational","keywords":"dkim, DMARC, email security, SPF","wordCount":1983,"image":{"@type":"ImageObject","url":"https://media.mailhop.org/dmarcreport/images/2022/04/dmarc-alignment-6379.jpg","caption":"Decoding the ubiquity of email authentication: DMARC regulations from across the world","width":900,"height":600},"speakable":{"@type":"SpeakableSpecification","cssSelector":[".answer-block","h1"]}}]
```
```json
{"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https://dmarcreport.com/"},{"@type":"ListItem","position":2,"name":"Blog","item":"https://dmarcreport.com/blog/"},{"@type":"ListItem","position":3,"name":"Foundational","item":"https://dmarcreport.com/foundational/"},{"@type":"ListItem","position":4,"name":"Decoding the ubiquity of email authentication: DMARC regulations from across the world","item":"https://dmarcreport.com/blog/decoding-global-dmarc-regulations-email-authentication-around-the-world/"}]}
```