
Decoding the ubiquity of email authentication: DMARC regulations from across the world

Adam Lundrigan CTO
Updated April 16, 2026

Quick Answer

The three core email authentication standards - SPF (RFC 7208), DKIM (RFC 6376), and DMARC (RFC 7489) - work together to verify that an email genuinely originates from the domain it claims to represent. Since February 2024, Google and Yahoo require all three for bulk senders.


“Compliance is driving a lot of the DMARC adoption we see,” says Vasile Diaconu, Operations Lead at DuoCircle. “PCI DSS v4.0, Google’s sender requirements, Microsoft’s May 2025 enforcement - our support team fields questions about these mandates daily. The organizations that moved early are already at p=reject. The rest are scrambling.”


Email-based attacks are prevalent, which means that tools and strategies to protect email ecosystems are also widely available.

Despite being one of the most preferred and reliable channels of communication, email lacks one important thing: a native security feature that goes beyond cursory checks. We don’t mean spam filters or inbox firewalls. We mean more reliable tools to verify the legitimacy and authenticity of the sender and the email. That’s where email authentication protocols come in.

Protocols like DMARC (Domain-based Message Authentication, Reporting, and Conformance) patch the gaps left by how email was originally designed - open, flexible, but without built-in mechanisms to confirm who is really sending a message.

It works by verifying if an email sent from your domain is legitimate and allows you to instruct email providers on how to handle suspicious emails: either allow them, send them to spam, or block them completely.

DMARC is used all over the world, but how it’s used depends on where you are. Some countries make it mandatory for government departments, while others just recommend it. In many cases, it’s big email platforms like Google and Yahoo, not governments, that are pushing organizations to follow DMARC rules.

Let’s see what DMARC regulations from across the world look like:


What is DMARC?

DMARC is a security protocol that helps protect your email domain from being misused, basically by stopping others from sending fake emails that look like they’re from you. It works by checking whether an incoming email is actually allowed to use your domain name. To do this, it builds on two other tools, SPF and DKIM, which help verify if a message is coming from a trusted source and hasn’t been altered along the way.

If something doesn’t look right, DMARC lets you decide what should happen next: you can allow the message, send it to spam, or block it completely. It also provides you with regular reports, allowing you to see who is sending emails using your domain and whether those messages are passing or failing the checks. In short, DMARC helps protect your name, brand, and users from email-based fraud.

Each country has its own norms regarding digital governance and cybersecurity priorities, which means the way these protocols are perceived and implemented also varies. Some have strict rules that make DMARC mandatory for all government departments. Others just suggest it as a good practice and leave the decision to individual agencies.

Let’s take a deeper look at the factors that impact DMARC rules across the world:


Each country has a different threat perception

Yes, we said earlier that email-based attacks are everywhere, but that doesn’t mean the threat landscape is homogeneous. For some countries, phishing emails sent to government bodies or public services are a real concern. These attacks have caused enough trouble to make email security a high priority. But for others, the risk might be on their radar, just not at the top of the list.

This could be because they haven’t faced a serious incident yet, or the attacks haven’t come to the surface. In such cases, email authentication and DMARC adoption are seen as an option, rather than a mandatory practice.

Not all governments monitor emails in the same way

The way the government handles emails also changes the way DMARC is rolled out in each country.

In some places, things are more organized, with a centralized setup or a particular department that oversees all official email activity. But in others, each department or agency handles its own email setup. They might use different systems, providers, or rules, and no one is really keeping track of who is using what. Practices are not aligned everywhere, sometimes not even within the same country, so you can’t really compare DMARC adoption across countries.


The technical capabilities are different

DMARC implementation is already tricky; what’s trickier is getting it done across the board.

For some countries, technical challenges are the real barrier. Because cybersecurity isn’t a priority for them, they don’t have the same tools, capabilities, and resources as some of the more proactive countries.

Countries that do take cybersecurity seriously usually have stronger infrastructure, better-trained teams, and dedicated systems in place to manage things like DMARC. They’re able to roll it out more quickly and monitor it properly.

Sometimes, platforms have more authority than the governments

In a lot of cases, it’s not the government telling people to use DMARC, it’s the big email providers like Google and Yahoo.

Let’s say you’re a company that sends a lot of emails. If you don’t have DMARC set up, Google might start sending your emails to spam or block them completely. Even if there’s no law in your country requiring you to use DMARC, you’ll still need to do so, just to ensure your emails reach the intended recipients.


What does DMARC adoption look like for different countries?

Now that we know DMARC adoption is not the same for every nation, let’s see how different countries and sectors perceive DMARC:

The United States

In the U.S., DMARC rules depend on where you are and who you’re working with. At the federal level, all government agencies must use DMARC with a strict policy, along with SPF, DKIM, and STARTTLS. California also follows this, making DMARC mandatory for its state departments.

But in most other states, DMARC is not enforced; it’s only recommended, a good practice to follow rather than a mandate. In sectors like healthcare and finance, DMARC is encouraged too. It shows up in laws like HIPAA and GLBA, but again, it’s not required. So, unless you’re working directly with the federal government or in a state like California, DMARC is more of a strong suggestion than a rule.

United Kingdom

In the UK, DMARC isn’t optional for government departments. If your agency sends out bulk emails, you’re expected to follow certain rules, like using TLS for encryption and setting up DMARC to protect official communications. The same goes for the healthcare industry, so if your organization is under the NHS (National Health Service), you must use email systems that support DMARC.

But things are fairly flexible for private companies. There’s no specific DMARC law, but since the UK follows GDPR, protecting personal data is a legal requirement, and using DMARC helps with that. Moreover, in the UK, ESPs like Google and Yahoo have mandated DMARC for bulk senders, so implementation is not really optional anymore.


France

In France, the government doesn’t strictly enforce DMARC, but it does recommend it. Official guidance recommends that email administrators set up SPF, DKIM, and DMARC to enhance email security. So it’s on the “should do” list, not the “must do” list.

There aren’t any special rules for sectors like healthcare or finance when it comes to DMARC either. But like in most other places, GDPR still applies, so protecting personal data is important, and DMARC can help with that.

Saudi Arabia

Saudi Arabia is stricter than most countries when it comes to email security. There, email authentication is not an option but a norm. Under the Essential Cybersecurity Controls (ECC) issued by the National Cybersecurity Authority, companies must establish robust email protections, including SPF, DKIM, and DMARC. This is particularly relevant for government agencies and critical sectors, where email attacks could compromise national security or public services.


Additionally, in Saudi Arabia, DMARC adoption isn’t led by the private sector, but rather by a more policy-driven and centralized system that mandates action from the top.

South Africa

South Africa doesn’t have a law that says you must use DMARC, but it does expect companies to protect people’s personal information under the Protection of Personal Information Act (POPIA). Although the act does not specify DMARC directly, it asks organizations to take “reasonable steps” to stop data from being leaked or misused.

The broader picture

DMARC rules may not be the same everywhere, but one thing is certain - cyber attackers don’t care where you are. If you use email, you’re already on their radar. So, if you really want to protect yourself and your organization from email-based attacks like phishing, spoofing, malware, and more, you need to set up DMARC.


But just setting it up isn’t enough. DMARC also helps you keep an eye on what’s happening. It sends regular reports that show who is using your domain, if emails are passing the checks, and if anything looks suspicious. This way, you’re not just blocking bad emails, but also staying one step ahead by learning from what’s going on.

Want to know how you can leverage DMARC reports to protect your domain? Our team at DMARCReport is here to help! Get in touch with us to learn how.

Adam Lundrigan

CTO

CTO of DuoCircle. Leads engineering for DMARC Report and DuoCircle's email security product portfolio.
