
Why the Payment Card Industry (PCI) encourages SPF, DKIM, and DMARC

Vasile Diaconu, Operations Lead
Updated April 16, 2026 | Updated for 2026

Quick Answer

DMARC (RFC 7489) ties SPF and DKIM together by requiring alignment between the envelope sender and the visible `From` header. According to Google's February 2024 bulk sender requirements, a DMARC policy of at least `p=none` is now mandatory for any domain sending 5,000+ messages per day to Gmail users.


DKIM is the authentication protocol that survives email forwarding, says Brad Slavin, CEO of DuoCircle. When SPF fails because a forwarder’s IP isn’t in the original record, DKIM alignment is the only path to DMARC pass. That’s why we monitor DKIM alongside SPF in every DMARC Report dashboard.


Most cyberattacks are aimed at financial gain. Since so many online platforms require credit and debit cards for payments, card fraud is on the rise. With more than 17.45 billion credit, debit, and prepaid cards in use globally, fraudsters today have more opportunities than ever to exploit them. The situation is so bad that as many as 62 million Americans experienced credit card fraud in 2024.

With such grave news and statistics emerging daily, the Payment Card Industry (PCI) has recognized the need to establish stricter security controls over the extensive and ever-expanding digital payment ecosystem.

Therefore, in June 2024, PCI began recommending DMARC, SPF, and DKIM to strengthen cybersecurity, as outlined in Section 5.4.1 of its updated PCI DSS version 4.0.1.

This blog discusses what SPF, DKIM, and DMARC are and why PCI encourages their deployment.

What are SPF, DKIM, and DMARC: a brief explanation

As of 2025, DMARC is mandatory under multiple compliance frameworks. CISA BOD 18-01 requires p=reject for US federal domains. PCI DSS v4.0 mandates DMARC for organizations processing payment card data as of March 2025. Google and Yahoo require DMARC for bulk senders (5,000+ messages/day) since February 2024, and Microsoft began rejecting non-compliant email in May 2025. The UK NCSC, Australia’s ASD, and Canada’s CCCS all mandate DMARC for government domains. Cyber insurers increasingly require DMARC enforcement as an underwriting condition.

SPF (Sender Policy Framework)

SPF is an email authentication protocol that allows the domain owner to publish, in DNS, the list of mail servers and IP addresses they trust and authorize to send email on their behalf. Any email sent from an IP address or mail server outside that list is considered unauthorized and potentially fraudulent. Through the record’s qualifier, the domain owner directs the recipient’s server to either mark such illegitimate emails as spam or reject them altogether. This helps prevent phishing emails from reaching the victim’s inbox.

DKIM (DomainKeys Identified Mail)

DKIM lets the sender attach a digital signature to each outgoing email. The signature is created with a private cryptographic key and added to the email’s headers. When the email arrives, the recipient’s server retrieves the sender’s public key from DNS and uses it to verify that the signed content hasn’t been tampered with in transit and that the message was truly sent by the claimed domain.

DMARC (Domain-based Message Authentication, Reporting, and Conformance)

DMARC is built on the results of SPF and DKIM. If an incoming email fails both checks, DMARC tells the receiving server what to do with it, based on the sender’s published DMARC policy: deliver, quarantine, or reject it. It also provides reports, allowing domain owners to monitor and improve their email security.
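The receiver-side logic described above, as an added example that is not part of the original post: the function below turns SPF and DKIM results into a DMARC verdict by checking alignment against the visible From domain, then applies the published policy. It also reproduces the forwarding case from the pull-quote (SPF fails, aligned DKIM still passes). The organizational-domain lookup is simplified to the last two DNS labels; real receivers use the Public Suffix List.

```python
from dataclasses import dataclass

def org_domain(domain: str) -> str:
    # Simplification (assumption): last two labels are the organizational domain.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def parse_dmarc(record: str) -> dict:
    """Parse a DMARC TXT record such as 'v=DMARC1; p=quarantine; aspf=s'."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        raise ValueError("not a DMARC record")
    if tags.get("p") not in ("none", "quarantine", "reject"):
        raise ValueError("missing or invalid p= policy")
    tags.setdefault("adkim", "r")   # relaxed DKIM alignment is the default
    tags.setdefault("aspf", "r")    # relaxed SPF alignment is the default
    return tags

def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """Strict mode needs an exact match; relaxed accepts the same org domain."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)

@dataclass
class AuthResults:
    from_domain: str   # RFC5322.From domain, the one the user actually sees
    spf_result: str    # "pass", "fail", ...
    spf_domain: str    # RFC5321.MailFrom domain SPF was evaluated for
    dkim_result: str   # "pass", "fail", "none"
    dkim_domain: str   # d= tag of the verified DKIM signature ("" if none)

def dmarc_verdict(record: str, r: AuthResults) -> tuple:
    """Return (dmarc_result, disposition); disposition is deliver/quarantine/reject."""
    tags = parse_dmarc(record)
    spf_ok = r.spf_result == "pass" and aligned(r.spf_domain, r.from_domain, tags["aspf"])
    dkim_ok = r.dkim_result == "pass" and aligned(r.dkim_domain, r.from_domain, tags["adkim"])
    if spf_ok or dkim_ok:            # one aligned pass is enough
        return "pass", "deliver"
    return "fail", {"none": "deliver", "quarantine": "quarantine", "reject": "reject"}[tags["p"]]

# Constructed scenario: a legitimate example.com message forwarded by a third party,
# so SPF fails (forwarder IP not in the record) but the DKIM signature survives.
FORWARDED = AuthResults("example.com", "fail", "example.com", "pass", "example.com")
# Constructed scenario: a spoof whose SPF and DKIM pass only for the attacker's domain.
SPOOFED = AuthResults("example.com", "pass", "attacker.test", "pass", "attacker.test")
```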

What role does email play in payment fraud?

Email is often the first point of attack for threat actors trying to get their hands on credit and debit card details, or trying to trick companies into wiring money to their accounts. They send impersonation phishing emails written so flawlessly and convincingly that recipients often don’t bat an eye before acting on the request. They usually send the emails in the name of reputed banks, vendors, or even internal executives to:

  • Steal cardholder information by tricking employees or customers into entering details on fake websites.

  • Launch Business Email Compromise (BEC) attacks where they convince finance teams to make unauthorized wire transfers.

  • Distribute malware that captures payment information from internal systems.

  • Spoof legitimate domains to make the fraudulent email look credible and bypass basic security checks.

Since the Payment Card Industry handles sensitive, high-value transaction data, even a single successful email scam can result in substantial financial losses, regulatory penalties, and reputational damage.

Who is affected by PCI’s new requirement?

With this new requirement, all organizations, including merchants, must implement and properly configure DMARC for their domains. This ensures that only authorized and legitimate emails pass security checks and land in the recipients’ inboxes, mitigating the risk of threat actors impersonating employees of credible organizations and duping them into sharing sensitive financial details.

This new rule is expected to have a significant impact on overall cybersecurity, as it affects anyone involved in handling payment card data, including merchants, payment processors, banks (issuers and acquirers), and service providers. It primarily affects:

  • Systems, people, and processes that store, process, or send cardholder data or sensitive authentication data (SAD).

  • Systems, people, and processes that, even if not directly handling card data, could still affect the security of the cardholder environment.

  • Systems that don’t handle card data directly but are connected to systems that do, and could be exploited to access sensitive information.

Sensitive Authentication Data (SAD) includes elements like CVV codes, full magnetic stripe data, PINs, and PIN blocks. This information is highly sensitive, and if a malicious entity gains access to it, they can commit significant financial fraud. That’s precisely why storing SAD after payment authorization is strictly forbidden.

Impact on finance and payment companies

This security measure brings the following benefits to finance and payment companies, especially those storing card details:

1. Stronger defense against phishing and spoofing emails

Cybercriminals often hack email accounts or create fake ones to send convincing emails (now made even easier with AI tools) pretending to be trusted companies. They trick prospects, clients, or employees into clicking fake links or sharing their credit card information. Since these messages appear to come from a legitimate source, recipients proceed with the request.

However, with SPF, DKIM, and DMARC in place, such emails are filtered and blocked, thereby protecting victims from cyber threats.

2. Enhanced regulatory compliance

When these email authentication protocols are implemented, organizations demonstrate their commitment to protecting sensitive customer data, thereby meeting regulatory requirements and avoiding potential penalties.

3. Competitive advantage

By adopting these security measures early, financial companies can show they take cybersecurity seriously. It helps them stand out from competitors and build trust with customers and partners who care about security.

The way forward

Over the last year, many organizations and regulatory bodies have begun emphasizing the adoption of DMARC. It has become a standard item on the checklists of security features that prospects consider before investing in new services, and considering the current digital threat landscape, it is only wise to do so.

So, if you also store cardholder data but haven’t set up DMARC for your domain, please contact us. Let us help you avoid losing business or becoming entangled in legal issues due to security concerns.


Vasile Diaconu, Operations Lead at DuoCircle. Runs project management, developer coordination, and technical support execution for DMARC Report.
