---
title: "Why the Payment Card Industry (PCI) encourages SPF, DKIM, and DMARC | DMARC Report"
description: "DMARC (RFC 7489) ties SPF and DKIM together by requiring alignment between the envelope sender and the visible From header."
image: "https://dmarcreport.com/og/blog/why-the-payment-card-industry-encourages-spf-dkim-and-dmarc.png"
canonical: "https://dmarcreport.com/blog/why-the-payment-card-industry-encourages-spf-dkim-and-dmarc/"
---
Quick Answer
DMARC (RFC 7489) ties SPF and DKIM together by requiring alignment between the envelope sender and the visible \`From\` header. According to Google's February 2024 bulk sender requirements, a DMARC policy of at least \`p=none\` is now mandatory for any domain sending 5,000+ messages per day to Gmail users.
Related: [Free DMARC Checker](/tools/dmarc-checker/) ·[How to Create an SPF Record](/tools/spf-record-generator/) ·[SPF Record Format](/blog/spf-format-checker-dos-and-donts-for-email-authentication/)
Share
[ ](https://www.linkedin.com/sharing/share-offsite/?url=undefined%2Fblog%2Fwhy-the-payment-card-industry-encourages-spf-dkim-and-dmarc%2F "Share on LinkedIn") [ ](https://twitter.com/intent/tweet?text=Why%20the%20Payment%20Card%20Industry%20%28PCI%29%20encourages%20SPF%2C%20DKIM%2C%20and%20DMARC&url=undefined%2Fblog%2Fwhy-the-payment-card-industry-encourages-spf-dkim-and-dmarc%2F "Share on X/Twitter") [ ](https://www.facebook.com/sharer/sharer.php?u=undefined%2Fblog%2Fwhy-the-payment-card-industry-encourages-spf-dkim-and-dmarc%2F "Share on Facebook") [ ](https://reddit.com/submit?url=undefined%2Fblog%2Fwhy-the-payment-card-industry-encourages-spf-dkim-and-dmarc%2F&title=Why%20the%20Payment%20Card%20Industry%20%28PCI%29%20encourages%20SPF%2C%20DKIM%2C%20and%20DMARC "Share on Reddit") [ ](mailto:?subject=Why%20the%20Payment%20Card%20Industry%20%28PCI%29%20encourages%20SPF%2C%20DKIM%2C%20and%20DMARC&body=Check out this article: undefined%2Fblog%2Fwhy-the-payment-card-industry-encourages-spf-dkim-and-dmarc%2F "Share via Email")
## Try Our Free DMARC Checker
Validate your DMARC policy, check alignment settings, and verify reporting configuration.
[ Check DMARC Record → ](/tools/dmarc-checker/)
DMARC ([RFC 7489](https://datatracker.ietf.org/doc/html/rfc7489)) ties SPF and DKIM together by requiring alignment between the envelope sender and the visible `From` header. According to Google’s February 2024 bulk sender requirements, a DMARC policy of at least `p=none` is now mandatory for any domain sending 5,000+ messages per day to Gmail users.
> DKIM is the authentication protocol that survives email forwarding, says Brad Slavin, General Manager of DuoCircle. When SPF fails because a forwarder’s IP isn’t in the original record, DKIM alignment is the only path to DMARC pass. That’s why we monitor DKIM alongside SPF in every DMARC Report dashboard.
```
DMARC Report
```
Why the Payment Card Industry (PCI) encourages SPF, DKIM, and DMARC
```
```
/
```
```
RSS Feed
```
Share
Link
Embed
```
/\*! This file is auto-generated \*/ ’ title=“Embed Code” class=“input-embed input-embed-24146” readonly/>
```
```
Most cyberattacks are aimed at financial gain. Since so many online platforms require credit and debit cards for payments, card fraud is on the rise. With more than [17.45 billion](https://merchantcostconsulting.com/lower-credit-card-processing-fees/credit-card-fraud-statistics/) credit, debit, and prepaid cards in use globally, fraudsters today have more opportunities than ever to exploit them. The situation is so bad that as many as [62 million Americans](https://www.security.org/digital-safety/credit-card-fraud-report/) experienced credit card fraud in 2024.
With such grave news and statistics emerging daily, the Payment Card Industry\*\* (PCI) has recognized the need to establish stricter security controls over the extensive and ever-expanding digital [payment ecosystem](https://stripe.com/in/resources/more/the-payment-industry-ecosystem-explained).
Therefore, in June 2024, [PCI began recommending DMARC, SPF, and DKIM](https://blog.pcisecuritystandards.org/just-published-pci-dss-v4-0-1) to strengthen cybersecurity, as outlined in Section 5.4.1 of its updated PCI DSS version 4.0.1.
_This blog discusses what SPF, DKIM, and DMARC are and why PCI encourages their deployment_.
## What are SPF, DKIM, and DMARC- a brief explanation
As of 2025, DMARC is mandatory under multiple compliance frameworks. [CISA BOD 18-01](https://www.cisa.gov/news-events/directives/bod-18-01) requires p=reject for US federal domains. [PCI DSS v4.0](https://www.pcisecuritystandards.org/) mandates DMARC for organizations processing payment card data as of March 2025\. Google and Yahoo require DMARC for bulk senders (5,000+ messages/day) since February 2024, and [Microsoft began rejecting](https://learn.microsoft.com/en-us/defender-office-365/email-authentication-dmarc-configure) non-compliant email in May 2025\. The UK [NCSC](https://www.ncsc.gov.uk/collection/email-security-and-anti-spoofing), Australia’s [ASD](https://www.cyber.gov.au/resources-business-and-government/essential-cyber-security/ism/cyber-security-guidelines/guidelines-email), and Canada’s [CCCS](https://www.cyber.gc.ca/en/guidance/implementation-guidance-email-domain-protection) all mandate DMARC for government domains. Cyber insurers increasingly require DMARC enforcement as an underwriting condition.
## SPF (Sender Policy Framework)
It’s an email authentication protocol that allows the \*\*domain owner to list all the mail servers and [IP addresses](https://en.wikipedia.org/wiki/IP%5Faddress) they trust and authorize to be used for sending emails on their behalf. Any email sent from an IP address or [mail server](https://www.activecampaign.com/glossary/mail-server) outside of the list is considered unauthorized and potentially fraudulent. _The domain owner directs the recipient’s server to either mark such illegitimate emails as spam or reject them altogether. This helps prevent phishing emails from reaching the victim’s inbox_.
## DKIM (DomainKeys Identified Mail)
DKIM lets the sender attach a [digital signature](https://www.digicert.com/faq/signature-trust/what-is-a-digital-signature) to each outgoing email. This signature is created using a private [cryptographic key](https://www.cloudflare.com/learning/ssl/what-is-a-cryptographic-key/) and is added to the [email’s](https://proton.me/blog/what-are-email-headers)[ ](https://proton.me/blog/what-are-email-headers)[header](https://proton.me/blog/what-are-email-headers). When the email reaches the recipient’s server, it retrieves the sender’s [public key](https://www.techtarget.com/searchsecurity/definition/public-key) from [DNS](https://www.ibm.com/think/topics/dns-records)[ ](https://www.ibm.com/think/topics/dns-records)[records](https://www.ibm.com/think/topics/dns-records) to verify that the email’s content hasn’t been tampered with during transit and that it was truly sent by the claimed domain.
## DMARC (Domain-based Message Authentication, Reporting, and Conformance)
DMARC is built on the results of SPF and [DKIM](https://dmarcreport.com/what-is-dkim/). If an incoming email fails both checks, DMARC tells the receiving server what to do - \*\*deliver, quarantine, or reject it - based on the sender’s published [DMARC policy](https://dmarcreport.com/blog/what-is-a-dmarc-policy-and-how-does-it-affect-sending-my-emails/). It also provides reports, allowing domain owners to monitor and improve their [email security](https://dmarcreport.com/blog/why-email-security-matters-and-how-to-get-it-right/).
## What Role Does emails Play in payment fraud?
Emails are often the first point of attack for [threat actors](https://www.nbcnews.com/tech/security/us-treasury-says-computers-hacked-chinese-threat-actor-rcna185809) trying to get their hands on credit and debit card details or tricking companies into wire transferring money to their accounts. _They send impersonated phishing emails that are written so flawlessly and convincingly that recipients often don’t bat an eye before proceeding with the request made by them_. They usually send the emails in the name of reputed banks, vendors, or even internal executives to:
- Steal cardholder information by tricking employees or customers into entering details on fake websites.
- Launch [Business Email Compromise (BEC) attacks](https://www.bleepingcomputer.com/news/security/interpol-recovers-over-40-million-stolen-in-a-bec-attack/) where they convince finance teams to make unauthorized wire transfers.
- Distribute malware that captures payment information from \*\*internal systems. - Spoof legitimate domains to make the fraudulent email look credible and bypass basic
security checks .
Since the [Payment Card Industry](https://en.wikipedia.org/wiki/Payment%5Fcard%5Findustry) handles sensitive, **high-value transaction data**, even a single successful email scam can result in substantial financial losses, regulatory penalties, and reputational damage.
## Who is affected by PCI’s new requirement?
_With this new requirement, all organizations, including merchants, must implement and properly configure DMARC for their domains_. This ensures that only authorized and [legitimate emails](https://www.usatoday.com/story/tech/2021/08/23/gmail-spam-filter-email-inbox-google/8242847002/) \*\*pass security checks and land in the recipients’ inboxes, mitigating the risk of threat actors impersonating employees of credible organizations and duping them into sharing [sensitive financial details](https://www.linkedin.com/advice/0/how-can-you-safely-handle-sensitive-financial-information-v2wge).
This new rule is expected to have a significant impact on overall [cybersecurity](https://dmarcreport.com/blog/how-to-educate-or-train-employees-on-cybersecurity/), as it affects anyone involved in handling payment card data, including merchants, payment processors, banks (issuers and acquirers), and **service providers**. It primarily affects-
- Systems, people, and processes that store, process, or send cardholder data or **sensitive authentication data (SAD)**.
- _Systems, people, and processes that, even if not directly handling card data, could still affect the security of the cardholder environment_.
- Systems that don’t handle card data directly but are connected to systems that do, and could be exploited to access **sensitive information**.
Sensitive Authentication Data (SAD) includes elements like [CVV codes](https://www.emerchantpay.com/insights/what-is-a-cvv-code/), full magnetic stripe data, PINs, and PIN blocks. This information is highly sensitive, and if a malicious entity gains access to it, they can commit significant financial fraud. That’s precisely why storing SAD after payment authorization is **strictly forbidden**.
## Impact on the finance and payment companies
This significant \*\*security measure imparts the following benefits to the finance and payment companies, especially the ones storing card details-
## 1\. Stronger defense against phishing and spoofing emails
[Cybercriminals](https://www.voanews.com/a/alleged-leader-of-cybercriminals-extradited-to-us/7741605.html) often hack email accounts or create fake ones to send convincing emails - now made even easier with the use of AI tools - pretending to be trusted companies. _They trick prospects, clients, or employees into clicking fake links or sharing their credit card information_.. Since these messages appear to come from a legitimate source , recipients proceed with the request.
However, with [SPF](https://autospf.com/blog/spf-guide-understanding-sender-policy-framework/), DKIM, and DMARC in place, such emails are filtered and blocked, thereby \*\*protecting victims from cyber threats.
## 2\. Enhanced regulatory compliance
When these [email authentication](https://dmarcreport.com/blog/why-email-security-matters-and-how-to-get-it-right/) protocols are implemented, organizations demonstrate their commitment to **protecting sensitive customer data**, thereby meeting regulatory requirements and avoiding potential penalties.
## 3\. Competitive advantage
By adopting these security measures early, financial companies can show they take cybersecurity seriously. It helps them stand out from competitors and \*\*build trust with customers \*\*and partners who care about security.
## The way forward
Over the last year, many organizations and regulatory bodies have begun emphasizing the adoption of [DMARC](https://dmarcreport.com/). It has become a standard part of primary checklists or \*\*security features that prospects consider before investing in new services - and considering the current digital [threat landscape](https://www.techtarget.com/searchsecurity/news/366602593/Evolving-threat-landscape-influencing-cyber-insurance-market), it is only wise to do so.
So, if you also store cardholder data but haven’t set up DMARC for your domain, please [contact us](https://dmarcreport.com/contact/). Let us help you avoid losing business or becoming entangled in legal issues due to security concerns.
## Sources
- [CISA Binding Operational Directive 18-01](https://www.cisa.gov/news-events/directives/bod-18-01)
- [Microsoft Outlook DMARC Enforcement May 2025](https://learn.microsoft.com/en-us/defender-office-365/email-authentication-dmarc-configure) (2025)
- [PCI DSS v4.0 - DMARC Requirement](https://www.pcisecuritystandards.org/) (2025)
- [RFC 7489 - Domain-based Message Authentication, Reporting, and Conformance (DMARC)](https://datatracker.ietf.org/doc/html/rfc7489)
## Topics
[ dkim ](/tags/dkim/)[ DMARC ](/tags/dmarc/)[ dns record ](/tags/dns-record/)[ email security ](/tags/email-security/)[ SPF ](/tags/spf/)
[ Vasile Diaconu ](/authors/vasile-diaconu/)
Operations Lead
Operations Lead at DuoCircle. Runs project management, developer coordination, and technical support execution for DMARC Report.
[LinkedIn Profile →](https://www.linkedin.com/in/vasile-diaconu/)
## Take control of your DMARC reports
Turn raw XML into actionable dashboards. Start free - no credit card required.
[Start Free Trial](https://app.dmarcreport.com/) [Check Your DMARC Record](/tools/dmarc-checker/)
## Related Articles
[ Foundational 12m 10 DNS Blacklist Insights That Improve Email Security And Deliverability Fast Nov 14, 2025 ](/blog/10-dns-blacklist-insights-to-improve-email-security-and-deliverability/)[ Foundational 11m 7 Easy Steps To Verify An Spf Record Using Nslookup Properly Nov 18, 2025 ](/blog/7-steps-to-verify-spf-record-correctly-using-nslookup-tool/)[ Foundational 8m A Records Vs. Alias Records - A Guide By DMARCReport Dec 4, 2025 ](/blog/a-records-vs-alias-records-a-guide-by-dmarcreport/)[ Foundational 14m Add TXT Record on Namecheap (SPF, DKIM & DMARC) - 2026 Mar 5, 2025 ](/blog/add-txt-record-on-namecheap-a-complete-dns-guide/)
```json
{"@context":"https://schema.org","@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138898167","name":"DMARC Report","url":"https://dmarcreport.com","logo":{"@type":"ImageObject","url":"https://dmarcreport.com/images/dmarcreport-logo.png"},"description":"DMARC reporting and email authentication management. Monitor aggregate and forensic DMARC reports, analyze authentication results, and enforce DMARC policies across all your domains.","parentOrganization":{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138883901","name":"DuoCircle LLC","url":"https://www.duocircle.com","sameAs":["https://www.wikidata.org/wiki/Q138883901","https://www.crunchbase.com/organization/duocircle-llc","https://www.linkedin.com/company/duocircle","https://github.com/duocircle"],"subOrganization":[{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138898167","name":"DMARC Report","url":"https://dmarcreport.com"},{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897474","name":"AutoSPF","url":"https://autospf.com"},{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897912","name":"Phish Protection","url":"https://www.phishprotection.com"}]},"sameAs":["https://www.wikidata.org/wiki/Q138898167","https://www.linkedin.com/company/duocircle","https://x.com/duocirclellc","https://www.g2.com/products/dmarc-report/reviews","https://github.com/duocircle","https://www.crunchbase.com/organization/duocircle-llc","https://www.trustradius.com/products/duocircle/reviews"],"aggregateRating":{"@type":"AggregateRating","ratingValue":"4.8","reviewCount":"470","bestRating":"5","worstRating":"1","url":"https://www.g2.com/products/dmarc-report/reviews"},"contactPoint":{"@type":"ContactPoint","contactType":"customer support","url":"https://dmarcreport.com/support/"},"knowsAbout":["DMARC","DMARC Reporting","DMARC Aggregate Reports","DMARC Forensic Reports","Sender Policy Framework","DKIM","Email Authentication","Email Security","DNS Management","Email Deliverability"]}
```
```json
{"@context":"https://schema.org","@type":"WebSite","name":"DMARC Report","url":"https://dmarcreport.com","description":"DMARC reporting and email authentication management. Monitor aggregate and forensic DMARC reports, analyze authentication results, and enforce DMARC policies across all your domains.","publisher":{"@type":"Organization","name":"DMARC Report","url":"https://dmarcreport.com","logo":{"@type":"ImageObject","url":"https://dmarcreport.com/images/dmarcreport-logo.png"},"description":"DMARC reporting and email authentication management. Monitor aggregate and forensic DMARC reports, analyze authentication results, and enforce DMARC policies across all your domains.","parentOrganization":{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138883901","name":"DuoCircle LLC","url":"https://www.duocircle.com","sameAs":["https://www.wikidata.org/wiki/Q138883901","https://www.crunchbase.com/organization/duocircle-llc","https://www.linkedin.com/company/duocircle","https://github.com/duocircle"],"subOrganization":[{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138898167","name":"DMARC Report","url":"https://dmarcreport.com"},{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897474","name":"AutoSPF","url":"https://autospf.com"},{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897912","name":"Phish Protection","url":"https://www.phishprotection.com"}]}}}
```
```json
[{"@context":"https://schema.org","@type":"BlogPosting","headline":"Why the Payment Card Industry (PCI) encourages SPF, DKIM, and DMARC","description":"DMARC (RFC 7489) ties SPF and DKIM together by requiring alignment between the envelope sender and the visible From header.","url":"https://dmarcreport.com/blog/why-the-payment-card-industry-encourages-spf-dkim-and-dmarc/","datePublished":"2025-04-30T10:28:03.000Z","dateModified":"2026-04-16T15:53:43.000Z","dateCreated":"2025-04-30T10:28:03.000Z","author":{"@type":"Person","@id":"https://dmarcreport.com/authors/vasile-diaconu/#person","name":"Vasile Diaconu","url":"https://dmarcreport.com/authors/vasile-diaconu/","jobTitle":"Operations Lead","description":"Vasile Diaconu is the Operations Lead at DuoCircle, the company behind DMARC Report and AutoSPF. He coordinates between engineering, product, and technical support - running project management, interfacing with developers on customer-reported issues, and making sure work that comes in through the support channel actually gets closed out. Vasile sits at the intersection of customer feedback and engineering execution, giving him a direct view of which email authentication problems customers hit most often in production.","image":"https://media.mailhop.org/dmarcreport/images/team/vasile-diaconu.jpg","knowsAbout":["SaaS Operations","Technical Support Coordination","Customer Issue Resolution","Engineering Program Management","Deployment Operations"],"worksFor":{"@type":"Organization","name":"DMARC Report","url":"https://dmarcreport.com"},"sameAs":["https://www.linkedin.com/in/vasile-diaconu/"]},"publisher":{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138898167","name":"DMARC Report","url":"https://dmarcreport.com","logo":{"@type":"ImageObject","url":"https://dmarcreport.com/images/dmarcreport-logo.png"},"description":"DMARC reporting and email authentication management. Monitor aggregate and forensic DMARC reports, analyze authentication results, and enforce DMARC policies across all your domains.","parentOrganization":{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138883901","name":"DuoCircle LLC","url":"https://www.duocircle.com","sameAs":["https://www.wikidata.org/wiki/Q138883901","https://www.crunchbase.com/organization/duocircle-llc","https://www.linkedin.com/company/duocircle","https://github.com/duocircle"],"subOrganization":[{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138898167","name":"DMARC Report","url":"https://dmarcreport.com"},{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897474","name":"AutoSPF","url":"https://autospf.com"},{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897912","name":"Phish Protection","url":"https://www.phishprotection.com"}]},"sameAs":["https://www.wikidata.org/wiki/Q138898167","https://www.linkedin.com/company/duocircle","https://x.com/duocirclellc","https://www.g2.com/products/dmarc-report/reviews","https://github.com/duocircle","https://www.crunchbase.com/organization/duocircle-llc","https://www.trustradius.com/products/duocircle/reviews"],"aggregateRating":{"@type":"AggregateRating","ratingValue":"4.8","reviewCount":"470","bestRating":"5","worstRating":"1","url":"https://www.g2.com/products/dmarc-report/reviews"},"contactPoint":{"@type":"ContactPoint","contactType":"customer support","url":"https://dmarcreport.com/support/"},"knowsAbout":["DMARC","DMARC Reporting","DMARC Aggregate Reports","DMARC Forensic Reports","Sender Policy Framework","DKIM","Email Authentication","Email Security","DNS Management","Email Deliverability"]},"mainEntityOfPage":{"@type":"WebPage","@id":"https://dmarcreport.com/blog/why-the-payment-card-industry-encourages-spf-dkim-and-dmarc/"},"articleSection":"foundational","keywords":"dkim, DMARC, dns record, email security, SPF","wordCount":1412,"image":{"@type":"ImageObject","url":"https://media.mailhop.org/dmarcreport/images/2022/04/dmarc-alignment-6379.jpg","caption":"Why the Payment Card Industry (PCI) encourages SPF, DKIM, and DMARC","width":900,"height":600},"speakable":{"@type":"SpeakableSpecification","cssSelector":[".answer-block","h1"]}}]
```
```json
{"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https://dmarcreport.com/"},{"@type":"ListItem","position":2,"name":"Blog","item":"https://dmarcreport.com/blog/"},{"@type":"ListItem","position":3,"name":"Foundational","item":"https://dmarcreport.com/foundational/"},{"@type":"ListItem","position":4,"name":"Why the Payment Card Industry (PCI) encourages SPF, DKIM, and DMARC","item":"https://dmarcreport.com/blog/why-the-payment-card-industry-encourages-spf-dkim-and-dmarc/"}]}
```