TL;DR: No single law says "you must have DMARC", but several rules and standards effectively require strong email security — Google and Yahoo's sender rules, PCI DSS for card data, and the "appropriate measures" expected by GDPR and similar privacy laws. In practice that means SPF, DKIM, DMARC at enforcement, and encrypted transport. A free scan gives you a dated record of where you stand. Scan your domain to see your grade.
Who actually requires what
| Source | What it expects for email |
|---|---|
| Google & Yahoo | SPF + DKIM for all senders, DMARC + one-click unsubscribe for bulk |
| PCI DSS | Anti-spoofing controls (SPF/DKIM/DMARC) to protect against phishing |
| GDPR / privacy laws | "Appropriate technical measures" to protect personal data — spoofable email is a recognised risk |
| Cyber-insurance | Increasingly asks whether you have DMARC and MFA before issuing a policy |
| Sector frameworks | Many (finance, health, gov suppliers) mandate email authentication explicitly |
So is DMARC "required"?
Not by a single named law — but the combined pressure of deliverability rules, payment standards, privacy obligations and insurer questionnaires makes it effectively mandatory for any business that emails customers. The honest answer most auditors and insurers expect today is: yes, you should have DMARC at enforcement.
The compliance baseline for email
- SPF — valid, single record, ending in `-all` or `~all`.
- DKIM — signing enabled and passing.
- DMARC — at `quarantine` or `reject`, not just `p=none`.
- Transport encryption — TLS, ideally enforced with MTA-STS.
- Domain integrity — DNSSEC and a CAA record where practical.
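To make the SPF and DMARC items of this baseline checkable, here is an added Python example (not part of this page or of the scanning service it describes) that evaluates DNS TXT records against them. The domain names and records in `SAMPLE_DNS` are constructed for illustration and stand in for live DNS lookups.

```python
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample TXT records keyed by DNS name (not real domains);
# they stand in for live DNS lookups so the example runs offline.
SAMPLE_DNS: Dict[str, List[str]] = {
    "good.example": ["v=spf1 include:_spf.example.net -all"],
    "_dmarc.good.example": ["v=DMARC1; p=reject; rua=mailto:dmarc@good.example"],
    # Two SPF records and p=none: both fail the baseline.
    "weak.example": ["v=spf1 include:a.example ~all", "v=spf1 ip4:192.0.2.1 -all"],
    "_dmarc.weak.example": ["v=DMARC1; p=none; rua=mailto:dmarc@weak.example"],
}

@dataclass
class Finding:
    control: str
    passed: bool
    detail: str

def parse_dmarc(record: str) -> Dict[str, str]:
    """Split 'tag=value; tag=value' into a dict with lower-cased tags."""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def check_spf(txt_records: List[str]) -> Finding:
    """Baseline: exactly one SPF record, ending in -all or ~all."""
    spf = [r for r in txt_records if r.lower().startswith("v=spf1")]
    if len(spf) != 1:
        return Finding("SPF", False, f"expected exactly one SPF record, found {len(spf)}")
    last = spf[0].split()[-1].lower()
    if last in ("-all", "~all"):
        return Finding("SPF", True, f"single record ending in {last}")
    return Finding("SPF", False, f"record ends in '{last}', not -all or ~all")

def check_dmarc(txt_records: List[str]) -> Finding:
    """Baseline: one DMARC record with p=quarantine or p=reject."""
    dmarc = [r for r in txt_records if r.lower().startswith("v=dmarc1")]
    if len(dmarc) != 1:
        return Finding("DMARC", False, f"expected one DMARC record, found {len(dmarc)}")
    policy = parse_dmarc(dmarc[0]).get("p", "").lower()
    if policy in ("quarantine", "reject"):
        return Finding("DMARC", True, f"p={policy} (enforcement)")
    return Finding("DMARC", False, f"p={policy or 'missing'} is not enforcement")

def assess(domain: str, dns: Dict[str, List[str]] = SAMPLE_DNS) -> List[Finding]:
    return [check_spf(dns.get(domain, [])),
            check_dmarc(dns.get(f"_dmarc.{domain}", []))]
```

Swapping `SAMPLE_DNS` for real TXT lookups of the domain and its `_dmarc` subdomain turns this into a quick self-check before filling in a questionnaire.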
How to prove you meet it
Auditors, insurers and clients increasingly ask for evidence. A scan gives you a dated, plain-English report of your domain's posture that you can attach to a questionnaire or compliance file. Run a free scan and download the PDF — it lists each control and whether you pass.
FAQ
Is DMARC legally required under GDPR?
GDPR doesn't name DMARC, but it requires appropriate measures to protect personal data, and an unauthenticated, spoofable domain is a clear weakness. Regulators and insurers treat email authentication as expected practice.
Does a free scan count as a compliance audit?
It's not a formal certification, but it's solid evidence of your current technical posture and a great first step — many questionnaires only ask whether these controls exist.
What if I fail several checks?
Fix the records (or have them fixed). The point of the scan is to find the gaps before an auditor — or an attacker — does.
Need to show you meet email-security requirements? Scan your domain for a dated report, then reply and we'll bring you up to the baseline — we're developers and we'll configure SPF, DKIM, DMARC and the rest for you.