Whether you're protecting a single domain or managing hundreds for clients, you need reliable visibility into who is sending email on your behalf — and whether it's passing authentication.
DMARC itself is free — it's a DNS record and an open standard. The aggregate reports are free — receiving mail servers send them automatically. What costs money is making sense of those reports at scale, consistently, over time.
The question isn't whether you can afford DMARC monitoring. It's whether you can afford to enforce a policy without it.
Moving from p=none to p=reject without monitoring is how legitimate mail gets blocked. You need to understand every sending source before you tighten policy — and you need to keep watching after you do.
That's where a monitoring service earns its keep.
1. p=none
2. p=quarantine
3. p=reject
Each step must be made with monitoring in place. OnlyDMARC alerts you to unknown senders before they get blocked.
Across payment processing, financial services, and public sector, DMARC has moved from best-practice guidance to mandatory requirement. Here's the landscape.
This applies well beyond the financial sector — every business that accepts card payments must comply.
DMARC is increasingly viewed as a baseline indicator of cyber maturity in regulated sectors. Not optional if you operate in or serve the European financial ecosystem.
UK government bodies have enforced p=reject since 2016 under NCSC guidance. Public sector suppliers and contractors are increasingly expected to meet the same standard as their government clients.
If you send more than 5,000 emails per day, this applies to you. Minimum p=none required.
Without a DMARC policy at quarantine or reject, anyone can spoof your domain in the visible From address — the name your recipients actually see. This is the vector used in business email compromise (BEC) and targeted phishing attacks.
p=reject without monitoring means legitimate sources you've forgotten about will silently stop delivering. Monitoring makes the journey safe.

Larger organisations bring multiple domains, complex sending infrastructure, compliance requirements, and SOC teams that need DMARC data in their existing tooling — not another dashboard to watch.
Manage DMARC monitoring across all your clients from a single platform. Per-domain configuration, alerting, and reporting. White-label friendly API.
REST API, MCP server, webhooks, and JSON export. Pipe DMARC data directly into your infrastructure. No SaaS lock-in, no forced workflow changes.
Affordable, simple monitoring for a single domain. Get the compliance and security benefits of DMARC without needing a dedicated security team to manage it.
DORA, PCI DSS v4.0, and FCA expectations make DMARC monitoring a compliance necessity, not an optional security extra. We help you evidence it.
UK government and public sector bodies have been required to enforce DMARC since 2016. Suppliers and contractors increasingly face the same expectations.
Start monitoring your domain today. 14-day free trial, no credit card required.
The world's three largest consumer email providers now require DMARC for bulk senders. If your domain sends more than 5,000 emails in a single day to any of their users, you must have a published DMARC record, valid SPF and DKIM configuration, and DMARC alignment — or your messages will be rejected.
Google began enforcing DMARC requirements in February 2024 and has progressively tightened enforcement since. As of late 2025, non-compliant bulk email is permanently rejected at the SMTP level. The requirements apply to any domain sending approximately 5,000 or more messages per day to personal Gmail accounts. Once your domain is classified as a bulk sender, that classification is permanent.
Beyond DMARC, Google requires bulk senders to support one-click unsubscribe and maintain spam complaint rates below 0.3%. But DMARC is the foundation — without it, the other requirements are irrelevant because your email won't be delivered.
Yahoo co-announced its requirements alongside Google in October 2023, with enforcement beginning in February 2024. Yahoo did not publicly specify a volume threshold, instead referring to “bulk senders” more broadly. The practical advice: if you send any significant volume to Yahoo addresses, treat yourself as a bulk sender.
Microsoft announced its requirements in April 2025, with enforcement beginning on 5 May 2025. The rules apply to domains sending more than 5,000 emails per day to Outlook.com, Hotmail.com, and Live.com addresses. Non-compliant messages are rejected with error code 550; 5.7.515. Note that Microsoft 365 business addresses are not currently part of this requirement — it applies to consumer mailboxes only.
Apple published a best-practice guide shortly after the Google and Yahoo announcements, highlighting the same authentication requirements. Apple hasn't set a hard enforcement deadline, but the signal is clear: iCloud Mail is heading in the same direction.
Not necessarily. The 5,000-per-day threshold applies to the strictest tier of requirements, but all three providers apply some level of authentication checking to all inbound email. Even if you're not classified as a bulk sender, a published DMARC record improves your deliverability and protects your domain from spoofing.
More importantly, the threshold is per day, not per month. A product launch, a seasonal promotion, or a password-reset surge can push you over 5,000 on any given day. If that happens without DMARC in place, those messages may be rejected.
If your organisation processes, stores, or transmits credit card data in any form, DMARC became a mandatory requirement on 31 March 2025 under PCI DSS version 4.0.
Section 5.4.1 of PCI DSS v4.0 mandates anti-phishing mechanisms including DMARC, SPF, and DKIM for all entities within scope. Non-compliance can result in fines ranging from $5,000 to $100,000, and in serious cases, the loss of the ability to process card payments altogether.
This requirement extends far beyond the financial sector. Any business that accepts card payments is in scope.
If you accept credit or debit cards, PCI DSS applies to you, and DMARC is now part of that standard.
Several governments have mandated or strongly recommended DMARC for their own agencies, and in some cases for regulated industries:
- United States: Binding Operational Directive 18-01 required federal agencies to reach p=reject within one year. This directive remains in effect and has driven near-universal DMARC adoption across the US federal government.
- United Kingdom: GDS has mandated p=reject for all services under service.gov.uk since October 2016. The National Cyber Security Centre (NCSC) strongly recommends DMARC for all UK organisations.
- One European government requires p=reject on its domains, contributing to one of the highest adoption rates in Europe.
- Another national standard specifies p=reject for government agencies, making it a de facto requirement for compliant implementations.

If you supply services to, contract with, or exchange email with any of these government bodies, their DMARC enforcement will affect your email whether or not you have your own policy in place.
The EU's Digital Operational Resilience Act (DORA) became fully applicable in January 2025. While DORA does not name DMARC specifically, it imposes comprehensive ICT risk management, incident reporting, and resilience testing requirements on financial entities and their technology suppliers. DMARC implementation is increasingly viewed as a baseline indicator of cyber maturity in this context, and auditors and supervisory bodies are beginning to treat its absence as a gap.
If your organisation is a financial institution operating in the EU, or a technology supplier to one, DMARC is a practical necessity under DORA even if the regulation doesn't mandate it by name.
Healthcare organisations handle sensitive patient data and are frequent targets for phishing and impersonation attacks. While no single global regulation mandates DMARC for healthcare specifically, the combination of data protection requirements (GDPR, HIPAA), growing insurer expectations, and inbox-provider mandates means that healthcare organisations without DMARC face both compliance risk and operational risk.
Universities and educational institutions send high volumes of email to students, staff, and alumni — often across multiple subdomains and with numerous third-party senders. The Google and Yahoo requirements are particularly relevant here, as many recipients use personal Gmail or Yahoo accounts.
Still not sure? Here's a quick reference:
| If you… | DMARC is… | Why |
|---|---|---|
| Send more than 5,000 emails/day to Gmail, Yahoo, or Outlook users | Required | Email will be rejected without it |
| Accept credit or debit card payments | Required | PCI DSS v4.0 mandates it as of March 2025 |
| Are a US federal agency | Required | BOD 18-01 mandates p=reject |
| Are a UK government service | Required | GDS mandates p=reject |
| Are a financial entity in the EU | Expected | DORA's resilience requirements make it a practical necessity |
| Supply services to government or regulated entities | Expected | Their enforcement policies affect your email |
| Send any volume of email from a domain you care about | Recommended | Protects against spoofing and improves deliverability |
| Have a domain but don't send email from it | Recommended | A p=reject record prevents others from spoofing it |
When we say DMARC is required, we mean one of three things depending on the context:
This is the inbox-provider requirement. Google, Yahoo, and Microsoft will bounce or spam-folder your messages if your domain doesn't meet their authentication standards. This isn't a theoretical risk — it's how their servers are now configured.
This is the PCI DSS and government mandate scenario. An auditor will check for DMARC as part of their assessment. Its absence is a finding, potentially with financial penalties.
Cyber insurers, enterprise procurement teams, and industry regulators increasingly treat DMARC as a baseline expectation. Not having it creates friction and raises questions about your security posture.
In all three cases, the remedy is the same: publish a DMARC record, monitor your reports, and work toward enforcement.
Publishing a DMARC record is one of the simplest DNS changes you'll ever make. A basic record looks like this:
```
v=DMARC1; p=none; rua=mailto:reports@yourdomain.com
```
That single line, published as a TXT record at _dmarc.yourdomain.com, gives you monitoring-only mode with aggregate reporting. It carries zero risk to your existing email delivery, and it starts generating data about your email ecosystem immediately.
The harder part — and the valuable part — is reading and acting on the reports that follow. That's where monitoring comes in.
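As an added example (not OnlyDMARC's code), here is a minimal Python reader for one DMARC aggregate (RUA) report that shows what "reading and acting on the reports" means in practice: it takes the aligned DKIM and SPF verdicts from each record, totals volume per source IP, and lists the sources whose mail would stop being delivered once the policy moves from p=none to quarantine or reject. The report XML is constructed for this example, using documentation IP addresses and example domains; the day's total also shows how the per-day bulk-sender threshold can be checked from the same data.

```python
import xml.etree.ElementTree as ET

# Constructed sample aggregate (RUA) report for this example, not a real one.
# Source 1 is aligned on both DKIM and SPF; source 2 passes raw SPF for a
# third-party domain but fails alignment, so DMARC fails for all its mail.
SAMPLE_REPORT = """<?xml version="1.0"?>
<feedback>
  <policy_published><domain>example.com</domain><p>none</p>
    <adkim>r</adkim><aspf>r</aspf></policy_published>
  <record>
    <row><source_ip>192.0.2.10</source_ip><count>4200</count>
      <policy_evaluated><disposition>none</disposition>
        <dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
  </record>
  <record>
    <row><source_ip>198.51.100.7</source_ip><count>1300</count>
      <policy_evaluated><disposition>none</disposition>
        <dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results><spf><domain>mailer.example.net</domain>
      <result>pass</result></spf></auth_results>
  </record>
</feedback>"""

def summarise(report_xml):
    # policy_evaluated/dkim and /spf are the *aligned* verdicts: a message
    # passes DMARC if either is "pass". Sources failing both stop delivering
    # once the policy moves to p=quarantine or p=reject.
    root = ET.fromstring(report_xml)
    sources = {}
    for rec in root.findall("record"):
        ip = rec.findtext("row/source_ip")
        count = int(rec.findtext("row/count"))
        dkim_ok = rec.findtext("row/policy_evaluated/dkim") == "pass"
        spf_ok = rec.findtext("row/policy_evaluated/spf") == "pass"
        src = sources.setdefault(ip, {"total": 0, "dmarc_fail": 0})
        src["total"] += count
        if not (dkim_ok or spf_ok):
            src["dmarc_fail"] += count
    return {
        "policy": root.findtext("policy_published/p"),
        "total": sum(s["total"] for s in sources.values()),  # report-period volume
        "sources": sources,
        "at_risk": sorted(ip for ip, s in sources.items() if s["dmarc_fail"]),
    }
```

In the sample, the second source is the classic forgotten third-party sender: raw SPF passes for its own domain, but nothing aligns with the visible From domain, so all 1,300 of its messages would be dropped at p=reject.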
See your current DMARC, SPF, and DKIM status. If you don't have a record, we'll show you exactly what to publish.
Point your DMARC reports to us and see your first dashboard within 48 hours. No software to install.
Get in touch. We'll look at your domain and tell you what you need — no obligation, no pitch.