Where is DMARC, SPF, DKIM mandated?

EU, US, UK, AUS, NZ, India, Japan Rules

Mandatory SPF + DKIM + DMARC for Public Sector

January 2026 – Here is how countries handle SPF, DKIM, and DMARC as mandatory (especially for government domains, often including health services and other critical sectors where relevant). This also relates to the EU’s NIS2 Directive, which can influence national requirements but does not explicitly list SPF/DKIM/DMARC by name — instead, it mandates appropriate technical & organisational measures for cybersecurity (so email authentication might be required as part of national implementation).

United States

Federal government: Binding Operational Directive 18-01 mandates DMARC with a p=reject policy, plus SPF, DKIM, and TLS for all federal agencies.

Canada

Government email systems must implement SPF, DKIM, and a DMARC policy (minimum p=quarantine or higher).

United Kingdom

Government departments must have SPF, DKIM & DMARC (with a strong policy), and TLS encryption for email. Public sector rules also cover the NHS and other critical public bodies.

Denmark

All government agencies are required to enforce DMARC with p=reject, and SPF/DKIM are de facto part of that for email authentication.

Netherlands

Government organisations must implement SPF, DKIM & DMARC in accordance with “comply or explain” standards.

New Zealand

Under the Secure Government Email (SGE) Framework, all government domains must implement SPF (hard-fail), DKIM, and DMARC (p=reject) alongside other email controls by the deadline (Oct/2025).

Saudi Arabia

National Essential Cybersecurity Controls require organisations — including government and national bodies — to implement SPF, DKIM & DMARC as part of email threat mitigation.

Mandatory or Strongly Recommended but Not Strict Laws

Ireland

The Public Sector Cyber Security Baseline Standard requires enforcement of SPF, DKIM & inbound DMARC, but it is currently a standard rather than a strict legal mandate.

Other EU Member States

Several (e.g., Czechia, Estonia) have national policies pushing public bodies toward DMARC & DKIM, but not all have hard mandates yet. Some EU countries have guidance that encourages SPF/DKIM/DMARC for public entities.

Australia

Australian Cyber Security Centre strongly recommends SPF, DKIM & DMARC, including in the public sector, but it isn’t enforced as a strict legal mandate.

India

CERT-IN guidelines encourage email authentication for improved cybersecurity, but it’s not mandated by law for all government/federal domains
Provider Enforcement Date Who Is Affected Requirements
Gmail Feb 2024 (gradual), full by Apr–Jun 2024 >5,000 emails/day SPF, DKIM, DMARC (p=none or stronger), one-click unsubscribe, low spam rate
Yahoo Feb 2024 (gradual) >5,000 emails/day SPF, DKIM, DMARC, one-click unsubscribe, low spam rate
Microsoft May 5, 2025 >5,000 emails/day SPF, DKIM, DMARC (p=none or stronger), DMARC alignment, valid reply addresses, unsubscribe

No more spoofing, Check before sending, Don't be impersonated!

The #1 Best Rated anti domain hacking there is
Check Your Domain Safety!