ISM-1540 (ASD Information Security Manual)

Configuring DMARC for Email Security

Ensure emails from your domains are legitimate by rejecting ones that fail DMARC checks.


Plain language

Configuring DMARC for your organisation's emails ensures that only legitimate emails from your domain reach other people's inboxes. This is important because if unverified or fake emails aren't stopped, they could damage your reputation, expose your customers to scams, and result in financial losses.

Framework

ASD Information Security Manual (ISM)

Control effect

Preventative

Classifications

NC, OS, P, S, TS

ISM last updated

May 2023

Control Stack last updated

19 Mar 2026

E8 maturity levels

N/A

Official control statement

DMARC records are configured for an organisation's domains (including subdomains) such that emails are rejected if they do not pass DMARC checks.

Why it matters

If DMARC is not enforced, spoofed emails can bypass checks, enabling phishing, reputational harm and financial loss.


Operational notes

Review DMARC aggregate reports, validate SPF/DKIM alignment, and tighten policy to quarantine/reject for all subdomains.


Implementation tips

  • The IT team should start by identifying all domain names used by the organisation for sending emails. Make a list of each domain, including any subdomains like sales.yourcompany.com, used for email communications.
  • Once the domains are listed, an IT team member should create a DMARC policy. Use a DMARC record generator to specify the action for emails that fail the DMARC check, such as reject. Ensure this policy is clear and suits the organisation's communication needs.
  • Network managers should publish the DMARC policy to the Domain Name System (DNS). This means adding a special record to the DNS settings that corresponds with the DMARC policy created previously.
  • Designate a staff member to regularly check the DMARC reports. This person should review the DMARC aggregate reports, which can be sent daily or weekly, to identify and rectify any issues with email delivery or potential spoofing attempts.
  • The IT department should provide training to the rest of the organisation about recognising phishing attempts. While DMARC helps prevent fake emails, human awareness strengthens security by ensuring suspicious emails are flagged.
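The operational notes and the tips above come down to one check: every sending domain and subdomain must publish a DMARC record whose effective policy is reject, with aggregate reporting enabled. The script below is an added example (not part of the ISM or this control page) that parses DMARC TXT records and lists why each one falls short of ISM-1540; the domains and records are constructed samples, and in practice the record comes from a TXT lookup of _dmarc.<domain>.

```python
"""Assess DMARC records against ISM-1540: reject on failure, subdomains included."""

# Constructed sample _dmarc.<domain> TXT records (assumed values, not real domains).
SAMPLE_RECORDS = {
    "example.test": "v=DMARC1; p=reject; sp=none; rua=mailto:dmarc@example.test; pct=100",
    "shop.example.test": "v=DMARC1; p=quarantine; pct=50; rua=mailto:dmarc@example.test",
    "legacy.test": "v=DMARC1; p=none",
}


def parse_dmarc(txt):
    """Split a DMARC TXT record into a tag dict; tag names are case-insensitive."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def assess(txt):
    """Return the findings that keep a record from meeting ISM-1540, or [] if it passes."""
    if txt is None:
        return ["no DMARC record published"]
    tags = parse_dmarc(txt)
    if tags.get("v") != "DMARC1":
        return ["record does not start with v=DMARC1"]
    policy = tags.get("p", "none").lower()
    sub_policy = tags.get("sp", policy).lower()   # sp defaults to p when absent
    pct = int(tags.get("pct", "100"))             # pct defaults to 100
    findings = []
    if policy != "reject":
        findings.append(f"p={policy}: failing mail is not rejected")
    if sub_policy != "reject":
        findings.append(f"sp={sub_policy}: subdomains are not covered by reject")
    if pct != 100:
        findings.append(f"pct={pct}: policy applied to only {pct}% of failing mail")
    if "rua" not in tags:
        findings.append("no rua= address: aggregate reports cannot be reviewed")
    return findings


def assess_domains(records):
    """Map each domain in the inventory to its findings (empty list means compliant)."""
    return {domain: assess(record) for domain, record in records.items()}


if __name__ == "__main__":
    for domain, findings in assess_domains(SAMPLE_RECORDS).items():
        print(domain, "PASS" if not findings else "; ".join(findings))
```

A subdomain with no record of its own inherits the organisational domain's sp value, which is why sp=none on example.test is reported even though p=reject is set.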

Audit / evidence tips

  • Ask: The DMARC policy document. Request evidence of the policy detailing actions for failing emails. Good evidence: A clear policy document specifying actions like 'reject' or 'quarantine' for non-compliant emails.
  • Ask: To see the DNS record settings. Request a printout or screengrab showing DNS settings including the DMARC record. Good evidence: A DNS record listing with the DMARC information visible and accurate.
  • Ask: Recent DMARC reports. Request the latest DMARC aggregate reports. Good evidence: Regular reports showing a majority of compliance with clear details on any issues.
  • Ask: About the process for updating and reviewing DMARC records. Request details on who updates the DMARC records and how often this is done. Good evidence: A defined process indicating who checks the DMARC and how updates are applied.
  • Ask: Employee training records. Request documentation of any training sessions conducted about email security. Good evidence: Evidence of regular training sessions that include information on recognising email scams.

Cross-framework mappings

How ISM-1540 relates to controls across ISO/IEC 27001, ISO/IEC 42001, Essential Eight, and ASD ISM.

ISO 27001

Partially meets (1 control)

Control: Annex A 8.9
Notes: ISM-1540 requires DMARC DNS records to be configured for organisational domains and subdomains so that non-compliant emails are rejected.

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.
