Enforce Email Rejection for Failed DMARC Checks
Emails not verified by DMARC are blocked to enhance email security.
Plain language
This control makes sure that emails failing to verify through DMARC checks are blocked. It's important because it keeps potentially dangerous or fraudulent emails out of your inbox, protecting your business from phishing attacks or scams that could lead to data loss or financial harm.
Framework
ASD Information Security Manual (ISM)
Control effect
Preventative
Classifications
NC, OS, P, S, TS
ISM last updated
Aug 2022
Control Stack last updated
19 Mar 2026
E8 maturity levels
N/A
Guideline
Guidelines for email
Section
Email gateways and servers
Official control statement
Incoming emails are rejected if they do not pass DMARC checks.
Why it matters
If emails that fail DMARC are not rejected, spoofed messages can reach users, increasing phishing and the likelihood of credential theft or fraud.
Operational notes
Review DMARC aggregate reports and adjust SPF/DKIM alignment so valid senders pass; keep the DMARC policy at reject to block spoofed mail.
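As an added example (not part of the ISM or of this control page), a small Python script that supports the first half of the note above: it parses a DMARC aggregate (RUA) report, totals aligned passes and failures per sending IP, and checks that the published policy is p=reject. The report XML and its IP addresses are constructed sample data.

```python
import xml.etree.ElementTree as ET

# Constructed sample RUA report (not a real receiver's data); the IPs are
# documentation ranges. One aligned sender, one source failing both checks.
SAMPLE_RUA = """<?xml version="1.0"?>
<feedback>
  <policy_published><domain>example.com</domain><p>reject</p></policy_published>
  <record>
    <row><source_ip>192.0.2.10</source_ip><count>120</count>
      <policy_evaluated><disposition>none</disposition>
        <dkim>pass</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
  </record>
  <record>
    <row><source_ip>198.51.100.7</source_ip><count>15</count>
      <policy_evaluated><disposition>reject</disposition>
        <dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
  </record>
</feedback>"""


def summarise_rua(xml_text):
    """Return (published p= policy, {source_ip: {"pass": n, "fail": n}}).

    The dkim/spf elements under policy_evaluated are the *aligned* results,
    so a row counts as a DMARC pass when either of them is "pass"."""
    root = ET.fromstring(xml_text)
    policy = root.findtext("policy_published/p")
    per_source = {}
    for row in root.iterfind("record/row"):
        evaluated = row.find("policy_evaluated")
        passed = "pass" in (evaluated.findtext("dkim"), evaluated.findtext("spf"))
        bucket = per_source.setdefault(row.findtext("source_ip"), {"pass": 0, "fail": 0})
        bucket["pass" if passed else "fail"] += int(row.findtext("count"))
    return policy, per_source


def sources_needing_attention(per_source):
    """Sources with any failing mail: either spoofers (expected under p=reject)
    or legitimate senders whose SPF/DKIM alignment still needs fixing."""
    return sorted(ip for ip, counts in per_source.items() if counts["fail"])


if __name__ == "__main__":
    policy, per_source = summarise_rua(SAMPLE_RUA)
    print("published policy:", policy, "(expected: reject)")
    for ip in sources_needing_attention(per_source):
        print(f"{ip}: {per_source[ip]['fail']} failed, {per_source[ip]['pass']} passed")
```

A failing source that belongs to the organisation is an SPF/DKIM alignment job, not a reason to weaken the policy; a failing source nobody recognises is exactly what p=reject is there to stop.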
Implementation tips
- The IT team should configure the email server to enforce DMARC checks. This means setting up the server so that it automatically checks incoming emails against DMARC standards before allowing them through to the recipient.
- Managers in charge of communications should train staff on recognising legitimate email failures. Once DMARC is set up, if someone expects an email and it hasn’t arrived, they should verify it was sent from a legitimate address and wasn't blocked by the filter unnecessarily.
- System administrators should regularly update DMARC policies. They need to stay informed about the latest DMARC standards and ensure their email server settings reflect any changes to keep security measures current.
- The IT team should monitor and review email logs periodically. Check the logs to identify any patterns or regular incidents of email rejection, ensuring legitimate emails aren't being blocked.
- Business owners should coordinate with their email service provider to ensure DMARC settings are enabled and robust. They should confirm that the service provider supports DMARC and that the required configurations are in place.
Audit / evidence tips
- Ask: for the email server configuration document. Request to see documentation that details how DMARC checks are set up.
  Good: includes evidence that settings align with security policies and reject emails which fail checks.
- Ask: for the latest email system training logs. Verify whether staff have undergone training related to DMARC and email safety.
  Good: includes recent, comprehensive training that focuses on recognising issues stemming from DMARC rejections.
- Ask: to see the DMARC policy records. Request the policy documentation stating how emails are handled when they fail DMARC checks.
  Good: shows a current, enforced policy designed to reject failing emails for security.
- Ask: for access to recent email log reports. View a sample of logs detailing emails rejected due to DMARC failures.
  Good: logs displaying legitimate and expected rejections with minimal false positives.
- Ask: for evidence of coordination with email service providers. Request any email communication or agreements regarding DMARC implementation.
  Good: includes correspondence affirming DMARC compliance support.
Cross-framework mappings
How ISM-1799 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
No cross-framework mappings recorded yet.