If your business handles cardholder data, you’re likely familiar with PCI DSS, the security standard that governs how payment data is processed and protected. But as of March 2025, there’s a new requirement that might catch some organisations off guard: DMARC (Domain-based Message Authentication, Reporting and Conformance) is now part of the standard.
So what does that mean, and what do you need to do about it?
First, What Is DMARC?
DMARC is an email authentication protocol that helps prevent phishing, spoofing, and other email-based attacks. It builds on SPF (Sender Policy Framework) and DKIM (DomainKeys Identified Mail) by giving domain owners a way to:
- Tell receiving email servers how to handle messages that fail authentication
- Request reports on how their domain is being used
In short: it gives you visibility and control over your domain’s email reputation.
What’s Changed with PCI DSS v4.0?
Under Requirement 8.6.1 of PCI DSS v4.0 (as of 31st March 2025), organisations must implement controls to protect against email-based threats, and that includes having a DMARC policy in place for all domains used to send emails.
This means:
- You can no longer skip DMARC if you’re subject to PCI compliance
- You need to align SPF, DKIM, and DMARC properly
- The policy must be configured to enforce protection (not just monitor)
What Happens If You Don’t Implement DMARC?
Non-compliance could mean:
- Failing a PCI audit
- Increased risk of phishing attacks using your domain
- Potential fines or restrictions from card processors or acquiring banks
More critically, it leaves your staff and customers vulnerable to impersonation attacks that are easily preventable.
How to Get Compliant
- Check if your domain has a DMARC record
  Use tools like MXToolbox or nslookup to see if a DMARC record exists.
- Start in ‘none’ mode
  Use p=none to begin collecting reports without impacting mail flow.
- Review reports and align SPF/DKIM
  Ensure all authorised senders are covered.
- Move to ‘quarantine’ or ‘reject’
  Once you have full visibility, update the policy to enforce protection (p=quarantine or p=reject).
- Document everything
  Auditors will expect clear records of implementation, monitoring, and enforcement.
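As an added example (not part of the original post), the following Python script parses a DMARC TXT record and classifies it against the enforcement expectation in the steps above: 'enforced' means p=quarantine or p=reject applied to 100% of failing mail and not relaxed for subdomains, 'monitor' means p=none, and 'partial' flags a pct below 100 or an explicit sp=none. The domain names and records are constructed samples, not real domains.

```python
from typing import Optional


def parse_dmarc(txt: str) -> dict:
    """Split a DMARC TXT record ("v=DMARC1; p=reject; ...") into a tag dict."""
    tags = {}
    for part in txt.split(";"):
        if "=" not in part:
            continue
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    return tags


def assess_dmarc(txt: Optional[str]) -> str:
    """Classify a record as missing, invalid, monitor, partial or enforced."""
    if txt is None:
        return "missing"
    tags = parse_dmarc(txt)
    if tags.get("v", "").upper() != "DMARC1" or "p" not in tags:
        return "invalid"
    policy = tags["p"].lower()
    if policy == "none":
        return "monitor"          # reporting only, no protection yet
    if policy not in ("quarantine", "reject"):
        return "invalid"
    try:
        pct = int(tags.get("pct", "100"))   # pct defaults to 100
    except ValueError:
        return "invalid"
    if pct < 100:
        return "partial"          # some failing mail is still delivered
    if tags.get("sp", policy).lower() == "none":
        return "partial"          # subdomains explicitly left unprotected
    return "enforced"


# Constructed sample records (not real domains) for each stage above.
SAMPLES = {
    "example.com": "v=DMARC1; p=none; rua=mailto:dmarc@example.com",
    "shop.example": "v=DMARC1; p=quarantine; pct=50; rua=mailto:dmarc@shop.example",
    "pay.example": "v=DMARC1; p=reject; rua=mailto:dmarc@pay.example",
    "old.example": None,          # no _dmarc TXT record published
}

if __name__ == "__main__":
    for domain, record in SAMPLES.items():
        print(f"{domain}: {assess_dmarc(record)}")
```

The record text for a real domain is the TXT record published at _dmarc.yourdomain (for example via nslookup -type=TXT _dmarc.yourdomain); feed that string to assess_dmarc.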
Need Help?
DMARC isn’t just a checkbox; it’s a vital part of securing your business email and protecting your reputation. If you’re navigating PCI compliance or unsure where your domains stand, we can help review, configure, and monitor everything for peace of mind.
Let’s make compliance easier and your email safer.
