Email Security World Requirements

Which countries require or recommend SPF, DKIM, DMARC, DANE, MTA-STS, TLS-RPT, BIMI, STARTTLS, RPKI, and ASPA?  ·  GitHub  ·  Test with internet.nl  ·  Test with Mailcheck

Requirements Matrix

✅ Mandatory 🟡 Recommended ℹ️ Informational ➖ None confirmed ✗ No data found
Code ↕ Country ↕ Authority ↕ SPFDKIMDMARCSTARTTLSDANEDNSSECMTA-STSTLS-RPTCAAIPv6RPKIASPABIMI Applies To
AUAustraliaASD / ACSC🟡🟡🟡🟡ℹ️🟡ℹ️ℹ️🟡🟡ℹ️ℹ️Government Agencies
CACanadaCCCS / Treasury Board · CCCS🟡🟡🟡🟡ℹ️🟡ℹ️ℹ️ℹ️🟡ℹ️ℹ️Government Agencies
DEGermanyBSI🟡🟡🟡🟡ℹ️🟡ℹ️ℹ️🟡🟡ℹ️ℹ️Critical Infrastructure, Government Agencies
EUEuropean UnionENISA / NIS2ℹ️ℹ️ℹ️ℹ️ℹ️ℹ️ℹ️ℹ️ℹ️ℹ️ℹ️ℹ️Critical Infrastructure
FRFranceANSSI🟡🟡🟡🟡ℹ️🟡ℹ️ℹ️ℹ️ℹ️ℹ️ℹ️Critical Infrastructure, Government Agencies
GBUnited KingdomNCSCℹ️🟡🟡🟡🟡🟡ℹ️ℹ️Government Agencies
NLNetherlandsForum Standaardisatie / NCSA · NCSC🟡🟡ℹ️ℹ️Government Agencies
NONorwayNSM · DigDir🟡🟡🟡🟡ℹ️🟡ℹ️ℹ️ℹ️ℹ️ℹ️Government Agencies, Tld Registrants
NZNew ZealandDIA / Digital.govt.nzℹ️🟡ℹ️ℹ️ℹ️ℹ️Government Agencies
USUnited StatesCISA · OMB · ONCD🟡ℹ️🟡🟡🟡🟡ℹ️ℹ️Federal Agencies, Private Sector

Policy Details — Mandatory & Recommended

Per-country, per-authority breakdown of each mandatory or recommended standard with policy document names and direct source links. Where multiple authorities cover the same standard, each entry is listed separately.

Country Authority Standard Status Policy Document Description Source
AU AustraliaASD / ACSCSPF🟡 RecommendedISMACSC - How to combat fake emails
ASD / ACSCDKIM🟡 RecommendedISMACSC - How to combat fake emails
ASD / ACSCDMARC🟡 RecommendedISMISM recommends DMARC with p=reject for all Commonwealth entities. Not a binding mandate but strongly recommended through the ISM framework.ACSC - How to combat fake emails
ASD / ACSCSTARTTLS🟡 RecommendedISMISM - Email security controls
ASD / ACSCDNSSEC🟡 RecommendedISMThe ISM recommends DNSSEC for government domains as part of DNS hardening.ISM - Australian Government Information Security Manual
ASD / ACSCCAA🟡 RecommendedISMCAA records recommended in ISM guidance to restrict certificate issuance.ISM - Australian Government Information Security Manual
ASD / ACSCIPv6🟡 RecommendedISMThe ISM and ASD guidance encourage Commonwealth entities to support IPv6 for internet-facing infrastructure including email services, as…ISM - Australian Government Information Security Manual
CA CanadaCCCS / Treasury BoardSPF🟡 RecommendedGovernment of Canada Email SecurityCCCS - Email security
CCCS / Treasury BoardDKIM🟡 RecommendedGovernment of Canada Email SecurityCCCS - Email security
CCCS / Treasury BoardDMARC🟡 RecommendedGovernment of Canada Email SecurityCCCS recommends DMARC and progression toward p=reject. Not a binding directive as of 2026, but increasingly referenced in GC security…CCCS - Email security
CCCSSTARTTLS🟡 RecommendedCCCS - Email security
CCCSDNSSEC🟡 RecommendedCCCS recommends DNSSEC for government domains as part of DNS infrastructure security.CCCS - Email security
CCCS / Treasury BoardIPv6🟡 RecommendedTreasury Board of Canada Secretariat and Shared Services Canada have published IPv6 adoption guidance for Government of Canada…Government of Canada IPv6 Adoption Strategy
DE GermanyBSISPF🟡 RecommendedBSI TR-03108BSI TR-03108 - Sicherer E-Mail-Transport
BSIDKIM🟡 RecommendedBSI TR-03108BSI TR-03108 - Sicherer E-Mail-Transport
BSIDMARC🟡 RecommendedBSI TR-03108BSI TR-03108 - Sicherer E-Mail-Transport
BSISTARTTLS🟡 RecommendedBSI TR-03108BSI TR-03108 requires TLS-encrypted transport. STARTTLS with strong cipher suites is mandated for email service providers qualifying under…BSI TR-03108 - Sicherer E-Mail-Transport
BSIDNSSEC🟡 RecommendedBSI TR-03108BSI recommends DNSSEC for government and critical infrastructure domains. Required as a prerequisite for DANE deployment.BSI TR-03108 - Sicherer E-Mail-Transport
BSICAA🟡 RecommendedBSI recommends CAA records as part of domain security hardening.BSI TR-03108 - Sicherer E-Mail-Transport
BSIIPv6🟡 RecommendedBSI recommends IPv6 support for government and critical infrastructure as part of network modernisation. BSI technical guidelines on secure…BSI - Sichere Nutzung von IPv6
FR FranceANSSISPF🟡 RecommendedRecommandations pour la sécurisation des courrielsANSSI - Recommandations pour la sécurisation des courriels
ANSSIDKIM🟡 RecommendedRecommandations pour la sécurisation des courrielsANSSI - Recommandations pour la sécurisation des courriels
ANSSIDMARC🟡 RecommendedRecommandations pour la sécurisation des courrielsANSSI - Recommandations pour la sécurisation des courriels
ANSSISTARTTLS🟡 RecommendedANSSI - Recommandations pour la sécurisation des courriels
ANSSIDNSSEC🟡 RecommendedANSSI recommends DNSSEC as part of general DNS security guidance.ANSSI - Recommandations pour la sécurisation des noms de domaine
GB United KingdomNCSCSPF✅ MandatoryEmail security and anti-spoofing guidanceNCSC - Anti-spoofing: SPF
NCSCDKIM✅ MandatoryEmail security and anti-spoofing guidanceNCSC - Anti-spoofing: DKIM
NCSCDMARC✅ Mandatory (reject)Email security and anti-spoofing guidanceNCSC requires DMARC for all .gov.uk and public sector domains. p=reject is the target; p=none is only acceptable as a monitoring phase.NCSC - Anti-spoofing: DMARC
NCSCSTARTTLS✅ MandatoryEmail security and anti-spoofing guidanceNCSC - Securing email in transit
NCSCMTA-STS🟡 RecommendedRecommended by NCSC Mail Check as a best practice for .gov.uk domains.NCSC Mail Check - MTA-STS
NCSCTLS-RPT🟡 RecommendedRecommended alongside MTA-STS in NCSC Mail Check guidance.NCSC Mail Check Service
NCSCDNSSEC🟡 RecommendedNCSC guidance recommends DNSSEC for government domains. Required for DANE deployment. Adoption across UK government domains varies; NCSC…NCSC - Protecting domains that don't send email
NCSCCAA🟡 RecommendedNCSC recommends CAA records as part of domain security guidance to restrict certificate issuance to authorized CAs.NCSC Mail Check Service
NCSCIPv6🟡 RecommendedUK government guidance (GDS technology code of practice and NCSC network security recommendations) advises IPv6 readiness for public sector…GOV.UK Technology Code of Practice — Use open standards
NL NetherlandsForum Standaardisatie / NCSASPF✅ MandatoryPas-toe-of-leg-uit lijstSPF - Forum Standaardisatie
Forum Standaardisatie / NCSADKIM✅ MandatoryPas-toe-of-leg-uit lijstDKIM - Forum Standaardisatie
Forum Standaardisatie / NCSADMARC✅ Mandatory (reject)Pas-toe-of-leg-uit lijstp=reject is the target policy. p=quarantine is accepted as a transition state but p=reject is required for full compliance.DMARC - Forum Standaardisatie
Forum Standaardisatie / NCSADANE✅ MandatoryPas-toe-of-leg-uit lijstDANE/TLSA required for both inbound (MX) and outbound SMTP. DNSSEC must be enabled on the domain for DANE to function.DANE - Forum Standaardisatie
Forum Standaardisatie / NCSASTARTTLS✅ MandatoryPas-toe-of-leg-uit lijstSTARTTLS - Forum Standaardisatie
Forum Standaardisatie / NCSATLS-RPT✅ MandatoryPas-toe-of-leg-uit lijstSMTP MTA-STS and TLS-RPT - Forum Standaardisatie
NCSCMTA-STS🟡 RecommendedRecommended as complementary to DANE for domains that cannot immediately deploy DNSSEC. Not on the mandatory list as of 2024.NCSC - Adviezen e-mailbeveiliging
Forum Standaardisatie / NCSADNSSEC✅ MandatoryPas-toe-of-leg-uit lijstDNSSEC is required for all government domains and is a prerequisite for DANE, which is also mandatory. Both inbound and outbound mail…DNSSEC - Forum Standaardisatie
Forum Standaardisatie / NCSACAA✅ MandatoryPas-toe-of-leg-uit lijstCAA records are required for all government domains to restrict certificate issuance to authorized Certificate Authorities only.CAA - Forum Standaardisatie
Forum Standaardisatie / NCSAIPv6✅ MandatoryPas-toe-of-leg-uit lijstIPv6 is on the Forum Standaardisatie mandatory "comply or explain" list for all government organisations. Both inbound and outbound mail…IPv6 - Forum Standaardisatie
NCSCRPKI🟡 RecommendedThe NCSC and Forum Standaardisatie have published guidance on routing security including RPKI ROA. Not yet on the mandatory…NCSC - Beveilig je netwerk met RPKI
NO NorwayNSMSPF🟡 RecommendedGrunnprinsipper for IKT-sikkerhetNSM recommends SPF as part of email authentication hardening under the "Grunnprinsipper for IKT-sikkerhet" framework for all Norwegian…NSM — Grunnprinsipper for IKT-sikkerhet
NSMDKIM🟡 RecommendedGrunnprinsipper for IKT-sikkerhetNSM recommends DKIM to cryptographically sign outgoing email and prevent message tampering in transit.NSM — Grunnprinsipper for IKT-sikkerhet
NSMDMARC🟡 RecommendedGrunnprinsipper for IKT-sikkerhetNSM recommends DMARC with a policy of at least p=quarantine, progressing to p=reject. Included in the ICT security basic principles…NSM — Grunnprinsipper for IKT-sikkerhet
NSMSTARTTLS🟡 RecommendedGrunnprinsipper for IKT-sikkerhetNSM recommends TLS-encrypted transport for email as part of secure communication practices in the ICT security basic principles.NSM — Grunnprinsipper for IKT-sikkerhet
DigDirDNSSEC🟡 RecommendedReferansekatalog for IT-standardarDNSSEC is listed in the DigDir Referansekatalog as a recommended standard for Norwegian public sector domains. Norid (the .no registry)…Referansekatalog for IT-standardar — DNSSEC
DigDirIPv6✅ MandatoryForskrift om IT-standarder i offentlig forvaltning — §12§12 of the Regulation on IT standards in public administration (forskrift 2013-04-05-959) requires all government organisations to make…Forskrift om IT-standarder i offentlig forvaltning — §12 (IPv6)
NZ New ZealandDIA / Digital.govt.nzSPF✅ MandatorySecure Government Email Common Implementation FrameworkSecure Government Email Common Implementation Framework
DIA / Digital.govt.nzDKIM✅ MandatorySecure Government Email Common Implementation FrameworkSecure Government Email Common Implementation Framework
DIA / Digital.govt.nzDMARC✅ MandatorySecure Government Email Common Implementation FrameworkSecure Government Email Common Implementation Framework
DIA / Digital.govt.nzSTARTTLS✅ MandatorySecure Government Email Common Implementation FrameworkSTARTTLS is required as the transport-layer TLS mechanism underpinning MTA-STS enforcement. The framework mandates TLS-encrypted mail…Secure Government Email Common Implementation Framework
DIA / Digital.govt.nzDNSSEC🟡 RecommendedThe govt.nz domain is DNSSEC-signed. DNSSEC is recommended for all government domains as it is a prerequisite for DANE and provides…Secure Government Email Common Implementation Framework
DIA / Digital.govt.nzMTA-STS✅ MandatorySecure Government Email Common Implementation FrameworkMTA-STS is required under the framework to enforce TLS for inbound mail delivery to government domains, preventing opportunistic downgrade…Secure Government Email Common Implementation Framework
DIA / Digital.govt.nzTLS-RPT✅ MandatorySecure Government Email Common Implementation FrameworkTLS-RPT is required alongside MTA-STS to provide visibility into TLS negotiation failures and ensure government agencies can detect…Secure Government Email Common Implementation Framework
US United StatesCISASPF✅ MandatoryBOD 18-01BOD 18-01 - Technical Implementation
CISADKIM🟡 RecommendedBOD 18-01DKIM is strongly recommended in BOD 18-01 guidance but SPF + DMARC is the minimum mandatory baseline. CISA guidance has increasingly…BOD 18-01 - Technical Implementation
CISADMARC✅ Mandatory (reject)BOD 18-01p=reject was required within one year of the BOD issuance (by October 2018) for all .gov sending domains. Applies to all FCEB agencies.BOD 18-01 - Enhance Email and Web Security
CISASTARTTLS✅ MandatoryBOD 18-01BOD 18-01 - Enhance Email and Web Security
CISAMTA-STS🟡 RecommendedRecommended in CISA email security best practices as a complement to STARTTLS. Not a BOD requirement.CISA Email Security Best Practices
CISATLS-RPT🟡 RecommendedRecommended alongside MTA-STS. Provides visibility into TLS failures but not a mandated requirement.CISA Email Security Best Practices
CISADNSSEC✅ MandatoryBOD 18-01BOD 18-01 requires DNSSEC for all .gov second-level domains. This predates the email-specific requirements and covers all federal civilian…BOD 18-01 - Enhance Email and Web Security
CISACAA🟡 RecommendedCISA recommends CAA records as part of general domain security best practices. Not a BOD-level mandate but referenced in CISA guidance on…CISA Email Security Best Practices
OMBIPv6✅ MandatoryOMB M-21-07OMB Memorandum M-21-07 "Completing the Transition to Internet Protocol Version 6 (IPv6)" (November 2020) requires Federal Civilian…OMB M-21-07 — Completing the Transition to IPv6
ONCDRPKI🟡 RecommendedRoadmap to Enhancing Internet Routing SecurityThe White House Office of the National Cyber Director (ONCD) published a "Roadmap to Enhancing Internet Routing Security" in March 2024. It…Roadmap to Enhancing Internet Routing Security — ONCD (March 2024)
ONCDDNSSEC🟡 RecommendedRoadmap to Enhancing Internet Routing SecurityThe ONCD roadmap calls out DNSSEC as critical infrastructure-level protection needed to secure the DNS lookups that underpin email routing,…Roadmap to Enhancing Internet Routing Security — ONCD (March 2024)

Standards Reference

Standard Full Name RFC / Spec Key Testing Tools
SPFSender Policy FrameworkRFC 7208internet.nl, MXToolbox
DKIMDomainKeys Identified MailRFC 6376internet.nl, MXToolbox
DMARCDomain-based Message Authentication, Reporting and ConformanceRFC 7489internet.nl, dmarcian
STARTTLSSMTP STARTTLS (Opportunistic TLS)RFC 3207internet.nl, Mailcheck
DANEDNS-based Authentication of Named EntitiesRFC 6698internet.nl
DNSSECDNS Security ExtensionsRFC 4033–4035internet.nl, DNSViz
MTA-STSMail Transfer Agent Strict Transport SecurityRFC 8461internet.nl, Hardenize
TLS-RPTSMTP TLS ReportingRFC 8460internet.nl, MXToolbox
CAACertification Authority AuthorizationRFC 8659internet.nl, MXToolbox
IPv6IPv6 Support for EmailRFC 8200, RFC 3596internet.nl
RPKIResource Public Key InfrastructureRFC 6480 / 9582Cloudflare RPKI, RIPE NCC
ASPAAutonomous System Provider AuthorizationIETF SIDROPS draftRIPE NCC RPKI
BIMIBrand Indicators for Message IdentificationBIMI GroupBIMI Checker