CIS Control 9.5: Implement DMARC to Prevent Email Spoofing
Email spoofing and domain impersonation are among the most common attack vectors targeting SMBs. CIS Control 9.5 requires implementing DMARC policies alongside SPF and DKIM standards to authenticate outbound email and protect your domain reputation. This control significantly reduces phishing risk and ensures legitimate email delivery.
What this means
DMARC (Domain-based Message Authentication, Reporting and Conformance) is an email authentication protocol that works with SPF (Sender Policy Framework) and DKIM (DomainKeys Identified Mail) to verify that emails claiming to come from your domain actually originate from authorized sources. Together, these three standards create a verification chain that prevents attackers from spoofing your domain in phishing campaigns, while giving you visibility into unauthorized sending attempts through DMARC reporting.
How to comply
- 1.Implement SPF by creating DNS TXT records that authorize which mail servers can send email from your domain
- 2.Deploy DKIM by generating cryptographic key pairs and publishing the public key in DNS to digitally sign outgoing emails
- 3.Configure DMARC policy in your domain's DNS with instructions for how receivers should handle authentication failures
- 4.Start with a monitoring-only DMARC policy (p=none) to collect data on legitimate mail flows before enforcing stricter policies
- 5.Review DMARC aggregate reports to identify all services sending email on behalf of your domain
- 6.Gradually transition to quarantine (p=quarantine) then reject (p=reject) policies as you gain confidence in your email ecosystem
- 7.Monitor DMARC alignment to ensure SPF and DKIM pass for subdomain variations used in email communications
Evidence auditors look for
- DNS TXT records showing published SPF, DKIM, and DMARC policies for all company domains
- DMARC aggregate reports (.xml files) from email providers demonstrating monitoring and policy enforcement
- Configuration documentation showing policy progression from monitoring to enforcement across domains
- Email gateway or DNS provider settings showing SPF authorization lists and DKIM key management
- Audit logs confirming DMARC policy rejection or quarantine of unauthenticated messages
- DMARC reporting dashboards showing pass rates and failure analysis across mail sources
Frequently asked questions
When will FAQs be available?
The FAQ for this control is currently being prepared.
GRCWatch monitors your DMARC, SPF, and DKIM deployment status across all domains and alerts you to misconfigurations or policy gaps—eliminating manual DNS audits and keeping email authentication evidence organized for compliance reviews.
See how GRCWatch handles this control automatically
Start free trial