PCI DSS Compliance Update

New requirements for email authentication protocols

Important Disclaimer

NHM LLC is not a Qualified Security Assessor (QSA). We do not provide official PCI DSS compliance assessments or certifications.

We can assist with technical implementation of email authentication protocols (SPF, DKIM, DMARC) and provide guidance for your self-assessment process. For official PCI DSS compliance validation, you must work with a certified QSA or complete a Self-Assessment Questionnaire (SAQ) as appropriate for your merchant level.

PCI DSS Section 5.4.1 Requirements

Factual information about the new email authentication requirements

Requirement Details

PCI DSS version 4.0, Section 5.4.1 requires organizations to implement processes and automation to protect against spoofing attacks. The standard specifically recommends the adoption of:

  • SPF (Sender Policy Framework) - A DNS record that specifies which mail servers are authorized to send email on behalf of a domain
  • DKIM (DomainKeys Identified Mail) - A method of email authentication that uses cryptographic signatures to verify email integrity
  • DMARC (Domain-based Message Authentication, Reporting & Conformance) - A policy framework that builds on SPF and DKIM to provide domain-level authentication and reporting

Technical Specifications

What each protocol does and how they work together

SPF

SPF records are published in DNS as TXT records. They list authorized sending IP addresses and mail servers for a domain. Receiving mail servers check SPF records to verify that incoming emails originate from authorized sources.

DKIM

DKIM uses public-key cryptography to sign emails. The sending server signs each message with a private key, and receiving servers verify the signature using the public key published in DNS. A valid signature shows that the signed headers and body were not altered in transit and authenticates the signing domain (the d= tag of the signature).

DMARC

DMARC policies are published in DNS as TXT records. They specify how receiving servers should handle emails that fail SPF or DKIM checks. DMARC also provides reporting mechanisms to send feedback about authentication results to domain owners.
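The three protocols only produce a decision at the DMARC step, and the detail that matters in practice is alignment: DMARC passes when either SPF or DKIM passes and the domain that passed aligns with the From: header domain; only when neither aligned check passes does the published p= policy apply. The script below is an added example written for this page, not NHM LLC's tool or any mail server's code. The domains, record contents and message details are constructed sample data, and the organizational-domain shortcut (last two labels instead of the Public Suffix List) is a labelled simplification.

```python
"""DMARC disposition for one message, from its SPF and DKIM results.

Added example for this page (not NHM LLC's tool or a mail server's code).
All domains, records and message details are constructed sample data.
"""
from dataclasses import dataclass


@dataclass
class AuthResults:
    """What a receiving server knows about one message after SPF and DKIM."""
    from_domain: str   # domain in the RFC 5322 From: header (what DMARC protects)
    spf_result: str    # "pass" or "fail" for the envelope sender (MAIL FROM)
    spf_domain: str    # MAIL FROM domain the SPF check was run against
    dkim_result: str   # "pass" or "fail" for the signature
    dkim_domain: str   # d= tag of the DKIM signature ("" if unsigned)


def organizational_domain(domain: str) -> str:
    """Simplification (assumption): the last two labels. Real validators use
    the Public Suffix List so that e.g. example.co.uk is handled correctly."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """Identifier alignment: strict ('s') needs an exact match, relaxed ('r')
    accepts any subdomain of the same organizational domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return organizational_domain(auth_domain) == organizational_domain(from_domain)


def parse_dmarc(record: str) -> dict:
    """Turn 'v=DMARC1; p=reject; aspf=s' into {'v': 'DMARC1', 'p': 'reject', ...}."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def dmarc_disposition(record: str, r: AuthResults) -> str:
    """Return 'pass', or the policy to apply ('none', 'quarantine', 'reject').

    DMARC passes when EITHER SPF or DKIM passes AND that passing identifier
    aligns with the From: domain. Only if both aligned checks fail does the
    published p= (or sp= for subdomains) policy apply."""
    tags = parse_dmarc(record)
    spf_ok = r.spf_result == "pass" and aligned(r.spf_domain, r.from_domain, tags.get("aspf", "r"))
    dkim_ok = r.dkim_result == "pass" and aligned(r.dkim_domain, r.from_domain, tags.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return "pass"
    policy = tags.get("p", "none")
    if r.from_domain.lower() != organizational_domain(r.from_domain):
        policy = tags.get("sp", policy)   # subdomain policy, if the owner published one
    return policy


if __name__ == "__main__":
    policy = "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com"
    cases = {
        # spoofed From: with a third party's own SPF pass: nothing aligns -> reject
        "spoofed": AuthResults("example.com", "pass", "bulk.mailer.test", "fail", ""),
        # legitimate forwarder that breaks SPF but keeps the DKIM signature -> pass
        "forwarded": AuthResults("example.com", "fail", "example.com", "pass", "example.com"),
        # SPF passes on a subdomain; relaxed alignment (the default) accepts it
        "subdomain-spf": AuthResults("example.com", "pass", "mail.example.com", "fail", ""),
    }
    for name, res in cases.items():
        print(f"{name:14s} -> {dmarc_disposition(policy, res)}")
```

The "forwarded" case is the one that explains why DKIM matters even when SPF is in place: a forwarder changes the sending IP and breaks SPF, but an intact DKIM signature still lets the message pass DMARC. Switching aspf=s in the record shows how strict alignment turns the subdomain case into a failure.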

Compliance Implications

Factual information about non-compliance consequences

PCI DSS Non-Compliance

  • Failure to meet PCI DSS requirements may result in non-compliance status
  • Non-compliance can lead to fines and penalties from payment card brands
  • Merchants may lose ability to process credit card payments
  • Organizations may face increased transaction fees
  • Data breach liability may increase for non-compliant organizations

Email Deliverability Impact

  • Major email providers (Google, Yahoo!, Microsoft) prioritize authenticated emails
  • Emails without proper authentication may be filtered to spam folders
  • Some providers may reject unauthenticated emails entirely
  • Bulk email senders face stricter requirements from major providers
  • Domain reputation can be negatively affected by spoofing incidents

Security Benefits

How email authentication protocols protect against threats

Protection Mechanisms

  • Prevents unauthorized use of your domain in phishing attacks
  • Reduces risk of email spoofing and business email compromise (BEC)
  • Helps identify and block fraudulent emails impersonating your domain
  • Provides visibility into email authentication failures through DMARC reports
  • Enables receiving servers to make informed decisions about email handling

Implementation Benefits

  • Meets PCI DSS Section 5.4.1 requirements
  • Improves email deliverability rates
  • Protects brand reputation from email-based attacks
  • Provides audit trail through DMARC reporting
  • Meets requirements for major email provider bulk sender programs

Implementation Requirements

What needs to be configured for compliance

Configuration Checklist

To meet PCI DSS Section 5.4.1 requirements, organizations must:

  • Publish SPF records in DNS for all domains used to send email
  • Configure DKIM signing for all outbound email
  • Publish DMARC policies in DNS with appropriate policy levels (none, quarantine, or reject)
  • Monitor DMARC reports to identify authentication failures
  • Maintain documentation of email authentication configurations
  • Regularly review and update authentication records as email infrastructure changes

Check Your Domain Security

Use our free tool to check if your domain has SPF, DKIM, and DMARC properly configured

How to manually check DKIM selectors

DKIM records are stored in DNS as TXT records with the format:

selector._domainkey.yourdomain.com

Common selectors by provider:

  • Microsoft 365: selector1._domainkey.domain.com and selector2._domainkey.domain.com
  • Google Workspace: google._domainkey.domain.com
  • Other providers: May use default._domainkey.domain.com or custom selectors

How to check manually:

Using Command Line (Windows):

nslookup -type=TXT selector1._domainkey.yourdomain.com

Using Command Line (Linux/Mac):

dig TXT selector1._domainkey.yourdomain.com

Using Online Tools:

  • Visit MXToolbox and enter the DKIM record name
  • Use DNS Checker to query TXT records
  • Check your DNS provider's control panel for TXT records

What to look for:

  • The record should start with v=DKIM1
  • It should contain a public key (p=...)
  • For Microsoft 365, you may see a CNAME record instead of TXT (this is normal)
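The checks in the list above can be automated once the TXT strings have been retrieved with dig or nslookup. The script below is an added example for this page, not NHM LLC's checker; it inspects SPF, DKIM and DMARC record text offline and flags what a practitioner would want to know: a missing or permissive all in SPF and the limit of 10 DNS-querying terms, a missing or empty (revoked) DKIM key and, for RSA, a key that decodes to fewer bytes than a 2048-bit key, and a DMARC record with p=none, no rua= address or a partial pct. The sample records are constructed, the DKIM p= values are placeholder bytes of a realistic length rather than real keys, and the SPF lookup count covers only the one record (it does not follow include: chains).

```python
"""Offline sanity checks for SPF, DKIM and DMARC TXT record text.

Added example for this page, not NHM LLC's checker. Fetch the real strings
first, e.g.  dig TXT _dmarc.example.com  /  dig TXT selector1._domainkey.example.com
The records in SAMPLE_RECORDS are constructed; the DKIM p= values are
placeholder bytes of a realistic length, not real public keys.
"""
import base64
import re

LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}  # each costs a DNS query


def parse_tags(record: str) -> dict:
    """Parse the 'tag=value; tag=value' syntax shared by DKIM and DMARC records."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def check_spf(record: str) -> list:
    """Flag common SPF weaknesses. Reads one record only: include: chains are
    not followed, so the lookup count is a lower bound."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["SPF: record must start with v=spf1"]
    findings, lookups, all_term = [], 0, None
    for term in terms[1:]:
        body = term.lstrip("+-~?").lower()
        name = re.split(r"[:/=]", body, maxsplit=1)[0]
        if name == "all":
            all_term = term
        elif name in LOOKUP_TERMS:
            lookups += 1
    if all_term is None:
        findings.append("SPF: no terminal 'all' mechanism, so unlisted senders get a neutral result")
    elif all_term.lower() in ("all", "+all"):
        findings.append("SPF: '+all' authorizes every host on the Internet")
    if lookups > 10:
        findings.append(f"SPF: {lookups} DNS-querying terms exceed RFC 7208's limit of 10 (permerror)")
    return findings


def check_dkim(record: str) -> list:
    """Check a selector._domainkey record: v=DKIM1, a usable p= key, key size."""
    tags = parse_tags(record)
    findings = []
    if tags.get("v", "DKIM1") != "DKIM1":
        findings.append("DKIM: v= tag is present but is not DKIM1")
    if "p" not in tags:
        return findings + ["DKIM: no p= tag, so the record is not a usable key"]
    key = tags["p"].replace(" ", "")
    if key == "":
        return findings + ["DKIM: empty p= means the key has been revoked"]
    try:
        der = base64.b64decode(key, validate=True)
    except ValueError:  # binascii.Error is a subclass of ValueError
        return findings + ["DKIM: p= is not valid base64"]
    # A DER-encoded RSA SubjectPublicKeyInfo is 162 bytes for a 1024-bit key and 294 for 2048-bit.
    if tags.get("k", "rsa").lower() == "rsa" and len(der) < 294:
        findings.append("DKIM: RSA key is shorter than 2048 bits; 1024-bit DKIM keys are considered weak")
    return findings


def check_dmarc(record: str) -> list:
    """Check a _dmarc record: version, policy level, reporting address, pct."""
    if not record.strip().lower().startswith("v=dmarc1"):
        return ["DMARC: record must start with v=DMARC1"]
    tags = parse_tags(record)
    findings = []
    policy = tags.get("p")
    if policy not in ("none", "quarantine", "reject"):
        findings.append("DMARC: p= must be none, quarantine or reject")
    elif policy == "none":
        findings.append("DMARC: p=none only monitors; mail failing DMARC is still delivered")
    if "rua" not in tags:
        findings.append("DMARC: no rua= address, so no aggregate reports will ever arrive")
    if tags.get("pct", "100") != "100":
        findings.append(f"DMARC: pct={tags['pct']} applies the policy to only part of the failing mail")
    return findings


CHECKERS = {"spf": check_spf, "dkim": check_dkim, "dmarc": check_dmarc}

SAMPLE_RECORDS = {  # constructed sample data; the "kind_label" names drive dispatch below
    "spf_good": "v=spf1 ip4:192.0.2.0/24 include:_spf.example.net -all",
    "spf_open": "v=spf1 a mx +all",
    "spf_toomany": "v=spf1 " + " ".join(f"include:spf{i}.example.net" for i in range(11)) + " ~all",
    "dkim_good": "v=DKIM1; k=rsa; p=" + base64.b64encode(bytes(294)).decode(),
    "dkim_weak": "v=DKIM1; k=rsa; p=" + base64.b64encode(bytes(162)).decode(),
    "dkim_revoked": "v=DKIM1; k=rsa; p=",
    "dmarc_good": "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com",
    "dmarc_monitor": "v=DMARC1; p=none",
}


def check_record(kind: str, record: str) -> list:
    """Run the checker for one record kind ('spf', 'dkim' or 'dmarc')."""
    return CHECKERS[kind](record)


if __name__ == "__main__":
    for name, record in SAMPLE_RECORDS.items():
        print(f"{name:14s} -> {check_record(name.split('_')[0], record) or ['OK']}")
```

Each checker returns a list of findings, so an empty list means the record looked sound to these checks; that is a syntax and policy review of the published text, not proof that mail actually passes authentication, which only the DMARC aggregate reports will show.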

Need Help Setting Up DKIM?

Our experts can help you configure DKIM records correctly for your domain.


Important Disclaimer

This tool only checks email authentication records (SPF, DKIM, DMARC). Passing these checks does NOT mean your organization is PCI DSS compliant.

PCI DSS compliance requires comprehensive security controls across your entire payment card data environment, including network security, access controls, encryption, monitoring, vulnerability management, and many other requirements beyond email authentication.

For official PCI DSS compliance validation, you must work with a Qualified Security Assessor (QSA) or complete a Self-Assessment Questionnaire (SAQ) as appropriate for your merchant level. This tool is for informational purposes only and does not constitute a compliance assessment.

How We Can Help

NHM LLC can assist with the technical implementation of SPF, DKIM, and DMARC protocols. We can help configure DNS records, set up email authentication, and provide guidance for your PCI DSS self-assessment process.

For questions or assistance, please contact us or call (330) 305-2750.