
Tags: email deliverability, security, NIS2, DORA, compliance, Europe, GDPR

DMARC Is Now an EU Regulatory Requirement, Not Just a Deliverability Fix

Source: DuoCircle

Email authentication (SPF, DKIM and DMARC) has been discussed as a deliverability best practice for years. In 2026 that framing is outdated: for a significant share of European businesses, a missing or unenforced DMARC policy is now a regulatory compliance failure that can carry financial penalties.

The Regulatory Shift

Two EU frameworks place binding cybersecurity obligations on their covered entities, and both now incorporate email security controls:

NIS2 applies to medium and large organisations in the sectors the directive classes as highly critical or otherwise critical (its Annex I and Annex II), including energy, transport, banking, health, digital infrastructure, public administration and managed service providers. The directive requires entities to take appropriate and proportionate technical measures, taking account of the state of the art, to secure their communications; guidance from several national competent authorities cites DMARC enforcement explicitly as one such measure.

DORA (Digital Operational Resilience Act), which has applied to financial entities since 17 January 2025, requires financial institutions, insurance firms, investment companies and their ICT third-party service providers to demonstrate resilience across all communication channels. Regulators have begun treating the absence of DMARC enforcement as a control gap during operational resilience assessments.

Non-compliance under NIS2 can result in fines of up to €10 million or 2% of total worldwide annual turnover, whichever is higher, for essential entities (up to €7 million or 1.4% for important entities). DORA supervisory actions carry comparable exposure.

Where Adoption Actually Stands

Despite years of industry messaging, current adoption figures make for uncomfortable reading:

  • Only 10.7% of domains have implemented a strict DMARC reject policy
  • 70.9% of domains have no effective DMARC protection at all
  • Domains at p=none (monitoring only) get no spoofing protection from DMARC: receivers evaluate the policy but deliver failing mail anyway, so attackers can still send mail that appears to come from your domain

For context, a domain without DMARC enforcement lets anyone on the internet send email whose From: header claims to be from your organisation, and gives receiving mail servers no instruction to reject it. Phishing campaigns, supplier fraud and impersonation attacks all exploit this gap.

The Deliverability Pressure Is Also Real

Separate from the regulatory angle, the operational pressure on non-compliant domains is intensifying. Google and Yahoo began enforcing authentication requirements for bulk senders (broadly, more than 5,000 messages a day to their users) in 2024, and Microsoft followed for Outlook.com in 2025. Unauthenticated bulk mail is refused with a permanent SMTP error during the transaction itself; it never reaches the recipient's inbox or spam folder.

What has caught many organisations off guard in 2026 is an additional finding: even domains with valid SPF, DKIM and DMARC still see spam placement rates above 30%. Mailbox providers now weight engagement signals (opens, clicks, replies and complaint rates) far more heavily than a passing authentication check. Authentication is the floor, not the ceiling.

What a Compliant Implementation Requires

A minimal compliant email authentication posture for an EU-regulated entity consists of:

  1. SPF record listing every authorised sending source, kept current as infrastructure changes and kept within the RFC 7208 limit of ten DNS-querying mechanisms (beyond it, evaluation returns permerror and the check fails)
  2. DKIM signing on all outbound mail, with 2048-bit RSA keys as the recommended minimum and key rotation at least annually
  3. DMARC policy at p=reject (not p=none or p=quarantine), with sp= covering subdomains and reporting enabled (the rua tag for aggregate reports, the ruf tag for failure reports); note that DMARC passes only when SPF or DKIM passes for a domain aligned with the From: header domain
  4. Monitoring and alerting on DMARC aggregate reports to detect unauthorised or unaligned sending sources as soon as they appear
  5. Coverage across all domains and subdomains, including domains used only for internal mail and domains that send no mail at all; the latter should carry v=spf1 -all and a p=reject DMARC record so they cannot be spoofed either
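As an added example (not code from the article or from Excello Digital), the following Python checks a published DMARC TXT record against items 3 and 4 of this list: it parses the tag/value pairs, applies the RFC 7489 defaults for sp and pct, and reports everything that falls short of p=reject with reporting enabled. The two sample records and the example.com addresses are constructed for illustration.

```python
"""Assess a published DMARC TXT record against the enforcement posture above.

Added example, not code from the original article or from Excello Digital.
The records below are constructed; example.com is a reserved documentation
domain, not a real deployment.
"""

# Constructed sample records: the monitoring-only record most domains stop at,
# and one that meets the posture in the list above.
MONITOR_ONLY = "v=DMARC1; p=none; rua=mailto:dmarc@example.com"
ENFORCED = (
    "v=DMARC1; p=reject; sp=reject; pct=100; "
    "rua=mailto:dmarc-agg@example.com; ruf=mailto:dmarc-fail@example.com"
)


def parse_dmarc(record: str) -> dict[str, str]:
    """Split a DMARC record into lower-cased tag/value pairs (RFC 7489 s.6.3).

    Raises ValueError if the text is not a DMARC record at all, which is what
    you get when someone publishes the SPF record at _dmarc by mistake.
    """
    tags: dict[str, str] = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed DMARC tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record: first tag must be v=DMARC1")
    return tags


def is_dmarc_record(text: str) -> bool:
    """True if the text parses as a DMARC record; use before assess_posture."""
    try:
        parse_dmarc(text)
    except ValueError:
        return False
    return True


def assess_posture(record: str) -> list[str]:
    """Return findings against the enforcement posture; an empty list passes.

    Defaults follow RFC 7489: sp inherits p when absent, pct defaults to 100.
    """
    tags = parse_dmarc(record)
    findings: list[str] = []

    policy = tags.get("p", "")
    if policy != "reject":
        findings.append(f"p={policy or 'missing'}: organisational domain is not at reject")

    subdomain_policy = tags.get("sp", policy)
    if subdomain_policy != "reject":
        findings.append(f"sp={subdomain_policy or 'missing'}: subdomains are weaker than reject")

    pct = tags.get("pct", "100")
    if not pct.isdigit() or int(pct) < 100:
        findings.append(f"pct={pct}: policy is applied to only a sample of failing mail")

    # Aggregate (rua) and failure (ruf) reporting; RFC 7489 only defines the
    # mailto: transport, so any other URI scheme will simply receive nothing.
    for tag, purpose in (("rua", "aggregate"), ("ruf", "failure")):
        uris = [u.strip() for u in tags.get(tag, "").split(",") if u.strip()]
        if not uris:
            findings.append(f"{tag} missing: no {purpose} reports, so new sources go unnoticed")
        elif not all(u.lower().startswith("mailto:") for u in uris):
            findings.append(f"{tag} has a non-mailto URI; receivers only deliver reports to mailto:")

    return findings


if __name__ == "__main__":
    for name, rec in (("monitor-only", MONITOR_ONLY), ("enforced", ENFORCED)):
        print(name, "->", assess_posture(rec) or "meets posture")
```

Feed it the TXT record published at _dmarc.yourdomain (for example the output of `dig +short TXT _dmarc.example.com`). A p=none record with reporting is the right starting point for a rollout, but as the checker shows it still fails the posture on three counts: organisational policy, the inherited subdomain policy, and missing failure reports.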

The monitoring requirement is frequently overlooked. Publishing a p=reject policy without reviewing DMARC aggregate reports means that when a new sending service (a CRM, a billing platform, a third-party support tool) starts sending mail on your behalf without being listed in SPF or signing with DKIM for your domain, you will not know until that mail is rejected and deliverability fails. The reports already contain what you need: per-source message counts with both the raw SPF and DKIM results and whether they aligned with your From: domain.
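To show what that review looks like in practice, here is an added example (not the article's or Excello Digital's code) that parses a DMARC aggregate report in the RFC 7489 Appendix C format and sorts each sending IP into three buckets: aligned and authorised; a third party that passed raw SPF or DKIM for its own domain but is not aligned with the From: domain, which is the unlisted CRM or billing platform case; and sources with no raw pass at all, which are spoofing or unknown. The report, the IPs (documentation ranges) and the vendor domain are constructed.

```python
"""Triage a DMARC aggregate (rua) report into authorised, unaligned and spoofed sources.

Added example, not code from the original article or from Excello Digital.
The report below is constructed to match the RFC 7489 Appendix C schema; IPs
are from documentation ranges and bounce.billing-vendor.example is invented.
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass

# Constructed sample report: one aligned corporate mail server, one billing
# platform that passes SPF on its own bounce domain but is not aligned with
# the From: domain and does not DKIM-sign for it, and one outright spoof.
SAMPLE_REPORT = """<feedback>
  <report_metadata><org_name>receiver.example.net</org_name><report_id>constructed-0001</report_id>
    <date_range><begin>1767225600</begin><end>1767312000</end></date_range></report_metadata>
  <policy_published><domain>example.com</domain><adkim>r</adkim><aspf>r</aspf>
    <p>reject</p><sp>reject</sp><pct>100</pct></policy_published>
  <record>
    <row><source_ip>192.0.2.10</source_ip><count>1200</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results><dkim><domain>example.com</domain><selector>s2026</selector><result>pass</result></dkim>
      <spf><domain>example.com</domain><result>pass</result></spf></auth_results>
  </record>
  <record>
    <row><source_ip>203.0.113.25</source_ip><count>45</count>
      <policy_evaluated><disposition>reject</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results><spf><domain>bounce.billing-vendor.example</domain><result>pass</result></spf></auth_results>
  </record>
  <record>
    <row><source_ip>198.51.100.7</source_ip><count>300</count>
      <policy_evaluated><disposition>reject</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results><spf><domain>example.com</domain><result>fail</result></spf></auth_results>
  </record>
</feedback>"""


@dataclass
class SourceRow:
    source_ip: str
    count: int
    disposition: str
    dkim_aligned: bool        # policy_evaluated/dkim: passed AND aligned with From:
    spf_aligned: bool         # policy_evaluated/spf: passed AND aligned with From:
    raw_spf: tuple[str, str]  # (domain checked, result) from auth_results, alignment ignored
    raw_dkim: tuple[str, str]

    @property
    def dmarc_pass(self) -> bool:
        # DMARC needs one aligned pass, not both (RFC 7489 s.4.2).
        return self.dkim_aligned or self.spf_aligned


def parse_aggregate_report(xml_text: str) -> list[SourceRow]:
    """Flatten each <record> of an aggregate report into a SourceRow."""
    rows: list[SourceRow] = []
    for rec in ET.fromstring(xml_text).iter("record"):
        row = rec.find("row")
        evaluated = row.find("policy_evaluated")
        auth = rec.find("auth_results")

        def raw(mechanism: str) -> tuple[str, str]:
            el = auth.find(mechanism) if auth is not None else None
            if el is None:  # no signature / no SPF check recorded
                return ("", "none")
            return (el.findtext("domain", ""), el.findtext("result", "none"))

        rows.append(SourceRow(
            source_ip=row.findtext("source_ip", ""),
            count=int(row.findtext("count", "0")),
            disposition=evaluated.findtext("disposition", "none"),
            dkim_aligned=evaluated.findtext("dkim") == "pass",
            spf_aligned=evaluated.findtext("spf") == "pass",
            raw_spf=raw("spf"),
            raw_dkim=raw("dkim"),
        ))
    return rows


def classify(row: SourceRow) -> str:
    if row.dmarc_pass:
        return "authorised"
    # A raw pass that did not count for DMARC means the mechanism passed for a
    # domain other than the From: domain: the unlisted SaaS sender that needs
    # adding to SPF or given a DKIM key, not an attacker.
    if row.raw_spf[1] == "pass" or row.raw_dkim[1] == "pass":
        return "unaligned-third-party"
    return "spoof-or-unknown"


def triage(xml_text: str) -> dict[str, list[tuple[str, int]]]:
    """Group (source_ip, count) pairs by classification."""
    buckets: dict[str, list[tuple[str, int]]] = {
        "authorised": [], "unaligned-third-party": [], "spoof-or-unknown": []}
    for row in parse_aggregate_report(xml_text):
        buckets[classify(row)].append((row.source_ip, row.count))
    return buckets


if __name__ == "__main__":
    for bucket, sources in triage(SAMPLE_REPORT).items():
        print(f"{bucket}: {sources}")
```

The separation is the point. The policy_evaluated block only tells you that DMARC failed; auth_results shows what the receiver actually verified. A raw SPF pass for bounce.billing-vendor.example is a vendor to onboard (include it in SPF or, better, have it DKIM-sign with a selector under your domain), while a raw fail from an IP you do not own is a spoof you can report. It also shows why p=reject without reading reports hurts: the vendor's 45 messages in this report were rejected, and nobody would know without parsing the XML.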

Acting Before an Assessment Forces Your Hand

For organisations under NIS2 or DORA, the question is no longer whether to implement DMARC enforcement but whether to do it proactively or under regulatory pressure. Several financial entities in the EU received supervisory letters in Q1 2026 noting the absence of DMARC enforcement as a finding requiring remediation within 90 days.

Implementing a correct DMARC policy without disrupting legitimate mail flows requires an audit of every system, service and third-party integration that sends email on your behalf. Done carefully, as a staged rollout (p=none with reporting to inventory sources, then p=quarantine, then p=reject), the process typically takes two to six weeks; rushed deployments that skip the audit commonly result in legitimate mail being rejected along with spoofed messages.

Excello Digital helps European businesses implement and maintain correct SPF, DKIM, and DMARC configurations across all sending infrastructure, including third-party platforms. If your organisation is in scope for NIS2 or DORA and has not yet reached p=reject, talk to our team before a supervisory review does it for you.
