
DMARC, SPF, and DKIM for cyber insurance renewals

Learn what DMARC, SPF, and DKIM mean for cyber insurance. Discover enforcement policies and why p=reject is increasingly required.

Overview

Email authentication standards (DMARC, SPF, DKIM) are increasingly required by cyber insurers to prevent business email compromise attacks. Understanding the technical details helps brokers explain the requirements to clients.

SPF (Sender Policy Framework) publishes in DNS which IP addresses are authorized to send email for your domain; it validates the sending IP address. DKIM (DomainKeys Identified Mail) digitally signs outgoing email so that receivers can verify the message was not altered in transit. DMARC (Domain-based Message Authentication, Reporting and Conformance) ties SPF and DKIM together with a policy: 'If email fails SPF and DKIM, here's what to do.'

The DMARC policy statement has three enforcement levels: p=none (monitoring only, no enforcement), p=quarantine (deliver suspicious email to the spam folder), and p=reject (block suspected spoofed email). Carriers increasingly require at minimum p=quarantine, with p=reject preferred for maximum security.

A common mistake is treating p=none as sufficient: monitoring without enforcement provides no actual protection. Another is implementing SPF with too many include statements; SPF has a 10-lookup limit, and organizations using multiple email services can exceed it, causing SPF to fail silently. Further gaps: organizations may implement DKIM but not DMARC, leaving no overarching enforcement, and DMARC policies may exclude internal subdomains.

Brokers should request DNS records showing SPF, DKIM, and DMARC implementation, verify the DMARC policy level (the p= value), check SPF for lookup-count issues, and confirm that DKIM selectors are properly published for every email-sending service.

Key Facts

  • DMARC policy levels: p=none (monitoring), p=quarantine (spam), p=reject (block) — carriers require at least p=quarantine.
    Source: Common carrier requirement
  • SPF lookup limit: 10 DNS lookups maximum; exceeding this causes SPF to fail silently.
    Source: Common carrier requirement
  • DKIM must be configured for all email sending services; partial DKIM deployment creates gaps.
    Source: Common carrier requirement
  • Common mistake: p=none DMARC provides monitoring only, no protection against spoofed emails.
    Source: Common carrier requirement
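The checks described in the Overview and the Key Facts (DMARC p= level, SPF lookup count against the 10-lookup limit, DKIM published for every sending service, subdomain coverage) can be scripted. The script below is an added example written for this page; it is not BindLedger's checker or any carrier's tool. It runs offline against constructed TXT records embedded in the script: every name ending in .example or under example.com is a placeholder, the DKIM key string is fake, and resolve_txt is the hook to replace with a real DNS resolver. The sp= handling (subdomain policy defaulting to p= when omitted) follows RFC 7489 and goes slightly beyond the text, which only mentions that subdomains can be excluded.

```python
# Added example, not BindLedger's checker: an offline email-authentication readiness
# check producing what an underwriter asks for (SPF lookup count, DMARC p=/sp=, DKIM
# per sending service). Swap resolve_txt for a real DNS TXT resolver to run it live.

SPF_LOOKUP_LIMIT = 10                                         # RFC 7208 section 4.6.4
LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists"}  # each costs one DNS lookup
ENFORCING = {"quarantine", "reject"}

# Constructed TXT records standing in for DNS. All names are placeholders (example.com
# and .example are reserved for documentation) and the DKIM public key is fake.
CONSTRUCTED_TXT = {
    "example.com": ["v=spf1 include:_spf.mailhost.example include:spf.crm.example "
                    "include:spf.helpdesk.example mx -all"],
    "_spf.mailhost.example": ["v=spf1 ip4:192.0.2.0/24 include:_netblocks.mailhost.example ~all"],
    "_netblocks.mailhost.example": ["v=spf1 ip4:198.51.100.0/24 -all"],
    "spf.crm.example": ["v=spf1 a mx ptr ~all"],
    "spf.helpdesk.example": ["v=spf1 a mx ip4:203.0.113.0/24 exists:%{i}.spf.helpdesk.example -all"],
    "_dmarc.example.com": ["v=DMARC1; p=none; sp=none; rua=mailto:dmarc-reports@example.com"],
    "mailhost._domainkey.example.com": ["v=DKIM1; k=rsa; p=CONSTRUCTEDBASE64KEY"],
    # crm._domainkey.example.com is deliberately absent: the CRM service has no DKIM key
    "secure.example": ["v=spf1 include:_spf.mailhost.example -all"],   # a domain in good shape
    "_dmarc.secure.example": ["v=DMARC1; p=reject; rua=mailto:dmarc-reports@secure.example"],
    "mailhost._domainkey.secure.example": ["v=DKIM1; k=rsa; p=CONSTRUCTEDBASE64KEY"],
}


def resolve_txt(name):
    """Stand-in for a DNS TXT query over the constructed data above."""
    return CONSTRUCTED_TXT.get(name.lower(), [])


def find_record(name, prefix, resolve):
    """First TXT record at `name` whose version tag starts with `prefix`, else None."""
    return next((t for t in resolve(name) if t.lower().startswith(prefix)), None)


def parse_tags(txt):
    """Split a 'k=v; k=v' record (DMARC or DKIM) into a lowercase-keyed dict."""
    tags = {}
    for part in txt.split(";"):
        key, _, value = part.strip().partition("=")
        if key:
            tags[key.strip().lower()] = value.strip()
    return tags


def count_spf_lookups(domain, resolve, _seen=None):
    """DNS lookups an SPF evaluation of `domain` triggers: include: and redirect= are
    followed recursively, and a/mx/ptr/exists each count one (RFC 7208 section 4.6.4)."""
    seen = set() if _seen is None else _seen
    if domain in seen:                        # cycle guard; a real evaluator would permerror
        return 0
    seen.add(domain)
    record = find_record(domain, "v=spf1", resolve)
    count = 0
    for term in (record or "").split()[1:]:   # skip the v=spf1 version tag
        term = term.lstrip("+-~?")            # drop the qualifier
        if "=" in term:                       # modifier, e.g. redirect=other.example
            name, _, target = term.partition("=")
            if name.lower() == "redirect":
                count += 1 + count_spf_lookups(target, resolve, seen)
            continue
        mech, _, target = term.partition(":")
        mech = mech.split("/")[0].lower()     # "a/24" -> "a"
        if mech == "include":
            count += 1 + count_spf_lookups(target, resolve, seen)
        elif mech in LOOKUP_MECHANISMS:
            count += 1
    return count


def dkim_published(domain, selector, resolve):
    """True if the selector's DKIM record exists and carries a non-empty public key."""
    record = find_record(f"{selector}._domainkey.{domain}", "v=dkim1", resolve)
    return bool(record and parse_tags(record).get("p"))


def assess_domain(domain, dkim_selectors, resolve=resolve_txt):
    """The evidence an underwriter asks for, plus the gaps a checker should flag."""
    has_spf = find_record(domain, "v=spf1", resolve) is not None
    lookups = count_spf_lookups(domain, resolve)
    dmarc = find_record("_dmarc." + domain, "v=dmarc1", resolve)
    tags = parse_tags(dmarc) if dmarc else {}
    policy = tags.get("p", "absent")
    sub_policy = tags.get("sp", policy)       # sp= defaults to p= when omitted
    missing = [s for s in dkim_selectors if not dkim_published(domain, s, resolve)]
    findings = []
    if not has_spf:
        findings.append("no SPF record")
    elif lookups > SPF_LOOKUP_LIMIT:
        findings.append(f"SPF needs {lookups} DNS lookups, over the limit of {SPF_LOOKUP_LIMIT}")
    if policy not in ENFORCING:
        findings.append(f"DMARC p={policy}: monitoring only, no enforcement")
    if sub_policy not in ENFORCING:
        findings.append(f"DMARC sp={sub_policy}: subdomains are not covered")
    findings += [f"DKIM selector {s} not published" for s in missing]
    return {"spf_lookups": lookups, "spf_ok": has_spf and lookups <= SPF_LOOKUP_LIMIT,
            "dmarc_policy": policy, "dmarc_enforced": policy in ENFORCING,
            "subdomain_policy": sub_policy, "dkim_missing": missing, "findings": findings}


if __name__ == "__main__":
    for domain, selectors in (("example.com", ["mailhost", "crm"]), ("secure.example", ["mailhost"])):
        for line in assess_domain(domain, selectors)["findings"] or ["no gaps found"]:
            print(f"{domain}: {line}")
```

Against the constructed data, example.com needs 11 lookups (the three include: chains plus its own mx), so SPF is over the limit; its DMARC record is p=none with sp=none, and the CRM selector is missing, so four findings come back. secure.example returns none. The selector list passed to assess_domain has to come from the client's inventory of sending services, which is exactly the information DNS alone cannot reveal and why the Ideal Output section asks for it.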

How it Works Today

Current Manual Process

The cyber application asks about email authentication. IT says 'We have DMARC' but is unsure of the enforcement level, so the broker checks 'yes'. The underwriter asks for DNS records; IT provides a DMARC record showing p=none. The underwriter flags it as insufficient and a contingency is issued.

Friction Points

IT teams don't understand DMARC policy levels or SPF lookup limits. Brokers are unfamiliar with email authentication requirements. There is no easy way to check the DMARC enforcement level. DNS records may not show that every email-sending service is configured with DKIM.

Ideal Output

Email authentication documentation showing: SPF record with lookup count, DKIM configuration for all sending services, DMARC policy level (p= value), and confirmation that DMARC applies to all domains/subdomains.

BindLedger Tool Handoff

BindLedger email authentication checker queries DNS records to verify SPF, DKIM, and DMARC implementation, checks DMARC enforcement level, and identifies configuration gaps.


Sources

DMARC is an email authentication technology that provides policy and reporting mechanisms for DKIM and SPF, allowing the domain owner to specify how email messages that fail checks should be handled.

SPF, DKIM, and DMARC are essential email security measures; DMARC enforcement is critical for blocking spoofed emails.

The limit of 10 DNS lookups per SPF evaluation is specified in RFC 7208 and it is not optional.

Email authentication protocols help authenticate email senders by verifying that emails came from the domain they claim to be from, and are important for preventing spam, phishing attacks, and other email security risks.

Email authentication standards including DMARC enforcement are required by carriers as part of standard cyber insurance readiness checks.