Compliance · Nov 2025

Government DMARC mandates hit suppliers in 2025

Germany’s BMI and BSI are pushing federal agencies to enforce strict DMARC policies, and private vendors that supply or connect to those agencies are the next wave. This guide explains the timeline, what auditors want to see, and how to get your organisation ready before procurement starts rejecting bids.

Why governments are mandating DMARC now

Email spoofing targeting government domains has escalated sharply. In 2024, the German Federal Office for Information Security (BSI) recorded a 34 % year-on-year rise in phishing campaigns impersonating public authorities. Fraudsters clone ministry addresses to redirect tax refunds, intercept citizen data, or trick contractors into paying false invoices. DMARC at p=reject is the only technical control that categorically blocks these forged-sender attacks at the receiving mail server.

The EU NIS2 Directive, effective October 2024, reinforces this by requiring "appropriate technical measures" for email security across essential and important entities. DMARC, together with SPF and DKIM, is the baseline measure that auditors check first. Organisations that cannot demonstrate p=reject or at minimum p=quarantine face compliance gaps that can trigger supervisory action or contract exclusions.

Key deadlines and scope

The German federal mandate follows a phased schedule:

  • June 2025: All *.bund.de and primary federal ministry domains must publish DMARC p=reject. Aggregate reporting (rua) to the BSI relay is mandatory.
  • September 2025: Federal IT service providers (ITZBund clients) must demonstrate DMARC coverage for domains used in official correspondence.
  • December 2025: Municipalities and Länder administrations must have an approved DMARC project plan on file; p=quarantine minimum by this date.
  • Q1 2026: Private suppliers bidding on public contracts above €25k must submit a completed DMARC compliance checklist with their tender.

Similar schedules are running in parallel across the EU: France’s ANSSI mandated DMARC for central government in Q4 2024, the Netherlands’ NCSC requires p=reject for all rijksoverheid.nl domains, and the UK’s NCSC published updated guidance making p=reject the default recommendation for all public sector bodies.

What changes for private-sector suppliers

Even companies with no direct obligation under NIS2 are affected when they supply products or services to in-scope entities. Procurement officers increasingly add DMARC compliance to the technical requirements section of tenders. A missing or p=none policy is now treated the same as an expired SSL certificate - a red flag that can lead to bid rejection without review on merit.

Beyond procurement, cyber-insurance underwriters have begun linking premium rates to DMARC enforcement posture. An organisation running p=none receives a higher risk score, regardless of whether it has ever experienced an incident. The reasoning is straightforward: p=none means the domain owner has visibility but has chosen not to act - and that conscious inaction is viewed as a governance failure rather than a knowledge gap.

Audit artifacts you will need

Auditors and procurement teams request four categories of evidence. Preparing these before the tender or audit date saves weeks of scrambling:

  • Domain inventory with policy status: A spreadsheet or tool export listing every domain and subdomain, the current DMARC policy (none / quarantine / reject), and the responsible owner within the organisation. DMARCFlow generates this automatically from your monitoring data.
  • Alignment metrics by sending platform: Aggregated data showing what percentage of mail from each source (CRM, ERP, transactional systems, marketing platforms) passes SPF and DKIM alignment. Anything below 95 % warrants investigation before you advance to p=reject.
  • Incident runbooks: A documented procedure for what happens when a spoofing attempt is detected in DMARC reports - who is notified, within what timeframe, and what remediation steps are taken. This demonstrates that reporting is not just collected but acted on.
  • Change-log for DNS records: An audit trail showing DMARC, SPF, and DKIM record changes with timestamps and approver names. Git-based DNS management or a ticketing system export are both acceptable.

Suggested rollout for organisations starting today

If your organisation is currently at p=none or has no DMARC record, here is a realistic six-week path to p=quarantine - achievable before most 2025 deadlines:

  1. Week 1 - Inventory: List all domains. Check each for existing DMARC, SPF, and DKIM records using a tool like the DMARCFlow DMARC Checker. Identify sending platforms by reading rua aggregate reports if DMARC already exists, or by surveying IT and marketing teams.
  2. Week 2–3 - Fix SPF and DKIM: Resolve SPF lookup-count violations (max 10 DNS lookups), add DKIM signing to any platform missing it, and confirm that the signing domain aligns with the header-from domain. Misalignment is the single most common cause of authentication failures.
  3. Week 4 - Deploy p=none with rua reporting: If not already in place, publish v=DMARC1; p=none; rua=mailto:dmarc-reports@yourdomain.com; ruf=mailto:dmarc-forensics@yourdomain.com; fo=1. Let reports accumulate for at least 7–10 days before drawing conclusions.
  4. Week 5 - Analyse and remediate: Review aggregate reports. Any legitimate source failing authentication must be fixed before advancing policy. Common issues: ESP not yet configured for DKIM, a secondary mail relay using an old SPF include, or forwarding setups breaking SPF alignment.
  5. Week 6 - Advance to p=quarantine: Once 97 %+ of legitimate mail passes, set p=quarantine with pct=10 initially, then escalate to pct=100 over two weeks. Document each step with screenshots and timestamps for your audit file.
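The gate in steps 4 and 5 can be checked mechanically against the aggregate (rua) reports. As an added example that is not part of this guide or of DMARCFlow's product, the following Python script parses a constructed report in the standard DMARC aggregate XML layout, computes pass rates per sending source, flags sources under the 95 % investigation bar from the audit section, and applies the 97 % threshold before advancing to p=quarantine. The source IPs, counts and domain are constructed sample values.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample RUA aggregate report (not real data): the first source is
# an aligned corporate gateway, the second an ESP whose DKIM is not yet set up.
SAMPLE_RUA = """<feedback>
  <record><row><source_ip>203.0.113.10</source_ip><count>950</count>
    <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated>
  </row><identifiers><header_from>example.com</header_from></identifiers></record>
  <record><row><source_ip>203.0.113.10</source_ip><count>20</count>
    <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated>
  </row><identifiers><header_from>example.com</header_from></identifiers></record>
  <record><row><source_ip>198.51.100.7</source_ip><count>150</count>
    <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>pass</spf></policy_evaluated>
  </row><identifiers><header_from>example.com</header_from></identifiers></record>
  <record><row><source_ip>198.51.100.7</source_ip><count>50</count>
    <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated>
  </row><identifiers><header_from>example.com</header_from></identifiers></record>
</feedback>"""


def summarise_rua(xml_text):
    """Per source IP: (total messages, messages that passed DMARC evaluation).

    In policy_evaluated the receiver reports the *aligned* DKIM and SPF results,
    so DMARC passes when either of them is 'pass'."""
    totals = defaultdict(lambda: [0, 0])
    for rec in ET.fromstring(xml_text).iter("record"):
        row = rec.find("row")
        ip = row.findtext("source_ip")
        count = int(row.findtext("count"))
        pe = row.find("policy_evaluated")
        passed = pe.findtext("dkim") == "pass" or pe.findtext("spf") == "pass"
        totals[ip][0] += count
        totals[ip][1] += count if passed else 0
    return {ip: tuple(v) for ip, v in totals.items()}


def sources_below(summary, threshold=0.95):
    """Sources whose pass rate is under the per-platform investigation bar (95 %)."""
    return sorted(ip for ip, (total, passed) in summary.items() if passed / total < threshold)


def ready_to_advance(summary, threshold=0.97):
    """True when the overall pass rate meets the rollout gate (97 % in the guide)."""
    total = sum(t for t, _ in summary.values())
    passed = sum(p for _, p in summary.values())
    return total > 0 and passed / total >= threshold
```

In the sample, the ESP source passes only 75 % of its mail and drags the overall rate to about 94 %, so the script reports that source for remediation and refuses the move to p=quarantine.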

How DMARCFlow supports compliance projects

DMARCFlow aggregates reports from all major mailbox providers, parses them into per-source alignment dashboards, and generates compliance-ready PDF exports. The platform also monitors for new sending sources that appear without authorisation - critical in environments where marketing and development teams regularly spin up new mail-sending tools without informing IT security. Alerts can be routed to Slack, Teams, or your SIEM via webhook.

For organisations facing an imminent tender deadline, DMARCFlow’s onboarding team can walk through an expedited assessment, identify the highest-risk gaps, and produce a compliance memo within five business days. This memo is accepted by several German federal procurement offices as interim evidence while the full p=reject rollout completes.

Ready to start? Use the DMARCFlow DMARC Checker to see your current policy status in under 30 seconds, or book a compliance review with our team to map your organisation against the current mandate timeline.