---
title: "DMARC is now mandatory for Cyber Essentials Mark Certification from CSA | DuoCircle"
description: "DMARC is now mandatory for Cyber Essentials Mark Certification from CSA."
image: "https://www.duocircle.com/images/og-default.png"
canonical: "https://www.duocircle.com/blog/dmarc/dmarc-mandatory-cyber-essentials-mark-certification-csa-new-requirements-update/"
---

Quick Answer

Singapore's Cyber Security Agency now requires DMARC for the Cyber Essentials Mark Certification, the entry-level cybersecurity certification aimed at small and medium organisations. The certification covers basic cyber hygiene (malware protection, secure configurations, access controls, incident response, data protection) and is valid for two years. To meet the DMARC requirement: publish a DMARC TXT record starting at p=none with a reporting address, configure SPF to cover all approved senders, enable DKIM signing on outbound mail, then move toward p=quarantine and p=reject as report data confirms legitimate sources are passing. The certification process is a self-assessment followed by independent verification.

DMARC is now mandatory for Cyber Essentials Mark Certification from CSA

Your browser does not support the audio element.

[ Download episode](https://media.mailhop.org/duocircle/images/2026/02/DMARC-is-now-mandatory-for-Cyber-Essentials-Mark-Certification-from-CSA.mp3) 

Share 

[ ](https://www.linkedin.com/sharing/share-offsite/?url=undefined%2Fblog%2Fdmarc%2Fdmarc-mandatory-cyber-essentials-mark-certification-csa-new-requirements-update%2F "Share on LinkedIn") [ ](https://twitter.com/intent/tweet?text=DMARC%20is%20now%20mandatory%20for%20Cyber%20Essentials%20Mark%20Certification%20from%20CSA&url=undefined%2Fblog%2Fdmarc%2Fdmarc-mandatory-cyber-essentials-mark-certification-csa-new-requirements-update%2F "Share on X/Twitter") [ ](https://www.facebook.com/sharer/sharer.php?u=undefined%2Fblog%2Fdmarc%2Fdmarc-mandatory-cyber-essentials-mark-certification-csa-new-requirements-update%2F "Share on Facebook") [ ](https://reddit.com/submit?url=undefined%2Fblog%2Fdmarc%2Fdmarc-mandatory-cyber-essentials-mark-certification-csa-new-requirements-update%2F&title=DMARC%20is%20now%20mandatory%20for%20Cyber%20Essentials%20Mark%20Certification%20from%20CSA "Share on Reddit") [ ](mailto:?subject=DMARC%20is%20now%20mandatory%20for%20Cyber%20Essentials%20Mark%20Certification%20from%20CSA&body=Check out this article: undefined%2Fblog%2Fdmarc%2Fdmarc-mandatory-cyber-essentials-mark-certification-csa-new-requirements-update%2F "Share via Email") 

![DMARC is now mandatory](https://media.mailhop.org/duocircle/images/2026/02/email-smtp-service-5327.jpg) 

Cybersecurity certifications are no longer just a checklist item. They are becoming a clear signal that an organisation takes digital risk seriously. As cyber threats continue to target email as an entry point, the [Cyber Security Agency](https://en.wikipedia.org/wiki/Cyber%5FSecurity%5FAgency) of Singapore has strengthened its expectations by making DMARC a mandatory requirement for **Cyber Essentials Mark Certification**.

_This change highlights a major shift in how organisations are expected to approach basic cyber hygiene_. Email authentication is now seen as a core security control rather than an optional technical upgrade. For many businesses, especially **small and medium-sized organisations**, this update may feel like a technical hurdle. In reality, it is a practical step toward preventing spoofing, phishing, and [brand impersonation attacks](https://www.darkreading.com/cyberattacks-data-breaches/operation-doppelbrand-weaponizing-fortune-500-brands) that can lead to data loss and reputational damage.

In this blog, we will break down what the Cyber Essentials Mark Certification is, how [DMARC](/resources/what-is-dmarc) works, why it plays a key role in [email security](/), and the practical steps organisations can take to meet this new requirement with confidence.

[![Mandatory Requirement](https://media.mailhop.org/duocircle/images/2026/02/dmarc-report-7001.jpg)](https://media.mailhop.org/duocircle/images/2026/02/dmarc-report-7001.jpg)

## What is the Cyber Essentials Mark Certification?

_The Cyber Essentials Mark Certification is a cybersecurity certification developed by the Cyber Security Agency of Singapore (CSA) to help organisations build strong basic cyber protection_. It is primarily designed for businesses seeking a clear, practical starting point for improving cybersecurity, especially small and medium-sized organisations that may not have large security teams.

In simple terms, the certification focuses on essential cyber hygiene. This includes implementing basic safeguards such as malware protection, secure system configurations, access controls, incident response plans, and **data protection practices**. The idea is not to achieve advanced enterprise-level **security** immediately, but to ensure organisations have the right fundamentals in place to defend against common cyberattacks.

The certification process usually involves a self-assessment followed by verification by an independent assessor appointed by CSA. Once approved, organisations receive the Cyber Essentials Mark as proof that they meet the required **security standards**.

_The certification is valid for two years, after which organisations must renew it to maintain their certified status and ensure their security practices remain up to date as threats evolve_.

## What is DMARC

DMARC stands for Domain-based Message Authentication, Reporting, and Conformance. It is an [email authentication](/resources/email-authentication) protocol that helps protect domains from email spoofing, phishing, and impersonation attacks. DMARC works with two existing email security standards, SPF and DKIM, to verify whether an email was sent from the domain it claims to originate from.

[![spf, dkim & dmarc](https://media.mailhop.org/duocircle/images/2026/02/SMTP-providers-7002.jpg)](https://media.mailhop.org/duocircle/images/2026/02/SMTP-providers-7002.jpg)

In simple terms, DMARC tells receiving [mail servers](https://www.cloudflare.com/learning/email-security/what-is-a-mail-server/) how to handle emails that fail authentication checks. It also gives domain owners visibility into how their emails are being used by **sending detailed reports**. This makes it easier for organisations to control their email ecosystem and reduce fraud.

DMARC is important because email remains one of the most common entry points for cyberattacks. Without **proper authentication**, attackers can easily send fake emails pretending to be trusted brands or businesses. DMARC helps receiving servers identify these illegitimate messages and prevents them from reaching inboxes.

## How does DMARC work

First, a domain owner **publishes a DMARC policy** in their [DNS records](https://www.cloudflare.com/learning/dns/dns-records/). When an email is received, the receiving mail server checks SPF and DKIM to verify authenticity. DMARC then checks whether at least one of these authentication results aligns with the domain shown in the “From” address. _Based on the domain owner’s policy, the receiver decides how to handle the message_.

[![none](https://media.mailhop.org/duocircle/images/2026/02/Office-365-migration-7003.jpg)](https://media.mailhop.org/duocircle/images/2026/02/Office-365-migration-7003.jpg)

If the message passes DMARC, it is delivered normally to the inbox. If it fails, the policy defines the next action.

- The ‘none’ policy allows the email, but **records it for monitoring**.
- The ‘quarantine’ policy sends the email to spam or junk folders.
- The ‘reject’ policy blocks the email completely, so it never reaches the recipient.

Another important feature of DMARC is reporting. Receiving servers send feedback reports to domain owners, helping them monitor authentication results and improve their email security over time. This continuous **visibility allows organisations** to strengthen protection while maintaining legitimate email delivery.

## How DMARC contributes to email security

_Email threats rarely begin with complex hacking techniques. Most attacks start with simple impersonation attempts that look trustworthy enough for someone to click_. DMARC strengthens email security by giving domain owners control over how their emails are verified and how [suspicious messages](https://thehackernews.com/2026/01/cybercriminals-abuse-google-cloud-email.html) are handled across the internet.

### Prevents domain spoofing

_DMARC helps stop attackers from sending emails that appear to come from your domain_. By requiring authentication checks through [SPF](/resources/what-is-spf) and DKIM, it ensures only approved senders can **use your domain name**. This reduces fake emails that try to trick customers, employees, or partners.

### Reduces phishing risks

Phishing emails often rely on brand impersonation to gain trust. DMARC allows domain owners to instruct receiving mail servers to **quarantine or reject** unauthenticated messages. This limits the number of fraudulent emails reaching inboxes, reducing the likelihood that users will be targeted by [phishing scams](https://www.cybersecuritydive.com/news/mobile-phishing-risks-lookout/752824/).

### Improves email deliverability

When a domain uses DMARC correctly, mailbox providers see it as more trustworthy. Authenticated emails are more likely to reach inboxes instead of spam folders. This helps businesses maintain consistent communication while **improving sender reputation** and overall email performance.

[![dmarc mandatory](https://media.mailhop.org/duocircle/images/2026/02/dkim-selector-4128.jpg)](https://media.mailhop.org/duocircle/images/2026/02/dkim-selector-4128.jpg)

### Gives visibility through reports

DMARC provides detailed reports from **receiving mail servers** showing which emails pass or fail authentication. _These reports help organisations understand who is sending emails on their behalf, identify misuse, and fix configuration issues before they become larger security problems_.

### Supports compliance and security standards

Many modern cybersecurity frameworks now expect strong email authentication practices. Implementing DMARC helps organisations align with security requirements and demonstrate responsible **email management**. It shows that the organisation is actively working to reduce common cyber risks.

### Builds trust with customers and partners

When [spoofed emails](https://www.infosecurity-magazine.com/news/infosec2025-email-domains-spoofing/) are blocked, customers receive fewer fake messages pretending to be your brand. This protects your reputation and builds confidence in your communications. Over time, consistent email authentication helps strengthen trust between businesses and their audiences.

[![trust](https://media.mailhop.org/duocircle/images/2026/02/smtp-service-7004.jpg)](https://media.mailhop.org/duocircle/images/2026/02/smtp-service-7004.jpg)

## Practical steps to meet this requirement

To meet CSA’s Cyber Essentials DMARC requirements, organisations should follow a few simple steps:

### Publish a DMARC record in DNS

Start by adding a DMARC record with a monitoring policy (p=none). This allows you to collect data and understand your [email traffic](https://emailanalytics.com/email-traffic/) without affecting email delivery.

### Set up SPF and DKIM

Make sure your SPF record includes all approved email sending services. Enable [DKIM](/email-hosting/what-is-dkim-and-why-you-should-use-it-to-secure-your-email/) signing so ensure outgoing emails are verified and trusted by receiving servers.

[![publish record](https://media.mailhop.org/duocircle/images/2026/02/spf-permerror-7005.jpg)](https://media.mailhop.org/duocircle/images/2026/02/spf-permerror-7005.jpg)

### Move towards stronger enforcement

Once your email setup is stable and properly configured, gradually update your DMARC policy to a stricter level, such as **p=quarantine or p=reject** to better [block suspicious emails](https://www.bleepingcomputer.com/news/microsoft/microsoft-anti-phishing-rules-mistakenly-blocked-emails-teams-messages/).

### Review DMARC reports regularly

**Check aggregate and forensic reports** to see how your emails are performing. These reports help you identify unauthorised senders and improve your authentication settings over time.

## Final words

The inclusion of DMARC as a mandatory requirement for **Cyber Essentials Mark Certification** underscores the importance of email security in modern cybersecurity frameworks. Since email remains one of the most common attack vectors, organisations can no longer rely on basic filters alone to stay protected.

By implementing DMARC along with SPF and DKIM, businesses gain stronger protection against [spoofing and phishing](https://www.msspalert.com/brief/novel-usps-spoofing-phishing-attack-relies-on-malicious-pdfs) while improving email trust and deliverability. More importantly, they demonstrate that their security practices align with current standards and real-world threats.

_For organisations pursuing the Cyber Essentials Mark, this requirement should not be seen as just another compliance task_. It is an opportunity to build a stronger security foundation, protect brand reputation, and create safer communication for employees, customers, and partners. Starting early, monitoring regularly, and moving toward enforcement will make the **certification journey** smoother and far more effective in the long run.

[Reach out to the DuoCircle team](/contact) to get started with SPF, DKIM, and DMARC.

## Topics

cyber securityDMARCemail securitySecurityspfSPF record 

![Brad Slavin](https://media.mailhop.org/dmarcreport/images/team/brad-slavin.jpg) 

Brad Slavin 

General Manager

General Manager at DuoCircle. Product strategy and commercial lead across the email security portfolio.

## Secure your email infrastructure

Protect, authenticate, and deliver. Contact our team to find the right solution.

[Contact Sales](/contact/) [Explore Products](/products/) 

## Related Articles

[  DMARC 17m  SPF Record Generator: Create Accurate SPF Records for Email Authentication  Apr 1, 2025 ](/blog/dmarc/spf-record-generator-create-accurate-spf-records-for-email-authentication/)[  DMARC 7m  Cloudflare’s new SPF, DKIM, and DMARC requirements  Jul 18, 2025 ](/blog/dmarc/cloudflares-new-spf-dkim-and-dmarc-requirements/)[  DMARC 5m  DMARC is now mandatory in New Zealand: Here’s what the NZ government expects  Jul 9, 2025 ](/blog/dmarc/dmarc-mandatory-new-zealand-nz-government-email-security-requirements/)[  DMARC 6m  How can the finance sector leverage DMARC to defend against email fraud?  Aug 20, 2025 ](/blog/dmarc/how-finance-sector-leverages-dmarc-to-defend-against-email-fraud/)

```json
{"@context":"https://schema.org","@type":"Organization","name":"DuoCircle LLC","url":"https://www.duocircle.com","logo":{"@type":"ImageObject","url":"https://www.duocircle.com/images/duocircle-logo.png"},"description":"DuoCircle is a portfolio of specialized email products covering protection, authentication, delivery, and routing. We deliver about 90% of category-leader capability at roughly half the price, backed by experts who own the outcome. Trusted by 50,000+ organizations since 2014.","subOrganization":[{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138898167","name":"DMARC Report","url":"https://dmarcreport.com"},{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897474","name":"AutoSPF","url":"https://autospf.com"},{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897912","name":"Phish Protection","url":"https://www.phishprotection.com"}],"sameAs":["https://www.linkedin.com/company/duocircle","https://x.com/duocirclellc","https://www.facebook.com/duocirclellc","https://www.g2.com/products/phish-protection-by-duocircle/reviews","https://github.com/duocircle","https://www.crunchbase.com/organization/duocircle-llc"],"contactPoint":{"@type":"ContactPoint","contactType":"customer support","url":"https://support.duocircle.com"},"knowsAbout":["Email Security","Email Authentication","SPF","DKIM","DMARC","Phishing Protection","Spam Filtering","SMTP Relay","Email Deliverability","Email Forwarding"]}
```

```json
{"@context":"https://schema.org","@type":"WebSite","name":"DuoCircle LLC","url":"https://www.duocircle.com","description":"DuoCircle is a portfolio of specialized email products covering protection, authentication, delivery, and routing. We deliver about 90% of category-leader capability at roughly half the price, backed by experts who own the outcome. Trusted by 50,000+ organizations since 2014.","publisher":{"@type":"Organization","name":"DuoCircle LLC","url":"https://www.duocircle.com","logo":{"@type":"ImageObject","url":"https://www.duocircle.com/images/duocircle-logo.png"},"description":"DuoCircle is a portfolio of specialized email products covering protection, authentication, delivery, and routing. We deliver about 90% of category-leader capability at roughly half the price, backed by experts who own the outcome. Trusted by 50,000+ organizations since 2014.","subOrganization":[{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138898167","name":"DMARC Report","url":"https://dmarcreport.com"},{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897474","name":"AutoSPF","url":"https://autospf.com"},{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897912","name":"Phish Protection","url":"https://www.phishprotection.com"}]}}
```

```json
[{"@context":"https://schema.org","@type":"BlogPosting","headline":"DMARC is now mandatory for Cyber Essentials Mark Certification from CSA","description":"DMARC is now mandatory for Cyber Essentials Mark Certification from CSA.","url":"https://www.duocircle.com/blog/dmarc/dmarc-mandatory-cyber-essentials-mark-certification-csa-new-requirements-update/","datePublished":"2026-02-20T18:21:27.000Z","dateModified":"2026-02-23T15:20:36.000Z","dateCreated":"2026-02-20T18:21:27.000Z","author":{"@type":"Person","@id":"https://www.duocircle.com/authors/brad-slavin/#person","name":"Brad Slavin","url":"https://www.duocircle.com/authors/brad-slavin/","jobTitle":"General Manager","description":"Brad Slavin runs DuoCircle, the company behind DMARC Report, AutoSPF, Phish Protection, and Mailhop. His focus is product strategy, customer relationships, and the commercial and compliance side of email authentication (DPAs, SLAs, enterprise procurement).","image":"https://media.mailhop.org/dmarcreport/images/team/brad-slavin.jpg","knowsAbout":["Email Security Strategy","SaaS Product Management","Enterprise Compliance","Customer Success","Email Deliverability Business"],"worksFor":{"@type":"Organization","name":"DuoCircle LLC","url":"https://www.duocircle.com"},"sameAs":["https://www.linkedin.com/in/bradslavin"]},"publisher":{"@type":"Organization","name":"DuoCircle LLC","url":"https://www.duocircle.com","logo":{"@type":"ImageObject","url":"https://www.duocircle.com/images/duocircle-logo.png"},"description":"DuoCircle is a portfolio of specialized email products covering protection, authentication, delivery, and routing. We deliver about 90% of category-leader capability at roughly half the price, backed by experts who own the outcome. Trusted by 50,000+ organizations since 2014.","subOrganization":[{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138898167","name":"DMARC Report","url":"https://dmarcreport.com"},{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897474","name":"AutoSPF","url":"https://autospf.com"},{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897912","name":"Phish Protection","url":"https://www.phishprotection.com"}]},"mainEntityOfPage":{"@type":"WebPage","@id":"https://www.duocircle.com/blog/dmarc/dmarc-mandatory-cyber-essentials-mark-certification-csa-new-requirements-update/"},"articleSection":"dmarc","keywords":"cyber security, DMARC, email security, Security, spf, SPF record","wordCount":1291,"image":{"@type":"ImageObject","url":"https://media.mailhop.org/duocircle/images/2026/02/email-smtp-service-5327.jpg","caption":"DMARC is now mandatory","width":900,"height":600},"speakable":{"@type":"SpeakableSpecification","cssSelector":[".answer-block","h1"]}},{"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"name":"Blog","item":"https://www.duocircle.com/blog/"},{"@type":"ListItem","position":2,"name":"DMARC"},{"@type":"ListItem","position":3,"name":"DMARC is now mandatory for Cyber Essentials Mark Certification from CSA","item":"https://www.duocircle.com/blog/dmarc/dmarc-mandatory-cyber-essentials-mark-certification-csa-new-requirements-update/"}]}]
```

```json
{"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https://www.duocircle.com/"},{"@type":"ListItem","position":2,"name":"Blog","item":"https://www.duocircle.com/blog/"},{"@type":"ListItem","position":3,"name":"DMARC","item":"https://www.duocircle.comundefined"},{"@type":"ListItem","position":4,"name":"DMARC is now mandatory for Cyber Essentials Mark Certification from CSA","item":"https://www.duocircle.com/blog/dmarc/dmarc-mandatory-cyber-essentials-mark-certification-csa-new-requirements-update/"}]}
```

```json
{"@context":"https://schema.org","@type":"BlogPosting","headline":"DMARC is now mandatory for Cyber Essentials Mark Certification from CSA","description":"DMARC is now mandatory for Cyber Essentials Mark Certification from CSA.","url":"https://www.duocircle.com/blog/dmarc/dmarc-mandatory-cyber-essentials-mark-certification-csa-new-requirements-update/","datePublished":"2026-02-20T18:21:27.000Z","dateModified":"2026-02-23T15:20:36.000Z","dateCreated":"2026-02-20T18:21:27.000Z","author":{"@type":"Person","@id":"https://www.duocircle.com/authors/brad-slavin/#person","name":"Brad Slavin","url":"https://www.duocircle.com/authors/brad-slavin/","jobTitle":"General Manager","description":"Brad Slavin runs DuoCircle, the company behind DMARC Report, AutoSPF, Phish Protection, and Mailhop. His focus is product strategy, customer relationships, and the commercial and compliance side of email authentication (DPAs, SLAs, enterprise procurement).","image":"https://media.mailhop.org/dmarcreport/images/team/brad-slavin.jpg","knowsAbout":["Email Security Strategy","SaaS Product Management","Enterprise Compliance","Customer Success","Email Deliverability Business"],"worksFor":{"@type":"Organization","name":"DuoCircle LLC","url":"https://www.duocircle.com"},"sameAs":["https://www.linkedin.com/in/bradslavin"]},"publisher":{"@type":"Organization","name":"DuoCircle LLC","url":"https://www.duocircle.com","logo":{"@type":"ImageObject","url":"https://www.duocircle.com/images/duocircle-logo.png"},"description":"DuoCircle is a portfolio of specialized email products covering protection, authentication, delivery, and routing. We deliver about 90% of category-leader capability at roughly half the price, backed by experts who own the outcome. Trusted by 50,000+ organizations since 2014.","subOrganization":[{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138898167","name":"DMARC Report","url":"https://dmarcreport.com"},{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897474","name":"AutoSPF","url":"https://autospf.com"},{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897912","name":"Phish Protection","url":"https://www.phishprotection.com"}]},"mainEntityOfPage":{"@type":"WebPage","@id":"https://www.duocircle.com/blog/dmarc/dmarc-mandatory-cyber-essentials-mark-certification-csa-new-requirements-update/"},"articleSection":"dmarc","keywords":"cyber security, DMARC, email security, Security, spf, SPF record","wordCount":1291,"image":{"@type":"ImageObject","url":"https://media.mailhop.org/duocircle/images/2026/02/email-smtp-service-5327.jpg","caption":"DMARC is now mandatory","width":900,"height":600},"speakable":{"@type":"SpeakableSpecification","cssSelector":[".answer-block","h1"]}}
```