Australian Government DMARC Requirements: ASD Essential Eight and How to Comply
DMARC enforcement is one of the email security controls the ASD publishes alongside the Essential Eight. Learn what Australian government agencies are required to do and how to implement DMARC to meet it.
Last updated: 2026-05-13
Email spoofing targeting government agencies is not a theoretical risk; it is a daily reality across Australian public sector networks. The Australian Signals Directorate (ASD) recognised this threat and publishes email authentication controls in its Information Security Manual (ISM) and email security guidance, alongside the Essential Eight, the baseline cybersecurity framework for Commonwealth entities. If your organisation operates within the Australian government or handles government email, DMARC enforcement is not optional. It is a compliance requirement.
This guide explains where DMARC fits within the ASD Essential Eight and the Protective Security Policy Framework (PSPF), who must comply, and how to implement it correctly.
The ASD Essential Eight
The Essential Eight is a set of prioritised mitigation strategies developed by the ASD to help organisations protect against cybersecurity incidents. Originally published as the "Top 4" in 2011 and expanded to eight strategies in 2017, the framework has become the de facto cybersecurity standard for Australian government agencies.
The eight strategies are organised around three objectives: preventing malware delivery and execution, limiting the extent of incidents, and recovering data and system availability. Email authentication serves the first objective, stopping spoofed mail before it reaches users, even though it sits outside the eight strategies themselves.
DMARC is not one of the eight strategies. The Essential Eight addresses email-borne threats indirectly, through controls such as configuring Microsoft Office macro settings and user application hardening, which limit what a malicious attachment or link can do once it has been delivered. SPF, DKIM and DMARC sit in the ASD's complementary guidance: the ISM's email guidelines and the ACSC's email security hardening publications. The Australian Cyber Security Centre (ACSC), the operational arm of the ASD, explicitly recommends SPF, DKIM, and DMARC as essential controls for any organisation sending and receiving email on government domains.
The ASD Essential Eight maturity model operates across four levels: Maturity Level Zero (weaknesses in overall posture), Maturity Level One (partly aligned), Maturity Level Two (mostly aligned), and Maturity Level Three (fully aligned). These levels grade the eight strategies only; email authentication is not scored by them. It is the ISM's email guidelines that call for DMARC at p=reject, and an agency assessed against the ISM alongside its Essential Eight maturity is expected to have it in place.
What the Requirement Says
The ASD's guidance on email security is direct. The ISM's email guidelines require organisations to implement:
- DMARC at p=reject: not p=none or p=quarantine, but full rejection of unauthenticated messages. This is the strongest enforcement policy, ensuring spoofed emails are blocked before reaching any recipient.
- SPF hardened with -all: the SPF record must end with a hard fail mechanism, meaning any server not explicitly listed is rejected. Soft fail (~all) is not sufficient.
- DKIM signing for all outbound email: every message leaving the organisation must carry a valid DKIM signature, providing cryptographic proof that the message was authorised by the domain and has not been altered in transit.
These three controls work together. SPF verifies that the sending server is authorised for the envelope sender domain, DKIM verifies that the message was signed by the domain and has not been altered in transit, and DMARC ties both to the visible From: address through its alignment rules and attaches an enforcement policy. Without all three properly configured, the email authentication chain has gaps that attackers can exploit.
A common mistake is publishing a DMARC record at p=none and treating it as compliant. p=none is a monitoring phase, not an acceptable end state. Assessors expect to see p=reject in production, on every domain the agency controls.
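To make the three controls concrete, here is an added example (not part of the original page or of any ASD publication) that evaluates published SPF and DMARC TXT records against them: SPF must end in -all, DMARC must carry p=reject with an rua address, and the effective subdomain policy (sp, which inherits p when absent) must also be reject. The domain names, addresses and records are constructed for illustration; in practice you would fetch the TXT records from DNS and feed them in.

```python
"""Evaluate SPF and DMARC TXT records against the three controls above.
Added example; the records below are constructed for illustration."""

import re

# Constructed sample TXT records for hypothetical agency domains.
SAMPLE_RECORDS = {
    "agency.example.gov.au": {
        "spf": "v=spf1 ip4:203.0.113.0/24 include:_spf.example.net -all",
        "dmarc": "v=DMARC1; p=reject; rua=mailto:dmarc@agency.example.gov.au; adkim=s; aspf=s",
    },
    "legacy.example.gov.au": {  # still monitoring, soft-fail SPF
        "spf": "v=spf1 include:_spf.example.net ~all",
        "dmarc": "v=DMARC1; p=none; rua=mailto:dmarc@legacy.example.gov.au",
    },
    "parked.example.gov.au": {  # no records at all
        "spf": None,
        "dmarc": None,
    },
}


def parse_dmarc(record):
    """Parse a DMARC TXT record (tag=value pairs separated by ';') into a dict.
    Returns None when the record is missing or does not start with v=DMARC1."""
    if not record:
        return None
    tags = {}
    for part in record.split(";"):
        key, _, value = part.strip().partition("=")
        if key:
            tags[key.strip().lower()] = value.strip()
    return tags if tags.get("v", "").upper() == "DMARC1" else None


def spf_all_qualifier(record):
    """Return the qualifier on the SPF 'all' mechanism ('-', '~', '?' or '+'),
    or None if there is no v=spf1 record or no 'all' mechanism."""
    if not record or not record.lower().startswith("v=spf1"):
        return None
    for term in record.split()[1:]:
        match = re.fullmatch(r"([-~?+]?)all", term, re.IGNORECASE)
        if match:
            return match.group(1) or "+"  # a bare 'all' means '+all'
    return None


def evaluate_domain(spf, dmarc):
    """Return a list of findings; an empty list means the domain meets
    SPF hard fail, DMARC p=reject with reporting, and subdomain reject."""
    findings = []
    qualifier = spf_all_qualifier(spf)
    if qualifier is None:
        findings.append("SPF: no v=spf1 record or no 'all' mechanism")
    elif qualifier != "-":
        findings.append(f"SPF: terminal mechanism is {qualifier}all, expected -all")

    tags = parse_dmarc(dmarc)
    if tags is None:
        findings.append("DMARC: no valid v=DMARC1 record")
        return findings
    policy = tags.get("p", "")
    if policy != "reject":
        findings.append(f"DMARC: p={policy or 'missing'}, expected p=reject")
    # Subdomains inherit p unless an sp tag overrides it (RFC 7489, section 6.3).
    sub_policy = tags.get("sp", policy) or "missing"
    if sub_policy != "reject":
        findings.append(f"DMARC: effective subdomain policy is {sub_policy}, expected reject")
    if "rua" not in tags:
        findings.append("DMARC: no rua tag, so no aggregate reports will arrive")
    # pct defaults to 100; anything lower leaves a share of mail unenforced.
    if int(tags.get("pct", "100")) != 100:
        findings.append(f"DMARC: pct={tags['pct']}, policy applies to only part of mail")
    return findings


def evaluate_all(records):
    """Evaluate every domain in a {domain: {'spf': ..., 'dmarc': ...}} map."""
    return {d: evaluate_domain(r["spf"], r["dmarc"]) for d, r in records.items()}


if __name__ == "__main__":
    for domain, findings in evaluate_all(SAMPLE_RECORDS).items():
        print(("PASS " if not findings else "FAIL ") + domain)
        for finding in findings:
            print("  - " + finding)
```

Run against the constructed records, the first domain passes cleanly, the legacy domain is flagged for ~all and p=none, and the parked domain is flagged for having no records at all, which is exactly the gap attackers look for. The pct check matters because a record left at pct=50 from a staged rollout looks like reject but enforces only half the time.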
The Protective Security Policy Framework (PSPF)
Beyond the Essential Eight, the PSPF establishes mandatory security requirements for Australian Government entities. Administered by the Attorney-General's Department, the PSPF covers governance, information security, personnel security, and physical security.
Under the PSPF's information security requirements, entities must protect official information and manage risks to government communication channels, and the PSPF points entities to the ISM for the technical controls that do so. Email authentication falls squarely within this scope: the ISM's email guidelines call for SPF hard fail, DKIM signing and DMARC at reject, and DMARC is the mechanism that prevents unauthorised use of government domains.
The PSPF also requires entities to report annually on their security posture. Agencies that have not implemented DMARC enforcement may find themselves flagged in these assessments, particularly as the government continues to raise the bar on cybersecurity maturity.
Who Must Comply
The scope of these requirements is broader than many organisations realise.
Commonwealth entities — all Australian Government departments and agencies are required to comply with the PSPF and are expected to align with the Essential Eight at a minimum of Maturity Level Two. This includes large departments like Defence, Home Affairs, and Services Australia, as well as smaller statutory bodies and commissions.
State and territory agencies — while the PSPF and Essential Eight are Commonwealth frameworks, many state and territory governments have adopted them as their own baseline. Agencies in New South Wales, Victoria, Queensland, and other jurisdictions increasingly reference the Essential Eight in their cybersecurity policies.
Contractors and service providers — organisations that handle government email, operate email infrastructure on behalf of agencies, or send email using government domains must meet the same authentication standards. If you are a managed service provider (MSP) or IT contractor working with government clients, DMARC enforcement is part of your obligation. For guidance on managing this across multiple clients, see our DMARC for MSPs guide.
Government-adjacent organisations — universities receiving government research funding, healthcare providers in government programmes, and NGOs administering government services may also fall within scope depending on their contractual obligations.
Implementation Steps
Moving from no DMARC to full enforcement requires a methodical approach. Rushing to p=reject without proper preparation risks blocking legitimate government communications. Here is the recommended path for Australian government agencies.
Assess your current maturity level
Determine where your organisation sits. If you have no DMARC record at all, you have no visibility of who is sending as your domain and are starting from scratch; if you have a record at p=none, you are part-way through the monitoring phase. Understanding your starting point helps you plan realistic timelines and allocate resources. Check your current records at dmarcrecordchecker.com.
Audit all domains
Government agencies often operate multiple domains: primary domains, legacy domains, campaign-specific domains, and subdomains for different services. Every domain that can send email must be accounted for. Do not forget parked or inactive domains, as attackers frequently spoof domains that have no authentication records at all. A domain that never sends mail has no legitimate senders to discover, so it can go straight to enforcement: publish v=spf1 -all and a DMARC record at p=reject on it without a monitoring period.
Deploy DMARC in monitoring mode
Publish a DMARC record at p=none with reporting enabled (an rua tag pointing at a mailbox you actually monitor) on all domains. This allows you to collect aggregate reports showing who is sending email as your domain without affecting mail delivery. If the reporting address is on a different domain from the one being monitored, the report domain must publish an authorisation record (a TXT record at <your-domain>._report._dmarc.<report-domain> containing v=DMARC1) or receivers will not send the reports. Monitor for at least four to six weeks to build a complete picture; low-volume systems such as quarterly mailouts may appear only once in that window.
Authenticate all legitimate senders
Using the data from your DMARC reports, identify every legitimate sending source: your email gateway, marketing platforms, HR systems, helpdesk tools, and third-party services. Ensure each one is covered by your SPF record and configured with DKIM signing, and that at least one of the two aligns with your From: domain. A third party that signs with its own DKIM domain or uses its own envelope sender will pass raw authentication yet still fail DMARC; it needs either a DKIM key published under your domain (typically via a CNAME the vendor supplies) or an envelope-from on your domain. Watch the SPF limit of ten DNS lookups as well, since long include chains exceed it easily and a record over the limit evaluates as a permanent error. Build your SPF record at spfcreator.com and generate DKIM keys at dkimcreator.com.
Move to enforcement
Once your reports show that all legitimate email passes DMARC checks, move to p=quarantine for a brief transition period, then to p=reject. The pct tag can be used to apply the stricter policy to a percentage of mail first, but it must be back at 100 (or absent) in the final state. Harden your SPF record to use -all instead of ~all. This is the configuration the ISM's email controls call for, and the one assessors expect to see.
Document for compliance assessment
Maintain records of your DMARC implementation journey — the initial audit, monitoring data, changes made, and the final enforcement configuration. PSPF reporting and Essential Eight assessments require evidence that controls are in place and actively managed, not just a DNS record.
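The monitoring and sender-identification steps above rest on reading the aggregate (rua) reports. As an added example (not part of the original page), the following parses one report in the RFC 7489 Appendix C XML layout, groups it by source IP, and separates three cases: sources that already pass DMARC, third parties that authenticate under their own domain but are not aligned with yours, and sources with no passing authentication at all. It also totals the mail that would be refused if the published policy moved to reject. The report, domains and addresses are constructed.

```python
"""Summarise a DMARC aggregate (rua) report by sending source.
Added example; the report below is constructed in the RFC 7489
Appendix C XML layout and is not a real receiver's report."""

import xml.etree.ElementTree as ET

# Constructed sample report for a hypothetical domain still at p=none.
SAMPLE_REPORT = """<feedback>
  <report_metadata>
    <org_name>receiver.example.net</org_name>
    <report_id>constructed-report-1</report_id>
    <date_range><begin>1700000000</begin><end>1700086400</end></date_range>
  </report_metadata>
  <policy_published>
    <domain>agency.example.gov.au</domain>
    <adkim>r</adkim><aspf>r</aspf><p>none</p><sp>none</sp><pct>100</pct>
  </policy_published>
  <record>
    <row><source_ip>203.0.113.10</source_ip><count>1250</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>agency.example.gov.au</header_from></identifiers>
    <auth_results>
      <dkim><domain>agency.example.gov.au</domain><result>pass</result></dkim>
      <spf><domain>agency.example.gov.au</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <record>
    <row><source_ip>198.51.100.7</source_ip><count>40</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>agency.example.gov.au</header_from></identifiers>
    <auth_results>
      <dkim><domain>bulkmail.example.com</domain><result>pass</result></dkim>
      <spf><domain>bulkmail.example.com</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <record>
    <row><source_ip>192.0.2.99</source_ip><count>300</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>agency.example.gov.au</header_from></identifiers>
    <auth_results><spf><domain>agency.example.gov.au</domain><result>fail</result></spf></auth_results>
  </record>
</feedback>"""


def summarise_report(xml_text):
    """Return (published policy dict, {source_ip: stats}) for one report."""
    root = ET.fromstring(xml_text)
    policy = {el.tag: el.text for el in root.find("policy_published")}
    sources = {}
    for rec in root.findall("record"):
        row = rec.find("row")
        ip = row.findtext("source_ip")
        count = int(row.findtext("count"))
        evaluated = row.find("policy_evaluated")
        # policy_evaluated holds the aligned results that DMARC actually uses.
        aligned = "pass" in (evaluated.findtext("dkim"), evaluated.findtext("spf"))
        # auth_results holds raw results for whichever domain signed or was the
        # envelope sender; it tells a legitimate but unaligned vendor apart
        # from a source that does not authenticate at all.
        raw_pass = {
            el.findtext("domain")
            for kind in ("dkim", "spf")
            for el in rec.findall("auth_results/" + kind)
            if el.findtext("result") == "pass"
        }
        stats = sources.setdefault(ip, {"count": 0, "dmarc_pass": 0, "raw_pass_domains": set()})
        stats["count"] += count
        stats["dmarc_pass"] += count if aligned else 0
        stats["raw_pass_domains"] |= raw_pass
    return policy, sources


def classify(stats):
    """Label a source for the sender-identification step."""
    if stats["dmarc_pass"] == stats["count"]:
        return "aligned"                # already passes; nothing to do
    if stats["raw_pass_domains"]:
        return "unaligned third party"  # authenticates, but not as your domain
    return "unauthenticated"            # unknown sender or spoofing


def triage(xml_text):
    """Return (published p, {ip: (label, count)}, messages that would fail at reject)."""
    policy, sources = summarise_report(xml_text)
    labelled = {ip: (classify(s), s["count"]) for ip, s in sources.items()}
    would_fail = sum(s["count"] - s["dmarc_pass"] for s in sources.values())
    return policy.get("p"), labelled, would_fail


if __name__ == "__main__":
    published, labelled, would_fail = triage(SAMPLE_REPORT)
    print(f"published policy: p={published}")
    for ip, (label, count) in labelled.items():
        print(f"{ip:<15} {count:>6}  {label}")
    print(f"messages that would fail at p=reject: {would_fail}")
```

Real reports arrive at the rua address as zipped or gzipped attachments, one per receiver per day, so in practice you unpack each file and merge the per-IP stats across the whole monitoring window before acting. The "unaligned third party" label is the one that usually needs work: the vendor is legitimate and is authenticating, just not as your domain, and it will start failing the moment you move to reject.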
The Broader Australian Context
The ASD and ACSC provide ongoing guidance beyond the Essential Eight framework. The ACSC's publications on email security hardening detail specific technical configurations for government environments, including recommendations for mail gateway settings, TLS enforcement, and DMARC aggregate report analysis.
For agencies operating under the .gov.au domain, there are additional considerations. The Digital Transformation Agency (DTA) manages the gov.au domain space, and agencies must ensure their DNS records — including SPF, DKIM, and DMARC — are correctly configured within this namespace. Misconfigured records on government domains carry reputational risk beyond the individual agency.
If your agency operates multiple subdomains under a primary .gov.au domain, check the subdomain policy on the organisational domain's DMARC record. Subdomains without their own DMARC record inherit the organisational domain's p value unless an sp tag overrides it, so p=reject already covers them; the risk is an sp=none left over from the rollout phase, or a p=quarantine transition that leaves subdomains weaker than intended. Publishing sp=reject explicitly removes the ambiguity and prevents attackers from spoofing subdomains that do not have their own DMARC records. See our guide on DMARC for subdomains for detailed configuration advice.
Lessons from the United Kingdom
Australia's approach to government DMARC requirements closely mirrors the model established by the United Kingdom's National Cyber Security Centre (NCSC). The UK mandated DMARC at p=reject for all government domains under the .gov.uk namespace and saw measurable results — a significant reduction in spoofed government emails reaching citizens.
The parallels are instructive. Both countries operate centralised cybersecurity agencies that issue binding guidance to government entities. Both frameworks treat DMARC enforcement as a non-negotiable baseline rather than a recommendation. And both have found that the monitoring-to-enforcement pathway works, provided agencies commit to the process and allocate sufficient time for the monitoring phase.
Australian agencies can learn from the UK experience: the organisations that struggled most were those that tried to skip the monitoring phase or underestimated the number of legitimate sending sources on their domains. A thorough audit and patient monitoring period are the keys to a smooth transition. For a detailed look at the UK requirements, see our guide on UK government DMARC requirements.
Act Now, Not at Assessment Time
The worst time to implement DMARC enforcement is the week before a compliance assessment. Email authentication requires time — time to discover all sending sources, time to monitor, time to fix misconfigurations, and time to validate that enforcement does not disrupt legitimate communications.
If your organisation is assessed against the PSPF and the ISM, DMARC at p=reject is a requirement you will need to meet. Starting the process now gives you the runway to do it properly and the evidence to demonstrate compliance when assessed. For a comprehensive walkthrough of DMARC fundamentals, see our complete guide to DMARC, and for configuration advice beyond the basics, review our DMARC best practices.