Is your email authentication ready for DORA?
DORA, the Digital Operational Resilience Act, requires financial entities to manage ICT risk and to use secure means of transferring data. Email authentication is one of the most basic and visible controls a supervisor will expect to see for the email channel. DORA applied from 17 January 2025. Check your domain in 30 seconds and see where you stand.
Straight talk on the law
An honest note: DORA does not name SPF, DKIM, or DMARC in its legal text. It is an ICT operational-resilience regulation that requires sound ICT risk management and secure means of transferring data. Email authentication supports those controls for the email channel and is the cheapest, most visible way to evidence them, which is why a supervisor will expect to see it. It does not by itself certify DORA compliance. We state this plainly because any overclaim is easy to catch.
How the check works
- Read public DNS for SPF, DKIM, and DMARC.
- Grade your email posture A to F with per-control pass and fail.
- Produce a prioritized list of fixes. Read-only.
What DORA expects for the email channel
DORA does not name email-authentication records, so this maps the standard practical controls a supervisor will look for to the ICT-risk and secure-data-transfer duties. Article 9 is the closest fit for the email channel.
- SPF valid. A valid SPF record is a baseline technical measure for secure email transfer.
- DKIM signing. DKIM signing lets receivers verify that the signed headers and body were not altered in transit and that the signing domain vouches for the message.
- DMARC published and enforced. An enforcing DMARC policy demonstrates the email channel is actively controlled, supporting Article 9.
- Coverage across sending and brand domains. An operational-resilience narrative needs every spoofable domain covered, not just the primary.
- Continuous monitoring in place. A control configured once and never watched is hard to defend under an ICT-risk review.
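The three steps under "How the check works" (read public DNS, grade A to F, list fixes) and the SPF, DKIM and DMARC controls above, carried through as an added example; this is not the page's scanner. It grades TXT records that have already been fetched from public DNS, here a constructed sample zone embedded inline so it runs offline. The scoring weights, the grade thresholds, the candidate DKIM selector list and the sample domains are assumptions, not values from the page.

```python
"""Offline SPF/DKIM/DMARC posture grader (added example, not the page's tool)."""
import re

# Constructed sample zone: what a resolver would return for TXT lookups.
SAMPLE_DNS = {
    "good.example": ["v=spf1 include:_spf.example.net -all"],
    "_dmarc.good.example": ["v=DMARC1; p=reject; rua=mailto:dmarc@good.example; pct=100"],
    "s1._domainkey.good.example": ["v=DKIM1; k=rsa; p=MIIBIjANBgkq..."],  # constructed, truncated key
    "weak.example": ["v=spf1 include:a.example include:b.example ~all"],
    "_dmarc.weak.example": ["v=DMARC1; p=none"],
    "none.example": [],
}

DKIM_SELECTORS = ["s1", "selector1", "default"]  # assumed candidate selectors
# SPF terms that cost a DNS lookup (RFC 7208 caps them at 10 per evaluation).
LOOKUP_RE = re.compile(r"^[+\-~?]?(include:|a(?=$|[:/])|mx(?=$|[:/])|ptr|exists:|redirect=)", re.I)


def lookup_txt(dns, name):
    """Stand-in for a public DNS TXT query; read-only by construction."""
    return dns.get(name.lower(), [])


def parse_tags(record):
    """Parse the 'k=v; k=v' tag list used by DMARC and DKIM records."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def check_spf(dns, domain):
    """Return (score, max, fixes). Each fix is (points lost, text). 3 = -all, 2 = ~all."""
    recs = [r for r in lookup_txt(dns, domain) if r.lower().startswith("v=spf1")]
    if not recs:
        return 0, 3, [(3, f"Publish an SPF record for {domain} ending in -all")]
    if len(recs) > 1:
        return 0, 3, [(3, f"{domain} has {len(recs)} SPF records; RFC 7208 allows exactly one")]
    tokens = recs[0].split()[1:]
    lookups = sum(1 for t in tokens if LOOKUP_RE.match(t))  # this record only, not its includes
    if lookups > 10:
        return 0, 3, [(3, f"SPF for {domain} needs {lookups} lookups in its own terms; the limit is 10")]
    all_tok = next((t for t in tokens if t.lower().lstrip("+-~?") == "all"), None)
    qualifier = all_tok[0] if all_tok and all_tok[0] in "+-~?" else "+"
    if all_tok is None or qualifier in "+?":
        return 0, 3, [(3, f"SPF for {domain} does not end in -all or ~all; add -all")]
    if qualifier == "~":
        return 2, 3, [(1, f"Tighten SPF for {domain} from ~all to -all")]
    return 3, 3, []


def check_dkim(dns, domain, selectors=DKIM_SELECTORS):
    """DKIM keys are only visible under known selectors, so probe an assumed list."""
    for sel in selectors:
        for rec in lookup_txt(dns, f"{sel}._domainkey.{domain}"):
            tags = parse_tags(rec)
            if tags.get("p"):
                return 2, 2, []
            if "p" in tags:  # empty p= means the key was revoked
                return 0, 2, [(2, f"DKIM selector {sel} for {domain} has an empty p= (revoked key)")]
    return 0, 2, [(2, f"No DKIM key found for {domain} under {selectors}; enable DKIM signing")]


def check_dmarc(dns, domain):
    """Policy scores 0-3 (none/quarantine/reject); rua= adds 1 for monitoring."""
    recs = [r for r in lookup_txt(dns, f"_dmarc.{domain}") if r.lower().startswith("v=dmarc1")]
    if not recs:
        return 0, 4, [(4, f"Publish a DMARC record at _dmarc.{domain} with p=reject and rua=")]
    tags = parse_tags(recs[0])
    fixes = []
    policy = tags.get("p", "none").lower()
    score = {"reject": 3, "quarantine": 2}.get(policy, 0)
    if score < 3:
        fixes.append((3 - score, f"Move DMARC policy for {domain} from p={policy} to p=reject"))
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = 100
    if pct < 100 and score > 1:  # a partial pct leaves most mail unenforced
        fixes.append((score - 1, f"DMARC pct={pct} enforces only part of the mail; set pct=100"))
        score = 1
    if tags.get("rua"):
        score += 1
    else:
        fixes.append((1, f"Add rua= to _dmarc.{domain} so aggregate reports feed continuous monitoring"))
    return score, 4, fixes


def grade(dns, domain):
    """Combine the three checks into an A to F grade and a fix list ordered by points lost."""
    results = [check_spf(dns, domain), check_dkim(dns, domain), check_dmarc(dns, domain)]
    score = sum(r[0] for r in results)
    total = sum(r[1] for r in results)
    fixes = sorted((f for r in results for f in r[2]), key=lambda f: -f[0])
    ratio = score / total
    letter = "A" if ratio >= 1 else "B" if ratio >= 0.75 else "C" if ratio >= 0.5 else "D" if ratio >= 0.3 else "F"
    return {"domain": domain, "grade": letter, "score": f"{score}/{total}", "fixes": [f[1] for f in fixes]}


if __name__ == "__main__":
    for d in ("good.example", "weak.example", "none.example"):
        print(grade(SAMPLE_DNS, d))
```

To run it against a live domain, replace `lookup_txt` with a real resolver call and feed the returned TXT strings through the same functions; the grading logic does not change. The lookup counter only sees the record's own terms, so a record that stays under 10 here can still exceed the limit once its `include:` targets are expanded, which is the usual way SPF silently breaks.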
What failing costs
- × Supervisory findings against your ICT risk-management framework.
- × A weak operational-resilience narrative when the supervisor asks.
- × Personal accountability for the management body.
- × Real impersonation risk against the financial entity and its clients.
Frequently asked
Does DORA require DMARC?
Not by name. DORA does not name SPF, DKIM, or DMARC in its legal text. Email authentication is the standard way to support the ICT-risk and secure-data-transfer duties for the email channel, which is why a supervisor expects it.
When did DORA apply?
DORA applied from 17 January 2025. It is a regulation, so it applies directly across the EU without national transposition.
Does DORA apply to us?
DORA applies to a broad set of financial entities and to ICT third-party providers that serve them. Confirm your scope with your legal team, as the entity categories are specific.
Does the scan touch our infrastructure?
No. It reads public DNS records only; nothing on your infrastructure is queried or changed.
Does this support our ICT risk documentation?
It produces a dated, structured posture record you can attach to your ICT risk-management evidence for the email channel.
Our DMARC is passing. Are we done?
That is the authentication half. Lookalike domains remain, and they are the impersonation route an operational-resilience review will ask about.
Know where you stand in 30 seconds
No signup. Read-only. Instant A to F posture grade.
Check my DORA readiness