
Will your domain pass the PCI DSS 4.0 anti-phishing requirement?

PCI DSS 4.0 Requirement 5.4.1 made automated anti-phishing mechanisms mandatory as of 31 March 2025. Assessors expect to see SPF, DKIM, and DMARC in place. Check your domain in 30 seconds and walk into your assessment knowing exactly where you stand.

No signup. Read-only. Instant grade mapped to 5.4.1.

How the check works

  1. Read public DNS for SPF, DKIM, and DMARC.
  2. Map each control to Requirement 5.4.1, giving a per-control pass or fail and an overall A to F grade.
  3. Produce a prioritized remediation list. Read-only.

What Requirement 5.4.1 requires

5.4.1 calls for processes and automated mechanisms to detect and protect against phishing. Awareness training alone is not sufficient, and the standard names DMARC, SPF, and DKIM. This is pass or fail, with no partial credit.

  • SPF valid. Assessors expect a valid SPF record as a named anti-phishing control under 5.4.1.
  • DKIM signing. DKIM is a named control and provides the cryptographic signature DMARC aligns against.
  • DMARC published and enforced. 5.4.1 expects a real, enforcing DMARC policy, not a placeholder p=none monitoring record.
  • Applied org-wide (every sending and spoofable domain). Assessors expect the controls on every domain that sends or could be spoofed, not just the primary.
  • Automated, not a quarterly manual check. The requirement specifies automated mechanisms, so a periodic manual check does not satisfy it.
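The three DNS-level checks described above, as an added example that is not the scanner's own code: it parses the TXT strings a resolver would return for the SPF, DKIM and DMARC names and grades them against the named controls. The selector list, the A to F scale and the sample zone data are constructed assumptions for the example, and the lookup function is an offline stand-in for a live DNS query.

```python
"""Grade SPF, DKIM and DMARC records against the three 5.4.1 controls.

Added, illustrative checker. It takes a lookup function returning the TXT
strings at a DNS name; the sample below feeds it constructed records so the
example runs offline. A live version would swap in a real DNS resolver.
"""
import base64
import binascii
import re

# DKIM selectors are not discoverable from DNS, so a scanner tries a list of
# common ones. This list is an assumption for the example.
COMMON_SELECTORS = ("selector1", "selector2", "default", "google", "k1")

# SPF terms that cost a DNS lookup under RFC 7208's limit of 10 per check.
LOOKUP_TERM = re.compile(r"^[+\-~?]?(include|a|mx|ptr|exists)(?::|/|$)", re.I)


def parse_tags(record):
    """Split a 'k=v; k=v' tag list (DMARC, DKIM) into a dict with lowercase keys."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def check_spf(txt_records):
    """Control 1: exactly one SPF record that ends in a restrictive 'all'."""
    spf = [r for r in txt_records if r.lower().startswith("v=spf1")]
    if not spf:
        return False, "no SPF record"
    if len(spf) > 1:
        return False, "multiple SPF records; receivers treat this as a permanent error"
    terms = spf[0].split()[1:]
    all_terms = [t for t in terms if t.lstrip("+-~?").lower() == "all"]
    if not all_terms:
        return False, "no 'all' mechanism, so unlisted senders are never rejected"
    qualifier = all_terms[-1][0] if all_terms[-1][0] in "+-~?" else "+"
    if qualifier == "+":
        return False, "+all authorizes every sender on the internet"
    # Only the top-level record is counted; a full check recurses into include: targets.
    lookups = sum(1 for t in terms if LOOKUP_TERM.match(t) or t.lower().startswith("redirect="))
    if lookups > 10:
        return False, f"{lookups} lookup terms exceed the limit of 10; receivers return permerror"
    return True, f"valid SPF record ending in {qualifier}all"


def check_dkim(lookup, domain, selectors=COMMON_SELECTORS):
    """Control 2: at least one tried selector publishes a usable DKIM public key."""
    for selector in selectors:
        for record in lookup(f"{selector}._domainkey.{domain}"):
            tags = parse_tags(record)
            if "p" not in tags:
                continue
            if tags["p"] == "":
                return False, f"selector {selector} has an empty p= tag, meaning the key is revoked"
            try:
                base64.b64decode(tags["p"], validate=True)
            except binascii.Error:
                return False, f"selector {selector} has a p= tag that is not valid base64"
            return True, f"selector {selector} publishes a DKIM public key"
    return False, "no DKIM key found at any tried selector"


def check_dmarc(txt_records):
    """Control 3: a DMARC record whose policy actually enforces, not p=none."""
    dmarc = [r for r in txt_records if r.lower().startswith("v=dmarc1")]
    if not dmarc:
        return False, "no DMARC record at _dmarc.<domain>"
    if len(dmarc) > 1:
        return False, "multiple DMARC records; receivers ignore all of them"
    tags = parse_tags(dmarc[0])
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        return False, "missing or invalid p= tag"
    if policy == "none":
        return False, "p=none is monitoring only and does not count as enforcement"
    pct = int(tags.get("pct", "100")) if tags.get("pct", "100").isdigit() else 0
    if pct < 100:
        return False, f"pct={pct} leaves {100 - pct}% of failing mail unenforced"
    if tags.get("sp", policy).lower() == "none":
        return False, "sp=none leaves subdomains unenforced"
    return True, f"enforcing policy p={policy}"


def scan(domain, lookup):
    """Run all three controls; return an assumed A to F grade plus per-control results."""
    results = {
        "SPF": check_spf(lookup(domain)),
        "DKIM": check_dkim(lookup, domain),
        "DMARC": check_dmarc(lookup(f"_dmarc.{domain}")),
    }
    # Assumed scale: all three pass is an A, two a C, one a D, none an F.
    passed = sum(1 for ok, _ in results.values() if ok)
    return {3: "A", 2: "C", 1: "D", 0: "F"}[passed], results


# Constructed sample zone data standing in for live DNS answers.
SAMPLE_TXT = {
    "example.com": ["v=spf1 include:_spf.example.net ip4:203.0.113.0/24 -all",
                    "site-verification=not-related-to-mail"],
    "_dmarc.example.com": ["v=DMARC1; p=reject; rua=mailto:dmarc@example.com; adkim=s; aspf=s"],
    "selector1._domainkey.example.com": [
        "v=DKIM1; k=rsa; p=" + base64.b64encode(b"constructed placeholder, not a real key").decode()],
    # Second domain: monitoring-only DMARC and no DKIM key at any common selector.
    "weak.example": ["v=spf1 include:_spf.example.net ~all"],
    "_dmarc.weak.example": ["v=DMARC1; p=none; rua=mailto:dmarc@weak.example"],
}


def sample_lookup(name):
    """Offline stand-in for a DNS TXT query."""
    return SAMPLE_TXT.get(name, [])


if __name__ == "__main__":
    for domain in ("example.com", "weak.example"):
        grade, results = scan(domain, sample_lookup)
        print(f"{domain}: grade {grade}")
        for control, (ok, detail) in results.items():
            print(f"  {'PASS' if ok else 'FAIL'} {control}: {detail}")
```

Two caveats the checks themselves only hint at: the SPF lookup count here stops at the top-level record, whereas receivers count through every include: and redirect= it reaches, and the DKIM check only finds keys at selectors the scanner guesses, so a domain signing under an unusual selector shows as a false failure until that selector is added to the list.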

What failing costs

  • A failed or delayed assessment can hold up your Attestation of Compliance.
  • Remediation runs under the assessor's clock.
  • Real phishing exposure stays open in the meantime.
  • Repeat scrutiny lands on you next cycle.

Frequently asked

Does PCI require DMARC?

Requirement 5.4.1 requires automated anti-phishing mechanisms and names DMARC, SPF, and DKIM as the expected controls. So while the requirement is about anti-phishing mechanisms, DMARC is what assessors expect to see.

Is 5.4.1 in effect now?

Yes. It became mandatory on 31 March 2025.

Can I use this as audit evidence?

The scan produces a dated record mapped to 5.4.1. Whether it counts as evidence is your assessor's call, but it shows exactly where you stand going in.

Does the scan touch our systems?

No. It reads public DNS only and is fully read-only.

We have many domains.

The free scan covers one domain. Multi-domain coverage is a paid plan.

All controls pass. Are we done?

That covers the email-authentication half. Lookalike domains are the other impersonation route 5.4.1 is concerned with, which is why we go beyond DMARC.

Know where you stand in 30 seconds


Run my free PCI scan