General Data Protection Regulation
The GDPR (Regulation (EU) 2016/679) requires data controllers and processors to implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk. Article 32 specifically mandates encryption of personal data in transit and at rest. Email authentication protocols help fulfil the GDPR's security requirements by preventing unauthorised access to personal data through email spoofing, phishing, and man-in-the-middle attacks. While the GDPR does not prescribe specific technologies, supervisory authorities across the EU have referenced email authentication as part of baseline security expectations.
| Protocol | Requirement | Details |
|---|---|---|
| SPF | Recommended | SPF helps meet Article 32's requirement for appropriate technical measures by preventing unauthorised servers from sending email using your domain. This reduces the risk of phishing attacks that lead to personal data breaches. |
| DMARC | Recommended | DMARC supports Article 32 compliance and helps prevent personal data breaches caused by domain spoofing. Several EU supervisory authorities, including the Dutch DPA (Autoriteit Persoonsgegevens), have highlighted DMARC as a recommended email security measure. |
| DKIM | Recommended | DKIM signing provides message integrity, supporting the GDPR's data integrity requirements under Article 5(1)(f). It ensures personal data transmitted via email has not been altered by unauthorised parties. |
| SSL/TLS | Required | Article 32(1)(a) explicitly references encryption as an appropriate technical measure. TLS encryption for email containing personal data is considered a baseline requirement by EU supervisory authorities and ENISA guidelines. |
| Security Headers | Recommended | Security headers protect web applications that process personal data from common attacks. Implementing headers like HSTS and CSP aligns with the GDPR's principle of data protection by design and by default (Article 25). |
| DNSSEC | Optional | DNSSEC adds a layer of DNS integrity protection but is not specifically referenced in GDPR guidance. It may be relevant for organisations processing large volumes of sensitive personal data where DNS hijacking poses a material risk. |
Configure all mail servers to use TLS 1.2 or higher. This directly satisfies Article 32(1)(a)'s encryption requirement. Verify that TLS is correctly configured using a domain security scan and address any weak cipher suites.
Publish SPF records authorising your legitimate email infrastructure. Enable DKIM signing on all outgoing mail. Deploy a DMARC policy to prevent domain spoofing that could facilitate phishing attacks leading to personal data breaches (which would require notification under Articles 33 and 34).
Apply HSTS, Content-Security-Policy, X-Frame-Options, and other security headers to all web applications that process personal data. This supports the data protection by design principle in Article 25.
Include your email authentication and encryption controls in the documentation required under Article 30 (records of processing activities). Describe the specific technical measures implemented and their purpose.
If your organisation processes sensitive personal data via email, conduct a DPIA (Article 35) that evaluates the risks and documents how email authentication controls mitigate those risks. Include scan results as supporting evidence.
Set up domain monitoring to detect email authentication failures that could indicate an attempted or successful attack. Under Article 33, personal data breaches must be reported to the supervisory authority within 72 hours, making early detection critical.
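The checklist steps above (SPF, DMARC, security headers and monitoring via DMARC reports) can be checked offline against the records you intend to publish. This is an added example, not code from the original page or the scanner it mentions; the record strings and header sets it evaluates are constructed samples rather than real domains.

```python
# Added example: evaluate SPF, DMARC and HTTP security-header settings against
# the checklist above. All inputs are constructed samples, not real domains.
from typing import Dict, List

def check_spf(record: str) -> List[str]:
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["SPF: record missing or not 'v=spf1'"]
    tail = terms[-1].lower()  # the 'all' mechanism should come last
    if tail in ("all", "+all"):
        return ["SPF: '+all' authorises every server; use '-all' or '~all'"]
    if tail == "?all":
        return ["SPF: '?all' is neutral; receivers will not reject spoofed mail"]
    if tail not in ("-all", "~all"):
        return ["SPF: no terminating 'all' mechanism, unlisted servers are not rejected"]
    return []

def check_dmarc(record: str) -> List[str]:
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        return ["DMARC: record missing or not 'v=DMARC1'"]
    findings = []
    policy = tags.get("p", "").lower()
    if policy == "none":
        findings.append("DMARC: p=none only monitors; move to quarantine or reject")
    elif policy not in ("quarantine", "reject"):
        findings.append("DMARC: p= tag missing or invalid")
    if "rua" not in tags:  # aggregate reports are the monitoring signal for early breach detection
        findings.append("DMARC: no rua= address, so aggregate failure reports never arrive")
    pct = tags.get("pct", "100")
    if pct.isdigit() and int(pct) < 100:
        findings.append(f"DMARC: pct={pct} leaves {100 - int(pct)}% of mail unenforced")
    return findings

# Headers named on the page for web applications that process personal data.
REQUIRED_HEADERS = ("strict-transport-security", "content-security-policy", "x-frame-options")

def check_headers(headers: Dict[str, str]) -> List[str]:
    present = {name.lower() for name in headers}
    return [f"Headers: missing {h}" for h in REQUIRED_HEADERS if h not in present]

def evaluate(spf: str, dmarc: str, headers: Dict[str, str]) -> List[str]:
    return check_spf(spf) + check_dmarc(dmarc) + check_headers(headers)
```

Run `evaluate()` on the records you plan to publish; an empty list means every item in the checklist above is satisfied, and each finding names the step still to fix.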
Use Domain Security Scanner reports as evidence for your GDPR audit. Pro and Agency plans include PDF export for compliance documentation.
Run a free scan to see how your domain's email authentication measures up against GDPR requirements.
The GDPR does not mandate DMARC by name. However, Article 32 requires "appropriate technical measures" for security, and multiple EU supervisory authorities have cited email authentication as a baseline expectation. The Dutch DPA has specifically recommended DMARC, and ENISA (the EU Agency for Cybersecurity) includes it in its email security guidelines. Failing to implement DMARC could be viewed as inadequate security, particularly if a phishing-related breach occurs.
The key articles are: Article 5(1)(f) (integrity and confidentiality principle), Article 25 (data protection by design and by default), Article 32 (security of processing, including encryption), Articles 33-34 (breach notification, which email authentication helps prevent), and Article 83 (administrative fines for security failures). Together, these create a strong obligation to secure email communications containing personal data.
Directly, no. But if inadequate email security contributes to a personal data breach, supervisory authorities can impose fines under Article 83(4) for violations of Article 32 (up to 10 million EUR or 2% of annual worldwide turnover). Several enforcement actions have cited insufficient technical measures after phishing-related breaches. Proactive email authentication significantly reduces this risk.