SMB1001 2026 DMARC Requirements — What Australian Businesses Need to Know

Gary Hanley
March 26, 2026
9 min read
SMB1001 2026 now requires DMARC email authentication for Australian businesses at Level 2 and above. Here's what changed and how to check your compliance.

SMB1001 and DMARC: What Changed in 2026

If you run an Australian business and care about cybersecurity — or if your clients, insurers, or partners require you to — you've probably heard of SMB1001. Published by Dynamic Standards International (DSI), SMB1001 is a cybersecurity framework designed specifically for Australian small and medium businesses.

In the 2026 update, SMB1001 made a significant change: DMARC email authentication is now required at Levels 2 and 3. Previously, email authentication was recommended but not mandatory. That's no longer the case.

This article explains what SMB1001 is, what the DMARC requirement means in practice, and how to check whether your domain is compliant right now.

What Is SMB1001?

SMB1001 is a tiered cybersecurity certification framework created by Dynamic Standards International. It provides Australian small and medium businesses with a practical, achievable path to better cybersecurity — without the complexity and cost of enterprise frameworks like ISO 27001 or the ACSC Essential Eight.

The framework has multiple levels:

  • Level 1 (Bronze): Basic cyber hygiene — passwords, updates, backups
  • Level 2 (Silver): Enhanced security controls including email authentication (DMARC, SPF, DKIM)
  • Level 3 (Gold): Advanced security with ongoing monitoring and incident response

Many Australian businesses pursue SMB1001 certification because their clients require it, their cyber insurance providers recommend it, or they want to demonstrate a commitment to security when tendering for contracts.

What Changed in the 2026 Update

Prior to 2026, SMB1001 recommended that businesses implement email authentication but didn't make it a hard requirement. The 2026 update changed this: DMARC, SPF, and DKIM are now mandatory at Level 2 and above.

This change reflects the reality that email remains the primary attack vector for Australian businesses. The Australian Cyber Security Centre (ACSC) has long recommended DMARC implementation, and the major email providers — Google, Yahoo, and Microsoft — now require it for bulk senders.

The SMB1001 update aligns with this global shift. If your business is certified at Level 2 or Level 3, you must now have properly configured email authentication or risk losing your certification.

What Are DMARC, SPF, and DKIM?

These three protocols work together to prevent email spoofing — where someone sends emails pretending to be from your domain.

SPF (Sender Policy Framework)

SPF is a DNS record that lists which mail servers are authorised to send email on behalf of your domain. When a receiving server gets an email claiming to be from your domain, it checks your SPF record to verify the sending server is legitimate.

DKIM (DomainKeys Identified Mail)

DKIM adds a cryptographic signature to your outgoing emails. The receiving server can verify this signature against a public key published in your DNS, confirming the message hasn't been tampered with in transit.

DMARC (Domain-based Message Authentication, Reporting, and Conformance)

DMARC ties SPF and DKIM together and tells receiving servers what to do when authentication fails. It also provides reporting so you can see who is sending email using your domain — both legitimate services and potential spoofers.

Think of it this way: SPF checks who is sending, DKIM checks that what was sent hasn't been altered, and DMARC decides what to do when those checks fail.

What Does "Compliant" Actually Mean?

Having a DMARC record isn't the same as being protected. DMARC has three policy levels:

  • p=none — Monitor only. Emails that fail authentication are still delivered. This is a starting point, not an end goal.
  • p=quarantine — Failing emails are sent to the recipient's spam folder.
  • p=reject — Failing emails are blocked entirely. This is full protection.

For SMB1001 compliance, you need at minimum a published DMARC record with valid SPF and DKIM. However, a p=none policy means you're monitoring spoofing attempts but not preventing them. True protection requires progressing to p=quarantine or p=reject.

The ACSC recommends p=reject as the target policy for all Australian organisations.

How to Check If Your Domain Is Compliant

Checking your email authentication status is straightforward:

  1. Use the DMARC Busta scanner — enter your domain name and get an instant report on your DMARC, SPF, and DKIM configuration.
  2. Review your DMARC policy — is it p=none, p=quarantine, or p=reject?
  3. Check your SPF record — does it list all your legitimate sending services (Microsoft 365, Google Workspace, your CRM, marketing tools)?
  4. Verify DKIM — are your email services signing messages with DKIM?

If any of these are missing or misconfigured, your domain isn't compliant — and your emails may already be landing in spam or being rejected by major providers.
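The four checks above, applied to DNS TXT records, as an added example that is not the DMARC Busta scanner's code. It works on constructed records for a hypothetical domain (example.com.au, a selector1 DKIM selector and a placeholder key are assumptions), classifies the DMARC policy level from the previous section, and counts SPF terms against the 10 DNS lookup limit; a live check would feed it the results of real TXT queries instead.

```python
# Constructed TXT records for a hypothetical domain; nothing here is looked up live.
SAMPLE_TXT = {
    "_dmarc.example.com.au": ["v=DMARC1; p=quarantine; rua=mailto:dmarc@example.com.au"],
    "example.com.au": ["v=spf1 include:spf.protection.outlook.com include:_spf.google.com a mx ~all"],
    "selector1._domainkey.example.com.au": ["v=DKIM1; k=rsa; p=PLACEHOLDER_PUBLIC_KEY"],
}

def parse_tags(record):
    """Split a 'k=v; k=v' TXT record (DMARC or DKIM) into a dict of lowercase tags."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def spf_lookup_count(record):
    """Count the SPF terms that cost a DNS query; RFC 7208 allows at most 10."""
    count = 0
    for term in record.split()[1:]:
        term = term.lstrip("+-~?").lower()
        if term.startswith(("include:", "exists:", "redirect=", "a:", "mx:", "ptr:")) or term in ("a", "mx", "ptr"):
            count += 1
    return count

def assess(domain, txt, dkim_selectors):
    # Returns the policy level, SPF lookup count, signing selectors found and a list of issues.
    result = {"dmarc_policy": None, "spf_lookups": None, "dkim": [], "issues": []}
    dmarc = [r for r in txt.get(f"_dmarc.{domain}", []) if r.lower().startswith("v=dmarc1")]
    spf = [r for r in txt.get(domain, []) if r.lower().startswith("v=spf1")]
    result["dkim"] = [s for s in dkim_selectors if any(r.lower().startswith("v=dkim1") for r in txt.get(f"{s}._domainkey.{domain}", []))]
    if len(dmarc) != 1:  # two DMARC records are as bad as none: receivers ignore both
        result["issues"].append("DMARC record missing or duplicated")
    else:
        policy = parse_tags(dmarc[0]).get("p")
        result["dmarc_policy"] = policy if policy in ("none", "quarantine", "reject") else None
        if result["dmarc_policy"] is None:
            result["issues"].append("DMARC record has no valid p= tag")
        elif policy == "none":
            result["issues"].append("p=none only monitors spoofing; progress to quarantine/reject")
    if len(spf) != 1:
        result["issues"].append("SPF record missing or duplicated")
    else:
        result["spf_lookups"] = spf_lookup_count(spf[0])
        if result["spf_lookups"] > 10:
            result["issues"].append("SPF exceeds the 10 DNS lookup limit and will permerror")
    if not result["dkim"]:
        result["issues"].append("no DKIM public key found for the checked selectors")
    result["compliant"] = result["dmarc_policy"] is not None and result["spf_lookups"] is not None and result["spf_lookups"] <= 10 and bool(result["dkim"])
    result["enforcing"] = result["dmarc_policy"] in ("quarantine", "reject")
    return result
```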

Why Jumping Straight to p=reject Is Dangerous

If your domain currently has no DMARC record, you might be tempted to publish p=reject immediately. Don't.

Most businesses use multiple services that send email on their behalf — your email platform, CRM, marketing tools, accounting software, helpdesk, and more. If any of these aren't properly authenticated with SPF and DKIM before you enforce a reject policy, their emails will be blocked.

The safe approach is:

  1. Start with p=none to monitor who is sending email as your domain
  2. Identify and authenticate all legitimate sending services
  3. Progress to p=quarantine and monitor for issues
  4. Move to p=reject once you're confident all legitimate email is authenticated

This progression typically takes 4–8 weeks when done manually. DMARC Busta's Autopilot automates this entire journey, making DNS changes automatically and progressing your policy only when it's safe to do so.
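The progression above as a decision rule, an added example that is not DMARC Busta's Autopilot logic. It parses a constructed, minimal DMARC aggregate (rua) report for a hypothetical domain, totals passes and failures per sending IP, and only advances the policy one step when every source has been reviewed (either marked as a legitimate service or as not ours) and no legitimate source is failing above a threshold; the IPs, counts and threshold are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed minimal aggregate (rua) report for a hypothetical domain; not a real mailbox export.
SAMPLE_REPORT = """<?xml version="1.0"?>
<feedback>
  <policy_published><domain>example.com.au</domain><p>none</p></policy_published>
  <record><row><source_ip>203.0.113.10</source_ip><count>480</count>
    <policy_evaluated><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row></record>
  <record><row><source_ip>203.0.113.10</source_ip><count>2</count>
    <policy_evaluated><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row></record>
  <record><row><source_ip>198.51.100.7</source_ip><count>20</count>
    <policy_evaluated><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row></record>
  <record><row><source_ip>192.0.2.9</source_ip><count>5</count>
    <policy_evaluated><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row></record>
</feedback>"""

NEXT_STEP = {"none": "quarantine", "quarantine": "reject", "reject": "reject"}

def summarise(xml_text):
    """Return {source_ip: [passed, failed]} message counts from an aggregate report."""
    totals = {}
    for row in ET.fromstring(xml_text).iter("row"):
        ip, count = row.findtext("source_ip"), int(row.findtext("count"))
        ev = row.find("policy_evaluated")
        # DMARC passes when either aligned DKIM or aligned SPF passes
        passed = ev.findtext("dkim") == "pass" or ev.findtext("spf") == "pass"
        totals.setdefault(ip, [0, 0])[0 if passed else 1] += count
    return totals

def next_policy(current, totals, legitimate, not_ours, max_fail_rate=0.01):
    """Decide whether to tighten by one step. Hold if any source is still unreviewed,
    or if a known-legitimate source fails more often than max_fail_rate."""
    unreviewed = sorted(ip for ip in totals if ip not in legitimate and ip not in not_ours)
    if unreviewed:
        return current, f"hold: triage unreviewed sources {unreviewed}"
    for ip in legitimate:
        passed, failed = totals.get(ip, [0, 0])
        if passed + failed and failed / (passed + failed) > max_fail_rate:
            return current, f"hold: legitimate source {ip} failing ({failed}/{passed + failed})"
    return NEXT_STEP[current], "advance"

def plan(xml_text, legitimate, not_ours):
    # The report carries the policy that was in force when it was generated.
    current = ET.fromstring(xml_text).findtext("policy_published/p")
    return next_policy(current, summarise(xml_text), set(legitimate), set(not_ours))
```

Sources that fail and are not yours are what the policy is there to block; the rule still holds until a person has classified them, because an unreviewed failing IP may equally be a legitimate service that has not had SPF and DKIM set up yet.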

PCI DSS 4.0 Also Requires DMARC

SMB1001 isn't the only framework mandating email authentication. If your business processes credit card payments, PCI DSS 4.0 Requirement 5.4.1 now includes DMARC as part of anti-phishing controls.

This means Australian businesses that handle payments face compliance requirements from multiple directions — all pointing to the same conclusion: DMARC is no longer optional.

The Cost of Non-Compliance

Beyond losing your SMB1001 certification, failing to implement email authentication has real business consequences:

  • Email deliverability — Google, Yahoo, and Microsoft now require DMARC for bulk senders. Without it, your business emails increasingly land in spam or get rejected entirely.
  • Cyber insurance — many Australian cyber insurers are beginning to ask about email authentication as part of their risk assessment. Proper DMARC implementation can work in your favour when renewing or applying for coverage.
  • Client trust — if your domain is spoofed and a client receives a phishing email "from" your business, the reputational damage can be significant. A p=reject DMARC policy prevents this.
  • Supply chain requirements — larger organisations are increasingly requiring their suppliers and partners to demonstrate cybersecurity maturity. SMB1001 certification is one way to do this, and DMARC is now part of that certification.

Common Misconceptions About DMARC Compliance

"We don't send bulk email, so this doesn't apply to us"

SMB1001 applies to all email sent from your domain — not just marketing emails. Every invoice, proposal, support reply, and internal communication is affected. And the Google/Yahoo requirements affect all senders, with stricter rules for bulk senders.

"We already have an SPF record, so we're covered"

SPF alone is not sufficient. DMARC requires both SPF and DKIM to be configured, and the DMARC record itself must be published. Many businesses have a partial configuration that gives them a false sense of security.

"Our IT provider handles this"

It's worth verifying. Many IT providers configure email (Microsoft 365, Google Workspace) but don't set up DMARC. A quick scan of your domain will confirm whether DMARC is properly configured.

"We set up DMARC last year, so we're done"

DMARC is not a set-and-forget configuration. If you added new email services (a CRM, marketing tool, or helpdesk), those need to be authenticated too. And if your DMARC policy is still at p=none, you're monitoring spoofing without preventing it.

How DMARC Busta Automates Compliance

Getting to full DMARC enforcement manually is time-consuming and error-prone. You need to identify all sending services, configure SPF and DKIM for each one, monitor DMARC reports, and gradually tighten your policy — all without breaking legitimate email.

DMARC Busta's Autopilot handles this automatically:

  • Automatic DNS changes — connects to your DNS provider (Cloudflare, cPanel, Route53) and makes changes directly
  • AI-powered source identification — analyses DMARC reports and identifies legitimate sending services automatically
  • Safe DMARC progression — moves from p=none to p=reject only when it's safe, with automatic rollback if issues are detected
  • SPF optimisation — manages your SPF record to stay under the 10 DNS lookup limit
  • Ongoing monitoring — detects anomalies and pauses automation if something unexpected happens

Whether you're managing one domain or hundreds, Autopilot keeps your email authentication compliant without manual intervention.

For MSPs: Managing Client Compliance at Scale

If you're a managed service provider responsible for your clients' cybersecurity, the SMB1001 DMARC requirement creates both a challenge and an opportunity. Your clients need email authentication configured and maintained — and they're looking to you to provide it.

DMARC Busta is built with MSPs in mind. Each client domain gets independent Autopilot management: different DNS providers, different sending profiles, different progression timelines. You manage everything from a single dashboard, with per-domain controls for pausing, adjusting, or overriding automation as needed.

This means you can offer DMARC compliance as a managed service — adding value for your clients while fulfilling their SMB1001 requirements without manual DNS management for every domain.

Next Steps

If your business is pursuing or maintaining SMB1001 certification, email authentication is no longer something you can defer. Here's what to do now:

  1. Scan your domain to see your current DMARC, SPF, and DKIM status
  2. Review the results — the scanner will tell you exactly what's missing or misconfigured
  3. Get started with DMARC Busta — the free plan includes monitoring, and paid plans from $19/month include full Autopilot automation

For a broader view of DMARC adoption across Australian businesses, see our Australia DMARC Adoption Research Report. You can also read more about DMARC compliance requirements in Australia for 2026.