
DORA ICT Email Control Mapper

Map your domain's DMARC, SPF, MTA-STS, TLS-RPT, and DNSSEC posture to DORA Articles 9, 10, and 11. Built for EU financial entities preparing for supervisor reviews under Regulation (EU) 2022/2554.

Why this matters

The Digital Operational Resilience Act (DORA, Regulation (EU) 2022/2554) has been in full effect across the EU financial sector since 17 January 2025. Every bank, insurer, investment firm, crypto-asset provider, and critical ICT third-party serving the FS sector must demonstrate the five ICT risk-management pillars listed in Article 6. Three of those pillars depend directly on email-authentication posture:

  • Article 9 — Protection & prevention: §2(a) names "protection and prevention measures" against unauthorised access — DMARC, SPF, and DKIM are the only DNS-borne controls that block sender impersonation at the receiving edge. §3(c) requires cryptographic protection of data in transit (MTA-STS).
  • Article 10 — Detection: §1 requires mechanisms that promptly detect anomalous activities. TLS-RPT is the email-transport telemetry source supervisors look for.
  • Article 11 — Response & recovery: DMARC aggregate (rua) reports feed the §1 incident-response process with first-party evidence of authentication failures during a security event.

What the supervisor will ask

Under Article 5(3), management bodies of FS entities are accountable for the ICT risk-management framework. The standard supervisor question on email-auth is "show us the policy, show us the evidence, show us the monitoring." This tool produces the evidence layer. The policy and monitoring layers live on the paid tier — DMARC report ingestion, weekly compliance digests, alert routing for control drift.

DORA Article 9-11 cross-walk

| Article | Requirement | Email-auth control |
|---|---|---|
| Art. 9(2)(a) | Protection & prevention against unauthorised access | DMARC + SPF + DKIM |
| Art. 9(3)(b) | Integrity of data | DNSSEC (signed identity records) |
| Art. 9(3)(c) | Cryptographic protection of data in transit | MTA-STS enforce mode |
| Art. 10(1) | Detection of anomalous activities | TLS-RPT (transport-layer telemetry) |
| Art. 11(1) | Response & recovery — incident process | DMARC rua aggregate reports |

Subcontractors and the ESP supply chain

Commission Delegated Regulation 2025/532 (RTS on ICT subcontracting) brings every critical third-party email provider into scope. If your firm sends customer mail through an ESP (Mailgun, SendGrid, Postmark, etc.), the ESP's SPF/DKIM posture is your control — auditors will follow the include chain. Use the SPF flattener to walk it and the DMARC report analyzer to confirm each subcontractor is signing the messages they send on your behalf.
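The following is an added example, not DMARCguard's own code, showing how the cross-walk rows and the include-chain walk above reduce to checks on published DNS records. It embeds constructed TXT records and a constructed MTA-STS policy file for two hypothetical domains (example-bank.test, legacy.test) so it runs offline; the Art. 9(3)(b) DNSSEC row is left out because it needs a validating resolver rather than record parsing.

```python
# Added example (not DMARCguard code). Constructed zone data stands in for DNS lookups.
TXT = {
    "example-bank.test": ["v=spf1 include:_spf.esp.test include:mail.vendor.test -all"],
    "_spf.esp.test": ["v=spf1 ip4:203.0.113.0/24 ~all"],
    "mail.vendor.test": ["v=spf1 a mx -all"],
    "_dmarc.example-bank.test": ["v=DMARC1; p=reject; rua=mailto:dmarc@example-bank.test"],
    "_mta-sts.example-bank.test": ["v=STSv1; id=20250117000000"],
    "_smtp._tls.example-bank.test": ["v=TLSRPTv1; rua=mailto:tlsrpt@example-bank.test"],
    "legacy.test": ["v=spf1 include:_spf.esp.test include:gone.test ~all"],
    "_dmarc.legacy.test": ["v=DMARC1; p=none"],
}
# Constructed body of https://mta-sts.<domain>/.well-known/mta-sts.txt
STS_POLICY = {"example-bank.test": "version: STSv1\nmode: enforce\nmx: mx.example-bank.test"}

def txt(name, prefix):
    # First TXT record at name whose version tag matches prefix (case-insensitive).
    return next((r for r in TXT.get(name, []) if r.lower().startswith(prefix)), None)

def spf_lookups(domain, seen=None):
    """Walk the SPF include chain as an auditor would: returns (DNS-querying term
    count, which RFC 7208 caps at 10; include targets that publish no SPF record)."""
    seen = set() if seen is None else seen
    rec = txt(domain, "v=spf1")
    if rec is None or domain in seen:
        return 0, [] if domain in seen else [domain]  # loop guard, or broken include
    seen.add(domain)
    count, missing = 0, []
    for term in rec.split()[1:]:
        mech = term.lstrip("+-~?")  # drop the qualifier
        if mech.startswith(("include:", "redirect=")):
            sub, miss = spf_lookups(mech.partition(":" if ":" in mech else "=")[2], seen)
            count, missing = count + 1 + sub, missing + miss
        elif mech.split(":")[0] in ("a", "mx", "ptr", "exists"):
            count += 1
    return count, missing

def dmarc_tags(domain):
    rec = txt("_dmarc." + domain, "v=dmarc1") or ""
    return dict(t.strip().split("=", 1) for t in rec.split(";") if "=" in t)

def crosswalk(domain):
    """One boolean per cross-walk row; a False is a finding to close before the review."""
    lookups, missing = spf_lookups(domain)
    d = dmarc_tags(domain)
    return {
        "Art. 9(2)(a) DMARC enforcing, SPF chain intact": d.get("p") in ("quarantine", "reject") and lookups <= 10 and not missing,
        "Art. 9(3)(c) MTA-STS enforce": txt("_mta-sts." + domain, "v=stsv1") is not None and "mode: enforce" in STS_POLICY.get(domain, ""),
        "Art. 10(1) TLS-RPT": "rua=" in (txt("_smtp._tls." + domain, "v=tlsrptv1") or ""),
        "Art. 11(1) DMARC rua": "rua" in d,
    }
```

For legacy.test the walk reports the dangling include (gone.test) alongside the p=none policy, which is exactly the subcontractor gap the RTS makes the sending firm answerable for.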

What this tool does not cover

Article 6 lists five pillars: governance & organisation, ICT risk-management framework, ICT third-party risk management, digital operational resilience testing, and information & intelligence sharing. The email-auth check above evidences the technical sub-controls of the second pillar only. Use this scorecard as supporting evidence inside a DORA programme, not as the programme itself.

Get the full picture with DMARCguard

Continuous monitoring, aggregate report parsing, and actionable insights for all your email authentication protocols.
