For years, DMARC enforcement felt like an enterprise problem. Large organizations had the IT staff to navigate DNS configuration, aggregate reporting, and the careful source-discovery work required to move from p=none to p=reject without disrupting legitimate mail. Smaller organizations sat at p=none indefinitely, technically compliant with the minimum requirements from Google and Microsoft, but practically unprotected.
That picture is changing. The 2026 edition of the SMB1001 international cybersecurity standard — published by Dynamic Standards International and certifiable from January 2026 — now mandates DMARC enforcement for small and medium businesses seeking Gold certification. It is the first major international cybersecurity standard designed specifically for SMBs to draw a hard line between monitoring and protection.
What SMB1001 Is and Why It Matters
SMB1001 is a five-tier cybersecurity certification framework built for organizations that lack enterprise-scale security teams. Its tiers map roughly to increasing levels of operational maturity: Bronze covers foundational controls like firewalls and backups; Silver adds individual accounts and multi-factor authentication on email; Gold requires endpoint detection, a documented incident response plan, and — as of the 2026 update — verified DMARC enforcement; Platinum and Diamond layer in external audits, penetration testing, and formal supplier risk management.
The standard is internationally recognized and aligns explicitly with the UK’s Cyber Essentials, the US Department of Defense’s Cybersecurity Maturity Model Certification (CMMC), and Australia’s Essential Eight. When a government contracting requirement or procurement process references one of those frameworks, SMB1001 certification satisfies the equivalent controls. That cross-recognition is a significant factor for smaller businesses operating in regulated sectors or government supply chains.
The 2026 edition included six substantive changes from the prior version. The first — and the one receiving the most attention from the security community — is the introduction of email authentication and anti-spoofing controls that explicitly require DMARC at enforcement level.
What the Standard Actually Requires
SMB1001:2026 introduces email authentication controls beginning at Level 2 (Silver) and tightens them at Level 3 (Gold) and above.
At Silver, the standard requires a valid SPF record that accurately lists all authorized sending sources for the domain.
At Gold, the requirements expand to include:
- DKIM signing: all outbound email must be signed with a DKIM key published in DNS
- A DMARC record with a policy of p=quarantine or p=reject, not p=none
- Alignment between the From header domain and the domain authenticated by SPF (the envelope-from domain) or DKIM (the d= domain in the signature)
- A reporting address (rua) specified in the DMARC record
The standard’s guidance is explicit about one critical point: organizations must not move to p=quarantine or p=reject until they have verified that all legitimate email streams are correctly authenticated. Rushing to enforcement before completing source discovery risks blocking outbound mail from CRM systems, transactional email services, marketing platforms, and other tools that send on behalf of the domain. The standard treats that verification work as a required step, not an optional precaution.
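To make that checklist concrete, here is an added example, not code from the SMB1001 standard or from any vendor, that parses a DMARC TXT record and reports whether it meets the points above (an enforcing p tag and a rua address). The three sample records are constructed. The pct and sp checks go beyond the standard's wording; they are included because a record can technically enforce while still leaving most mail, or all subdomains, unprotected.

```python
"""Assess a DMARC TXT record against the Gold-tier points listed above:
a policy of p=quarantine or p=reject (not p=none) and a rua reporting
address. Added illustrative example, not code from the SMB1001 standard
or any vendor; the sample records at the bottom are constructed. The
pct and sp checks are practitioner caveats drawn from RFC 7489 tag
semantics, not requirements the standard's text spells out.
"""
from __future__ import annotations

ENFORCING = ("quarantine", "reject")


def parse_dmarc(record: str) -> dict[str, str]:
    """Split 'v=DMARC1; p=none; rua=mailto:...' into a tag -> value dict.

    Tag names are case-insensitive (RFC 7489 section 6.4), so they are
    lower-cased; values are kept as written. Empty segments from a
    trailing ';' are ignored.
    """
    tags: dict[str, str] = {}
    for segment in record.split(";"):
        segment = segment.strip()
        if not segment:
            continue
        if "=" not in segment:
            raise ValueError(f"malformed DMARC tag: {segment!r}")
        name, _, value = segment.partition("=")
        tags[name.strip().lower()] = value.strip()
    return tags


def assess_dmarc(record: str) -> dict:
    """Return the policy, whether it enforces, Gold readiness and findings."""
    findings: list[str] = []
    tags = parse_dmarc(record)

    # RFC 7489 requires the v tag first and equal to DMARC1; receivers
    # ignore a record that does not start that way.
    v_ok = record.strip().lower().startswith("v=dmarc1")
    if not v_ok:
        findings.append("record must begin with v=DMARC1")

    policy = tags.get("p", "").lower() or None
    if policy is None:
        findings.append("no p tag: receivers treat the record as invalid")
    elif policy not in ENFORCING:
        findings.append(f"p={policy} is monitoring only, not enforcement")
    enforced = policy in ENFORCING

    # Gold wants a rua address; without reports there is no way to verify
    # that every legitimate source passes before tightening the policy.
    uris = [u.strip() for u in tags.get("rua", "").split(",") if u.strip()]
    rua_ok = bool(uris) and all(u.lower().startswith("mailto:") for u in uris)
    if not uris:
        findings.append("no rua address: aggregate reports will not be sent")
    elif not rua_ok:
        findings.append("rua URIs must use the mailto: scheme")

    # Caveats beyond the standard's wording (this example's own checks):
    # pct below 100 applies the policy to only that share of failing mail,
    # and sp=none leaves subdomains in monitoring while p enforces.
    pct = tags.get("pct", "100")
    if enforced and pct != "100":
        findings.append(f"pct={pct}: policy applied to only {pct}% of failing mail")
    if enforced and tags.get("sp", "").lower() == "none":
        findings.append("sp=none: subdomains are not enforced although p is")

    return {
        "policy": policy,
        "enforced": enforced,
        # Alignment mode per mechanism; 'r' (relaxed) is the default.
        "alignment": {"dkim": tags.get("adkim", "r"), "spf": tags.get("aspf", "r")},
        "gold_ready": v_ok and enforced and rua_ok,
        "findings": findings,
    }


# Constructed sample records for illustration only.
MONITOR_ONLY = "v=DMARC1; p=none; rua=mailto:dmarc@example.com"
GOLD_READY = "v=DMARC1; p=reject; rua=mailto:dmarc@example.com; adkim=s; aspf=s"
RAMPING = "v=DMARC1; p=quarantine; pct=25; sp=none; rua=mailto:dmarc@example.com"

if __name__ == "__main__":
    for label, rec in [("monitor", MONITOR_ONLY), ("gold", GOLD_READY), ("ramp", RAMPING)]:
        result = assess_dmarc(rec)
        print(f"{label}: gold_ready={result['gold_ready']} findings={result['findings']}")
```

Run it against the TXT record you get from `dig +short TXT _dmarc.yourdomain` (quotes stripped). The RAMPING record shows why the extra checks matter: it is "enforcing" on paper and would satisfy the letter of the requirement, yet only a quarter of failing mail is quarantined and every subdomain is still at none.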
The Threat Context That Drove the Change
The SMB1001 update did not happen in a vacuum. The 2026 edition reflects a threat environment that has shifted significantly against smaller organizations.
The Verizon 2025 Data Breach Investigations Report found that ransomware appeared in 88% of SMB breaches and that small and medium businesses are targeted nearly four times more frequently than large enterprises. The economics of this targeting are straightforward: SMBs often maintain relationships with larger organizations through supply chains, professional services, and vendor networks. Spoofing an SMB's domain to send phishing messages to the enterprises it serves requires no compromise of the SMB's own systems when the domain is unprotected; it simply borrows the trust those enterprises place in a known supplier, and the targets downstream are far more valuable.
EasyDMARC’s 2026 DMARC Adoption Report draws the contrast in sharp detail. Among Fortune 500 companies, 95% have DMARC, with more than 80% at enforcement level. Among Inc. 5000 companies — a reasonable proxy for large SMBs and growth-stage businesses — DMARC adoption sits at 76%, but only 15% have reached p=reject. Among smaller businesses with no external compliance pressure, the numbers are worse.
That gap between adoption and enforcement is precisely what attackers exploit. A domain with p=none announces to the world that it has DMARC awareness but no enforcement. Any message that claims to originate from that domain, whoever actually sent it, will not be quarantined or rejected on DMARC grounds by receivers that honor the policy: the domain owner has explicitly asked them to take no action. Ordinary spam filtering may still catch some of it, but nothing about the domain itself stops the impersonation.
Why p=none Is Not Compliance
The confusion between having a DMARC record and being protected by DMARC is widespread. When Google and Microsoft set their bulk sender requirements, they required high-volume senders to publish a DMARC record, and p=none satisfied the letter of that rule. For many organizations, publishing p=none was the end of the project.
SMB1001:2026 explicitly rejects that position. The Gold tier requires p=quarantine or p=reject. The standard’s authors are clear that p=none is a monitoring phase, not a protection phase. Organizations at p=none are collecting data they may or may not be reading; they are not protecting their domain identity or their customers from impersonation.
The distinction matters practically. The EasyDMARC report found that more than half of all domains with a DMARC record remain at p=none. That means more than half of DMARC-enabled domains have done the paperwork for compliance while leaving the door open for spoofing. SMB1001:2026 closes that loophole for the organizations it governs.
The Path to Gold
For an SMB currently sitting at p=none — or with no DMARC record at all — the path to Gold certification under SMB1001:2026 is a sequence of verifiable steps:
Step 1: Inventory sending sources. List every system that sends email using your domain: your primary email provider, your ESP, your transactional email service, your CRM, your customer support platform, your accounting software, your HR system. Many organizations are surprised by how many sources exist.
Step 2: Authenticate each source. Ensure every source is either authorized in your SPF record or signs with DKIM under your domain, ideally both. SPF alignment is checked against the envelope-from (Return-Path) domain, so a vendor that bounces through its own domain will pass SPF without aligning; for those senders a DKIM signature with a d= under your domain is what carries the DMARC pass. SPF is also capped at 10 DNS lookups, and each vendor include: consumes some of them; flattening (replacing include: mechanisms with the literal IP ranges they resolve to) keeps you under the limit at the cost of re-flattening whenever a vendor changes its ranges. Where a sender cannot be fitted in, give it a dedicated subdomain with its own SPF record and DKIM keys; under the default relaxed alignment a subdomain still aligns with the organizational domain.
Step 3: Verify with aggregate reports. Publish p=none with an rua reporting address and review the reports for two to four weeks. Each participating receiver sends an XML report, usually gzipped and once a day, listing every IP that sent mail claiming your domain, the message count, and whether SPF and DKIM passed and aligned. Any failing source is either a legitimate stream that still needs to be authenticated or a spoofing source that enforcement will block, and telling the two apart is the whole point of the exercise.
Step 4: Move to enforcement. Once aggregate reports show that all legitimate sources are passing, move to p=quarantine. If you want to ramp gradually, pct=25 or similar applies the policy to only that share of failing mail; remove the tag once the reports stay clean. Monitor for one to two weeks. If no legitimate mail is being quarantined, escalate to p=reject. From that point, mail that fails DMARC is refused by receivers that honor the policy before it ever reaches a recipient. Check the sp tag as well: if it is set to none, subdomains stay at monitoring regardless of p, so leave it unset to inherit p or set it explicitly.
Step 5: Maintain ongoing visibility. DMARC configuration is not a one-time task. New sending sources — a newly deployed marketing tool, a vendor integration, a staff member using an unauthorized service — appear in aggregate reports and need to be addressed before they cause compliance drift.
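The review in step 3 is where most of the work happens, so here is an added example, not code from the page, the SMB1001 standard or any vendor, that summarises a rua aggregate report per source IP and classifies each failing source the way the step describes. The report is a constructed sample shaped like the RFC 7489 Appendix C schema, with documentation IP ranges and placeholder domains. Real reports are gzipped XML attachments sent by third parties, so a production parser should use defusedxml rather than the stdlib parser.

```python
"""Summarise a DMARC aggregate (rua) report per sending source, which is
the review that step 3 above describes: which sources pass DMARC, which
fail, and how much volume enforcement would act on.

Added example, not code from the page, the SMB1001 standard or any
vendor. SAMPLE_REPORT is a constructed report shaped like RFC 7489
Appendix C, using documentation IP ranges and placeholder domains.
"""
from __future__ import annotations

import xml.etree.ElementTree as ET
from dataclasses import dataclass, field

# Constructed sample: one receiver's view of four sources sending as example.com.
SAMPLE_REPORT = """<feedback>
 <report_metadata><org_name>receiver.example</org_name><report_id>r1</report_id>
  <date_range><begin>1767225600</begin><end>1767312000</end></date_range></report_metadata>
 <policy_published><domain>example.com</domain><adkim>r</adkim><aspf>r</aspf><p>none</p><pct>100</pct></policy_published>
 <!-- primary mail provider: SPF and DKIM both aligned -->
 <record><row><source_ip>198.51.100.10</source_ip><count>420</count>
   <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
  <identifiers><header_from>example.com</header_from></identifiers>
  <auth_results><dkim><domain>example.com</domain><selector>mail</selector><result>pass</result></dkim>
   <spf><domain>example.com</domain><result>pass</result></spf></auth_results></record>
 <!-- ESP: SPF passes for its own bounce domain (not aligned), DKIM signed as example.com -->
 <record><row><source_ip>203.0.113.25</source_ip><count>150</count>
   <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>fail</spf></policy_evaluated></row>
  <identifiers><header_from>example.com</header_from></identifiers>
  <auth_results><dkim><domain>example.com</domain><selector>esp1</selector><result>pass</result></dkim>
   <spf><domain>bounce.esp.example</domain><result>pass</result></spf></auth_results></record>
 <!-- CRM: DKIM signed with the vendor's own domain, SPF not authorised -->
 <record><row><source_ip>203.0.113.77</source_ip><count>35</count>
   <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
  <identifiers><header_from>example.com</header_from></identifiers>
  <auth_results><dkim><domain>crm-vendor.example</domain><selector>k1</selector><result>pass</result></dkim>
   <spf><domain>example.com</domain><result>fail</result></spf></auth_results></record>
 <!-- unknown host: nothing passes, most likely spoofing -->
 <record><row><source_ip>192.0.2.200</source_ip><count>900</count>
   <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
  <identifiers><header_from>example.com</header_from></identifiers>
  <auth_results><spf><domain>example.com</domain><result>fail</result></spf></auth_results></record>
</feedback>"""


@dataclass
class Source:
    ip: str
    messages: int = 0
    dmarc_pass: int = 0
    raw_auth: set[str] = field(default_factory=set)  # "mechanism:domain:result"

    @property
    def dmarc_fail(self) -> int:
        return self.messages - self.dmarc_pass


def summarise(report_xml: str) -> dict[str, Source]:
    """Aggregate report rows by source IP.

    Reports are attachments from third parties: in production parse them
    with defusedxml rather than the stdlib parser, since the input is untrusted.
    """
    sources: dict[str, Source] = {}
    for rec in ET.fromstring(report_xml).iter("record"):
        row = rec.find("row")
        ip = row.findtext("source_ip")
        src = sources.setdefault(ip, Source(ip))
        count = int(row.findtext("count"))
        src.messages += count
        # policy_evaluated holds the *aligned* SPF and DKIM verdicts;
        # a message passes DMARC when either one is "pass".
        evaluated = row.find("policy_evaluated")
        if "pass" in (evaluated.findtext("dkim"), evaluated.findtext("spf")):
            src.dmarc_pass += count
        # auth_results holds the raw verdicts with the domain each applied to,
        # which is what tells a misconfigured vendor apart from a spoofer.
        auth = rec.find("auth_results")
        if auth is not None:
            for mech in auth:
                src.raw_auth.add(f"{mech.tag}:{mech.findtext('domain')}:{mech.findtext('result')}")
    return sources


def triage(src: Source) -> str:
    """Classify a source the way step 3 above frames it."""
    if src.dmarc_fail == 0:
        return "aligned"
    if any(a.endswith(":pass") for a in src.raw_auth):
        return "unaligned: authenticates for another domain, likely a vendor to fix"
    return "unauthenticated: nothing passes, likely spoofing"


def failing_sources(sources: dict[str, Source]) -> list[str]:
    """IPs with any DMARC-failing mail: each must be fixed or will be blocked."""
    return sorted(ip for ip, s in sources.items() if s.dmarc_fail > 0)


def enforcement_impact(sources: dict[str, Source]) -> tuple[int, int]:
    """(failing messages, total messages) that p=quarantine/reject would act on."""
    total = sum(s.messages for s in sources.values())
    return total - sum(s.dmarc_pass for s in sources.values()), total


if __name__ == "__main__":
    summary = summarise(SAMPLE_REPORT)
    for ip, s in sorted(summary.items()):
        print(f"{ip:15} msgs={s.messages:5} fail={s.dmarc_fail:5} {triage(s)}")
    print("enforcement would act on %d of %d messages" % enforcement_impact(summary))
```

The ESP row is the instructive one: its raw SPF result is pass, but for its own bounce domain, so the aligned SPF verdict is fail and only the DKIM signature under example.com keeps it passing DMARC. The CRM row fails because its DKIM signature is for the vendor's domain, which is a fix for the vendor's settings, not a spoofer; the unknown host with nothing passing is what enforcement exists to block.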
The Broader Regulatory Signal
SMB1001:2026 joins a growing list of frameworks that now treat DMARC enforcement as a baseline security requirement. PCI DSS v4.0 requirement 5.4.1, mandatory since March 2025, requires anti-phishing mechanisms for any organization handling cardholder data, and DMARC with SPF and DKIM is the usual way to satisfy it. NIS2 and DORA in the European Union recognize email authentication as a required cybersecurity control. La Poste requires full authentication for all senders, not just bulk senders, delivering to its network. Google and Microsoft enforce authentication for high-volume senders.
The direction of regulatory travel is consistent: monitoring-only DMARC is no longer acceptable as a completed control. Organizations that have been treating p=none as the finish line are increasingly finding that regulators, certification bodies, and mailbox providers disagree.
For SMBs that have been watching enterprise organizations navigate this transition and wondering when it would reach them: the answer, with the publication of SMB1001:2026, is now.
Excello Mail makes the path from p=none to p=reject manageable for businesses of every size. Automated source discovery, aggregate report analysis, guided enforcement, and continuous monitoring — everything required to meet SMB1001:2026 Gold certification and keep it. Sign up free at excello.email →