You need to know whether HIPAA actually requires DMARC (or SPF/DKIM), or whether it's just “best practice,” before you spend time on it.
HIPAA does not name DMARC, SPF or DKIM anywhere in its text. But the Security Rule's technical safeguards — integrity and transmission security of electronic protected health information — make them the practical, expected tools for stopping email impersonation of a covered entity. The gap between “expected” and “done” is large: a Valimail study of 928 healthcare companies with revenue over $300M found only 121 (13%) had adopted DMARC at all, and just 1.7% enforce it (quarantine or reject). So the honest answer is: not required by name, but a de-facto standard that almost no one has actually turned on. Source: HIPAA Journal (Valimail data) · rule text: HHS HIPAA Security Rule · verified 2026-07-18.
p=reject.Usually not by name — HIPAA, most legal-sector rules and UK charity guidance don't cite DMARC specifically. But they require protecting communications and preventing impersonation, and DMARC is the standard technical control that regulators, insurers and auditors expect you to use to meet that.
No, not if you start correctly. A p=none policy is monitoring only and changes nothing about delivery. You only move to quarantine or reject after aggregate reports confirm every legitimate sender already passes — so real mail is never caught by surprise.
Yes. The DNS side is a handful of records added once. The ongoing part is reading aggregate reports, which a plain-English monitoring tool does for you instead of leaving you to parse XML. Start with the free check below to see where you stand.