DMARC for healthcare — does HIPAA require SPF, DKIM & DMARC?

You need to know whether HIPAA actually requires DMARC (or SPF/DKIM), or whether it's just “best practice,” before you spend time on it.

Check your domain first — 10 seconds, free, no signup.
See your DMARC policy, SPF lookup count and every issue explained in plain English.
Run the free check →

What this means

HIPAA does not name DMARC, SPF or DKIM anywhere in its text. But the Security Rule's technical safeguards — integrity and transmission security of electronic protected health information — make them the practical, expected tools for stopping email impersonation of a covered entity. The gap between “expected” and “done” is large: a Valimail study of 928 healthcare companies with revenue over $300M found only 121 (13%) had adopted DMARC at all, and just 1.7% enforce it (quarantine or reject). So the honest answer is: not required by name, but a de-facto standard that almost no one has actually turned on. Source: HIPAA Journal (Valimail data) · rule text: HHS HIPAA Security Rule · verified 2026-07-18.

What to do about it

Step 1. Treat DMARC as the technical safeguard HIPAA implies rather than one it names — that's how assessors read it.
Step 2. Publish SPF, DKIM and DMARC for every domain that sends patient or partner communications.
Step 3. Don't stop at monitoring: 1.7% enforcement is the sector's real weakness — plan the path to p=reject.
Step 4. Start with the free check below to see where your domain sits today (record present, aligned, enforcing?).

Frequently asked

Does my sector legally require DMARC by name?

Usually not by name — HIPAA, most legal-sector rules and UK charity guidance don't cite DMARC specifically. But they require protecting communications and preventing impersonation, and DMARC is the standard technical control that regulators, insurers and auditors expect you to use to meet that.

Will publishing DMARC block our own staff or member email?

No, not if you start correctly. A p=none policy is monitoring only and changes nothing about delivery. You only move to quarantine or reject after aggregate reports confirm every legitimate sender already passes — so real mail is never caught by surprise.

We're small and have no IT team — is this realistic?

Yes. The DNS side is a handful of records added once. The ongoing part is reading aggregate reports, which a plain-English monitoring tool does for you instead of leaving you to parse XML. Start with the free check below to see where you stand.

Don't want to babysit DNS records?
DMARCKeeper monitors your reports, names every sender, and walks you to full p=reject protection.
Start free monitoring →