How to fix “PCI DSS 4.0.1 · 5.4.1” from compliance

Your QSA or acquiring bank asks how you “detect and protect personnel against phishing attacks” under PCI DSS requirement 5.4.1 — and your email domain has no DMARC, or sits at p=none.

Check your domain first — 10 seconds, free, no signup.
See your DMARC policy, SPF lookup count and every issue explained in plain English.
Run the free check →

What this means

PCI DSS v4.0's requirement 5.4.1 became mandatory on 31 March 2025: entities handling cardholder data must have processes and automated mechanisms against phishing. The requirement text doesn't name specific technologies, but the PCI SSC's own guidance lists DMARC, SPF and DKIM as example anti-spoofing controls — and assessors routinely expect them on domains involved in cardholder communications.

How to fix it

Step 1. Publish SPF, DKIM and DMARC for every domain your business sends from — the free check below shows current gaps.
Step 2. Move the DMARC policy to enforcement: a p=none record is monitoring, not the “protection” the requirement describes.
Step 3. Keep evidence: continuous report monitoring is exactly the kind of “automated mechanism” assessors ask to see running.
Step 4. Pair the technical control with staff awareness training — 5.4.1 spans both the technical and human layers.

Frequently asked

How long until fixes take effect?

DNS changes propagate within minutes to 48 hours. Mailbox providers pick up the new records on their next check — most senders see bounces stop within a day of correct configuration.

Does this apply if I send fewer than 5,000 emails a day?

Formal enforcement targets bulk senders, but partial authentication already costs you inbox placement at every volume — and spoofing protection matters regardless of how much you send.

Can I just ask my hosting provider to fix it?

Hosting support can add DNS records for you, but they don't know which services send as your domain. You (or a monitoring tool reading your DMARC reports) have to provide that list — that's the actual hard part.

Don't want to babysit DNS records?
DMARCKeeper monitors your reports, names every sender, and walks you to full p=reject protection.
Start free monitoring →