DMARC in South Africa

DMARC for South African businesses and service providers

South African organisations use the same global email-authentication standards as the rest of the world, but often rely on local IT providers, WISPs, MSPs and hosting partners to manage DNS and mail services. This guide explains a practical, provider-led path from assessment to ongoing monitoring.

Check a domain · For service providers

What DMARC can and cannot address

DMARC helps reduce successful exact-domain spoofing by checking SPF or DKIM alignment for the domain shown in the From address. It does not stop lookalike domains, compromised accounts, display-name deception, inbound spam or every form of email fraud.

Read what DMARC is and how it works.

Start with the systems that actually send email

List the organisation’s primary mail platform and every service that sends invoices, alerts, statements, marketing messages, support mail or application notifications. Include periodic services that may not appear in a single day of data. Confirm who controls DNS and who can enable DKIM inside each provider.

Use reports before stronger policy

Publish a valid monitoring record with an approved report destination, then review aggregate data across normal business cycles. Identify each legitimate source, correct authentication gaps and move policy only when the evidence supports the change. Keep a rollback path for unexpected delivery impact.

Work with the right operator

A South African service provider can help coordinate DNS access, mail-platform settings, customer communication and ongoing review. Vigil supports the managed-DMARC workflow for providers and organisations; exact commercial terms are handled privately.

This page does not provide legal advice and does not claim that DMARC creates or guarantees POPIA compliance. Email authentication is one technical control within a wider security and governance programme. The sourced technical perspective explains this boundary without turning DMARC into a legal requirement or compliance certificate.

Read the POPIA and DMARC technical perspective

FAQ

Is DMARC different for a .co.za domain?

The core protocol is the same. DNS delegation and policy discovery still need to be handled correctly for the domain’s place in the DNS hierarchy.

Can a local IT provider manage the process?

Yes, if the provider is authorised to work with the domain owner and can coordinate DNS, mail-platform settings, report review and policy decisions.

Does DMARC guarantee POPIA compliance?

No. This site makes no compliance guarantee. DMARC addresses a specific domain-authentication problem and is only one part of a broader programme.

Should we publish reject policy immediately?

Only when report evidence shows that legitimate sending sources are aligned and the operator has a safe change and rollback process.

Begin with the domain you control

Check the public DNS posture, then talk to Vigil about a managed workflow.

Check a domain · Contact Vigil