Anti-phishing controls became mandatory on 31 March 2025.
PCI DSS 4.0 and DMARC
For organizations that store, process, or transmit cardholder data: the anti-phishing requirement that stopped being best practice and became mandatory.
01
What Requirement 5.4.1 says
PCI DSS version 4.0 introduced Requirement 5.4.1: organizations must implement processes and automated mechanisms to detect and protect personnel against phishing attacks. It was published as a future-dated best practice and became mandatory on 31 March 2025.
Crucially, the requirement is explicit that security-awareness training alone does not satisfy it. Auditors expect a technical, automated control, not just a policy telling staff to be careful.
02
Where DMARC fits
PCI DSS does not name DMARC as a hard mandate. But the anti-spoofing controls auditors look to in order to satisfy 5.4.1 are Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM), and Domain-based Message Authentication, Reporting & Conformance (DMARC). The current standard (v4.0.1) references DMARC as a recognized best practice for meeting the anti-phishing intent.
In practice this means DMARC is the control most organizations use to evidence 5.4.1 compliance for their email domains. An assessor will expect to see it published for each domain, with SPF or DKIM aligning to the visible From domain.
03
Where monitoring stops short
A DMARC record at p=none demonstrates intent but provides no enforcement — spoofed mail in your domain's name is still delivered. To stand up as a genuine anti-phishing control rather than a checkbox, the policy needs to reach enforcement and stay there. Authex takes the domain to p=reject and holds it, so the control you are evidencing is one that actually works.
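As an added illustration of why a monitoring-only record falls short, the following Python check classifies a published DMARC record by its enforcement level and lists the gaps an assessor would care about. It is example code written for this page, not Authex's scanner; the records and domain names are constructed, and lookup of the real TXT record is left to the caller.

```python
"""Classify DMARC records by how much they actually enforce.

Example code for this page (not Authex's). Tags follow RFC 7489:
p= applies to the organizational domain, sp= to subdomains (defaults
to p), pct= samples how much failing mail the policy is applied to.
"""

# Constructed sample records; the domains are placeholders.
SAMPLES = {
    "monitor-only.example": "v=DMARC1; p=none; rua=mailto:dmarc@monitor-only.example",
    "partial.example": "v=DMARC1; p=reject; pct=25; rua=mailto:dmarc@partial.example",
    "enforcing.example": "v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s; rua=mailto:dmarc@enforcing.example",
    "weak-sub.example": "v=DMARC1; p=quarantine; sp=none",
}


def parse_dmarc(record: str) -> dict:
    """Split 'tag=value; tag=value' into a dict; reject non-DMARC text."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC1 record")
    if "p" not in tags:
        raise ValueError("missing required p= tag")
    pct = int(tags.get("pct", "100"))  # ValueError on non-numeric pct
    if not 0 <= pct <= 100:
        raise ValueError(f"pct out of range: {pct}")
    return tags


def enforcement_level(record: str) -> str:
    """Return 'none', 'partial' or 'enforcing' for the organizational domain."""
    tags = parse_dmarc(record)
    if tags["p"].lower() == "none":
        return "none"          # reports only; spoofed mail still delivered
    if int(tags.get("pct", "100")) < 100:
        return "partial"       # policy applied to a sample of failing mail
    return "enforcing"


def findings(record: str) -> list:
    """Human-readable gaps between the record and a working control."""
    tags, level, out = parse_dmarc(record), enforcement_level(record), []
    if level == "none":
        out.append("p=none: failures are reported but mail is still delivered")
    elif level == "partial":
        out.append(f"pct={tags['pct']}: only a fraction of failing mail is acted on")
    if tags.get("sp", tags["p"]).lower() == "none" and level != "none":
        out.append("sp=none: subdomains remain spoofable")
    if "rua" not in tags:
        out.append("no rua=: no aggregate reports, so failures go unseen")
    return out
```

Feed it the TXT record fetched from `_dmarc.<domain>` to see whether a domain evidences a control that blocks spoofing or one that merely observes it.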
04
Common questions
Does PCI DSS 4.0 require DMARC?
Not by name. Requirement 5.4.1 mandates automated mechanisms to detect and protect personnel against phishing, mandatory since 31 March 2025. DMARC, along with SPF and DKIM, is the recognized anti-spoofing control auditors look for to satisfy it — so in practice it is how most organizations meet the requirement for their email domains.
When did Requirement 5.4.1 become mandatory?
31 March 2025. Before that date it was a future-dated best practice under PCI DSS 4.0; from that date the formerly best-practice requirements became mandatory for assessments.
Is security awareness training enough for 5.4.1?
No. The requirement is explicit that training alone does not satisfy it — an automated, technical mechanism is needed. Email authentication controls (DMARC/SPF/DKIM) are the recognized way to evidence that for your sending domains.
Meet the requirement — and actually be protected.
Scan your domain to see where it stands today, then let Authex take it to enforcement and keep it there.