The attestation your buyers demand tests the email controls most SMBs skip.
SOC 2 and DMARC. For b2b software and service providers whose customers require a soc 2 report.
the transmission-protection criterion where email authentication is a control auditors recognize.
01
What SOC 2 actually tests
SOC 2 is not a checklist you pass. It is an attestation report in which an independent auditor examines your controls against the AICPA Trust Services Criteria. The Security category, the Common Criteria, is always in scope, and within it the controls that protect your system boundaries and secure data in transmission are examined directly. Email, one of the channels data moves through, has to be defensible.
There is no line in the criteria that says publish DMARC. But when an auditor asks how you keep your domain from being used to phish your staff and customers, and how you protect the authenticity of mail in transit, email authentication is the answer most organizations give, and the one they can evidence.
02
Where DMARC fits
DMARC, SPF and DKIM are the recognized controls for authenticating email and preventing domain spoofing. They map onto the boundary-protection and transmission criteria (CC6.6 and CC6.7), and they come with something auditors particularly value: aggregate reports, a continuous and timestamped record that the control is actually operating.
For a Type II report, which tests that controls operated effectively across a period rather than at a single moment, that trail matters. A DMARC record sitting at enforcement with months of clean aggregate reports is close to ideal evidence: a control that is not merely configured, but demonstrably working.
03
Where monitoring stops short
A DMARC record at p=none is a control that reports but does not protect: spoofed mail in your domain's name still reaches inboxes. An auditor assessing whether the control actually mitigates the risk will note the difference. Reaching p=quarantine and then p=reject turns a documented intention into a control that measurably works, which is what a SOC 2 examination is looking for. Authex takes the domain to enforcement and holds it there, aggregate-report trail included.
New to the distinction? Monitoring vs enforcement, the full breakdown.
04
Common questions
Does SOC 2 require DMARC?
No. SOC 2 does not name DMARC or any specific technology; it examines your controls against the AICPA Trust Services Criteria. DMARC, SPF and DKIM are the recognized email-authentication controls organizations use to evidence protection against domain spoofing and to secure mail in transit, so in practice they are what an auditor looks for on the email channel, even though the criteria never name them.
Which Trust Services Criteria does email authentication support?
Primarily the Common Criteria for logical access and boundary protection (CC6.6) and for securing data in transmission (CC6.7). Email authentication helps ensure that mail claiming to come from your domain genuinely does, protecting both your boundaries against spoofing and the authenticity of messages in transit. It is a control you point to under Security, the category every SOC 2 must include.
Why is DMARC good SOC 2 evidence?
Because it produces a continuous audit trail. DMARC aggregate reports arrive daily and are timestamped, so a domain at enforcement generates ongoing proof that the control is operating, which is exactly what a Type II report tests over its observation period. A configured and enforcing DMARC record with months of clean reports evidences a control that is demonstrably working, not merely present.
Meet the requirement, and actually be protected.
Scan your domain to see where it stands today, then let Authex take it to enforcement and keep it there.