Atalaia

2026-05-06 · dmarc · soc2 · compliance

DMARC for SOC 2 auditors

Why DMARC enforcement is the email-security control your SOC 2 auditor will actually grade, and what evidence to keep.

SOC 2 auditors do not care that you “use email.” They care about controls, evidence, and the gap between the two. Under the SOC 2 Common Criteria, DMARC is the email-security control auditors ask about most often, and it is the easiest one to fail on the evidence side rather than on the control itself.

The control vs. the evidence

The control is “Atalaia restricts unauthorized senders from spoofing our domains.” DMARC at p=quarantine (or stronger) plus SPF or DKIM aligned with the visible From: domain is the standard implementation. Most SMBs publish a p=none record and stop there. Auditors flag this two ways: (1) p=none is monitoring-only, not enforcement, so it does not implement the control as documented; (2) without RUA aggregate reports (the rua= tag in the record), you cannot prove the control was effective during the audit window.

Evidence that ages well

A control that auditors trust shows up the same way for two years in a row. For DMARC that means:

  1. The DNS record itself, captured monthly with a timestamp.
  2. RUA aggregate reports stored, parseable, with retention policy documented.
  3. A monthly summary that names every legitimate sending source, with disposition and trend.
  4. A trail of policy changes (p=none → p=quarantine → p=reject) tied to the data that justified each step.

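The record check from the previous section and evidence items 1 to 3 above are the same small amount of parsing. The following is an added example, not Atalaia’s tooling or the report format it ships: it splits a DMARC TXT record into tags, decides whether the policy is enforcing, aggregates an RUA report (the RFC 7489 XML schema) into per-source counts with aligned-pass status and a disposition mix, and emits the findings an auditor would raise. The record and the report are constructed samples for example.com; the function names are this example’s own.

```python
"""Turn raw DMARC artefacts into evidence points: the record snapshot with its
policy level, and a per-source disposition summary from an RUA aggregate
report. Added example, not part of the original page."""
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sample DMARC TXT record for an example domain (not a real record).
SAMPLE_RECORD = "v=DMARC1; p=none; rua=mailto:dmarc-rua@example.com; pct=100"

# Constructed sample RUA aggregate report: two sending sources, one unaligned.
SAMPLE_RUA = """<?xml version="1.0"?>
<feedback>
  <report_metadata>
    <org_name>receiver.example.net</org_name>
    <report_id>2026-05-example-1</report_id>
    <date_range><begin>1777593600</begin><end>1777680000</end></date_range>
  </report_metadata>
  <policy_published>
    <domain>example.com</domain><adkim>r</adkim><aspf>r</aspf><p>none</p><pct>100</pct>
  </policy_published>
  <record>
    <row><source_ip>192.0.2.10</source_ip><count>120</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
  </record>
  <record>
    <row><source_ip>198.51.100.7</source_ip><count>35</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
  </record>
</feedback>
"""


def parse_dmarc_record(txt):
    """Split a DMARC TXT record into its tag=value pairs (tags lower-cased)."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    return tags


def policy_is_enforcing(tags):
    """p=quarantine or p=reject implements the control; p=none only monitors."""
    return tags.get("p", "none").lower() in ("quarantine", "reject")


def summarize_rua(xml_text):
    """Aggregate an RUA report into per-source counts with aligned-pass status
    and a disposition mix. The dkim/spf values under policy_evaluated are the
    aligned results, which is what DMARC actually acts on."""
    # RUA reports arrive from third-party receivers, so in production parse
    # them with a hardened parser such as defusedxml; stdlib ET is used here
    # only because the input is a constructed sample.
    root = ET.fromstring(xml_text)
    sources = {}
    dispositions = Counter()
    for rec in root.iter("record"):
        row = rec.find("row")
        ip = row.findtext("source_ip")
        count = int(row.findtext("count"))
        evaluated = row.find("policy_evaluated")
        disposition = evaluated.findtext("disposition")
        aligned = "pass" in (evaluated.findtext("dkim"), evaluated.findtext("spf"))
        src = sources.setdefault(ip, {"count": 0, "aligned_pass": True, "dispositions": Counter()})
        src["count"] += count
        # A source counts as aligned only if every row from it passed alignment.
        src["aligned_pass"] = src["aligned_pass"] and aligned
        src["dispositions"][disposition] += count
        dispositions[disposition] += count
    return {
        "domain": root.findtext("policy_published/domain"),
        "policy_published": root.findtext("policy_published/p"),
        "sources": sources,
        "disposition_totals": dict(dispositions),
        "unaligned_count": sum(s["count"] for s in sources.values() if not s["aligned_pass"]),
    }


def audit_findings(tags, summary):
    """The gaps an auditor raises: monitoring-only policy, no RUA address (so
    no evidence), a report that disagrees with the DNS snapshot, and any
    source still sending unaligned mail under the domain."""
    findings = []
    if not policy_is_enforcing(tags):
        findings.append(f"p={tags.get('p', 'none')} is monitoring-only; control not implemented as documented")
    if "rua" not in tags:
        findings.append("no rua= tag: aggregate reports are not being collected")
    if summary["policy_published"] != tags.get("p"):
        findings.append("policy in report does not match the DNS snapshot; keep both as evidence")
    for ip, src in summary["sources"].items():
        if not src["aligned_pass"]:
            findings.append(f"{ip} sent {src['count']} unaligned messages; classify or fix before enforcing")
    return findings


if __name__ == "__main__":
    for line in audit_findings(parse_dmarc_record(SAMPLE_RECORD), summarize_rua(SAMPLE_RUA)):
        print(line)
```

Run monthly against the live TXT record and that month’s stored reports, and the output of `audit_findings` is the “monthly summary” line item, while the raw `SAMPLE_RECORD` string with a timestamp is the record snapshot. The per-source `aligned_pass` flag is what decides whether a source gets classified as legitimate (add DKIM or an SPF include) or left to be quarantined when the policy moves up.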
The first three look like “tooling.” The fourth looks like governance, and that is the bit auditors love.

What we ship for SOC 2

Atalaia generates the monthly PDF for you. It includes the record snapshot, the source classification, the disposition mix, and the policy-change trail. Drop it in your evidence folder, link it in the control matrix, and move on.