Skip to content
← All compliance guidesUnderwriting requirements

Cyber Insurance & DMARC — What Underwriters Ask in 2026

Business email compromise drives roughly half of cyber-insurance claims, and underwriters have responded: email-authentication questions now appear directly on major carriers’ applications. If your renewal is coming up, your DMARC posture is part of the price you’ll pay — get it in order before you fill in the questionnaire.

At a glance

Any organization applying for or renewing cyber-liability coverage — especially where the application includes email-security or ransomware supplemental questionnaires.

Why insurers careCoalition reports BEC and social engineering account for roughly half of cyber claims; the FBI has documented $50B+ in BEC losses over the past decade
Who asks explicitlyBeazley’s cyber applications ask which protocols authenticate the sender and content of email, naming SPF, DKIM, and DMARC
Policy level referencedDMARC at p=quarantine or stricter is the bar application guidance references — p=none is monitoring, not protection
Premium impactIndustry advisories cite 5–15% premium reductions for strong email authentication (no carrier publishes a guaranteed discount)
Risk of weak answersCan affect premiums, coverage terms, or insurability — and inaccurate answers risk claim disputes

Facts and citations verified July 13, 2026. Regulations change — confirm current details with the sources below.

What’s actually on the applications

Cyber-insurance questionnaires have become technically specific. Beazley’s cyber applications — publicly available on its site — ask applicants which protocols they use to authenticate the sender and content of email, listing SPF, DKIM, and DMARC by name, with related guidance pointing at enforcement policies (p=quarantine or stricter) rather than monitor-only records. Other major carriers include email-authentication and anti-phishing control questions in their applications and ransomware supplementals.

Coalition, one of the largest cyber-insurance providers, publishes guidance walking policyholders through SPF, DKIM, and DMARC — because business email compromise and social engineering account for roughly half of the claims it sees. Insurers price what causes losses, and email impersonation is at the top of that list.

There is no universal “DMARC or no coverage” rule — carriers differ, and many treat email authentication as one factor among several. But the direction is one-way: each renewal cycle, the questions get more specific and the answers matter more.

How weak email authentication shows up at renewal

Your postureTypical underwriting outcome
No SPF/DKIM/DMARCFlagged control gap — higher premiums, added exclusions, or declined applications at some carriers
DMARC at p=none onlyCounts as monitoring, not protection; application guidance references p=quarantine or stricter
DMARC enforced (p=quarantine/p=reject)Answers the questionnaire cleanly; industry advisories associate strong email auth with 5–15% premium reductions

Outcomes vary by carrier, broker, and your overall control set — email authentication is one input among several. Premium-reduction figures are industry-advisory estimates, not carrier-published guarantees. Answer questionnaires accurately: misstated controls can jeopardize claims.

Getting enforcement-ready before your renewal

The questionnaire answer underwriters want to see isn’t “we have a DMARC record” — it’s “our domains are at p=quarantine or p=reject, and we monitor the reports.” Getting there safely takes a few weeks of monitoring: publish DMARC at p=none with aggregate reporting, identify every legitimate service sending as your domain, fix each one’s SPF/DKIM alignment, then step up to enforcement.

DDMARC compresses that cycle: readable aggregate reports show exactly which senders fail alignment, a policy simulator previews what quarantine or reject would have blocked before you commit, and continuous DNS monitoring alerts you if a record breaks after you’ve attested to it on an application.

Keep the evidence, too. Dashboards, alert history, and DNS-check logs document that the control you claimed on the application is actually operating — useful for renewals, audits, and if a claim ever gets scrutinized.

Your compliance checklist

  1. 1

    Pull your carrier’s application or renewal questionnaire

    Find the email-security and ransomware-supplemental questions so you know exactly what you’ll attest to.

  2. 2

    Check your current posture

    A free scan shows where every domain stands on DMARC, SPF, and DKIM. Check your domain

  3. 3

    Fix authentication on every legitimate sender

    Third-party platforms (CRM, payroll, marketing) must pass SPF or DKIM aligned to your domain, or enforcement will block them. DMARC setup guide

  4. 4

    Reach p=quarantine or p=reject before you sign

    Use aggregate reports (and DDMARC’s policy simulator) to confirm enforcement won’t break real mail, then step up. Policy guide: none vs. reject

  5. 5

    Document and monitor continuously

    Keep dashboards and DNS-monitoring alerts as evidence the control stays live year-round — not just on application day.

Start with step one — see where your domain stands in 30 seconds.

Run the free check
FAQ

Cyber insurance & DMARC — FAQ

Is your domain compliant?

Check your DMARC, SPF, and DKIM posture free — then reach enforcement with readable reports, a policy simulator, and continuous monitoring.