SMB1001 includes DMARC for Risk Management

What is SMB1001?

A layered, international cybersecurity certification standard for small and medium-sized businesses (SMB), SMB1001 is developed and hosted by Dynamic Standards International (DSI), formerly Cyber Security Certification Australia. 

SMB1001 responds to the urgent need for better cybersecurity in the SMB sector by occupying the middle ground between entry-level standards like the Australian Signals Directorate’s Essential Eight and the prohibitive complexity or cost of traditional, enterprise-focused standards.

SMB1001 is a multi-tiered cybersecurity certification standard. This standard comprises five tiers that support an organization in their journey of developing their cyber security hygiene from Bronze to Gold tier. SMB1001 has been mapped to and aligns with existing guidelines, frameworks and standards. This means that SMBs who begin working towards complying with SMB1001 will be also starting their journey towards complying with the mapped-to guidelines, frameworks, and standards.
DSI

Its multi-tiered approach allows a business to start at an appropriate level based on its current resources and maturity, and then gradually advance, building on previous efforts.

SMB1001 Strengthened with DMARC Addition

First released in 2023, SMB1001 quickly gained recognition, expanding into international markets and citing increased demand for the framework from SMBs in regions like the Americas, Singapore, New Zealand and the South Pacific. Its Steering Committee includes stakeholders from both the private and public sectors, including the Australian Signals Directorate (ASD) and the Cyber Security Agency of Singapore (CSA).

The release of SMB1001:2026 in September 2025 has seen the introduction of Email Authentication and Anti-Spoofing controls. These are introduced at Level 2, and are reinforced from Level 3 onwards.

Level 2
SPF: Publish a valid SPF record in DNS specifying all authorized email-sending services.

Level 3
DKIM: Enable DKIM signing on all outbound email using 1024-bit (minimum) or 2048-bit keys 
DMARC: Publish a DMARC policy in DNS with a reporting address
DMARC policy: set to p=reject or p=quarantine (not p=none). Ensure alignment with both SPF and DKIM.
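
A way to check published records against the SPF and DMARC controls listed above, as an added example that is not from DSI or dmarcian. The function names, the sample records for the placeholder domain example.com, and the readings of "valid" SPF (exactly one record, no pass-all) and of sp=none as a gap are assumptions; DKIM key size and alignment are not checked here.

```python
# Added example: audits constructed DNS TXT records against the SPF and DMARC
# controls listed above. Names, domains and records below are assumptions.

def parse_tags(record):
    """Split a 'tag=value; tag=value' DMARC record into a dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def check_spf(txt_records):
    """Level 2: one v=spf1 record that does not authorize every sender."""
    spf = [r for r in txt_records if r.lower().split()[:1] == ["v=spf1"]]
    if len(spf) != 1:  # zero is unpublished; more than one is a permerror
        return [f"expected exactly one SPF record, found {len(spf)}"]
    terms = spf[0].lower().split()[1:]
    if "all" in terms or "+all" in terms:
        return ["SPF 'all' passes any sender instead of listing authorized ones"]
    return []

def check_dmarc(record):
    """Level 3: p=quarantine or p=reject, plus a reporting address."""
    tags = parse_tags(record)
    if tags.get("v") != "DMARC1":
        return ["not a DMARC record (v=DMARC1 missing)"]
    findings = []
    policy = tags.get("p", "missing").lower()
    if policy not in ("quarantine", "reject"):
        findings.append(f"p={policy} is not an enforcing policy")
    if tags.get("sp", "").lower() == "none":  # beyond the page: subdomain policy
        findings.append("sp=none leaves subdomains unenforced")
    if not tags.get("rua", "").lower().startswith("mailto:"):
        findings.append("no rua=mailto: reporting address")
    return findings

def audit(domain_txt, dmarc_txt):
    """Combine both checks; an empty list means the records meet the controls."""
    return check_spf(domain_txt) + check_dmarc(dmarc_txt)

# Constructed sample records for the placeholder domain example.com.
GOOD = (["v=spf1 include:_spf.example.net -all", "site-verification=abc"],
        "v=DMARC1; p=reject; rua=mailto:dmarc@example.com")
WEAK = (["v=spf1 +all", "v=spf1 mx -all"], "v=DMARC1; p=none")

if __name__ == "__main__":
    for name, (txt, dmarc) in (("GOOD", GOOD), ("WEAK", WEAK)):
        print(name, audit(txt, dmarc) or "meets the SPF and DMARC controls")
```

In practice the first argument is the list of TXT records at the domain itself and the second is the TXT record at _dmarc.<domain>.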

Looking at the numbers in the Australian Cyber Security Centre Annual Cyber Threat Report 2024-2025, we can begin to understand why the steering committee added DMARC to the standard. Email compromise and identity fraud top the self-reported cybercrime threats, with an average cost of $56,000 AUD for small businesses.

[Graphic: Australian Cyber Security Centre Annual Cyber Threat Report 2024-2025]
The relatively small costs of protecting your domains with DMARC far outweigh the risks.

How can dmarcian help MSPs and SMBs achieve SMB1001 compliance?

Following DMARC's recognition by major email providers in 2024 and 2025, DSI has acknowledged the effectiveness of DMARC as a control to mitigate phishing. SMB owners and their customers may not have the awareness to detect fraudulent emails, making DMARC a perfect supplement that works in the background: receiving mail servers look up the policy published in DNS and stop unauthorised emails before they can reach the inbox.

Managed Service Providers (MSPs) will play a crucial role in helping SMBs successfully implement the SMB1001 framework. Historically positioned as outsourced providers of information technology support, MSPs are now increasingly viewed and engaged as indispensable partners in the strategic management of cybersecurity risk.

dmarcian is positioned to help both MSPs and SMBs comply with the SMB1001:2026 framework by providing support from email experts and a leading DMARC Management Platform that helps domain owners protect their domains from impersonation and phishing. For SMBs who outsource their IT functions, dmarcian has a network of MSPs who can deploy and manage their DMARC project.

