Regő Botond Ronyecz

NIS2 Email Security Checklist 2026

Teaser only. This is not the full article. Complete Article 21 checklist with evidence artifacts: NIS2 Email Security Checklist (2026)

The auditor asks how you secure email transmission. You slide over a 2022 SPF screenshot. They ask for DMARC aggregate reports from the last 90 days. Silence.

NIS2 Article 21 does not name SPF in the directive text. EU assessors still map transmission security to authenticated mail, transport policies, DNS integrity, and provable monitoring. Essential and important entities across member states hit this question early in 2026 reviews.

Minimum records to inventory before your next assessment:

dig example.com TXT +short | grep spf
dig _dmarc.example.com TXT +short

SPF alone is not a program. Neither is p=none without review.
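
The two lookups above only show that records exist. As an added example (not from the original post), this script classifies their output so the inventory also records whether SPF is unambiguous and whether DMARC is enforcing and sending aggregate reports. Function names and sample records are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original post. Function names and the sample
# records are constructed; inputs are TXT answers as `dig +short` prints them.

# Drop the quotes dig prints and join split TXT strings ("a" "b" -> ab).
normalize_txt() {
  printf '%s\n' "$1" | sed -e 's/" "//g' -e 's/"//g'
}

# spf_status <TXT answers for the domain>  ->  none | ok | multiple
# More than one v=spf1 record makes SPF evaluation fail (permerror, RFC 7208).
spf_status() {
  normalize_txt "$1" | awk '
    tolower($0) ~ /^v=spf1( |$)/ { n++ }
    END { if (n == 0) print "none"; else if (n == 1) print "ok"; else print "multiple" }'
}

# dmarc_status <TXT answers for _dmarc.domain>  ->  missing | monitor-only |
#   enforced, with "-no-reports" appended when the record has no rua= tag
dmarc_status() {
  rec=$(normalize_txt "$1" | awk 'tolower($0) ~ /^v=dmarc1( |;|$)/ { print; exit }')
  [ -n "$rec" ] || { echo missing; return 0; }
  tags=$(printf '%s\n' "$rec" | tr ';' '\n' | sed 's/^ *//')
  policy=$(printf '%s\n' "$tags" | sed -n 's/^[Pp] *= *\([A-Za-z]*\).*/\1/p' | head -n 1 | tr 'A-Z' 'a-z')
  rua=$(printf '%s\n' "$tags" | sed -n 's/^[Rr][Uu][Aa] *= *\(.*\)/\1/p' | head -n 1)
  case "$policy" in
    quarantine|reject) state=enforced ;;
    *) state=monitor-only ;;   # p=none, or no usable policy: nothing is blocked
  esac
  # Without rua= no aggregate reports are sent, so there is nothing to review.
  if [ -n "$rua" ]; then echo "$state"; else echo "${state}-no-reports"; fi
}

# Live lookup (needs network and dig): inventory example.com
inventory() {
  echo "$1 spf=$(spf_status "$(dig "$1" TXT +short)") dmarc=$(dmarc_status "$(dig "_dmarc.$1" TXT +short)")"
}

# Constructed sample answers for offline use.
SAMPLE_SPF='"site-verification=constructed-token"
"v=spf1 include:_spf.example.net -all"'
SAMPLE_DMARC='"v=DMARC1; p=none; rua=mailto:dmarc@example.com"'
```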

In the full post on zerohook.org:

  • Full DNS and monitoring checklist for Article 21
  • Evidence artifacts auditors request (not policy PDFs)
  • MTA-STS, TLS-RPT, and DNSSEC mapping
  • Fine exposure vs. compliance cost context

Read the full guide: NIS2 Email Security Checklist (2026)
