Law 25 and email security: what your business must do

Québec's Law 25 requires every business to protect the personal information it holds — and email is one of the main entry points for incidents. Here is the concrete link, without legal jargon.

In short: Law 25 requires "reasonable security measures". A domain without SPF, DKIM and an enforcing DMARC policy lets a fraudster email your customers in your name, because receiving servers have no instruction to reject the forgery. That is exactly the kind of confidentiality incident the law requires you to prevent, then report. Securing your email and website is one of the simplest, cheapest measures available.

What Law 25 asks, in one sentence

Since September 2023, every business operating in Québec, whatever its size, must protect the personal information it holds with reasonable security measures, report confidentiality incidents that present a risk of serious injury, and designate a privacy officer (the last two obligations have applied since September 2022).

The link with your email

A domain without protection (SPF, DKIM, DMARC) lets anyone send emails that appear to come from your company. SPF and DKIM only let a receiving server check whether a message is genuine; it is the DMARC policy that tells it what to do with a failure, so a record left at p=none still lets the forgery through to the inbox. Concretely: a fraudster writes to your customers "from you" to extract payments or personal information. When that succeeds, the personal information obtained or misused is a confidentiality incident under the law, with the reporting obligation and reputational risk that come with it.

Québec's privacy regulator, the Commission d'accès à l'information (CAI), can impose significant administrative penalties. More importantly: being able to demonstrate that you had taken reasonable measures (like DMARC in "reject" mode, with dated evidence of when it was deployed) weighs heavily in how an incident is assessed.

The link with your website

If your site collects any information at all (contact form, newsletter, orders), the law applies there too: HTTPS is in practice mandatory (a valid TLS certificate, HTTP redirected to HTTPS, HSTS), together with security headers such as Content-Security-Policy that limit what an injected script can do. A compromised site leaking customer data is a confidentiality incident, reportable whenever it presents a risk of serious injury.

Where to start (concrete measures)

  1. Check your current posture: our free check gives you a grade and the exact list of fixes in 15 seconds.
  2. Close the spoofing door: an SPF record listing only the services that actually send for you and ending in -all (and staying under SPF's 10 DNS-lookup limit, beyond which receivers ignore the record), DKIM signing enabled on every sending service, and DMARC moved from p=none to p=quarantine and then p=reject once the aggregate (rua) reports show no legitimate mail failing (see our SPF/DKIM/DMARC guide).
  3. Secure the website: HTTP redirected to HTTPS with HSTS, security headers, certificate expiry monitored (see the website guide).
  4. Monitor continuously: protections degrade over time (expiring certificates, DNS changed by a provider, a new SaaS tool sending mail from your domain without being in your SPF). Automatic monitoring with alerts covers you without thinking about it.
  5. Document: keep a record of your checks, the DMARC reports and the dates of each change. It is your proof of "reasonable measures".
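As an added illustration of steps 2 and 3, and of the spoofing door described under "The link with your email": the script below is example code written for this article, not the free check tool itself. It parses SPF and DMARC TXT records and a set of HTTP response headers, flags the weaknesses named above (a softfail "~all", a DMARC policy still at p=none, a missing Content-Security-Policy) and turns them into a grade. The records and headers are constructed samples rather than live DNS or HTTP lookups, and the grading scale (180-day HSTS minimum, letter boundaries, the "C" cap while the spoofing door is open) is this example's own choice.

```python
"""Offline posture check for SPF, DMARC and HTTPS headers.
Added example for this article; the sample records below are constructed,
not real DNS answers, and the grading scale is this example's own."""
import re

# Constructed sample inputs: what a TXT lookup of example.com and
# _dmarc.example.com, and a GET of https://example.com/, might return.
SAMPLE_SPF_TXT = ["v=spf1 include:_spf.example.net ip4:203.0.113.0/24 ~all"]
SAMPLE_DMARC_TXT = ["v=DMARC1; p=none; rua=mailto:dmarc@example.com"]
SAMPLE_HEADERS = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Content-Type": "text/html; charset=utf-8",
}

# SPF terms that each cost one of the 10 permitted DNS lookups (RFC 7208 s.4.6.4).
_LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def check_spf(txt_records):
    """Map check name -> (ok, explanation) for a domain's TXT records."""
    spf = [r for r in txt_records if r.lower().startswith("v=spf1")]
    if not spf:
        return {"present": (False, "no SPF record: any host may send as this domain")}
    findings = {"present": (True, "SPF record found"),
                # Two records are a permanent error for receivers, i.e. no protection.
                "single": (len(spf) == 1, f"{len(spf)} SPF record(s)")}
    qualifier, lookups = None, 0
    for term in spf[0].lower().split()[1:]:
        name = term.lstrip("+-~?").split(":", 1)[0].split("/", 1)[0].split("=", 1)[0]
        if name == "all":
            qualifier = term[0] if term[0] in "+-~?" else "+"
        elif name in _LOOKUP_TERMS:
            lookups += 1
    # Only "-all" asks receivers to fail unlisted senders; "~all" is a softfail,
    # "?all", "+all" or no "all" term at all leave the door open.
    findings["enforced"] = (qualifier == "-",
                            f"terminal term: {qualifier + 'all' if qualifier else 'missing'}")
    findings["lookups"] = (lookups <= 10, f"{lookups} DNS-lookup terms (limit 10)")
    return findings


def check_dmarc(txt_records):
    """Parse the _dmarc TXT record. Only p=reject with pct=100 blocks spoofing;
    p=none is monitoring only and p=quarantine merely sends forgeries to spam."""
    rec = [r for r in txt_records if r.lower().replace(" ", "").startswith("v=dmarc1")]
    if not rec:
        return {"present": (False, "no DMARC record: SPF/DKIM results are never enforced")}
    tags = {}
    for part in rec[0].split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    policy = tags.get("p", "").lower()
    pct_raw = tags.get("pct", "100")
    pct = int(pct_raw) if pct_raw.isdigit() else 0
    return {
        "present": (True, "DMARC record found"),
        "policy_reject": (policy == "reject", f"p={policy or 'missing'}"),
        "full_coverage": (pct == 100, f"pct={pct}"),
        "reports": ("rua" in tags, "rua= aggregate reporting " + ("on" if "rua" in tags else "missing")),
    }


def check_headers(headers):
    """Check the response headers step 3 relies on: HSTS to force HTTPS and
    CSP / nosniff / framing controls that limit script injection."""
    h = {k.lower(): v for k, v in headers.items()}
    m = re.search(r"max-age=(\d+)", h.get("strict-transport-security", ""))
    max_age = int(m.group(1)) if m else 0
    csp = h.get("content-security-policy", "").lower()
    return {
        "hsts": (max_age >= 15552000, f"HSTS max-age={max_age} (want at least 180 days)"),
        "csp": (bool(csp), "Content-Security-Policy " + ("set" if csp else "missing")),
        "nosniff": (h.get("x-content-type-options", "").lower() == "nosniff",
                    "X-Content-Type-Options: nosniff"),
        "framing": ("frame-ancestors" in csp or "x-frame-options" in h,
                    "frame-ancestors / X-Frame-Options"),
    }


def grade(*finding_sets):
    """Letter grade from the share of passed checks. A missing record, a non-strict
    SPF or a DMARC policy other than reject caps the grade at C: that is the
    spoofing door the article talks about, whatever else is in place."""
    items = [v for fs in finding_sets for v in fs.values()]
    passed = sum(1 for ok, _ in items if ok)
    ratio = passed / len(items)
    letter = "A" if ratio == 1 else "B" if ratio >= 0.8 else "C" if ratio >= 0.5 else "D"
    door_open = any(not fs.get(k, (True,))[0] for fs in finding_sets
                    for k in ("present", "enforced", "policy_reject"))
    if door_open and letter in ("A", "B"):
        letter = "C"
    return letter, passed, len(items)


if __name__ == "__main__":
    results = {"SPF": check_spf(SAMPLE_SPF_TXT), "DMARC": check_dmarc(SAMPLE_DMARC_TXT),
               "HTTP": check_headers(SAMPLE_HEADERS)}
    for area, findings in results.items():
        for check, (ok, why) in findings.items():
            print(f"{area:5} {'PASS' if ok else 'FAIL'} {check:14} {why}")
    print("grade:", grade(*results.values()))
```

Run as-is, the sample domain lands at C with 7 of 12 checks passed: its SPF ends in "~all", its DMARC is still at p=none and the site sends no CSP, so a forged message is not rejected anywhere. Feeding the same functions a record ending in "-all", a p=reject policy with rua= reporting, and HSTS plus a Content-Security-Policy with frame-ancestors and nosniff yields an A. To use it on a real domain, replace the constructed lists with the TXT strings returned by your resolver (for example dnspython) and the headers from an HTTPS response.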

This article is a plain-language summary, not legal advice. For your specific situation, consult a professional.

Check your setup for free

Enter your domain: we test your SPF, DKIM, DMARC and website, and give you the exact action plan.

Run the free check
See also: the SPF, DKIM, DMARC guide, Microsoft 365, Google Workspace, securing your website.