If you have ever paid an invoice that “felt a bit off”, you already understand the problem with email. It looks official, it arrives at the right moment, and it nudges a busy person to act quickly.
Attackers love that. They do not need to break into your systems if they can simply borrow your name.
That is where DMARC comes in. It is one of those security controls that sounds like a dusty acronym, yet it solves a very human problem: “How do we prove an email is really from us?”
The scam that keeps finance teams up at night
Domain spoofing is the email version of a fake badge. The attacker does not need access to your mailbox. They send a message that looks like it came from your domain and rely on the recipient’s trust.
In many organisations, the first damage is internal. A colleague gets a “quick request” from the MD. A supplier “updates” their bank details. A customer replies with sensitive information because the email thread looks familiar.
Training helps, but spoofing removes some of the obvious tells. A good DMARC setup adds a technical backstop so the dodgy emails do not even reach the inbox.
If you want the wider context on how phishing and payment fraud show up across different attack types, our breakdown in Top 5 Cyber Risks Faced by Businesses and How to Solve Them is a useful companion.
DMARC in plain English
DMARC stands for Domain-based Message Authentication, Reporting and Conformance. Ignore the mouthful and focus on the job:
- SPF says which servers are allowed to send email for your domain.
- DKIM adds a cryptographic signature so receivers can verify the message was not altered.
- DMARC checks whether SPF or DKIM passed for a domain that matches (“aligns with”) the domain in the visible From address, and tells the receiver what to do when neither does.
A helpful mental model is “door staff”. SPF is the guest list, DKIM is the stamp on your hand, and DMARC is the policy that says “let them in, send them to the side, or turn them away”.
A TechRadar Pro piece published in August 2025 makes a similar point, and highlights how few domains actually reach full enforcement: What is DMARC and why it could prevent your organization from being hacked by cybercriminals.
Your domain is part of your brand
Your domain name is a trust badge. It sits on invoices, proposals, onboarding emails, password resets, and all the little “can you just…” messages that keep work moving.
When attackers spoof your domain, they are borrowing your reputation. Clients rarely separate “your email was spoofed” from “your business is careless”. They just remember that something went wrong and it involved your name.
Why DMARC gets stuck at ‘p=none’
Many organisations publish a DMARC record and stop there. They set the policy to “none” so they can collect reports. Then months pass. The reports are noisy. Nobody has time to read them. The policy never moves.
Often the blocker is discovery. You start the work and keep finding forgotten senders: marketing tools, invoicing platforms, old ticketing software, even the office printer that still emails scans.
Fortra’s analysis of the top 10 million internet domains in its Q2 2025 research gives a sobering snapshot of how often email authentication is missing or misconfigured, even at scale: Global DMARC Adoption Trends in Q2 2025.
A simple DMARC rollout that does not wreck deliverability
The fear is understandable: “If we turn this on, will we block our own emails?” The answer is: not if you take it in stages and test properly.
Here is a practical rollout that fits most UK small businesses.
Step 1: inventory your senders
List every service that sends email as your domain. Typical examples:
- Microsoft 365 or Google Workspace
- Mail marketing platforms
- CRM and ticketing systems
- Accounting and invoicing tools
- Website contact forms
- HR and recruitment tools
You are trying to answer one question: “Which systems send mail using our domain in the From address?”
Step 2: get SPF and DKIM into a sane state
SPF should list the right sending services and avoid “anything goes” settings (a record ending in +all lets any server pass). Keep it under the limit of 10 DNS lookups, because beyond that receivers treat the record as an error and your mail fails SPF. DKIM should be enabled for every platform that supports it: a DKIM signature survives forwarding, which SPF often does not, so it is the more robust of the two checks for DMARC.
Aim for “most legitimate mail passes authentication”, then refine.
Step 3: publish DMARC with reporting
Start with a DMARC policy of “none” (p=none) and point aggregate reports (the rua address) to a mailbox you can access. This is your visibility stage.
At this point, you are not blocking anything. You are collecting evidence.
Step 4: tighten gradually
Move to “quarantine” for a small percentage of mail using the pct tag, then increase it. When you are comfortable, step up to “reject”. Subdomains inherit whatever you publish unless you set a separate subdomain policy (sp), so do not leave them weaker than the main domain.
This gradual approach keeps business-as-usual running, and it forces you to fix the odd forgotten sender before it becomes a crisis.
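The four steps above come down to a handful of DNS TXT records that change at each stage. The script below is an added example, not code from the original article: it lints an SPF record for the “anything goes” ending and the 10-lookup limit, then parses a DMARC record and reports which rollout stage it represents. The records in main() are constructed for illustration; example.com and dmarc@example.com stand in for your own domain and report mailbox.

```python
"""Lint the SPF and DMARC TXT records used at each stage of the rollout.

Added example, not code from the original article. The records in main()
are constructed for illustration: example.com and dmarc@example.com are
placeholders for your own domain and report inbox.
"""
import re

# SPF terms that each cost a DNS lookup; RFC 7208 caps the total at 10.
SPF_LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}

POLICY_RANK = {"none": 0, "quarantine": 1, "reject": 2}


def lint_spf(record: str) -> list[str]:
    """Return problems found in an SPF record (empty list means it looks sane).

    Only terms written in this record are counted; nested includes also
    count toward the 10-lookup limit, so treat the count as a floor.
    """
    problems: list[str] = []
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["record does not start with v=spf1"]
    lookups = 0
    for term in terms[1:]:
        # strip the qualifier (+ - ~ ?) and any argument to get the term name
        name = re.split(r"[:=/]", term.lstrip("+-~?"), maxsplit=1)[0].lower()
        if name in SPF_LOOKUP_TERMS:
            lookups += 1
        if name == "ptr":
            problems.append("ptr mechanism is deprecated and unreliable")
    last = terms[-1].lower()
    if last in ("all", "+all", "?all"):
        problems.append(f"'{last}' lets any server pass SPF; end with ~all or -all")
    elif last not in ("~all", "-all") and not last.startswith("redirect="):
        problems.append("record should end with ~all or -all")
    if lookups > 10:
        problems.append(f"{lookups} lookup terms exceed the limit of 10 (SPF permerror)")
    return problems


def lint_dmarc(record: str) -> dict:
    """Parse a DMARC record and say which rollout stage it represents."""
    tags: dict[str, str] = {}
    for part in record.split(";"):
        key, _, value = part.strip().partition("=")
        if key:
            tags[key.strip().lower()] = value.strip()
    policy = tags.get("p", "")
    if tags.get("v") != "DMARC1" or policy not in POLICY_RANK:
        return {"stage": "invalid", "problems": ["needs v=DMARC1 and p=none|quarantine|reject"]}
    problems: list[str] = []
    if "rua" not in tags:
        problems.append("no rua= address, so you will receive no aggregate reports")
    pct = int(tags.get("pct", "100"))  # pct defaults to 100 when absent
    if policy == "none":
        stage = "visibility"
        if "pct" in tags:
            problems.append("pct has no effect with p=none")
    elif pct < 100:
        stage = "partial-enforcement"
    else:
        stage = "enforcement" if policy == "reject" else "quarantine"
    # Subdomains inherit p= unless sp= overrides it; a weaker sp= re-opens them.
    sp = tags.get("sp")
    if sp in POLICY_RANK and POLICY_RANK[sp] < POLICY_RANK[policy]:
        problems.append(f"sp={sp} leaves subdomains weaker than the main policy")
    return {"stage": stage, "policy": policy, "pct": pct, "problems": problems}


if __name__ == "__main__":
    # Constructed records: a tidy SPF record, then a risky one.
    print(lint_spf("v=spf1 include:spf.protection.outlook.com include:_spf.google.com -all"))
    print(lint_spf("v=spf1 a mx include:_spf.google.com +all"))
    # The article's stages: visibility, partial quarantine, full reject.
    for rec in (
        "v=DMARC1; p=none; rua=mailto:dmarc@example.com",
        "v=DMARC1; p=quarantine; pct=10; rua=mailto:dmarc@example.com",
        "v=DMARC1; p=reject; sp=none; rua=mailto:dmarc@example.com",
    ):
        print(rec, "->", lint_dmarc(rec))
```

Run it against the output of `dig TXT yourdomain` and `dig TXT _dmarc.yourdomain`. The SPF lookup count is deliberately a floor: every include: pulls in another record whose own includes also count, which is exactly how a record “grows into a fragile mess” without anyone editing it.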
The part people forget: the finance process
DMARC reduces spoofing of your exact domain, but it does nothing about look-alike domains or a supplier’s compromised mailbox, and it does not fix weak payment controls. In many invoice fraud cases, the attacker does not need perfect spoofing. They only need a moment of confusion.
Align DMARC work with a couple of low-effort finance checks:
- Bank detail changes must be verified via a known phone number, not the email thread.
- Urgent payments need a second approver, even if the message looks like it came from the boss.
- New suppliers should have a simple onboarding checklist, including who is allowed to authorise them.
If you have cyber insurance, these process controls matter. Policies often look at “reasonable steps” and basic governance before paying out. Our guide on Cybersecurity Insurance: Is Your Business Covered? explains the common coverage areas and the sorts of questions insurers ask after an incident.
What good looks like after 30 days
A month after starting DMARC work, you should be able to say:
- We know which services send email as our domain.
- SPF and DKIM are in place for our core platforms.
- DMARC reports are being reviewed, even if only weekly.
- We have moved off “none”, or we have a date to do so.
You do not need a security operations centre. You need ownership. One named person who can chase the odd vendor and keep the project moving.
Troubleshooting the usual blockers
“Our marketing emails keep failing”
This is usually an alignment problem. The platform sends with its own return-path domain and signs with its own DKIM key, so SPF and DKIM pass for the platform’s domain but not for yours, and DMARC needs one of them to pass for a domain that matches your From address. The fix is normally configuration, not giving up: turn on the platform’s custom-domain DKIM signing (usually a CNAME or two in your DNS) and, where it is offered, a custom return-path on your domain.
“The reports are unreadable”
They are. Most arrive as compressed XML attachments, typically one per receiving provider per day, and reading them raw is like reading a tax return in binary. Use a DMARC reporting tool or a managed service so you can see trends, not spaghetti.
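To show what those reports actually contain, and how the alignment rule described earlier (SPF or DKIM must pass for a domain matching the From address) separates a forgotten marketing platform from an outright spoof, here is an added example that is not code from the original article. It parses the aggregate-report XML format, re-derives the DMARC verdict for each source IP from the auth_results, and labels failing sources. SAMPLE_REPORT is a constructed report for the placeholder domain example.com, and the organisational-domain helper is a deliberate simplification of the Public Suffix List.

```python
"""Summarise a DMARC aggregate (rua) report and recompute alignment.

Added example, not code from the original article. SAMPLE_REPORT is a
constructed report for the placeholder domain example.com; real reports
arrive as gzip or zip attachments with this XML structure (RFC 7489,
Appendix C) and can be fed to summarise() once unpacked.
"""
import xml.etree.ElementTree as ET

SAMPLE_REPORT = """<?xml version="1.0"?>
<feedback>
  <report_metadata><org_name>mailbox-provider.example</org_name><report_id>12345</report_id></report_metadata>
  <policy_published><domain>example.com</domain><adkim>r</adkim><aspf>r</aspf><p>none</p></policy_published>
  <record>
    <row><source_ip>203.0.113.10</source_ip><count>120</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results><dkim><domain>example.com</domain><selector>selector1</selector><result>pass</result></dkim>
      <spf><domain>example.com</domain><result>pass</result></spf></auth_results>
  </record>
  <record>
    <row><source_ip>198.51.100.25</source_ip><count>40</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results><spf><domain>bulkmail-platform.example</domain><result>pass</result></spf></auth_results>
  </record>
  <record>
    <row><source_ip>192.0.2.77</source_ip><count>15</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results><spf><domain>example.com</domain><result>fail</result></spf></auth_results>
  </record>
</feedback>
"""

# Simplified organisational-domain lookup. The Public Suffix List is the
# real answer; this handles .com-style names plus common UK suffixes.
TWO_LABEL_SUFFIXES = {"co.uk", "org.uk", "ac.uk", "gov.uk"}


def org_domain(domain: str) -> str:
    labels = domain.lower().rstrip(".").split(".")
    keep = 3 if ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES else 2
    return ".".join(labels[-keep:])


def aligned(header_from: str, auth_domain: str, mode: str) -> bool:
    """Identifier alignment: strict ('s') needs an exact match, relaxed
    ('r', the default) accepts the same organisational domain."""
    if mode == "s":
        return header_from.lower() == auth_domain.lower()
    return org_domain(header_from) == org_domain(auth_domain)


def evaluate_record(rec: ET.Element, adkim: str, aspf: str) -> dict:
    """Re-derive the DMARC verdict for one <record> from its auth_results."""
    header_from = rec.findtext("identifiers/header_from")
    dkims = rec.findall("auth_results/dkim")
    spfs = rec.findall("auth_results/spf")
    dkim_ok = any(d.findtext("result") == "pass" and aligned(header_from, d.findtext("domain"), adkim) for d in dkims)
    spf_ok = any(s.findtext("result") == "pass" and aligned(header_from, s.findtext("domain"), aspf) for s in spfs)
    if dkim_ok or spf_ok:  # DMARC passes when either aligned check passes
        diagnosis = "ok"
    elif any(x.findtext("result") == "pass" for x in dkims + spfs):
        diagnosis = "authenticates under another domain: probably a third-party sender needing aligned DKIM"
    else:
        diagnosis = "no passing authentication: unknown sender or spoofing"
    return {
        "source_ip": rec.findtext("row/source_ip"),
        "count": int(rec.findtext("row/count")),
        "dkim_aligned": dkim_ok,
        "spf_aligned": spf_ok,
        "dmarc_pass": dkim_ok or spf_ok,
        "disposition": rec.findtext("row/policy_evaluated/disposition"),
        "diagnosis": diagnosis,
    }


def summarise(xml_text: str) -> dict:
    """Totals plus the list of sources that would fail under enforcement."""
    root = ET.fromstring(xml_text)
    adkim = root.findtext("policy_published/adkim", "r")
    aspf = root.findtext("policy_published/aspf", "r")
    rows = [evaluate_record(r, adkim, aspf) for r in root.findall("record")]
    return {
        "domain": root.findtext("policy_published/domain"),
        "total": sum(r["count"] for r in rows),
        "passed": sum(r["count"] for r in rows if r["dmarc_pass"]),
        "failing_sources": [r for r in rows if not r["dmarc_pass"]],
    }


if __name__ == "__main__":
    result = summarise(SAMPLE_REPORT)
    print(f'{result["domain"]}: {result["passed"]}/{result["total"]} messages pass DMARC')
    for r in result["failing_sources"]:
        print(f'  {r["source_ip"]:>15}  {r["count"]:>4}  {r["diagnosis"]}')
```

The second record is the “marketing emails keep failing” case: SPF passes, but for the bulk-mail platform’s own domain, so it does not count. The third record passes nothing and is what enforcement is there to stop. While p=none is published, every disposition reads “none”, which is why the failing-sources list, not the disposition column, is what to watch before tightening the policy.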
“We have multiple domains”
Start with the one customers see most, usually your main brand domain. Then roll the same pattern out to secondary domains, especially anything used for finance or senior staff.
“We do not send email from this domain”
DMARC still helps. Attackers can spoof domains that do not send mail, and receivers may still accept it. Once you have confirmed nothing legitimate uses the domain, publish an SPF record of v=spf1 -all alongside a DMARC p=reject policy. That is a quick win that closes the domain to spoofing without touching any working mail flow.
Help Net Security covered this point in a short September 2025 piece on DMARC adoption, noting that domains can be abused whether they send mail or not: The state of DMARC adoption: What 10M domains reveal.
A quick case study: the invoice that never arrived
A small professional services firm gets a call from a long-term client. “We paid last week. Can you confirm you received it?”
The finance lead checks the bank account. Nothing.
It turns out the client received an email that looked like the firm’s usual invoice reminder. Same signature, same tone, and the domain looked right at a glance. The only difference was the bank details in the footer.
The firm did two things after the dust settled. First, they tightened their payment change process and made call-backs non-negotiable. Second, they implemented DMARC properly, so that any future spoofed email claiming to be them had a far higher chance of being blocked before it landed.
That is the real value of DMARC. It is not a silver bullet. It is a seatbelt. You will be grateful it is there when someone else runs a red light.
Bringing DMARC into the monthly routine
DMARC is not “set and forget”. New tools get added. Staff sign up for services. Vendors change how they send mail.
A light monthly check is usually enough:
- Review DMARC reports for new senders.
- Confirm new platforms have DKIM enabled.
- Check SPF has not grown into a fragile mess.
Ten minutes a month beats a frantic week after an invoice fraud incident.
Where to start if you are busy
If your team is stretched, pick one action you can do this week:
- Ask your IT partner what your DMARC policy is set to.
- Request a list of known third-party email senders for your domain.
- Confirm DKIM is enabled in your mail platform.
- Put a call-back rule in place for bank detail changes.
Small steps add up quickly, and DMARC is one of the few changes that can reduce impersonation risk without relying on a perfect human moment.
If you want help auditing your email setup, mapping your senders, and moving safely to a stronger DMARC policy, the Mustard IT team can support you.
Contact us to discuss a practical rollout that keeps your emails flowing and makes spoofing a much harder job for attackers.