What is DMARC and why does your business email need it?
Here's something most business owners don't know: right now, anyone on the internet can send an email that appears to come from your domain. No hacking required. Just a mail server, your domain name in the "From" field, and the email lands in your client's inbox looking exactly like it came from you.
This is called email spoofing, and it's the foundation of a large percentage of business email compromise attacks. DMARC — along with SPF and DKIM — is how you close that gap. Here's how it works, in plain terms.
The problem: email was built without authentication
The core email protocols (SMTP, dating back to 1982) were designed for reliability, not security. There's no built-in verification that the person sending an email is who they claim to be. An attacker can set the "From" address to anything — including billing@yourcompany.com — and most mail servers will deliver it.
The result: your clients receive what looks like an invoice from you. Your suppliers receive what looks like a payment instruction change. These attacks don't require breaking into your systems. They just require exploiting trust in your domain name.
The fix: SPF, DKIM, and DMARC working together
These three DNS records work as a chain. You need all three for proper protection.
SPF: who is allowed to send email for your domain?
SPF (Sender Policy Framework) is a DNS record that lists the mail servers authorised to send email on behalf of your domain. When an email arrives claiming to be from your domain, the receiving mail server checks your SPF record: "Is this mail server on the approved list?"
A typical SPF record for that setup says, in effect: "Only Google and SendGrid are authorised to send email for this domain. Everything else should be treated with suspicion (~all) or rejected (-all)."
SPF has one significant limitation: it only checks the envelope sender (the Return-Path address used for routing and bounces), not the "From" header the user sees. An attacker can pass SPF by putting their own domain in the envelope while still putting yours in the visible From address. That's where DKIM and DMARC come in.
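As an added example (not code from the original post), here is a minimal SPF evaluator in Python. It walks a record's mechanisms in order, follows include: references, and returns the qualifier of the first match, so you can see the difference between ~all and -all. DNS is replaced by a constructed dictionary, and every domain and IP address in it is made up.

```python
import ipaddress

# Constructed stand-in for DNS TXT lookups (not a live resolver).
# Values are invented for illustration.
FAKE_DNS = {
    "yourcompany.example": "v=spf1 include:mail.example include:relay.example -all",
    "mail.example": "v=spf1 ip4:203.0.113.0/24 -all",
    "relay.example": "v=spf1 ip4:198.51.100.10 ~all",
}

# SPF qualifier prefixes and the result each one produces on a match
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(domain, sender_ip, dns=FAKE_DNS, depth=0):
    """Evaluate the SPF record published for `domain` against `sender_ip`.

    Returns one of pass / fail / softfail / neutral / none / permerror.
    Only ip4, ip6, include and all are supported in this toy evaluator.
    """
    if depth > 10:                       # RFC 7208 caps DNS-querying terms at 10
        return "permerror"
    record = dns.get(domain)
    if not record or not record.startswith("v=spf1"):
        return "none"                    # no SPF record: nothing to enforce
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:      # skip the "v=spf1" version tag
        qualifier = "+"                  # default qualifier is "+" (pass)
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif name == "include":
            # include: matches only if the referenced domain's record yields pass
            matched = check_spf(arg, sender_ip, dns, depth + 1) == "pass"
        else:
            return "permerror"           # unsupported mechanism
        if matched:
            return QUALIFIERS[qualifier]  # first matching term decides
    return "neutral"                     # nothing matched and no "all" term
```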
DKIM: a cryptographic signature on your emails
DKIM (DomainKeys Identified Mail) adds a digital signature to every email sent from your authorised mail servers. The signature is created using a private key held by your mail server, and verified using a public key published in your DNS records.
When a receiving mail server gets an email claiming to be from your domain, it checks the DKIM signature. If the signature doesn't match — because the email was forged, or because the content was tampered with in transit — the check fails.
Unlike SPF, DKIM covers the visible "From" header: the signature must include it, so forging that header breaks the signature. This makes spoofing much harder.
DMARC: the policy that ties it all together
DMARC (Domain-based Message Authentication, Reporting and Conformance) is a DNS record that tells receiving mail servers what to do when SPF or DKIM checks fail — and asks them to send you reports about it.
In the DMARC record, the p= tag is your policy: what happens to emails that fail authentication.
p=none
Monitor only. Failing emails are delivered normally. Use this when you're first setting up DMARC to understand your email flows before enforcing anything.
p=quarantine
Failing emails go to the spam/junk folder. A good intermediate step — spoofed emails won't reach inboxes but you can review what's being caught.
p=reject
Failing emails are rejected outright and never delivered. The strongest protection — and what you should aim for once you've confirmed your legitimate email is passing.
The rua= tag tells mail servers where to send aggregate reports. These reports (sent daily by Gmail, Microsoft, Yahoo, and others) show you who is sending email claiming to be from your domain — including both your own legitimate senders and any spoofing attempts.
How to set it up
Ask your email provider (Google Workspace, Microsoft 365, etc.) for their SPF include statement. Add a TXT record on your root domain with v=spf1 include:... -all.
Most providers (Google Workspace, Microsoft 365) have a DKIM setup page. They'll give you a CNAME or TXT record to add to your DNS. Once added, all outgoing emails will be signed.
Add a TXT record at _dmarc.yourdomain.com with v=DMARC1; p=none; rua=mailto:your@email.com. This lets you start receiving reports without blocking anything yet.
After a week or two of reports, you'll know what email services are sending on your behalf. Once you're confident everything legitimate is passing, move to quarantine, then reject.
How do you know if you're protected right now?
You can check your current DNS configuration manually, or use a tool that checks it automatically. The three things to verify:
- An SPF record exists on your domain and includes all your authorised senders
- DKIM is enabled and publishing a valid public key for your mail selector
- A DMARC record exists at _dmarc.yourdomain.com with a policy of quarantine or reject
Many businesses have SPF set up but no DMARC — which means the policy is effectively "do nothing with failures." Without DMARC, SPF and DKIM provide visibility but no enforcement.
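Added example, not code from the original post: a small Python model of the DMARC decision described above and of the checklist just given. It parses a DMARC record, tests whether the SPF and DKIM identifiers align with the visible From domain (relaxed or strict), and returns the disposition a receiver would apply. DNS is replaced by a constructed dictionary, the domains are made up, and the organisational-domain logic is a simplification (real checkers use the Public Suffix List).

```python
# Constructed stand-in for the TXT record published at _dmarc.<domain>
SAMPLE_DMARC = {
    "yourcompany.example": "v=DMARC1; p=reject; rua=mailto:dmarc@yourcompany.example",
    "monitor-only.example": "v=DMARC1; p=none; rua=mailto:dmarc@monitor-only.example",
}


def parse_dmarc(record):
    """Parse 'tag=value; tag=value' into a dict with RFC 7489 defaults.
    Returns None when the text is not a usable DMARC record."""
    tags = {"adkim": "r", "aspf": "r"}      # relaxed alignment is the default
    for part in record.split(";"):
        key, _, value = part.strip().partition("=")
        if value:
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or tags.get("p") not in ("none", "quarantine", "reject"):
        return None
    return tags


def org_domain(domain):
    # Simplification: last two labels. Real implementations use the Public Suffix List.
    return ".".join(domain.lower().split(".")[-2:])


def aligned(auth_domain, from_domain, mode):
    """Relaxed ('r') alignment accepts subdomains; strict ('s') needs an exact match."""
    if not auth_domain:
        return False
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


def dmarc_status(domain, dns=SAMPLE_DMARC):
    """The checklist item: 'missing', 'monitor' (p=none) or 'enforcing' (quarantine/reject)."""
    tags = parse_dmarc(dns.get(domain, ""))
    if tags is None:
        return "missing"
    return "monitor" if tags["p"] == "none" else "enforcing"


def dmarc_disposition(from_domain, spf_result, envelope_domain, dkim_result, dkim_domain, dns=SAMPLE_DMARC):
    """What a receiver does with a message: 'none' (deliver), 'quarantine' or 'reject'.
    DMARC passes when SPF or DKIM passes AND that identifier aligns with the visible
    From domain; an SPF pass for the attacker's own envelope domain does not count."""
    tags = parse_dmarc(dns.get(from_domain, "")) or parse_dmarc(dns.get(org_domain(from_domain), ""))
    if tags is None:
        return "none"                       # no DMARC record: failures are ignored
    spf_ok = spf_result == "pass" and aligned(envelope_domain, from_domain, tags["aspf"])
    dkim_ok = dkim_result == "pass" and aligned(dkim_domain, from_domain, tags["adkim"])
    return "none" if (spf_ok or dkim_ok) else tags["p"]
```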
Check your email security in 60 seconds
masoSec instantly checks your SPF, DKIM, and DMARC configuration and tells you exactly what's missing — for free.