FK94 Security · Security Tip · September 12, 2024 · 7 min read

DMARC Explained: Why Your Business Email Is Probably Not Protected

If you have not configured DMARC, anyone can send emails as your company. Here is what DMARC is, why it matters, and how to set it up in 30 minutes.

Here is a question that surprises most business owners: can someone send an email that looks like it comes from your company domain, lands in inboxes, and is virtually indistinguishable from a real email? If you have not configured DMARC, the answer is yes.

What is DMARC?

DMARC (Domain-based Message Authentication, Reporting & Conformance) is an email authentication protocol that tells receiving email servers what to do when they get a message claiming to be from your domain. Without DMARC, there is no policy: the receiving server has to guess whether the email is legitimate.

DMARC builds on two existing protocols:

  • SPF (Sender Policy Framework): Specifies which mail servers are authorized to send email on behalf of your domain.
  • DKIM (DomainKeys Identified Mail): Adds a cryptographic signature to emails that proves they were not tampered with in transit.

DMARC ties them together with a policy that says: "If an email fails both the SPF and the DKIM check, do X", where X is none (monitor only), quarantine (send to spam), or reject (block entirely).

Why this matters for your business

Without DMARC, an attacker can:

  • Send phishing emails to your clients that appear to come from your domain
  • Send fake invoices from your "accounting department" with different bank details
  • Impersonate your CEO to trick employees into transferring money or sharing credentials
  • Damage your brand reputation when your domain shows up in spam and phishing campaigns

These are not hypothetical scenarios. Email spoofing is one of the most common attack vectors in business email compromise (BEC), which cost businesses $2.7 billion in 2023 according to the FBI.

How to check your current status

You can check your DMARC status for free using our DNS Scanner tool, or any online DMARC checker. Look up the TXT record for _dmarc.yourdomain.com. If no record exists, you have no DMARC protection.

How to implement DMARC

The implementation follows three phases:

  1. Start with monitoring (p=none): Add a DMARC record with policy "none" and a reporting address. This lets you see who is sending email as your domain without blocking anything. Run this for 2-4 weeks.
  2. Move to quarantine (p=quarantine): Once you have confirmed that all legitimate senders pass SPF/DKIM checks, change the policy to quarantine. Spoofed emails go to spam.
  3. Enforce reject (p=reject): The final step. Spoofed emails are blocked entirely. Your domain is now protected.

Common mistakes

  • Jumping straight to reject: If your SPF or DKIM is not configured correctly, you will block your own legitimate emails.
  • Forgetting third-party senders: If you use services like Mailchimp, HubSpot, or Google Workspace, they need to be included in your SPF record and configured with DKIM.
  • Never moving past monitoring: Many organizations set p=none and forget about it. Monitoring without enforcement provides no protection.
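The status check, the three phases and the mistakes above can be turned into a small record checker. The following is an added example, not FK94 Security's DNS Scanner: it parses a DMARC TXT record you paste in (as returned for `_dmarc.yourdomain.com`) and reports the conditions discussed above; the sample records and the `example.com` addresses are constructed.

```python
from typing import Dict, List, Optional

# Added example, not part of the original article or FK94's tooling.
# Works on pasted record text, so it needs no network access.
POLICIES = ("none", "quarantine", "reject")


def parse_dmarc(record: str) -> Dict[str, str]:
    """Split 'v=DMARC1; p=none; rua=mailto:...' into a tag/value dict."""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        key, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"malformed tag: {part!r}")
        tags[key.strip().lower()] = value.strip()
    return tags


def assess_dmarc(record: Optional[str]) -> List[str]:
    """Return findings; an empty list means enforcing with reporting enabled."""
    if record is None:
        return ["no DMARC record at _dmarc.<domain>: spoofed mail is not policed"]
    tags = parse_dmarc(record)
    findings: List[str] = []
    if tags.get("v") != "DMARC1":
        findings.append("record must begin with v=DMARC1 or receivers ignore it")
    policy = tags.get("p")
    if policy not in POLICIES:
        findings.append(f"missing or invalid policy tag: p={policy}")
    elif policy == "none":  # the "never moving past monitoring" mistake
        findings.append("p=none: monitoring only, spoofed mail is still delivered")
    if "rua" not in tags:  # without reports, phase 1 yields nothing to review
        findings.append("no rua= address: you receive no aggregate reports")
    pct = tags.get("pct", "100")
    if policy in ("quarantine", "reject") and pct != "100":
        findings.append(f"pct={pct}: policy applied to only part of failing mail")
    if tags.get("sp", policy) == "none" and policy != "none":
        findings.append("sp=none: subdomains stay unprotected while the apex is enforced")
    return findings


# Constructed sample records (example.com is a placeholder domain).
SAMPLES = {
    "monitoring": "v=DMARC1; p=none; rua=mailto:dmarc@example.com",
    "stuck": "v=DMARC1; p=none",
    "partial": "v=DMARC1; p=quarantine; pct=25; rua=mailto:dmarc@example.com",
    "enforced": "v=DMARC1; p=reject; rua=mailto:dmarc@example.com",
}

if __name__ == "__main__":
    for name, rec in SAMPLES.items():
        print(name, assess_dmarc(rec) or ["OK: enforcing with reporting"])
```

Paste the TXT value your DNS lookup returns into `assess_dmarc`; an empty result corresponds to phase 3 with reporting still in place.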

DMARC is free to implement, takes about 30 minutes of DNS configuration, and is one of the highest-impact security improvements any business can make. If you have not done it yet, start today.

Need help with this?

If this article raised concerns about your own security, or if you need personalized guidance, book a 1:1 session with FK94 Security.
