You may have heard that you need SPF and DKIM records to protect your email domain. Both matter. But without DMARC, those protections are incomplete — and criminals know it.

DMARC is the policy that makes email authentication actually work. Without it, even a domain with SPF and DKIM in place can still be used to send convincing phishing emails to your customers, partners, and suppliers.

What Is DMARC?

DMARC stands for Domain-based Message Authentication, Reporting and Conformance. It is a DNS record — published on your domain — that tells receiving mail servers what to do when an email fails SPF or DKIM checks.

You have three policy options:

  • p=none — Monitor only. Emails that fail authentication are still delivered, but you receive daily reports about what is happening.
  • p=quarantine — Emails that fail authentication are sent to the recipient’s junk folder.
  • p=reject — Emails that fail authentication are blocked entirely and never reach the inbox.

Most businesses that have a DMARC record are set to p=none, which means they have monitoring but no actual protection. Setting a DMARC record is the first step; getting it to reject is the destination.

What Happens Without DMARC?

Without DMARC, even if you have SPF and DKIM configured, a criminal can craft an email whose visible From address shows your domain. SPF checks whether the sending server is allowed to use the envelope sender (the bounce address), not the From header; DKIM signs the message with a key belonging to whichever domain the signer controls. Neither check necessarily validates the From address your recipient actually sees. DMARC is what ties those checks to that visible address by requiring the SPF or DKIM domain to align with it.

In practice, this means:

Impersonation attacks become trivial. A fraudster registers a different domain, sets it up properly, and sends an email that displays your domain in the From field. Without DMARC on your domain, many email systems accept and deliver it without question.

Your brand becomes a liability. If criminals regularly send phishing emails that appear to come from you, your customers lose trust in your communications — and your legitimate emails start hitting spam folders as your sending reputation degrades.
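To make the alignment point concrete, here is an added example (not code from the original article) that parses a DMARC record and applies it to a message the way a receiving mail server would: it checks whether the SPF-verified domain or a passing DKIM signature's d= domain aligns with the visible From domain, then returns the disposition the published policy asks for. It assumes the record text has already been fetched from DNS (for example with `dig +short TXT _dmarc.example.com`), the domains and record strings are constructed for the demo, and the organisational-domain logic uses a tiny built-in suffix list as a stand-in for the Public Suffix List that real implementations consult.

```python
"""Added example: evaluate a message against a published DMARC record.
Not code from the original article. Simplified in two places: organisational
domains come from a small built-in suffix list instead of the Public Suffix
List, and the DNS lookup is replaced by a record string passed in."""
from dataclasses import dataclass, field

# Stand-in for the Public Suffix List (assumption: enough for this demo).
TWO_LEVEL_SUFFIXES = {"co.uk", "org.uk", "gov.uk", "ac.uk", "com.au"}


def org_domain(domain: str) -> str:
    """Return the organisational domain used by relaxed alignment."""
    labels = domain.lower().rstrip(".").split(".")
    keep = 3 if ".".join(labels[-2:]) in TWO_LEVEL_SUFFIXES else 2
    return ".".join(labels[-keep:])


def parse_dmarc_record(txt: str) -> dict:
    """Split a _dmarc TXT record into tags and apply the RFC 7489 defaults."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if not tags or next(iter(tags)) != "v" or tags["v"] != "DMARC1" or "p" not in tags:
        raise ValueError("not a valid DMARC record: needs v=DMARC1 first and a p= tag")
    tags.setdefault("sp", tags["p"])   # subdomain policy falls back to p=
    tags.setdefault("adkim", "r")      # relaxed DKIM alignment by default
    tags.setdefault("aspf", "r")       # relaxed SPF alignment by default
    tags.setdefault("pct", "100")      # pct<100 would sample; not applied here
    return tags


def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """Strict (s) needs an exact match; relaxed (r) compares org domains."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


@dataclass
class AuthResults:
    """What SPF and DKIM actually verified for one message."""
    from_domain: str                 # domain in the visible From: header
    spf_pass: bool                   # SPF result for the envelope sender
    spf_domain: str                  # the envelope (MAIL FROM) domain SPF checked
    dkim_pass_domains: list = field(default_factory=list)  # d= of passing signatures


def evaluate(record_txt: str, policy_domain: str, r: AuthResults) -> dict:
    """Return DMARC pass/fail plus the disposition the policy requests."""
    tags = parse_dmarc_record(record_txt)
    spf_ok = r.spf_pass and aligned(r.spf_domain, r.from_domain, tags["aspf"])
    dkim_ok = any(aligned(d, r.from_domain, tags["adkim"]) for d in r.dkim_pass_domains)
    passed = spf_ok or dkim_ok
    # A From domain equal to the domain that published the record gets p=;
    # a subdomain that fell back to the organisational record gets sp=.
    is_subdomain = r.from_domain.lower() != policy_domain.lower()
    disposition = "none" if passed else (tags["sp"] if is_subdomain else tags["p"])
    return {"dmarc_pass": passed, "spf_aligned": spf_ok,
            "dkim_aligned": dkim_ok, "disposition": disposition}


if __name__ == "__main__":
    # Constructed scenario from the article: a message shows example.com in
    # From, but SPF and DKIM only vouch for the sender's own, unrelated domain.
    spoof = AuthResults("example.com", True, "bulk-sender.example", ["bulk-sender.example"])
    for record in ("v=DMARC1; p=none; rua=mailto:dmarc@example.com", "v=DMARC1; p=reject"):
        print(record, "->", evaluate(record, "example.com", spoof))
    legit = AuthResults("example.com", True, "mail.example.com", [])
    print("legitimate ->", evaluate("v=DMARC1; p=reject", "example.com", legit))
```

The run prints the same DMARC failure for the spoofed message under both records; only the disposition changes, from `none` (delivered, merely reported) to `reject`. The legitimate message passes under relaxed alignment because `mail.example.com` and `example.com` share an organisational domain; with `aspf=s` it would need an exact match.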

How the UK Government Proved DMARC Works

In 2020, the NCSC launched the Active Cyber Defence programme and published DMARC records for all UK government domains at p=reject. The results were striking.

HMRC had been one of the most impersonated brands in the UK for years. After implementing DMARC at rejection level, the volume of spoofed HMRC emails reportedly dropped by hundreds of millions annually. That same protection — at no cost — is available to every UK business.

The FBI’s IC3 reports that Business Email Compromise caused over $2.9 billion in losses globally in 2023. Action Fraud records thousands of BEC cases in the UK each year, with individual losses often reaching tens of thousands of pounds per incident.

The Reporting Benefit You Are Probably Missing

One underused feature of DMARC is reporting. When you set a DMARC record — even at p=none — you receive daily email reports showing who is sending email on behalf of your domain, which sends are passing authentication, and which are failing.

This alone has practical value. Many businesses discover through DMARC reports that third-party services they had forgotten about — old CRMs, legacy mailing systems, invoicing platforms — are still sending email from their domain without proper SPF or DKIM.

What to Do Next

  • Check whether you have a DMARC record. Use any DNS lookup tool or W3IT’s free security check.
  • Start with p=none. If you have no DMARC at all, begin here. You will be able to see what is happening without the risk of blocking legitimate emails.
  • Review the reports. Use a DMARC reporting tool (many are free) to make sense of the raw XML. Identify all legitimate email sources for your domain.
  • Ensure those sources pass SPF and DKIM. Work through any legitimate senders that are failing authentication.
  • Move to p=reject gradually. Once confident that all legitimate email is passing, tighten your policy from none to quarantine, then to reject. Only reject actually blocks fraudulent emails.
  • Set sp=reject for subdomains. If you do not send email from subdomains, add sp=reject to your DMARC record so that mail claiming to come from any subdomain of yours (for example invoices.yourdomain.com) is rejected as well; without an sp= tag, subdomains inherit your p= value, so at p=none they remain open to spoofing.
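The "review the reports" step above, and the point made earlier that reports surface forgotten third-party senders, both come down to reading the aggregate (rua) XML. The following is an added example, not code from the article or from any reporting tool, that summarises one such report: per source IP it records the message count, the aligned SPF and DKIM results, and the disposition the receiver applied, then lists the sources failing DMARC. The embedded report is constructed for the demo in the RFC 7489 Appendix C layout using documentation IP ranges and invented domains; real reports arrive as .zip or .gz attachments, which you would decompress first.

```python
"""Added example: summarise a DMARC aggregate (rua) report so that failing
senders stand out. Not code from the original article. SAMPLE_REPORT is a
constructed report; IPs are from the documentation (TEST-NET) ranges."""
import xml.etree.ElementTree as ET

SAMPLE_REPORT = """<feedback>
  <report_metadata>
    <org_name>receiver.example</org_name>
    <date_range><begin>1700000000</begin><end>1700086400</end></date_range>
  </report_metadata>
  <policy_published>
    <domain>example.com</domain><p>none</p><sp>none</sp>
  </policy_published>
  <record>  <!-- your own mail server: everything aligns -->
    <row><source_ip>192.0.2.10</source_ip><count>120</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results><dkim><domain>example.com</domain><result>pass</result></dkim>
      <spf><domain>example.com</domain><result>pass</result></spf></auth_results>
  </record>
  <record>  <!-- forgotten invoicing platform: SPF passes for its own domain only -->
    <row><source_ip>198.51.100.25</source_ip><count>15</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results><spf><domain>invoicing-saas.example</domain><result>pass</result></spf></auth_results>
  </record>
  <record>  <!-- unknown source impersonating the domain -->
    <row><source_ip>203.0.113.77</source_ip><count>400</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results><spf><domain>203-0-113-77.bulk-sender.example</domain><result>fail</result></spf></auth_results>
  </record>
</feedback>"""


def parse_aggregate_report(xml_text: str) -> dict:
    """Extract the published policy and one entry per reported source."""
    # Reports are sent by third parties; for untrusted attachments parse with
    # defusedxml rather than the stdlib parser.
    root = ET.fromstring(xml_text)
    published = root.find("policy_published")
    report = {"domain": published.findtext("domain"),
              "policy": published.findtext("p"), "sources": []}
    for rec in root.findall("record"):
        row = rec.find("row")
        evaluated = row.find("policy_evaluated")
        report["sources"].append({
            "ip": row.findtext("source_ip"),
            "count": int(row.findtext("count")),
            "disposition": evaluated.findtext("disposition"),
            # policy_evaluated carries the *aligned* results, i.e. DMARC's view,
            # whereas auth_results shows raw SPF/DKIM outcomes per domain.
            "dkim_aligned": evaluated.findtext("dkim") == "pass",
            "spf_aligned": evaluated.findtext("spf") == "pass",
            "spf_domain": rec.findtext("auth_results/spf/domain"),
            "dkim_domains": [d.findtext("domain") for d in rec.findall("auth_results/dkim")],
        })
    return report


def failing_sources(report: dict) -> list:
    """Sources where neither SPF nor DKIM aligned with the From domain."""
    return [s for s in report["sources"] if not (s["dkim_aligned"] or s["spf_aligned"])]


def summarise(report: dict) -> dict:
    """Totals a reviewer wants first: how much fails, and how much of that was still delivered."""
    failing = failing_sources(report)
    return {
        "total": sum(s["count"] for s in report["sources"]),
        "failing": sum(s["count"] for s in failing),
        "delivered_despite_failure": sum(s["count"] for s in failing if s["disposition"] == "none"),
    }


if __name__ == "__main__":
    rpt = parse_aggregate_report(SAMPLE_REPORT)
    print(f"{rpt['domain']} published p={rpt['policy']}: {summarise(rpt)}")
    for s in failing_sources(rpt):
        print(f"  FAIL {s['ip']:<15} {s['count']:>5} msgs  spf_domain={s['spf_domain']}")
```

Two things to read off the output: the invoicing platform shows up as failing with SPF passing for its own domain, which is the "legitimate sender that still needs SPF/DKIM fixed" case, while the unknown source is the spoofing the policy should eventually block; and because the published policy is p=none, every one of the 415 failing messages was still delivered.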

DMARC is not a five-minute job if done properly — but publishing a p=none record takes minutes. Most businesses have not done even that.


W3IT’s free security check will tell you instantly whether your domain has a DMARC record and what policy it is set to. It is free, requires no login, and takes seconds — and it is one of the most important things you can do for your email security today.