Email Security

Stop attackers from impersonating
your business

Without the right DNS records in place, anyone can send email pretending to be you. W3IT configures SPF, DKIM and DMARC to protect your domain — so your brand cannot be weaponised against your own customers.

Protect My Domain See how it works
94% of phishing attacks target email
£1,000+ average cost per successful phishing incident
3 records SPF, DKIM, DMARC — the full shield

We configure and monitor these exact records for our own domain. W3IT's own email is protected by SPF, DKIM and a DMARC reject policy — tested under real conditions before we deploy it for clients.

The Problem

Your domain is already a target

Email is the most impersonated attack surface in cybersecurity. Without the right records, your business name and domain can be used against you — and you will never know it is happening.

  • Email impersonation Attackers send emails appearing to come from your domain to defraud your customers, suppliers or staff — with no technical barrier to stop them.
  • Business Email Compromise Fraudsters impersonate directors or finance contacts to redirect payments. A spoofed invoice is indistinguishable from a real one without authentication records.
  • Staff phishing Your own employees receive convincing emails that appear to be from your company, harvesting credentials or authorising transactions.
  • Domain reputation damage If your domain is used in phishing campaigns, major mail providers begin rejecting or filtering your legitimate email — damaging your ability to communicate.
1 in 5 small businesses have been targeted by email impersonation UK Government Cyber Security Breaches Survey
10 min is all DMARC setup takes — yet 70% of domains have none Global DMARC adoption data, 2024
How It Works

Five layers. Together they close the door on impersonation.

Each record plays a different role. SPF and DKIM establish identity and integrity. DMARC enforces the policy. Reporting gives you visibility. Monitoring keeps it that way.

1

Sender Verification (SPF)

DNS TXT record

An SPF record tells the world which mail servers are authorised to send email on behalf of your domain. Any server not on that list is considered unauthorised. Without SPF, any server anywhere can claim to be yours.

Blocks: spoofed emails from unauthorised servers using your domain
2

Email Signing (DKIM)

Cryptographic signature

DKIM adds a cryptographic signature to every email you send. The receiving mail server checks this signature against a public key published in your DNS. If the message was altered in transit — or forged entirely — the signature fails.

Blocks: message tampering in transit, forged email headers
3

Rejection Policy (DMARC)

Policy enforcement

DMARC ties SPF and DKIM together and tells receiving mail servers what to do when an email fails both checks. Set to p=reject — the strongest policy — and any email that cannot prove it is legitimate is refused before it reaches an inbox. Many providers set DMARC to monitor-only and leave the door open. We do not.

Blocks: full domain impersonation, phishing emails using your brand identity
4

DMARC Reporting

Aggregate reports

DMARC generates daily aggregate reports showing every source that is sending email using your domain — including sources you did not know about. This catches misconfigured third-party tools (CRMs, marketing platforms, ticketing systems) before they cause deliverability problems, and flags unauthorised senders the moment they appear.

Blocks: silent abuse you would otherwise never discover
5

Ongoing Monitoring

Optional add-on

DNS records can be changed, accidentally deleted, or quietly weakened by a hosting provider during migrations and updates. Ongoing monitoring checks your SPF, DKIM and DMARC records continuously and sends an immediate alert if anything changes, is removed, or no longer resolves correctly. Your protection cannot be silently undone.

Blocks: record drift, accidental removal, silent weakening of your policy
Full Visibility

See exactly who is sending from your domain

DMARC reporting surfaces every sending source — legitimate and malicious. You get clear data on what is passing, what is failing, and what is being rejected on your behalf.

Email Security Dashboard — yourdomain.com
Last 30 days
2,841 Legitimate emails passed All authenticated
174 Spoofed attempts blocked Rejected at delivery
3 Sending sources monitored All authorised
30 Days since last incident Records intact
DNS record status
SPF v=spf1 include:_spf.google.com ~all
Active
DKIM google._domainkey — key verified
Active
DMARC p=reject; rua=mailto:[email protected]
Reject
Monitoring Continuous checks every 15 minutes
Active
Recent sending activity
Date Sending source SPF DKIM DMARC result Action
Today Google Workspace Pass Delivered
Today Marketing platform Pass Delivered
Today Unknown — 185.220.x.x Fail Rejected
Yesterday Unknown — 91.108.x.x Fail Rejected
Yesterday Google Workspace Pass Delivered
2 days ago Unknown — 196.x.x.x Fail Rejected

DMARC aggregate reports are reviewed as part of every managed setup. Monitoring add-on includes real-time alerts.

Our Guarantees

What we promise

Full configuration within one business day

SPF, DKIM and DMARC records are live on your domain within one working day of receiving the necessary DNS access. No waiting for a developer slot.

DMARC at reject policy — not just monitor

We configure DMARC to p=reject from the outset. Monitor-only policies leave your domain exposed. We close that door entirely.

Written confirmation of every record set

You receive a written summary of every DNS record we have configured, what each one does, and how to verify it — so you always have a clear record of what is protecting your domain.

Immediate alert if records are removed or changed

With the monitoring add-on, any change to your SPF, DKIM or DMARC records triggers an immediate notification. Your protection cannot be quietly undone.

What's Included

Everything your domain
needs to be protected.

W3IT handles the full DNS configuration, validates every record, and leaves you with written confirmation of exactly what has been set and why. No technical knowledge needed.

Talk to us about your domain
SPF record setup and validation Authorised sending sources identified, record written and verified to resolve correctly
DKIM key generation and DNS setup Cryptographic key pair generated and public key published to your DNS
DMARC policy configured to reject Enforcement set to p=reject — the strongest available policy, not monitor-only
Postmaster and reporting inbox configured Aggregate report delivery address set up so DMARC data is captured and reviewable
Written summary of all records set Plain-English document confirming every record, its purpose, and how to verify it
Optional: Ongoing monitoring and alerts Continuous record checks with immediate notification if anything changes or disappears

Is your domain protected?

Most small business domains have no DMARC policy at all — leaving them open to impersonation right now. Tell us your domain and we will check it for free, then have full protection in place within one business day.

Protect My Domain Free domain check
Chat with us