Your brand is a weapon. If you let it be.

Imagine your biggest customer receives an invoice from your email address. The sender name, the domain, the email format — all look legitimate. The invoice is for £8,500. The bank details have been quietly changed.

Your customer pays. You did not send that email. You have never heard of that bank account. This is Business Email Compromise (BEC) — and the mechanism that makes it possible is almost always the same: a domain with no DMARC record.

SPF, DKIM, DMARC: explained in plain English

SPF (Sender Policy Framework)
A DNS record that lists which servers are allowed to send email from your domain. Anything else can be flagged as suspicious.

DKIM (DomainKeys Identified Mail)
Adds a cryptographic signature to outgoing emails so the recipient can verify the email genuinely came from your server.

DMARC (Domain-based Message Authentication)
The policy layer that ties SPF and DKIM together — telling mail servers what to do when an email fails checks: nothing, quarantine, or reject.

"Email spoofing attacks have become industrialised. Criminal groups run automated services that identify domains without DMARC records and immediately target them for Business Email Compromise campaigns."

— KPMG UK, Cyber Fraud Report, 2025

How attackers exploit a domain with no DMARC

1. The attacker identifies your domain (your-business.co.uk) and checks its DNS records.
2. They find no DMARC record, or one set to p=none (monitoring only, no enforcement).
3. They configure their mail server to send emails with your domain in the From header.
4. They send an invoice, a password reset, or a wire transfer request to your customers or suppliers.
5. Receiving mail servers accept the email because there is no enforcement policy rejecting it.
6. Your customer acts on it, assuming it is genuine. The attack required no access to your systems whatsoever.

67% of UK business domains we audit have no effective DMARC enforcement.

— ProtectPatch data, 2025–2026

How to fix your email security: a plain-English guide

Step 1: Check what you currently have

Go to mxtoolbox.com and run a check on your domain. It will show your current SPF, DKIM, and DMARC configuration and flag any issues. Takes two minutes.

Step 2: Set up or fix your SPF record

Your SPF record should list only the servers authorised to send email from your domain and end with -all (hard fail) or ~all (soft fail). Never use +all — it grants permission for any server to send from your domain.

Step 3: Implement DKIM

Your email provider (Google Workspace, Microsoft 365, etc.) will give you a DKIM public key to add as a DNS record. Most major providers have step-by-step guides for this.

Step 4: Add a DMARC record

Start with p=none to monitor how your email is performing, then move to p=quarantine and ultimately p=reject once you are confident your legitimate email is passing authentication checks.
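To make Steps 2 and 4 concrete, here is an added checker (example code, not part of the original guide or of ProtectPatch's tooling) that applies the rules above to SPF and DMARC TXT records offline. The domains and records below are constructed samples, not real DNS data.

```python
import re

# Constructed sample TXT records for placeholder domains (not real DNS data).
SAMPLE_SPF = {
    "good.example": "v=spf1 include:_spf.google.com ip4:203.0.113.10 -all",
    "soft.example": "v=spf1 include:spf.protection.outlook.com ~all",
    "open.example": "v=spf1 +all",
}
SAMPLE_DMARC = {
    "good.example": "v=DMARC1; p=reject; rua=mailto:dmarc@good.example",
    "soft.example": "v=DMARC1; p=none; rua=mailto:dmarc@soft.example",
    "open.example": "v=DMARC1; p=quarantine",
}

def parse_dmarc(record):
    # DMARC tags are 'key=value' pairs separated by ';'; {} if no record.
    if not record or not record.strip().lower().startswith("v=dmarc1"):
        return {}
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def spf_all_qualifier(record):
    # Qualifier on 'all' ('+', '-', '~', '?'), None if absent; bare 'all' means '+'.
    if not record or not record.strip().lower().startswith("v=spf1"):
        return None
    match = re.search(r"(?:^|\s)([+\-~?]?)all(?:\s|$)", record, re.IGNORECASE)
    return (match.group(1) or "+") if match else None

def assess(spf, dmarc):
    # Findings for one domain against Steps 2 and 4; [] means fully enforced.
    findings = []
    qualifier = spf_all_qualifier(spf)
    if qualifier is None:
        findings.append("SPF: missing record or no 'all' mechanism")
    elif qualifier == "+":
        findings.append("SPF: +all lets any server send as your domain")
    elif qualifier in ("~", "?"):
        findings.append(f"SPF: {qualifier}all is a soft fail; -all is stricter")
    policy = parse_dmarc(dmarc).get("p", "").lower()
    if not policy:
        findings.append("DMARC: no record, so spoofed mail is not rejected")
    elif policy == "none":
        findings.append("DMARC: p=none monitors only, no enforcement")
    elif policy == "quarantine":
        findings.append("DMARC: p=quarantine, move to p=reject when ready")
    return findings
```

Call assess(spf_txt, dmarc_txt) with the TXT records from your own Step 1 check; an empty list means both records are at the enforcing settings this guide recommends.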

Total implementation time

With a competent developer: 2–3 hours. Total cost: whatever your developer charges for 2–3 hours of DNS work.

"DMARC at p=reject is one of the single highest-ROI security measures a small business can implement."

— Deloitte UK, 2025

Key takeaways

  • Without DMARC enforcement, anyone can send emails impersonating your domain
  • Business Email Compromise costs UK businesses billions annually
  • 67% of UK domains we audit have no effective DMARC enforcement
  • SPF, DKIM, and DMARC can all be fixed via DNS changes — no code required
  • +all in your SPF record is as dangerous as no SPF record