What is DMARC and how do I set it up for my business?

What is DMARC and what do you need to do to set it up in your business? If you’ve ever had a customer complain that they received a convincing phishing email from an address that looked like yours, this is the control you should be thinking about. Read on: plain English, no sysadmin lecture.

What DMARC actually is and why it matters for UK SMEs

DMARC (Domain-based Message Authentication, Reporting and Conformance) is a policy you publish in DNS that tells receiving mail servers what to do when a message uses your domain in the visible From: address but fails the SPF and DKIM authentication checks, or passes them only for some other domain. It also asks those receivers to send you reports on what they saw. In short: it helps stop criminals pretending to be you in email. That reduces successful phishing attempts, protects your brand’s reputation and tends to improve delivery of your legitimate mail, because receivers can tell it apart from forgeries.

For small and medium businesses (10–200 staff) in the UK, the business case is straightforward. A spoofed invoice or payroll phishing attempt can cause direct financial loss, regulatory headaches and a dent in customer trust. Implementing DMARC doesn’t fix every vector, but it removes an easy and visible way attackers use your brand for their scams. The National Cyber Security Centre (NCSC) lists email authentication — SPF, DKIM and DMARC — as effective defences against domain spoofing, and it’s sensible to follow that advice as part of basic cyber hygiene (ncsc.gov.uk).

How to set up DMARC in your business (the practical stages)

Setting up DMARC is a small project, not a mystical rite. You’ll need someone with DNS access and knowledge of your email flows. The work breaks down into clear stages:

1) Take stock of domains and senders. Make a list of every domain you own, including marketing subdomains and any third-party services that send mail on your behalf (payment processors, HR platforms, CRMs, marketing platforms). Missing a sender is the common cause of legitimate mail being blocked.

2) Ensure SPF and DKIM are in place. DMARC builds on SPF (a DNS record listing the servers allowed to send mail for your domain) and DKIM (a cryptographic signature added to each message and verified against a public key published in your DNS). A message passes DMARC when at least one of the two passes and the domain it passes for matches the visible From: domain; this matching is called alignment. If neither is in place, or a third-party service authenticates only with its own domain, DMARC fails even though the mail is genuine. For many SMEs this means adding or adjusting DNS records and checking that each external service is covered by your SPF record or, preferably, signs with DKIM using your domain. Bear in mind that SPF breaks when mail is forwarded and is limited to ten DNS lookups, so DKIM is the more robust of the two and worth setting up for every sender that supports it.

3) Start with monitoring (p=none). Publish a DMARC TXT record at _dmarc.yourdomain containing a reporting address (the rua tag) and a policy of p=none. This changes nothing about delivery; it simply asks receivers to send you aggregate reports about mail claiming to be from your domain, whether it passed or failed. Each participating receiver sends a compressed XML file roughly once a day, so the raw data quickly becomes unreadable by hand. Use a simple report-parsing tool or service to turn it into a readable picture of who is sending mail as your domain. One caveat: if the reporting address is on a different domain from the one being monitored, that other domain must publish a small DNS record authorising it to receive your reports, or receivers will silently drop them.

4) Analyse reports and fix legitimate senders. Use the monitoring phase to discover legitimate sources that are failing SPF/DKIM and correct them. This might mean adding SPF includes for a marketing platform, ensuring the platform signs with DKIM, or moving some mail to a central sending service. Continue until your legitimate sources are consistently authenticated.

5) Move to a restrictive policy gradually. When you’re confident genuine mail is authenticated, change p=none to p=quarantine for a few weeks; this tells receivers to put failing mail into spam folders rather than the inbox. The pct tag lets you apply the stricter policy to only a share of failing mail at first (for example pct=25), so a mistake affects a fraction of messages rather than all of them. If results look clean and authorised senders remain untroubled, move to p=reject so unauthenticated mail is refused outright.

6) Maintain a reporting workflow. Keep a mailbox to receive aggregate reports (and optionally failure reports, via the ruf tag, although few large receivers send those for privacy reasons) and review them regularly. Reporting is how you spot that a legitimate sender’s configuration has broken after a vendor change, or that a new platform was adopted without anyone telling IT.
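The monitoring and analysis stages (3 and 4) depend on being able to read the reports. As an added example, not code from the original page, here is a small Python script that checks a DMARC record is well-formed and summarises one aggregate report per sending source, separating properly authenticated mail, legitimate third-party mail that is not aligned with your domain, and mail that fails everything. The domain example.com, the reporting mailbox, the IP addresses (documentation ranges) and the report XML are constructed placeholders; the XML follows the aggregate report layout receivers actually send.

```python
"""DMARC helpers: validate a published DMARC record and summarise an aggregate
(RUA) report.  Added example, not the page's own code.  example.com, the
mailbox, the IPs and the report XML below are constructed placeholders."""
import gzip
import xml.etree.ElementTree as ET

# Assumed TXT record at _dmarc.example.com for the monitoring stage (step 3).
MONITOR_RECORD = "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com"

# Constructed aggregate report: one receiver, three sources sending as example.com.
SAMPLE_REPORT = b"""<?xml version="1.0"?>
<feedback>
 <report_metadata><org_name>receiver.example</org_name><report_id>1</report_id>
  <date_range><begin>1700000000</begin><end>1700086400</end></date_range></report_metadata>
 <policy_published><domain>example.com</domain><adkim>r</adkim><aspf>r</aspf><p>none</p></policy_published>
 <record><row><source_ip>192.0.2.10</source_ip><count>42</count><policy_evaluated>
   <disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
  <identifiers><header_from>example.com</header_from></identifiers>
  <auth_results><dkim><domain>example.com</domain><result>pass</result></dkim>
   <spf><domain>example.com</domain><result>pass</result></spf></auth_results></record>
 <record><row><source_ip>198.51.100.25</source_ip><count>8</count><policy_evaluated>
   <disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
  <identifiers><header_from>example.com</header_from></identifiers>
  <auth_results><dkim><domain>marketing-platform.example</domain><result>pass</result></dkim>
   <spf><domain>bounce.marketing-platform.example</domain><result>pass</result></spf></auth_results></record>
 <record><row><source_ip>203.0.113.77</source_ip><count>120</count><policy_evaluated>
   <disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
  <identifiers><header_from>example.com</header_from></identifiers>
  <auth_results><spf><domain>example.com</domain><result>fail</result></spf></auth_results></record>
</feedback>"""
SAMPLE_REPORT_GZ = gzip.compress(SAMPLE_REPORT)  # receivers usually attach it gzipped


def parse_dmarc_record(txt: str) -> dict:
    """Split a DMARC TXT record into tags and check what RFC 7489 requires:
    v=DMARC1 first, and p= one of none / quarantine / reject."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip()] = value.strip()
    if next(iter(tags), None) != "v" or tags["v"] != "DMARC1":
        raise ValueError("record must begin with v=DMARC1")
    if tags.get("p") not in ("none", "quarantine", "reject"):
        raise ValueError("p= must be none, quarantine or reject")
    tags.setdefault("pct", "100")  # absent pct means the policy applies to all mail
    return tags


def is_valid_dmarc_record(txt: str) -> bool:
    try:
        parse_dmarc_record(txt)
        return True
    except ValueError:
        return False


def classify(record: ET.Element) -> tuple:
    """DMARC passes when SPF or DKIM passes *and* aligns with the From: domain.
    policy_evaluated holds the aligned verdict; auth_results the raw checks."""
    evaluated = record.find("row/policy_evaluated")
    if "pass" in (evaluated.findtext("dkim"), evaluated.findtext("spf")):
        return "pass", "authenticated and aligned"
    raw = [f"{r.tag} passed for {r.findtext('domain')}"
           for r in record.findall("auth_results/*") if r.findtext("result") == "pass"]
    if raw:  # a third party authenticating with its own domain: legitimate but unaligned
        return "unaligned", "; ".join(raw) + " (fix: DKIM-sign with your own domain)"
    return "fail", "nothing passed: unknown sender or spoofing"


def summarise_report(data: bytes) -> dict:
    """Reduce one aggregate report (raw XML or gzipped) to per-source verdicts and totals."""
    if data[:2] == b"\x1f\x8b":
        data = gzip.decompress(data)
    root = ET.fromstring(data)
    summary = {"org": root.findtext("report_metadata/org_name"),
               "domain": root.findtext("policy_published/domain"),
               "policy": root.findtext("policy_published/p"),
               "messages": 0, "aligned": 0, "sources": {}}
    for record in root.iter("record"):
        ip = record.findtext("row/source_ip")
        count = int(record.findtext("row/count"))
        status, detail = classify(record)
        source = summary["sources"].setdefault(ip, {"count": 0, "status": status, "detail": detail})
        source["count"] += count
        summary["messages"] += count
        if status == "pass":
            summary["aligned"] += count
    return summary


if __name__ == "__main__":  # quick look at the sample report, as a human would read it
    for ip, src in summarise_report(SAMPLE_REPORT_GZ)["sources"].items():
        print(f"{ip:16} {src['count']:5} {src['status']:10} {src['detail']}")
```

Run it against the attachments that land in the rua mailbox. The "unaligned" bucket is the one to act on before tightening the policy: it is typically a marketing or invoicing platform that authenticates with its own domain, and p=quarantine or p=reject would start to affect that mail. The "fail" bucket with a large count from an address you do not recognise is what DMARC exists to stop.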

Managing DMARC without breaking business mail

The common worry is: will I accidentally block invoices or payroll emails? Yes — if you rush. That’s why the monitoring stage exists. Don’t rush to p=reject until you’ve had several weeks of clean reports and you’ve tested all third-party senders.

Be aware of tricky cases: marketing platforms that use mailing domains you don’t control, legacy systems on old servers, services that send on behalf of your users, and mail that is forwarded or passes through mailing lists (forwarding breaks SPF, and some lists rewrite messages in ways that break DKIM too). These require either technical tweaks (DKIM signing with your domain, SPF includes, a custom return-path at the vendor) or business decisions (move mail to a provider that supports modern authentication). Keep a short list of authorised senders and review it whenever you add a new service.

DMARC won’t stop all phishing. It protects the exact domain in the From: address; attackers can still use lookalike domains (slightly different spellings), put your name in the display name of an address on some other domain, or send from a compromised account that authenticates legitimately. But by removing the low-hanging fruit you make phishing campaigns less effective and raise the bar for attackers. That’s a measurable win: fewer incidents to investigate, less staff time lost to doubt, and fewer customers exposed to scams.

Budget and time: for most SMEs this is a one-to-two week project if you have DNS access and an IT person who knows your mail flows. If your setup is spread across many vendors, allow more time. The direct costs are usually minimal (potentially a subscription for a reporting parser or consultant time).

If you want to cite a formal authority when explaining this to your board or finance director, the NCSC guidance referenced above is concise and relevant.

When to ask for help and the sensible next step

If your email setup is simple, with one or two sending services and direct control of DNS, you can probably implement DMARC in-house with care. Ask for professional help if you run many third-party senders, have complex mail routing (hybrid on-prem/cloud), or can’t spare the time to analyse reports. A short consultancy engagement can save weeks of disruption and get you to a p=reject policy faster, reducing the risk of phishing, protecting revenue and preserving customer trust. Organise a review of your senders and DNS, put monitoring in place, and aim for a staged policy change: that small investment saves time and money and buys calmer inboxes.
