Secure 0118 359 2220 Get Started

Press ESC to close or Enter to search

Popular Pages
Managed IT Cyber Security Case Studies Pricing Contact
Home
About Us
Services
Managed IT Services Cyber Security & Compliance Microsoft 365 Cloud & Hosting Backup & Disaster Recovery Connectivity & Telephony Incident Response & 24/7 IT Support Reading
Pricing
Tools
Domain Health Check About You Password Generator
Resources
Case Studies Threat Intelligence Blog & Insights Guides FAQs Customer Portal Remote Support
Contact
Get Started
Live Security Feed
Your IPDetecting...
NCSCUK organisations urged to strengthen cyber defences ALERTPhishing attacks targeting Microsoft 365 users on the rise CISACritical vulnerabilities identified in popular software NEWSRansomware groups increasingly targeting SME businesses NCSCNew guidance released for securing remote workers ALERTBusiness email compromise attacks cost UK firms millions CISAZero-day exploits require immediate patching attention NEWSAI-powered threats becoming more sophisticated in 2025 NCSCUK organisations urged to strengthen cyber defences ALERTPhishing attacks targeting Microsoft 365 users on the rise CISACritical vulnerabilities identified in popular software NEWSRansomware groups increasingly targeting SME businesses NCSCNew guidance released for securing remote workers ALERTBusiness email compromise attacks cost UK firms millions CISAZero-day exploits require immediate patching attention NEWSAI-powered threats becoming more sophisticated in 2025
View Dashboard
Incident Response

What Is DMARC and Do I Need It?

Quick Answer

DMARC stops people spoofing your email domain. Without it, anyone can send emails that appear to come from your company. Yes, you need it.

Quick answer: DMARC stops people spoofing your email domain. Without it, anyone can send emails that appear to come from your company. Yes, you need it.

What DMARC Does

DMARC tells receiving email servers how to handle messages that claim to be from your domain but fail authentication checks.

Without DMARC: Anyone can send an email that looks like it's from [email protected]. Gmail, Outlook, and other providers have no way to know it's fake.

With DMARC: You publish a policy saying "if an email claims to be from our domain but fails authentication, reject it (or quarantine it, or flag it)."

Why This Matters

Your customers get phishing emails "from" you. Attackers spoof your domain to send convincing phishing emails to your customers, suppliers, and partners. They trust emails from your domain.

Your reputation suffers. When spoofed emails from "your" domain are used for scams, your domain reputation tanks. Your legitimate emails start hitting spam folders.

You look unprofessional. Security-conscious customers and partners check DMARC. No DMARC signals you don't take email security seriously.

How It Works (Simply)

DMARC builds on two other technologies:

SPF - Lists which servers are allowed to send email for your domain

DKIM - Adds a digital signature to emails proving they're genuine

DMARC - Tells receivers what to do when SPF or DKIM fail, and sends you reports about who's using your domain

Together, they prove emails genuinely came from you.

The Three DMARC Policies

p=none - Monitor only. Failed emails still get delivered. Use this to start, check reports, make sure legitimate email isn't affected.

p=quarantine - Failed emails go to spam. Getting stricter.

p=reject - Failed emails are blocked completely. Full protection. This is the goal.

Do You Need It?

Yes.

There's no good reason not to have DMARC. It's:

  • Free to implement
  • A DNS record, nothing to install
  • Expected by security-conscious organisations
  • Required by some compliance frameworks
  • Soon to be mandatory for bulk email senders (Google and Yahoo already enforce this)

Getting Started

Step 1: Check what you have now. Our domain health checker will tell you.

Step 2: Start with p=none to monitor without breaking anything.

Step 3: Review DMARC reports to understand who's sending email as your domain (legitimate services you forgot about will show up).

Step 4: Fix any legitimate senders that are failing authentication.

Step 5: Move to p=quarantine, then p=reject.

What We Do

We configure DMARC properly for all our managed clients—SPF, DKIM, and DMARC with a path to full enforcement.

We also help organisations who've tried to set it up themselves and broken their email in the process. It's more nuanced than it looks.

---

Want to check your email security? Use our free Domain Health Check or get in touch.

---

Related Questions