What is DMARC and will it affect your business?

Even as tools like Teams, Meet and Zoom continue to rise in usage, email remains a core part of business communication. Emails are the standard for sending and receiving invoices, contracts, login links and sensitive updates.

Spoofing is a major risk to business email. This is where someone sends emails that appear to come from your domain to trick people into clicking links or sharing information. DMARC significantly reduces the risk posed by spoofing.

DMARC (Domain-based Message Authentication, Reporting and Conformance) is an email security standard that lets you tell receiving mail systems what to do with messages that claim to come from your domain but fail security checks.

DMARC works with two other email authentication methods – SPF and DKIM:

  • SPF defines which servers are allowed to send email for your domain
  • DKIM adds a cryptographic signature so receivers can confirm that an email has not been altered after it was sent

Together, these controls help protect your domain from impersonation and improve trust in your email.


Why DMARC matters for businesses

When DMARC is enabled, you receive regular reports showing:

  • Which servers and services send email on behalf of your domain
  • Whether those messages pass or fail authentication
  • How receiving systems handle failed email

This visibility helps you identify misconfigured systems, forgotten tools and unauthorised senders.

From a business and operational perspective, DMARC helps to:

  • Protect your brand from phishing and impersonation
  • Reduce the risk of staff or clients being targeted by fake emails
  • Improve email deliverability and trust
  • Align with requirements from providers like Google and Yahoo for bulk senders


The DMARC states you should understand

A DMARC record includes a policy that tells receiving mail systems what to do if an email fails authentication. There are three common policies, plus the absence of DMARC entirely.


No DMARC record

If your domain does not have a DMARC record, receiving mail systems get no instructions from you. This means:

  • Spoofed email may be delivered as if it were legitimate
  • You receive no DMARC reports
  • You have no visibility or control over failed messages

This is the weakest security position.
In practical terms, it is like having a closed but unlocked front door: anyone can claim to send email from your business.


DMARC set to none (p=none)

A policy of p=none tells receiving systems not to block or divert failed messages. Instead, you are asking them to send reports.
You receive DMARC reports showing:

  • Which services send email for your domain
  • Whether messages pass SPF and DKIM checks
  • How receivers treat failed messages

What this means for your business

  • Email delivery continues as normal
  • You gain visibility into real sending behaviour
  • Problems can be fixed without disrupting users

When to use p=none

  • You are setting up DMARC for the first time
  • You want to understand legitimate email flows
  • You want to avoid blocking real email

Protection at this stage is limited. You are monitoring rather than enforcing.


Quarantine (p=quarantine)

A p=quarantine policy tells receiving systems to treat failed email as suspicious.
Depending on the recipient’s mail platform, this may mean:

  • Messages go to spam folders
  • Warnings are added
  • Mail is flagged for review

Most messages are still delivered, but not directly to the inbox. This reduces the likelihood of harmful interaction.
Quarantine is best seen as a safety net rather than a final step.


Reject (p=reject)

A p=reject policy tells receiving systems not to deliver email that fails DMARC.
This means:

  • Unauthenticated email is blocked
  • Failed messages never reach inboxes or spam folders
  • Some senders may receive a bounce message

Reject provides the strongest protection, but it should only be used once all legitimate sending services are correctly authenticated.
Most organisations move through policies in stages: none, then quarantine, then reject.


Common DMARC mistakes to avoid

These are some of the most common issues seen when organisations set up DMARC.

  • Leaving DMARC at p=none permanently

Monitoring is useful, but p=none does not stop spoofing. Leaving DMARC in this state for months or years provides insight but little protection.

  • Missing SPF or DKIM alignment

DMARC relies on SPF and DKIM being correctly configured. If one or both are missing or misaligned, legitimate email may fail DMARC checks.

  • Forgetting third-party senders

Marketing platforms, CRM systems, ticketing tools and survey services often send email on your behalf. If these are not included in SPF or configured with DKIM, messages may fail.

  • Moving to reject too quickly

Switching to p=reject without reviewing reports can block real email. This often affects lesser-known services that were not identified during monitoring.

  • Ignoring DMARC reports

DMARC reports provide early warnings of misconfiguration and abuse. Not reviewing them means problems can go unnoticed.
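The reports mentioned above and in the "Why DMARC matters" section arrive as XML aggregate reports at the address in your record's rua tag. As an added example (not code from the original post), here is a small summariser for such a report; REPORT is a constructed sample in the RFC 7489 aggregate format, trimmed to the elements the code reads, and the IP addresses are documentation ranges, not real senders.

```python
# Added example: summarise a DMARC aggregate (rua) report so that sources
# failing authentication (forgotten third-party tools or spoofers) stand out.
import xml.etree.ElementTree as ET
from typing import Dict, List

# Constructed sample report; real ones arrive as zipped XML attachments.
REPORT = """<?xml version="1.0"?>
<feedback>
  <report_metadata><org_name>example-receiver</org_name><report_id>1</report_id></report_metadata>
  <policy_published><domain>example.com</domain><p>none</p></policy_published>
  <record>
    <row><source_ip>192.0.2.10</source_ip><count>120</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
  </record>
  <record>
    <row><source_ip>203.0.113.7</source_ip><count>35</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
  </record>
  <record>
    <row><source_ip>198.51.100.4</source_ip><count>8</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
  </record>
</feedback>"""


def summarise(xml_text: str) -> Dict[str, object]:
    """Return the published policy plus per-source counts and DMARC outcome."""
    root = ET.fromstring(xml_text)
    policy = root.findtext("policy_published/p")
    sources: List[Dict[str, object]] = []
    for rec in root.iter("record"):
        row = rec.find("row")
        ev = row.find("policy_evaluated")
        dkim, spf = ev.findtext("dkim"), ev.findtext("spf")
        sources.append({
            "ip": row.findtext("source_ip"),
            "count": int(row.findtext("count")),
            "dkim": dkim, "spf": spf,
            "disposition": ev.findtext("disposition"),
            # policy_evaluated holds the aligned results: DMARC passes if
            # either aligned DKIM or aligned SPF passes.
            "dmarc_pass": dkim == "pass" or spf == "pass",
        })
    total = sum(s["count"] for s in sources)
    failing = sum(s["count"] for s in sources if not s["dmarc_pass"])
    return {"policy": policy, "total": total, "failing": failing, "sources": sources}
```

A source that fails both checks (203.0.113.7 above) is either a sender you still need to authenticate or someone spoofing your domain; one that passes only DKIM (198.51.100.4) is still fine under DMARC but shows where SPF alignment is missing.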


How Google recommends you approach DMARC

Google’s Workspace guidance recommends enabling DMARC reporting and reviewing reports regularly before tightening policies.

This staged approach helps you understand sending behaviour and avoid disrupting legitimate email as you move from none to quarantine or reject.


Practical next steps for operations teams

  1. Check whether your domain has a DMARC record
  2. Start with p=none to gain visibility
  3. Review DMARC reports consistently
  4. Fix SPF and DKIM issues as they appear
  5. Move to quarantine and then reject when ready
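Step 1 above, and the four states described earlier, can be checked from the TXT record published at _dmarc.yourdomain. As an added example (not code from the original post), the function below parses such a record and reports which state the domain is in, whether aggregate reports are requested, and the pct tag, which limits how much failing mail the policy applies to; the records in the test are constructed samples, and fetching the record over DNS is assumed to happen elsewhere (for example with dnspython, not shown).

```python
# Added example: classify a domain's DMARC posture from its TXT record.
# Input is the raw record string, or None when no record is published.
from typing import Dict, List, Optional


def parse_dmarc(txt: Optional[str]) -> Dict[str, str]:
    """Split "v=DMARC1; p=none; rua=mailto:..." into a tag dictionary.
    Returns an empty dict for no record or a record that is not DMARC."""
    if not txt:
        return {}
    tags: Dict[str, str] = {}
    for part in txt.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    return tags if tags.get("v", "").upper() == "DMARC1" else {}


def assess(txt: Optional[str]) -> Dict[str, object]:
    """Map a record to the states in the post: no record, none, quarantine, reject."""
    tags = parse_dmarc(txt)
    notes: List[str] = []
    if not tags:
        notes.append("spoofed mail can be delivered as legitimate; no reports are sent")
        return {"state": "no record", "reports": False, "pct": 0, "notes": notes}
    policy = tags.get("p", "").lower()
    reports = "rua" in tags
    if policy not in ("none", "quarantine", "reject"):
        # RFC 7489 6.6.3: without a valid p tag, receivers treat the record
        # as p=none if a rua tag is present and otherwise ignore it.
        if not reports:
            notes.append("invalid record (no usable p tag); receivers ignore it")
            return {"state": "invalid", "reports": False, "pct": 0, "notes": notes}
        policy = "none"
        notes.append("missing or invalid p tag; receivers treat it as p=none")
    try:
        pct = int(tags.get("pct", "100"))  # pct defaults to 100
    except ValueError:
        pct = 100
    if not reports:
        notes.append("no rua tag, so you will not receive aggregate reports")
    if policy == "none":
        notes.append("monitoring only; spoofing is not stopped")
    elif pct < 100:
        notes.append(f"pct={pct}: policy applies to only {pct}% of failing mail")
    return {"state": policy, "reports": reports, "pct": pct, "notes": notes}
```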

When implemented properly, DMARC strengthens email trust, protects your domain from impersonation and reduces the risk of phishing attacks affecting your business.