Defaults.Exposed


How to fix DMARC (Email Spoofing Protection)

DMARC is the one setting that actually tells the world's mail providers to BLOCK emails that fake your business's name. SPF and DKIM check the locks; DMARC decides what happens when a forgery fails the check — bin it, flag it, or wave it through. Set wrong, your domain is fully forgeable; set right, impersonation stops at the inbox.

Bottom line for your business: Without DMARC enforcement, a criminal can send email that looks exactly like it came from your business — to your customers, staff and suppliers — and it lands in their inbox, not their spam. People get scammed in your name, and they blame you.


Why it matters. Email was never built to prove who really sent it, so faking the 'from' address is trivial. DMARC is the only control that turns 'we can detect fakes' into 'fakes get blocked' — and it also gives you the daily reports that reveal who is sending mail as your brand. Big mailbox providers now treat a missing or unenforced DMARC policy as a trust signal against you, so this affects whether your own email is delivered too.

What DMARC is, in plain words

Email has a dirty secret: the “from” line is just typed-in text. Anyone, anywhere, can write your business name and address into the “from” field of an email and send it. The internet was never designed to stop them.

There are three settings that, together, fix this. Think of them as a building’s security:

  1. SPF is the list at the front desk: which mail servers are allowed to send as your domain.
  2. DKIM is the tamper-proof seal: a signature proving the message really came from you and wasn’t altered on the way.
  3. DMARC is the guard: it checks the list and the seal, and its orders say what to do when neither checks out.

You can have the list (SPF) and the seal (DKIM) and still have no guard. That’s the single most common and most dangerous situation: the locks exist, but nothing enforces them. DMARC is the enforcement. It’s the difference between “we can tell this email is fake” and “this fake email never reaches your customer.”

What this can cost you

This isn’t theoretical. Here are the concrete ways an unprotected domain turns into real money and real damage:

  1. The fake-invoice scam. A criminal emails your customer what looks exactly like a genuine invoice from your accounts team — same name, same domain, professional layout — but with their own bank details. Because your domain isn’t enforced, it lands in the inbox, not spam. The customer pays. You discover it weeks later when they ask where their order is. The money is usually gone, and the customer often holds you responsible for the breach.

  2. The CEO-fraud wire transfer. An email appears to come from you, the owner, to your finance person: “Can you push this payment through urgently, I’m in a meeting.” It looks completely real because it is your address — just forged. The payment goes out. This pattern — Business Email Compromise — is one of the costliest scams hitting small businesses, precisely because the email genuinely comes from your own domain, so it sails straight past suspicion.

  3. The lost contract. A serious prospect runs a security or procurement check before signing. Their tooling reports your domain as “spoofable — no email authentication enforcement.” That single red flag can be enough to award the contract to a competitor whose domain passed. You never even hear the real reason.

  4. The reputation hit you can’t undo. Your domain gets swept into a phishing campaign. Dozens of people who were tricked in your name post warnings and reviews. The attack lasts a week; the “is this company even safe?” question lingers for months.

  5. Your own email going to spam. Google and Yahoo now actively distrust domains with no enforced DMARC. Quotes, invoices and replies that you genuinely sent start quietly landing in spam folders. Deals stall and you never find out why.

What it actually is (and what “good” looks like)

DMARC lives as a single line of text in your domain’s settings — a DNS “TXT” record published at the special name _dmarc.yourdomain. Inside it are a few short instructions. Two of them matter most, and they’re exactly the two things this assessment checks.

1. The policy (p=) — the guard’s orders. This is the heavily-weighted part of the check. It can be one of three things:

  none — watch and report only. Nothing is blocked, so it offers no protection.
  quarantine — send forgeries to the spam folder.
  reject — refuse forgeries outright, so they never arrive.

What “good” looks like: p=reject. Anything less leaves a gap.

Two technical details our check also looks at, worth knowing so you don’t get caught out:

  sp= — the policy for subdomains. If you publish sp=none, mail forged from anything.yourdomain still gets through even when p=reject. Leave sp= out (subdomains then inherit your main policy) or set it to reject.
  pct= — the percentage of failing mail the policy is applied to. Anything under 100 is a partial rollout and is scored as such; a finished record has either no pct= tag or pct=100.

2. The reporting address (rua=) — your visibility. This is the second check on this page. The rua= tag asks every mail provider in the world to send you a daily summary of who tried to send email as your domain — your own systems and any impersonators. Without it, you are flying blind: you have no idea who is abusing your name. With it, businesses routinely discover between 5 and 50 unauthorised senders on the very first day.

What “good” looks like for reporting: a valid rua=mailto: address (or a reporting-service https: URL) that actually receives the reports. Our check validates the format — a mistyped or malformed address means the reports silently go nowhere, which scores as a partial or failed result even though a tag is technically “present.”
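As an added illustration (not the assessment’s own code), here is a small Python checker that grades a DMARC TXT record along the lines described above: it parses the tags, scores p= with sp= and pct= taken into account, and validates the rua= format. The numeric weights and the sample records are assumptions chosen to mirror this page’s description, not the assessment’s actual scoring.

```python
import re

# Page's grading: reject = full marks, quarantine = about half, none/missing = fail.
# These numeric weights are an assumption that mirrors that description.
POLICY_SCORE = {"reject": 1.0, "quarantine": 0.5, "none": 0.0}

# mailto: address or reporting-service https: URL, optional RFC 7489 size suffix (e.g. "!10m").
RUA_URI = re.compile(r"^(mailto:[^\s,@!]+@[^\s,@!]+\.[^\s,@!]+|https://[^\s,!]+)(![0-9]+[kmgt]?)?$", re.I)

def parse_dmarc(txt):
    """Split a DMARC TXT record into a tag -> value dict; {} if it is not a DMARC1 record."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags if tags.get("v", "").upper() == "DMARC1" else {}

def check_dmarc(txt):
    """Grade a record as the page describes: p=, then sp= and pct=, then the rua= format."""
    tags = parse_dmarc(txt)
    if not tags:
        return {"score": 0.0, "rua_ok": False, "findings": ["no valid DMARC record published"]}
    findings = []
    p = tags.get("p", "").lower()
    if p not in POLICY_SCORE:
        findings.append(f"missing or unknown policy p={p!r}")
    score = POLICY_SCORE.get(p, 0.0)
    # Subdomains inherit p= unless sp= overrides it; a weaker sp= caps the score.
    sp = tags.get("sp", p).lower()
    if POLICY_SCORE.get(sp, 0.0) < score:
        findings.append(f"subdomain policy sp={sp} is weaker than p={p}")
        score = POLICY_SCORE.get(sp, 0.0)
    # pct= applies the policy to only part of the mail flow; a partial rollout scales it down.
    pct = tags.get("pct", "100")
    if not (pct.isdigit() and int(pct) <= 100):
        findings.append(f"invalid pct={pct!r}")
        pct = "0"
    if int(pct) < 100:
        findings.append(f"policy applied to only {pct}% of mail")
    score *= int(pct) / 100
    # rua= must be one or more well-formed URIs, otherwise the reports silently go nowhere.
    uris = [u.strip() for u in tags.get("rua", "").split(",") if u.strip()]
    rua_ok = bool(uris) and all(RUA_URI.match(u) for u in uris)
    if not rua_ok:
        findings.append("rua= missing or malformed: aggregate reports will not arrive")
    return {"score": round(score, 2), "rua_ok": rua_ok, "findings": findings}
```

Feed it the TXT value you publish at _dmarc.yourdomain (or the one a DNS lookup returns) and read the findings list: an empty list with score 1.0 is what “good” looks like.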

How to fix it (free, ~30 minutes spread over two weeks)

Hand this section to whoever manages your domain, website, or IT — the fix is completely free. We only ever charge to monitor that it stays correct over time, to manage a portfolio of domains, or for an audit. The change itself costs nothing.

The golden rule: never jump straight to reject. Turn on monitoring first, watch the reports, confirm your real mail is recognised, then tighten. Done in this order it is safe; done in a rush it can junk your own email.

Step 1 — Make sure SPF and DKIM are in place first. DMARC relies on them. If either is missing, sort those before enforcing DMARC (see the SPF and DKIM pages).

Step 2 — Publish a monitoring record with reporting on. Add a DNS TXT record at _dmarc.yourdomain with this content:

v=DMARC1; p=none; rua=mailto:dmarc@yourdomain; adkim=s; aspf=s

This watches and reports without blocking anything yet. The adkim=s; aspf=s parts request strict alignment — leave them out at first if you’re unsure, and add them once your mail is confirmed clean.

Step 3 — Read the reports for ~2 weeks. Raw DMARC reports are dense XML. Use a free reporting service (for example dmarcian or Postmark’s free DMARC tool) to turn them into a readable dashboard. Confirm that every legitimate sender — your mailbox provider, newsletter tool, CRM, helpdesk, invoicing app — is passing. Fix any genuine sender that isn’t.

Step 4 — Move to quarantine. Once your real mail is clean, change p=none to p=quarantine. Watch for another few days.

Step 5 — Move to reject. Finally change p=quarantine to p=reject. You’re now fully protected. The final record looks like:

v=DMARC1; p=reject; rua=mailto:dmarc@yourdomain; adkim=s; aspf=s

Step 6 — Don’t forget subdomains. Make sure you haven’t left sp=none in place. If you publish no sp at all, subdomains inherit your main p= policy, which is what you want.

Notes per common platform:

Common mistakes

A note on grading

The policy check (p=) is one of the heaviest-weighted items in the whole assessment — because it’s the single biggest factor in whether your business can be impersonated. reject earns the full score; quarantine earns roughly half; none and a missing record score as fails. A weaker subdomain policy or a partial pct= rollout pulls the score down to match the real level of protection you actually have.

The reporting check (rua=) carries real weight too, but think of it less as a box to tick and more as the tool that lets you reach reject safely. Set it up at the same time as your monitoring record, and it pays for itself in visibility on day one.

Set it up on your host

Step-by-step for popular providers:

FAQ

I'm not technical at all — is this something I can actually deal with?

Yes, but you don't have to do it personally. The fix is a couple of lines added to your domain's settings, and it's free. The simplest path is to forward the 'How to fix it' section of this page to whoever runs your website or your IT support. It typically takes them well under an hour, spread over a couple of weeks of safe monitoring.

Will turning on DMARC accidentally stop my own emails getting through?

It can — but only if you skip the safe rollout. The whole point of starting at 'monitor only' (p=none) with reporting switched on is to watch for two weeks and confirm that every legitimate sender (your mailbox, your newsletter tool, your invoicing app) is correctly recognised BEFORE you switch to blocking. Done in that order, your real mail is unaffected. Rushing straight to 'reject' without checking the reports is the one common mistake that breaks delivery.

I already have SPF and DKIM set up. Isn't that enough?

No — and this is the most important point to understand. SPF and DKIM are the locks; DMARC is the instruction that says 'if the locks don't match, refuse the email.' Without DMARC at 'reject', a receiving server may notice an email is forged and still deliver it. SPF and DKIM are prerequisites for DMARC to work, but on their own they do not stop a forged email from reaching the inbox.

What's the difference between 'none', 'quarantine' and 'reject'? Which do I need?

'none' only watches and reports — it stops nothing, so it doesn't protect you. 'quarantine' sends forgeries to the spam folder. 'reject' refuses them outright, so they never arrive. 'reject' is the goal and the only setting that earns full marks. 'quarantine' is a reasonable stepping stone; 'none' is a starting point for the first couple of weeks, not a destination.

What is this 'rua' reporting thing, and do I need it?

The rua tag asks mail providers to send you a daily summary of every system that tried to send email as your domain — including the criminals. It's how businesses discover the 5 to 50 unauthorised senders typically abusing a domain on day one. On its own it carries less weight than the policy, but it's how you safely move to 'reject' without breaking your real mail, so set it up at the same time.

We barely send email, or we don't send email from this domain at all. Do we still need DMARC?

Especially then. A domain that sends little or no real email is a perfect, low-noise target for criminals to impersonate, because nobody's watching. A domain you never send mail from should publish a strict reject policy — it's a clean, low-risk win that slams the door entirely.