The FBI tracks billions of dollars a year lost to attackers who email your customers pretending to be you. Its 2023 Internet Crime Report logged $2.9 billion in BEC losses for the year and $55.5 billion in cumulative losses reported to IC3 over the last decade.

Australian businesses reported $29.5 million in scam losses to the ACCC in 2023, with small and micro businesses accounting for $17.3 million of that. Payment redirection, the scam where a stranger emails your biggest customer with new banking details for the next invoice, drove $16.2 million of the reported losses to Scamwatch alone, up on 2022 even though the number of reports fell. The average loss per successful scam went up.

The scam itself is always the same shape. An email that looks like it came from the owner of an Australian business to their biggest customer. Updated banking details for the next invoice. Please remit here. The customer pays it. By the time anyone notices, the account is empty and the email trail is gone.

The fix for every case where the attacker spoofed the real domain is an hour of DNS. SPF listing every sending platform, DKIM turned on, DMARC at p=reject. The receiving server bounces the forged mail before it reaches the customer.

If you run a business with an email address on your own domain and you haven't done this yet, this is where I'd spend tomorrow afternoon.

What each record actually is

SPF is a list. You publish a DNS TXT record that says "the servers allowed to send email as my domain are Google, Mailchimp, and my CRM". Receiving mail servers check the list and, if the sender's not on it, mark the message as suspicious. An SPF record looks like v=spf1 include:_spf.google.com include:servers.mcsv.net -all. The -all at the end is important. It's the thing that says "nothing else".

DKIM is a signature. Every outbound message from your mail platform gets signed with a private key. The matching public key lives in DNS. A receiving server checks the signature and knows the message wasn't tampered with in transit. You don't generate the key yourself. Google Workspace, Microsoft 365, Postmark, Resend, Mailchimp, they all generate it for you and hand you the DNS record to paste. If you send from six different platforms, you have six DKIM records. That's fine.

DMARC is the instruction. It tells a receiving server what to do when SPF and DKIM fail, and asks for a daily report of who's sending mail using your domain. The report is the part people sleep on. It will surface every legitimate sender you forgot and every impersonator you didn't know about, in the first two days.

The roll-out that doesn't bounce your payroll

The most common way to break this is to skip the reporting phase and go straight to p=reject. Do that on a Friday night and you spend Saturday morning working out why your payroll provider's emails are in junk. Don't do that.

Week zero, you publish SPF listing every sending platform and turn on DKIM in each one. Week one, you publish DMARC at p=none with a rua reporting address. I use Postmark's free DMARC reporting service because their dashboard is readable and I don't want to process XML by hand. Valimail and dmarcian also work. Over the next fortnight, the reports will show you every IP sending mail as your domain. You'll find a forgotten automated notification from your accounting software. You'll find a marketing tool a former staff member set up. You'll find a spammer in Russia. Add the legitimate ones to SPF, ignore the rest.

Week three or four, move DMARC to p=quarantine. Failing mail now goes to spam instead of inbox. You'll spend a few days field-testing that nothing legitimate is getting caught. Week six or eight, move to p=reject. Impersonation attempts are rejected by the receiving server before they reach anyone. This is the state you want to be in.

The bit everyone skips

Set up BIMI once you're at p=reject. It puts your logo next to your name in Gmail and Apple Mail. Your customers see a visual signal that the mail is legitimate. You need a Verified Mark Certificate from Entrust or DigiCert, which runs around USD 1,500 a year, and a registered trademark. If you have the trademark, the logo is worth it. If you don't, BIMI without a VMC still works in some clients and costs nothing.

Also rotate DKIM keys yearly where the platform lets you. Google doesn't really support it cleanly. Postmark does. Do what you can.

How to check where you stand

Easiest way is to run dig TXT yourdomain.com and dig TXT _dmarc.yourdomain.com from a terminal. Or use the free check, which looks at all three records and tells you which ones are missing or loose. Takes about twelve seconds, no signup. If you're at p=none or worse, that's where to spend tomorrow.
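As an added example (not AttackEdge's free check and not code from the original post), here is a small Python grader that applies the "missing or loose" rules above to the SPF and DMARC strings you get back from dig, covering the record formats and the roll-out phases described earlier. The sample records and the dmarc@example.com mailbox are constructed for the example.

```python
from typing import Optional


def grade_spf(record: Optional[str]) -> str:
    """Return 'missing', 'loose' (~all, ?all, +all or no all) or 'strict' (-all)."""
    if not record or not record.lower().startswith("v=spf1"):
        return "missing"
    # The first 'all' mechanism decides senders not on the list; later terms are never evaluated.
    for term in record.split()[1:]:
        if term.lstrip("+-~?").lower() == "all":
            return "strict" if term.startswith("-") else "loose"
    return "loose"


def parse_dmarc(record: Optional[str]) -> dict:
    """Split 'v=DMARC1; p=none; rua=mailto:...' into a lowercase-keyed tag dict."""
    tags = {}
    for part in (record or "").split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def grade_dmarc(record: Optional[str]) -> str:
    """Return 'missing', or the p= policy: 'none', 'quarantine' or 'reject'."""
    tags = parse_dmarc(record)
    if tags.get("v", "").upper() != "DMARC1":
        return "missing"
    return tags.get("p", "none").lower()  # p= is required; an absent p= is treated as none here


def has_reporting(record: Optional[str]) -> bool:
    """True when the record asks for aggregate reports (rua=), the part people skip."""
    return "rua" in parse_dmarc(record)


# Constructed sample records matching the roll-out phases in the post.
SAMPLES = {
    "week0": ("v=spf1 include:_spf.google.com ~all", None),
    "week1": ("v=spf1 include:_spf.google.com include:servers.mcsv.net -all",
              "v=DMARC1; p=none; rua=mailto:dmarc@example.com"),
    "week8": ("v=spf1 include:_spf.google.com include:servers.mcsv.net -all",
              "v=DMARC1; p=reject; rua=mailto:dmarc@example.com"),
}

if __name__ == "__main__":
    for phase, (spf, dmarc) in SAMPLES.items():
        print(f"{phase}: SPF={grade_spf(spf)} DMARC={grade_dmarc(dmarc)} "
              f"reports={'yes' if has_reporting(dmarc) else 'no'}")
```

Feed it the quoted string from each dig answer; a result of SPF "loose" or DMARC anything short of "reject" is the same signal the post is pointing at.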
