
DMARC explained for small businesses.

DMARC is the policy that tells the rest of the internet what to do with email that claims to come from you but cannot prove it. It sits on top of SPF and DKIM, and it is the single biggest lever a small business has against invoice fraud and brand impersonation.

What does it do?

DMARC is a short text record you publish in DNS at the special name _dmarc.yourdomain.com.au. When a receiving mail server like Gmail, Outlook or a customer's on-prem Exchange box gets a message that says it is from you, it looks up that record. The record answers two questions: what should the receiver do if the message fails authentication, and where should the receiver send a report of what they saw.

Authentication here means two separate checks. The first is SPF, which confirms the connecting server is one you have listed in DNS for the domain in the message's bounce address (the envelope sender, visible to the user only as the Return-Path header). The second is DKIM, which confirms the message body and important headers were not changed after your server signed them. DMARC sits on top of both and adds a third requirement called alignment: the domain that passed SPF (the bounce-address domain) or DKIM (the d= tag in the signature) must match the domain in the From header the user sees. With the default relaxed alignment a subdomain of that domain also counts, and either check passing in alignment is enough.

Without DMARC, receivers each make their own guesses. Some quietly drop spoofed mail, some land it in the junk folder, and plenty deliver it. With a DMARC policy of p=reject, you are telling every receiver in the world: if it claims to be from us and it cannot prove it, refuse it. That is the line that stops a contractor receiving a fake invoice that looks exactly like one of yours.

Why it matters

Picture a Sydney dental practice with a one-person front desk. Their domain has SPF and DKIM, but no DMARC. An attacker scrapes the practice's website, registers a free Mailgun trial, and sends an invoice that displays accounts@yourdental.com.au as the sender. The receiving mail server sees that neither SPF nor DKIM passes for yourdental.com.au, but there is no DMARC policy telling it what to do about that, so it puts the message in the patient's inbox with a small warning that most people ignore. The patient pays into the wrong account. The practice spends three weeks trying to reverse the transfer and a further week explaining the breach to its cyber insurer.

The wider point: most small business cyber insurance policies now include a control questionnaire that asks specifically whether DMARC is in place at quarantine or reject. Saying yes when the answer is no, then having an incident, is a route straight to a declined claim. A working DMARC record is one of the cheapest controls a business can put in place and one of the fastest to evidence.

How to set it up

A working DMARC rollout is three records over six weeks. Start in reporting mode so you can see who is sending on your behalf before you turn on enforcement.

  • Week one — publish a reporting record at _dmarc.yourdomain.com.au:
_dmarc.yourdomain.com.au.  TXT  "v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com.au; ruf=mailto:dmarc@yourdomain.com.au; fo=1"
  • Weeks two to four — read the aggregate reports. They arrive as XML attachments at the rua address, typically one per receiver per day; few receivers send the forensic ruf reports, so do not rely on those. You will discover every newsletter platform, accounting tool and CRM that sends from your domain. Add their servers to SPF, give them DKIM selectors under your domain, or stop them sending from your domain entirely.
  • Week five — move to p=quarantine. Failing mail lands in the junk folder, where you can recover from any mistake you missed. If you want to ease in, add pct=25 and raise it as the reports stay clean.
  • Week six — move to p=reject. From here on, impersonation attempts are refused at the front door.
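The weeks-two-to-four step is where most rollouts stall, because the aggregate reports are XML attachments rather than a dashboard. The following is an added example, not AttackEdge's tooling: a Python script that reads one such report (a constructed report is embedded, using RFC 5737 documentation IP addresses and invented vendor domains) and sorts each sending source into one of three buckets: aligned, authenticated only under the vendor's own domain, or failing outright. Only the middle bucket needs fixing before you move to quarantine; the last bucket is either a forgotten sender or a spoofer, and enforcement is the point.

```python
"""Summarise a DMARC aggregate (rua) report by sending source.

Added example for this page, not AttackEdge code. The report below is
constructed in the RFC 7489 Appendix C layout; the IPs are RFC 5737
documentation addresses and the vendor domains are invented.
"""
import xml.etree.ElementTree as ET
from collections import defaultdict

SAMPLE_REPORT = """<?xml version="1.0"?>
<feedback>
  <report_metadata><org_name>google.com</org_name><report_id>constructed-1</report_id>
    <date_range><begin>1700000000</begin><end>1700086399</end></date_range></report_metadata>
  <policy_published><domain>yourdomain.com.au</domain><adkim>r</adkim><aspf>r</aspf>
    <p>none</p><pct>100</pct></policy_published>
  <record>
    <row><source_ip>203.0.113.10</source_ip><count>412</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>yourdomain.com.au</header_from></identifiers>
    <auth_results><dkim><domain>yourdomain.com.au</domain><selector>google</selector><result>pass</result></dkim>
      <spf><domain>yourdomain.com.au</domain><result>pass</result></spf></auth_results>
  </record>
  <record>
    <row><source_ip>198.51.100.7</source_ip><count>38</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>yourdomain.com.au</header_from></identifiers>
    <auth_results><dkim><domain>accounting-saas.example</domain><selector>k1</selector><result>pass</result></dkim>
      <spf><domain>bounce.accounting-saas.example</domain><result>pass</result></spf></auth_results>
  </record>
  <record>
    <row><source_ip>192.0.2.99</source_ip><count>7</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>yourdomain.com.au</header_from></identifiers>
    <auth_results><spf><domain>yourdomain.com.au</domain><result>fail</result></spf></auth_results>
  </record>
</feedback>"""

ACTIONS = {
    "aligned": "authorised and aligned: nothing to do",
    "unaligned_third_party": "vendor authenticates with its own domain only: give it a DKIM "
                             "selector under your domain (or a custom return-path) before enforcing",
    "failing": "no authentication for your domain: a forgotten sender or a spoofer; "
               "authorise it or let enforcement block it",
}


def parse_aggregate_report(xml_text):
    """Return one dict per <record> with the aligned verdicts and the raw auth results."""
    root = ET.fromstring(xml_text)
    records = []
    for rec in root.findall("record"):
        row = rec.find("row")
        verdict = row.find("policy_evaluated")
        raw = [(mech, ar.findtext("domain"), ar.findtext("result"))
               for mech in ("spf", "dkim")
               for ar in rec.findall(f"auth_results/{mech}")]
        records.append({
            "source_ip": row.findtext("source_ip"),
            "count": int(row.findtext("count")),
            "header_from": rec.findtext("identifiers/header_from"),
            # policy_evaluated carries the DMARC-aligned results, not the raw SPF/DKIM ones
            "dkim_aligned": verdict.findtext("dkim") == "pass",
            "spf_aligned": verdict.findtext("spf") == "pass",
            "raw_auth": raw,
        })
    return records


def classify(record):
    """Bucket a record by what the domain owner needs to do about it."""
    if record["dkim_aligned"] or record["spf_aligned"]:
        return "aligned"
    # Raw SPF or DKIM passed, but for some other domain: a real vendor sending
    # under its own envelope/signing domain, which will fail once you enforce.
    if any(result == "pass" for _, _, result in record["raw_auth"]):
        return "unaligned_third_party"
    return "failing"


def summarise(records):
    """Merge records by (source IP, status) and sort by volume, largest first."""
    buckets = defaultdict(lambda: {"count": 0, "passing_domains": set()})
    for r in records:
        b = buckets[(r["source_ip"], classify(r))]
        b["count"] += r["count"]
        b["passing_domains"].update(d for _, d, res in r["raw_auth"] if res == "pass")
    rows = [{"source_ip": ip, "status": status, "count": b["count"],
             "passing_domains": sorted(b["passing_domains"]), "action": ACTIONS[status]}
            for (ip, status), b in buckets.items()]
    return sorted(rows, key=lambda r: r["count"], reverse=True)


def enforcement_ready(rows):
    """True when no legitimate-looking sender is still unaligned."""
    return not any(r["status"] == "unaligned_third_party" for r in rows)


if __name__ == "__main__":
    rows = summarise(parse_aggregate_report(SAMPLE_REPORT))
    for r in rows:
        print(f"{r['source_ip']:<15} {r['count']:>5}  {r['status']:<22} {r['action']}")
    print("ready for quarantine:", enforcement_ready(rows))
```

Run it against the real attachments you receive by passing the file contents to parse_aggregate_report instead of SAMPLE_REPORT. Receivers often gzip or zip the XML, so unpack first. The "failing" bucket is deliberately not a blocker: by the end of the reporting phase it should contain only traffic you do not recognise.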

To test, send yourself a message from any service you have not authorised. With a quarantine or reject policy, that message should be junked or refused. On a message that does arrive, open the headers and read the Authentication-Results line the receiver added: it shows dmarc=pass for mail from your real systems and dmarc=fail for the unauthorised test. Most aggregators also expose a live test you can paste headers into.

Common mistakes

  • Leaving the policy at p=none forever. Reporting without enforcement is not protection.
  • Leaving subdomains weaker than the apex. Subdomains inherit p= unless you publish sp=, so an explicit sp=none, or a separate _dmarc record on billing.yourdomain.com.au with p=none, lets an attacker spoof billing.yourdomain.com.au even when the apex is at reject. Keep sp= at least as strict as p=.
  • Forgetting the alignment rule. A message can pass SPF for an ESP's envelope domain but still fail DMARC because the visible From address does not align. Use DKIM as well.
  • Pointing reports at a mailbox nobody reads. The reporting phase only works if someone is looking at the data.

How AttackEdge checks it

The AttackEdge scan reads your DMARC record on every scan. It flags missing or syntactically invalid policies, policies stuck at p=none, missing subdomain policies, and reporting addresses that bounce. The full methodology is on /what-we-check, and the free DMARC checker runs the same lookups on demand without an account.
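As an added example covering both the common mistakes above and the kind of lookups a scanner performs (this is illustrative Python, not AttackEdge's scanner), the following parses a DMARC record, lints it for the listed mistakes, and evaluates a message's alignment and disposition under that record. The public-suffix table is a small stand-in for the real Public Suffix List, the domains and records are constructed, and pct= sampling and per-subdomain records are deliberately left out.

```python
"""Parse, lint and evaluate a DMARC record.

Added example for this page, not AttackEdge's scanner. Records and domains
are constructed; PUBLIC_SUFFIXES is a stand-in for the Public Suffix List.
"""

# Assumption: a tiny public-suffix table. Real code must use the Public Suffix
# List; without it "yourdomain.com.au" would wrongly reduce to "com.au".
PUBLIC_SUFFIXES = {"com.au", "net.au", "org.au", "com", "net", "org", "example"}

VALID_POLICIES = ["none", "quarantine", "reject"]   # weakest to strongest
DEFAULTS = {"adkim": "r", "aspf": "r", "pct": "100"}  # RFC 7489 defaults


def parse_dmarc(txt):
    """Split 'tag=value; tag=value' into a dict; raise ValueError on a broken record."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if next(iter(tags), None) != "v" or tags["v"] != "DMARC1":
        raise ValueError("record must start with v=DMARC1")
    if tags.get("p") not in VALID_POLICIES:
        raise ValueError("missing or invalid p= tag")
    if "sp" in tags and tags["sp"] not in VALID_POLICIES:
        raise ValueError("invalid sp= tag")
    return {**DEFAULTS, **tags}


def lint(txt):
    """Findings in the spirit of the common-mistakes list above."""
    try:
        rec = parse_dmarc(txt)
    except ValueError as exc:
        return [f"invalid record: {exc}"]
    findings = []
    if rec["p"] == "none":
        findings.append("p=none: reporting only, no enforcement")
    sp = rec.get("sp", rec["p"])  # subdomains inherit p= when sp= is absent
    if VALID_POLICIES.index(sp) < VALID_POLICIES.index(rec["p"]):
        findings.append(f"sp={sp} is weaker than p={rec['p']}: subdomains can be spoofed")
    if "rua" not in rec:
        findings.append("no rua= address: you will receive no aggregate reports")
    if rec["pct"] != "100":
        findings.append(f"pct={rec['pct']}: policy applied to only a sample of mail")
    return findings


def org_domain(domain):
    """Organisational domain: the public suffix plus one label."""
    labels = domain.lower().rstrip(".").split(".")
    for n in (2, 1):
        if len(labels) > n and ".".join(labels[-n:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[-(n + 1):])
    return domain.lower()


def aligned(auth_domain, from_domain, mode):
    """Strict (s) alignment is exact match; relaxed (r) compares organisational domains."""
    if not auth_domain:
        return False
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


def evaluate(record_txt, from_domain, spf=("none", None), dkim=("none", None)):
    """Return (dmarc_pass, disposition). spf=(result, bounce domain); dkim=(result, d= domain)."""
    rec = parse_dmarc(record_txt)
    spf_ok = spf[0] == "pass" and aligned(spf[1], from_domain, rec["aspf"])
    dkim_ok = dkim[0] == "pass" and aligned(dkim[1], from_domain, rec["adkim"])
    if spf_ok or dkim_ok:
        return True, "none"
    # A From domain below the organisational domain gets sp= if published, else p=.
    is_subdomain = from_domain.lower() != org_domain(from_domain)
    return False, rec.get("sp", rec["p"]) if is_subdomain else rec["p"]


if __name__ == "__main__":
    REJECT = "v=DMARC1; p=reject; rua=mailto:dmarc@yourdomain.com.au"
    WEAK_SUB = "v=DMARC1; p=reject; sp=none; rua=mailto:dmarc@yourdomain.com.au"
    # ESP passes SPF for its own bounce domain only: not aligned, so rejected.
    print(evaluate(REJECT, "yourdomain.com.au", spf=("pass", "bounce.esp.example")))
    # Same ESP after it signs with a selector under your domain: aligned, delivered.
    print(evaluate(REJECT, "yourdomain.com.au", spf=("pass", "bounce.esp.example"),
                   dkim=("pass", "yourdomain.com.au")))
    print(lint(WEAK_SUB), evaluate(WEAK_SUB, "billing.yourdomain.com.au"))
```

The two evaluate calls on the REJECT record are the alignment mistake from the list above in miniature: raw SPF passes for the ESP, yet nothing aligns until the ESP signs with DKIM under your domain. The WEAK_SUB record shows why sp= must be at least as strict as p=: with sp=none a forged billing.yourdomain.com.au message fails DMARC but still gets a disposition of none.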
