Has a client ever called to ask, “did you really send this invoice?” If so, you already know the problem. Scammers can send messages that look like they came from your domain. They never touch your systems. They just borrow your name.
The fix isn’t complicated. It just needs three DNS records working together: SPF, DKIM, and DMARC. Most companies set up one or two of these. They leave the third half-finished. That gap is usually all a scammer needs.
This guide covers what each record does. It also covers the one DMARC setting businesses get wrong most often, and how to check your own domain.
How a Spoofed Email Reaches Your Client
An attacker puts your domain in the From field and sends the message. If your domain lacks protection, the receiving server has no way to challenge it. Your customer, supplier, or employee sees an email that looks exactly like it came from you.
The Three DNS Records That Verify Your Email Is Really Yours
You configure SPF, DKIM, and DMARC once, through your domain registrar or DNS provider. After that, every receiving mail server checks these records automatically.
SPF (Sender Policy Framework)
SPF lists the mail servers you’ve authorized to send on your domain’s behalf. A receiving server checks whether the sending server appears on that list. If it doesn’t, SPF flags the message.
DKIM (DomainKeys Identified Mail)
DKIM attaches a digital signature to every message you send. Your mail server signs outgoing messages with a private key. The matching public key lives in your DNS. The receiving server uses it to confirm two things: your domain sent the message, and nobody altered it in transit.
DMARC (Domain-based Message Authentication, Reporting and Conformance)
DMARC ties SPF and DKIM together. It tells receiving servers what to do when a message fails both checks. It also confirms that the domain in the visible “From” address matches the domain SPF and DKIM verified. That’s the piece that stops someone from forging your exact address. DMARC also sends you reports showing every server sending mail as your domain — including the ones that shouldn’t be.
The DMARC Setting Most Businesses Get Wrong
DMARC has three policy levels. Picking the wrong one — or never moving past the first one — is the most common mistake.
p=reject — Receiving servers block failing messages outright. They never reach the inbox.
p=none — Monitor only. You receive reports, but DMARC blocks nothing. A failing message can still land in the inbox.
p=quarantine — Receiving servers send failing messages to spam or junk.
Why Businesses Get Stuck at p=none
Many businesses set DMARC to p=none, start reviewing reports, and never move further. They don’t realize that real protection hasn’t started yet. Microsoft recommends treating p=none as a temporary monitoring phase. Once your legitimate mail passes authentication, move toward p=reject.
What SPF, DKIM, and DMARC Can’t Stop
These records stop someone from forging your exact domain. Two related tactics still slip through.
Lookalike domains. An attacker can register a domain that resembles yours, like yourcompany-invoices.com, or swap .com for .co, then send from that instead. Your DNS records protect only the domain you own.
Display-name spoofing. The visible sender name can read “Your Company Accounts,” while the real address behind it belongs to an unrelated free-mail account. DMARC checks the domain. It doesn’t check the display name.
Because of these gaps, basic phishing habits still matter. Check the full sender address, not just the display name. Verify any request to change payment details by phone, using a number you already trust — never one supplied in the email.
Why This Matters Even for Small Senders
Protection. These records stop scammers from impersonating your domain to your clients, suppliers, and staff.
Deliverability. Major mailbox providers now expect this authentication before they’ll deliver mail to the inbox.
Deliverability Rules Are Tightening
Since February 2024, Google and Yahoo have required senders of 5,000+ daily messages to use SPF, DKIM, and DMARC. Microsoft applied similar rules to Outlook.com and Hotmail in 2025. Non-compliant bulk mail gets filtered to junk first, then rejected. Even smaller senders tend to see better inbox placement once their domain is properly authenticated.
How to Check and Fix Your Domain
You don’t need technical expertise to get a first read on where you stand. A number of free SPF/DMARC lookup tools let you enter your domain and see which records currYou don’t need technical skills for a first check. Several free SPF and DMARC lookup tools let you enter your domain and see which records exist. That tells you what’s present — not whether it’s configured correctly. That part is a job for your IT provider or domain administrator.
A Safe Rollout Plan
A misconfigured record can send your own legitimate mail to spam. Roll changes out gradually:
- Publish SPF and DKIM, and cover every legitimate mail source your business uses.
- Add DMARC at
p=none, then review the reports to confirm your real mail passes. - Move to
p=quarantine. Once reports look clean, move top=reject.
Microsoft recommends this same staged path. It protects your domain without blocking your own mail along the way.
Frequently Asked Questions
What is email spoofing? Email spoofing is when someone sends a message with your domain in the From address to make it appear as though it came from your company. It’s commonly used to trick clients, suppliers, or staff into paying fraudulent invoices, updating banking details, or handing over sensitive information.
Does DMARC stop all forms of email impersonation? No. DMARC stops someone from forging your exact domain, but it doesn’t stop lookalike domains (like yourcompany-invoices.com) or display-name spoofing, where the sender name shows your company but the underlying address is different. Those threats still require staff training and payment-verification habits.
What do SPF, DKIM, and DMARC do, in simple terms? SPF lists which servers are allowed to send email for your domain. DKIM is a digital signature confirming a message truly came from you and wasn’t tampered with. DMARC connects the two, tells receiving servers how to handle messages that fail, and reports on who is sending mail using your domain.
Will setting up DMARC block my own outgoing email? Not if you roll it out in stages. Starting at p=none lets you review authentication reports and confirm your legitimate mail passes before moving to quarantine and then reject. Jumping straight to p=reject without that verification step is what causes accidental blocking.
Do I need these records if I only send a small volume of email? Yes. They protect your domain from impersonation regardless of your email volume, and they improve the odds your messages land in the inbox rather than spam. Google, Yahoo, and Microsoft all now expect this level of authentication, and unauthenticated mail is increasingly likely to be filtered.
Not sure where your domain stands on SPF, DKIM, and DMARC? The team at Interlinked Business Technology Services can audit your setup and handle the rollout for you — get in touch and we’ll take it from there.
—