What is DMARC, and why every business with a domain needs one.
Published 2026-05-01 · Last updated 2026-05-01 · Vantyris editorial
If your domain has no DMARC record, anyone can send an email from `accounts@yourbusiness.co.uk` to one of your customers and it will land in their inbox looking real. That's not a theoretical attack; it's the default path most phishing campaigns ride. DMARC is the single highest-impact thing a small business can fix on its email setup, and it costs nothing.
What this means for your business
- Without DMARC, every Gmail, Outlook, and Yahoo recipient has no reliable way to tell whether an email from your domain is from you or from an attacker. They accept the message and show your customer a convincing-looking invoice, password reset, or appointment confirmation.
- DMARC is one TXT record at your DNS provider. Adding it costs nothing and takes about 30 minutes once you've found the right page in your registrar's control panel.
- DMARC works alongside SPF (which lists allowed sending servers) and DKIM (which cryptographically signs your outgoing mail). DMARC is the policy layer that tells receiving servers what to do when SPF or DKIM fails.
How to fix
Add a DMARC TXT record at `_dmarc.<yourdomain>` starting with `p=none` to collect reports for a month, then progress to `p=quarantine` and `p=reject`.
- Make sure SPF is in place first. DMARC depends on SPF (or DKIM). If you don't have an SPF record yet, add one before DMARC. Check by looking up your domain's TXT records; SPF starts with `v=spf1`. If absent, add the basic record your email provider gives you.
- Decide where to receive aggregate reports. Pick an email address that gets the daily DMARC reports. A dedicated mailbox like `dmarc@yourbusiness.com` works. Or a free aggregator like Postmark's free tier, Dmarcian, or Easydmarc parses the reports into a dashboard.
- Add the DMARC TXT record. At your DNS provider, create a new TXT record. Host: `_dmarc` (your DNS panel will append your domain automatically). Value: `v=DMARC1; p=none; rua=mailto:dmarc@yourbusiness.com`. Save.
- Wait one week, check reports. Aggregate reports trickle in from each major receiving server (Google, Microsoft, Yahoo). Confirm every sender appearing in the report is legitimate. If you see suspicious senders, that's the impersonation attempt you just made visible.
- Progress to quarantine, then reject. After ~4 weeks of clean reports, change `p=none` to `p=quarantine`. After another month, `p=reject`. Now any unauthenticated mail from your domain bounces.
Owner: Your DNS administrator. Same person who sets your MX records. · Time: 30 minutes for the initial setup; 8 weeks total to reach `p=reject`.
Common gotchas
- DMARC at `p=none` does not stop anything; it only reports. That's an intentional staging mode, not a finished setup.
- You can only have ONE DMARC record per domain. If you already have one, edit it; don't add a second.
- If you use third-party senders (newsletters, CRM, accountant sending in your name), make sure each one is included in SPF and signs with DKIM. Otherwise their mail will fail DMARC once you tighten the policy.
How to verify the fix
Run a Vantyris teaser scan on your domain; it surfaces the DMARC record and tells you the current policy. Or paste your domain into mxtoolbox.com/dmarc.aspx for a quick check. After a week, your aggregate reports should arrive at the rua address; if they don't, the record isn't being read.
Cyber Essentials alignment
This finding informs the following UK NCSC Cyber Essentials control areas:
- A1. Firewalls — boundary protection between the internet and your services.
- A2. Secure configuration — devices and services hardened against the inherent default vulnerabilities.
Vantyris is not a CE certifying body. The mapping above is informational.
Common follow-up questions
Is DMARC mandatory?
Not legally, but Gmail and Yahoo now require it for any sender pushing 5,000+ messages a day. Even below that volume, your delivery rates suffer and your customers are exposed to impersonation. Nobody serious about email skips DMARC any more.
What's the difference between DMARC and BIMI?
BIMI shows your logo next to your name in Gmail. It only works if you already have DMARC at `p=quarantine` or stricter. DMARC is the prerequisite; BIMI is the brand polish on top.
Can DMARC break my newsletter?
If your newsletter ESP isn't authenticated, yes. The fix is to authenticate the ESP, not to drop DMARC. Most reputable ESPs walk you through SPF + DKIM setup during onboarding.
References
- NCSC: email security and anti-spoofing NCSC
- RFC 7489 — DMARC IETF RFC
- Google + Yahoo bulk sender requirements (2024) Vendor
Related explainers
- DMARC p=none does not stop phishing. Here's what to do instead.
- SPF records, explained: the first line of defence against email spoofing.
Want Vantyris to scan your domain for this and 80 other findings?
Free teaser scan, no card. Verified scan from €10 with the full workspace around it: workflow, score trend, three PDF layouts, share links, monitoring.
Vantyris editorial team · methodology v1.0.0