Skip to main content
Vantyris

Email

What is DMARC, and why every business with a domain needs one.

Published 2026-05-01 · Last updated 2026-05-01 · Vantyris editorial

If your domain has no DMARC record, anyone can send an email from `accounts@yourbusiness.co.uk` to one of your customers and it will land in their inbox looking real. That's not a theoretical attack; it's the default path most phishing campaigns ride. DMARC is the single highest-impact thing a small business can fix on its email setup, and it costs nothing.

What this means for your business

How to fix

Add a DMARC TXT record at `_dmarc.<yourdomain>` starting with `p=none` to collect reports for a month, then progress to `p=quarantine` and `p=reject`.

  1. Make sure SPF is in place first. DMARC depends on SPF (or DKIM). If you don't have an SPF record yet, add one before DMARC. Check by looking up your domain's TXT records; SPF starts with `v=spf1`. If absent, add the basic record your email provider gives you.
  2. Decide where to receive aggregate reports. Pick an email address that gets the daily DMARC reports. A dedicated mailbox like `dmarc@yourbusiness.com` works. Or a free aggregator like Postmark's free tier, Dmarcian, or Easydmarc parses the reports into a dashboard.
  3. Add the DMARC TXT record. At your DNS provider, create a new TXT record. Host: `_dmarc` (your DNS panel will append your domain automatically). Value: `v=DMARC1; p=none; rua=mailto:dmarc@yourbusiness.com`. Save.
  4. Wait one week, check reports. Aggregate reports trickle in from each major receiving server (Google, Microsoft, Yahoo). Confirm every sender appearing in the report is legitimate. If you see suspicious senders, that's the impersonation attempt you just made visible.
  5. Progress to quarantine, then reject. After ~4 weeks of clean reports, change `p=none` to `p=quarantine`. After another month, `p=reject`. Now any unauthenticated mail from your domain bounces.

Owner: Your DNS administrator. Same person who sets your MX records. · Time: 30 minutes for the initial setup; 8 weeks total to reach `p=reject`.

Common gotchas

How to verify the fix

Run a Vantyris teaser scan on your domain; it surfaces the DMARC record and tells you the current policy. Or paste your domain into mxtoolbox.com/dmarc.aspx for a quick check. After a week, your aggregate reports should arrive at the rua address; if they don't, the record isn't being read.

Cyber Essentials alignment

This finding informs the following UK NCSC Cyber Essentials control areas:

Vantyris is not a CE certifying body. The mapping above is informational.

Common follow-up questions

Is DMARC mandatory?

Not legally, but Gmail and Yahoo now require it for any sender pushing 5,000+ messages a day. Even below that volume, your delivery rates suffer and your customers are exposed to impersonation. Nobody serious about email skips DMARC any more.

What's the difference between DMARC and BIMI?

BIMI shows your logo next to your name in Gmail. It only works if you already have DMARC at `p=quarantine` or stricter. DMARC is the prerequisite; BIMI is the brand polish on top.

Can DMARC break my newsletter?

If your newsletter ESP isn't authenticated, yes. The fix is to authenticate the ESP, not to drop DMARC. Most reputable ESPs walk you through SPF + DKIM setup during onboarding.

References

Related explainers

Want Vantyris to scan your domain for this and 80 other findings?

Free teaser scan, no card. Verified scan from €10 with the full workspace around it: workflow, score trend, three PDF layouts, share links, monitoring.

Editorial

Vantyris editorial team · methodology v1.0.0