
How to Set Up DMARC for Your UK Business: A Step-by-Step Guide

1 May 2026 · 5 min read · By Hak, VantagePoint Networks

Email remains one of the most critical communication channels for UK businesses, yet it's also one of the most exploited attack vectors. Domain-based Message Authentication, Reporting and Conformance (DMARC) is a powerful email authentication protocol that protects your organisation's reputation, prevents spoofing attacks, and ensures your legitimate emails reach customer inboxes. If you're uncertain about how to set up DMARC for your UK business, you're not alone—but the good news is that the process, whilst initially technical, becomes straightforward once you understand the fundamentals. This guide will walk you through each step, whether you're a London law firm concerned about email fraud, a financial advisory practice protecting client communications, or any SMB seeking genuine email security.

Understanding DMARC and Why Your Organisation Needs It

Before diving into configuration, it's worth understanding what DMARC actually does. DMARC works alongside two existing email authentication protocols: SPF (Sender Policy Framework) and DKIM (DomainKeys Identified Mail). Whilst SPF authorises which mail servers can send emails from your domain, and DKIM adds a digital signature to verify messages haven't been altered, DMARC sits on top of both—telling receiving mail servers what to do if authentication fails.

In practical terms, DMARC prevents bad actors from sending emails that appear to come from your domain. For professional services firms—particularly legal practices and financial advisers—this is crucial. A single spoofed email appearing to come from your organisation could undermine client trust, trigger regulatory concerns, or facilitate fraud. DMARC also provides visibility into which systems are sending emails on your behalf, which is invaluable for security audits and compliance requirements.

The UK Information Commissioner's Office (ICO) doesn't mandate DMARC explicitly, but the GDPR requirements around data security and the expectations within the Financial Conduct Authority's rules for financial advisers make email authentication a sensible defensive measure. Large organisations increasingly reject emails lacking proper DMARC alignment, so implementing it now protects your email deliverability for the future.

Step 1: Audit Your Current Email Infrastructure

You cannot implement DMARC effectively without understanding your current email landscape. Before touching DNS records, spend time identifying every system that sends emails on behalf of your domain.

Identify all legitimate senders

Create a spreadsheet listing every system that sends email on behalf of your domain.

For each sender, you'll need the outbound mail server's IP address or hostname. This information is usually available in the tool's documentation or from your IT support team. If you're uncertain, contact your email provider or consult your system administrator—this groundwork is essential and saves significant troubleshooting later.

Check existing SPF and DKIM records

DMARC depends on SPF and DKIM being properly configured. Log into your domain's DNS control panel (usually through your domain registrar or hosting provider) and check for existing TXT records. Look for records beginning with "v=spf1" (SPF) and entries containing "DKIM" or "selector" (DKIM keys). If these are absent or incomplete, you'll need to add them before DMARC will function correctly.

Step 2: Configure SPF and DKIM Records

SPF Configuration: An SPF record is a simple TXT record in your DNS that lists authorised mail servers. If you use Microsoft 365, for example, your SPF record might look like: v=spf1 include:outlook.protection.outlook.com ~all. If you also use a marketing tool, you'd add its server as well. The ~all at the end is a soft fail, meaning emails that don't match will still be delivered but flagged; once everything is stable, many organisations change this to -all for a hard fail.

When adding multiple senders, use the include: mechanism for each authorised service. The DNS record itself has a 255-character limit, so if you exceed it, use multiple SPF records with the include: syntax—your DNS provider can advise if this is necessary.

DKIM Configuration: DKIM involves generating a public/private key pair. Your email provider or third-party sending service will provide instructions. Typically, you'll create a TXT record in your DNS with a unique selector (often something like "default" or "k1") and the public key value. This tells receiving servers how to verify that emails genuinely came from your domain. Most modern email platforms now handle DKIM generation automatically; you simply need to add the provided DNS record and enable DKIM in your email settings.

Step 3: Implement DMARC with a Monitoring Phase

Once SPF and DKIM are in place, you're ready to add your DMARC record. DMARC is also a TXT record in your DNS, but it lives in a subdomain called _dmarc. Start with a monitoring policy—this tells receiving mail servers to send you reports about authentication results without rejecting any emails.

Your initial DMARC record should look something like this:

v=DMARC1; p=none; rua=mailto:dmarc-reports@yourcompany.co.uk; ruf=mailto:dmarc-forensics@yourcompany.co.uk

Breaking this down: v=DMARC1 identifies the record as a DMARC record; p=none is the policy applied to mail that fails authentication (none means monitor only, with no action taken against the message); rua= is the address that receives aggregate reports summarising authentication results for your domain; and ruf= is the address that receives forensic (failure) reports about individual messages.

Leave your policy at p=none for 1–2 weeks whilst you monitor reports. These reports (often compressed XML files) show you what's authenticating correctly and what isn't. If you're working with an IT consultant or service provider like VantagePoint Networks, they can help interpret these reports and identify any systems sending mail unexpectedly.
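To make the monitoring phase concrete, here is an added example (not from the original article or from VantagePoint Networks) that unpacks a gzipped aggregate report and lists the sources that never pass aligned SPF or DKIM. The report XML is constructed for illustration; yourcompany.co.uk is the placeholder domain from the record above and the IP addresses are documentation ranges.

```python
import gzip
import xml.etree.ElementTree as ET

# Constructed sample aggregate (rua) report in the RFC 7489 XML shape: one
# aligned sender and one source that fails both checks. Real reports carry
# more metadata, but these are the elements the triage below depends on.
SAMPLE_REPORT = b"""<?xml version="1.0"?>
<feedback>
  <report_metadata><org_name>example-receiver</org_name></report_metadata>
  <policy_published><domain>yourcompany.co.uk</domain><p>none</p></policy_published>
  <record><row><source_ip>192.0.2.10</source_ip><count>42</count>
    <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf>
    </policy_evaluated></row>
    <identifiers><header_from>yourcompany.co.uk</header_from></identifiers></record>
  <record><row><source_ip>198.51.100.7</source_ip><count>3</count>
    <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf>
    </policy_evaluated></row>
    <identifiers><header_from>yourcompany.co.uk</header_from></identifiers></record>
</feedback>"""

def summarise(blob: bytes) -> dict:
    """Map each source IP to its message count and DMARC evaluation results.
    Reports usually arrive gzip-compressed and come from third parties, so
    treat them as untrusted input: in production parse with defusedxml."""
    if blob[:2] == b"\x1f\x8b":          # gzip magic number
        blob = gzip.decompress(blob)
    root = ET.fromstring(blob)
    sources = {}
    for rec in root.iter("record"):
        ip = rec.findtext("row/source_ip")
        entry = sources.setdefault(ip, {"count": 0, "dkim": set(), "spf": set()})
        entry["count"] += int(rec.findtext("row/count"))
        entry["dkim"].add(rec.findtext("row/policy_evaluated/dkim"))
        entry["spf"].add(rec.findtext("row/policy_evaluated/spf"))
    return {"policy": root.findtext("policy_published/p"), "sources": sources}

def unexpected_sources(summary: dict) -> list:
    """IPs that never passed aligned DKIM or SPF: either a legitimate sender
    missed in the Step 1 audit or someone spoofing the domain."""
    return sorted(ip for ip, r in summary["sources"].items()
                  if "pass" not in r["dkim"] and "pass" not in r["spf"])

if __name__ == "__main__":
    s = summarise(gzip.compress(SAMPLE_REPORT))   # simulate a gzipped report
    print("published policy:", s["policy"])
    for ip, r in s["sources"].items():
        print(f"{ip:>14} {r['count']:>4} msgs dkim={sorted(r['dkim'])} spf={sorted(r['spf'])}")
    print("investigate:", unexpected_sources(s))
```

Run the same summary over each day's reports during the p=none period; a source that keeps appearing in the investigate list is either a sender to add to SPF/DKIM or traffic you want the later quarantine and reject policies to stop.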

Escalating to enforcement

Once you're confident that all legitimate email sources authenticate correctly, update your DMARC policy to p=quarantine, which moves suspicious emails to the spam folder. Monitor for another week, then move to p=reject, which prevents unauthenticated emails from arriving at all. This staged approach minimises the risk of accidentally blocking legitimate mail.

Step 4: Monitor, Test, and Maintain

DMARC isn't a one-time setup—it requires ongoing attention. Review aggregate reports regularly to spot unexpected sending sources. If you add new software (a new CRM, for instance) that sends emails, update your SPF record immediately to prevent those emails from failing authentication.

Test your DMARC configuration using free online tools, or ask your email provider to verify alignment. A simple test: send an email to yourself from a different email address and check the email headers for DMARC alignment. Most modern email clients allow you to view message headers, which show authentication results.
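An added example, not part of the original article, of reading the Authentication-Results header that receiving servers add and checking whether the SPF and DKIM identifiers align with the From domain. The message is constructed; the simplified alignment check treats a subdomain as aligned, where a real verifier consults the Public Suffix List to find the organisational domain.

```python
import re
from email import message_from_string

# Constructed message: only the headers matter here. Receivers that perform
# DMARC checks add an Authentication-Results header (RFC 8601) like this one.
SAMPLE_MESSAGE = """\
Authentication-Results: mx.example-receiver.invalid;
 dkim=pass header.d=yourcompany.co.uk header.s=k1;
 spf=pass smtp.mailfrom=bounce.yourcompany.co.uk;
 dmarc=pass (p=NONE sp=NONE) header.from=yourcompany.co.uk
From: Finance <accounts@yourcompany.co.uk>
To: you@yourcompany.co.uk
Subject: DMARC self-test

Test body.
"""

RESULT_RE = re.compile(r"\b(dkim|spf|dmarc)=(\w+)")
PROP_RE = re.compile(r"\b(header\.d|header\.from|smtp\.mailfrom)=([\w.-]+)")

def auth_results(raw: str) -> dict:
    """Extract the dkim/spf/dmarc verdicts and the domains each check was run
    against from the first Authentication-Results header of a raw message."""
    msg = message_from_string(raw)
    header = (msg.get("Authentication-Results") or "").replace("\n", " ")
    results = dict(RESULT_RE.findall(header))
    results.update(PROP_RE.findall(header))
    return results

def aligned(identifier: str, header_from: str) -> bool:
    """Relaxed DMARC alignment, simplified: the domains are equal or one is a
    subdomain of the other. Real verifiers use the Public Suffix List."""
    a, b = identifier.lower(), header_from.lower()
    return a == b or a.endswith("." + b) or b.endswith("." + a)

def alignment_report(raw: str) -> dict:
    """Did the message pass DMARC, and which mechanism provided alignment?"""
    r = auth_results(raw)
    frm = r.get("header.from", "")
    return {
        "dmarc": r.get("dmarc"),
        "dkim_aligned": r.get("dkim") == "pass" and aligned(r.get("header.d", ""), frm),
        "spf_aligned": r.get("spf") == "pass" and aligned(r.get("smtp.mailfrom", ""), frm),
    }

if __name__ == "__main__":
    print(alignment_report(SAMPLE_MESSAGE))
```

A message passes DMARC when at least one of the two mechanisms both passes and aligns, so a report showing spf_aligned False but dkim_aligned True still means the mail would survive p=reject.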

For organisations handling sensitive client communications or operating under FCA or ICO oversight, proper email authentication demonstrates due diligence in data protection. Implementing DMARC is a straightforward but genuinely impactful security step—one that protects your domain's reputation and your clients' trust in your email communications.
