
Your domain can send phishing emails without your permission. DMARC is the fix.

DMARC stops criminals sending fake emails from your own domain, and most UK small businesses have never checked if theirs is set up correctly.

A finance manager at a UK manufacturing firm received an email last month asking her to update a supplier's bank details. It came from the managing director's exact email address. Same name, same domain, same signature block. She made the change. The next supplier payment, £18,400, went straight into a criminal's account.

The MD never sent that email. Someone else did, using his domain, because nothing was stopping them.

That's what a missing DMARC record allows. DMARC, which stands for Domain-based Message Authentication, Reporting and Conformance, is a DNS record that tells email providers what to do when someone sends an email claiming to be from your domain but isn't actually authorised to. Without it, Gmail, Outlook, and every other inbox in the world have no instruction from you on how to handle an impersonator. So they deliver it. Looking exactly like it came from you.

Why your domain can be used without anyone breaking into anything

This is the part that surprises most business owners: nobody needs to hack your systems to send email as you. Email was never built with sender verification by default. Anyone can type your domain into the "from" field of an email and send it. The only thing stopping that email from landing in a real inbox, looking completely legitimate, is whether your domain has told email providers how to check it.

That check happens through three DNS records working together: SPF, which lists which servers are allowed to send mail for your domain; DKIM, which adds a digital signature to outgoing mail so it can be verified; and DMARC, which tells receiving servers what to do when a message fails those checks. We've covered SPF and DKIM in detail elsewhere, but DMARC is the one that actually enforces the outcome. Without it, SPF and DKIM can both fail and the email gets delivered anyway, because nothing told the receiving server that failure should matter.
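To make the "SPF and DKIM can both fail and the email gets delivered anyway" point concrete, here is a small simulator of the decision a receiving server makes. It is an added example, not code from the original post or from Olimpio: the domain names, the authentication results and the scenarios are constructed, and it uses strict identifier alignment (exact domain match) rather than the relaxed default, which would need the Public Suffix List to stay self-contained.

```python
"""DMARC disposition simulator (added example, not from the original post).

Models how a receiving server combines the SPF result, the DKIM result and
the domain's DMARC policy to decide what happens to one message. All inputs
are constructed values, not real Authentication-Results.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass
class AuthResults:
    """Constructed stand-in for what a receiver has after checking a message."""
    from_domain: str    # domain in the visible From: header (what the reader sees)
    spf_pass: bool      # did SPF pass for the envelope sender?
    spf_domain: str     # domain SPF was evaluated against (envelope sender domain)
    dkim_pass: bool     # did a DKIM signature verify?
    dkim_domain: str    # the d= tag of that signature ("" if unsigned)


def aligned(auth_domain: str, from_domain: str) -> bool:
    """Strict DMARC identifier alignment: the authenticated domain must equal
    the From: domain. SPF or DKIM passing for *some* domain is not enough;
    it has to be the domain the recipient is looking at."""
    return from_domain != "" and auth_domain.lower() == from_domain.lower()


def dmarc_passes(r: AuthResults) -> bool:
    """DMARC passes if at least one mechanism passes AND is aligned."""
    spf_ok = r.spf_pass and aligned(r.spf_domain, r.from_domain)
    dkim_ok = r.dkim_pass and aligned(r.dkim_domain, r.from_domain)
    return spf_ok or dkim_ok


def disposition(r: AuthResults, policy: Optional[str]) -> str:
    """What the receiver does with the message: 'deliver', 'quarantine' or 'reject'.
    policy is the p= value from the domain's DMARC record, or None if no record exists."""
    if dmarc_passes(r):
        return "deliver"
    if policy is None or policy == "none":
        # No record, or p=none: the failure is observed (and reported if rua= is
        # set) but the message is delivered exactly as if nothing were wrong.
        return "deliver"
    if policy == "quarantine":
        return "quarantine"
    if policy == "reject":
        return "reject"
    raise ValueError(f"unknown DMARC policy: {policy!r}")


# Constructed scenarios for a hypothetical business domain, example.com.
FORGED = AuthResults(            # the MD impersonation from the opening story
    from_domain="example.com",
    spf_pass=True,               # the attacker's own sending domain has valid SPF...
    spf_domain="bulk-sender.example.net",   # ...but it is not the From: domain
    dkim_pass=False, dkim_domain="",
)
LEGITIMATE = AuthResults(        # mail sent through the business's real provider
    from_domain="example.com",
    spf_pass=True, spf_domain="example.com",
    dkim_pass=True, dkim_domain="example.com",
)
FORGOTTEN_TOOL = AuthResults(    # a genuine invoicing tool nobody ever authenticated
    from_domain="example.com",
    spf_pass=False, spf_domain="example.com",
    dkim_pass=False, dkim_domain="",
)


def scenarios() -> dict:
    """Outcome of each scenario under each policy setting."""
    return {
        "forged / no record":          disposition(FORGED, None),
        "forged / p=none":             disposition(FORGED, "none"),
        "forged / p=quarantine":       disposition(FORGED, "quarantine"),
        "forged / p=reject":           disposition(FORGED, "reject"),
        "legitimate / p=reject":       disposition(LEGITIMATE, "reject"),
        "forgotten tool / p=none":     disposition(FORGOTTEN_TOOL, "none"),
        "forgotten tool / p=reject":   disposition(FORGOTTEN_TOOL, "reject"),
    }


if __name__ == "__main__":
    for name, outcome in scenarios().items():
        print(f"{name:28s} -> {outcome}")
```

The last two scenarios are the trade-off the rest of the post describes: the same p=reject that stops the forged message also rejects a real invoicing tool that was never added to SPF or DKIM, which is why the reports from a p=none period matter before enforcement is switched on.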

What a DMARC record actually does

A DMARC record sits in your DNS settings as a single line of text. It tells receiving mail servers three things: whether to check SPF and DKIM, what to do if a message fails those checks (do nothing, send it to spam, or reject it outright), and where to send a report when that happens.

That last part matters more than people realise. A properly configured DMARC record gives you visibility into every server on the internet currently sending email using your domain, including ones you've never heard of. Most businesses who check this for the first time find email volume from services they forgot they'd connected, or, occasionally, volume they can't explain at all.

When Olimpio scans a domain, a missing DMARC record shows up as a high-priority finding, because it's one of the few gaps that doesn't just expose your business, it actively exposes your name to your customers, suppliers, and staff as a phishing vector. The report shows you the exact record to add, in the exact format your DNS provider expects, rather than leaving you to interpret an RFC document.

The policy setting most businesses get wrong

Even businesses with a DMARC record often have it configured to do nothing. The policy tag in the record, written as p=none, p=quarantine, or p=reject, controls enforcement. A huge number of domains we scan are sitting on p=none, which means the record exists, monitoring is happening, but failed emails are still delivered exactly as before. It's the DMARC equivalent of installing a smoke alarm and removing the battery. We've written a dedicated explanation of p=none if you want to understand why that setting specifically doesn't protect you.

Moving from p=none to p=quarantine or p=reject is the step that actually stops impersonation emails reaching inboxes. It's also the step most businesses skip, because moving straight to enforcement without first reviewing reports can occasionally block legitimate email too, if your own systems aren't all correctly authenticated yet.

What this looks like for a business with no IT team

If you don't have anyone managing DNS day to day, this can feel like a technical problem that needs a technical person. In practice, it's a five-minute DNS change once you know what record to add and where. The harder part is knowing whether you have one at all, what it's set to, and whether it's actually working, which is the part most business owners have never had reason to check.

This is one of the most common findings we see across the common security vulnerabilities affecting UK small business websites, and it sits alongside the broader question of what a website security checklist for a small business should actually include. DMARC rarely gets flagged by web developers, because it's a mail record, not a website setting, and it rarely gets flagged by IT support providers either, because many treat email delivery as someone else's responsibility once Microsoft 365 or Google Workspace is switched on.

Frequently asked questions

Can someone send emails pretending to be my business? Yes, unless your domain has a DMARC record set to enforce against it. Anyone can put your domain in the "from" field of an email, and without DMARC telling receiving servers to block or quarantine unauthorised mail, those emails can land in real inboxes looking completely genuine.

How do I know if my DMARC record is set up correctly? Check your domain's DNS TXT records for one starting with v=DMARC1, then look at the p= value inside it. If there's no record at all, or it's set to p=none, you have no real protection yet, even if monitoring is switched on.
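The check described in this answer, together with the record format and the p=none problem discussed earlier in the post, can be done by hand once you have the TXT record text. The following parser and enforcement check is an added example, not code from the original post or from Olimpio. It takes the text of a domain's _dmarc TXT record (obtained however you like; the sample records at the bottom are constructed) and reports whether the record is missing, monitoring only, partially enforced, or enforcing.

```python
"""DMARC TXT record parser and enforcement check (added example, not code
from the original post). Input is the text of a domain's _dmarc TXT record;
the sample records at the bottom are constructed for illustration."""
from typing import Optional


def parse_dmarc(record: Optional[str]) -> Optional[dict]:
    """Split a DMARC record into its tag=value pairs.

    Returns None when there is no record, when the first tag is not exactly
    v=DMARC1 (RFC 7489 says receivers must ignore such a record), or when the
    syntax is not tag=value. A record with no p= tag is accepted as p=none only
    when it carries a rua= tag, which is how RFC 7489 tells receivers to treat it.
    """
    if record is None:
        return None
    tags = {}
    first_key = None
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue                      # tolerate a trailing ';'
        key, sep, value = part.partition("=")
        key = key.strip().lower()
        if not sep or not key:
            return None                   # not tag=value syntax
        if first_key is None:
            first_key = key
        tags[key] = value.strip()
    if first_key != "v" or tags.get("v") != "DMARC1":
        return None
    if "p" not in tags:
        if "rua" in tags:
            tags["p"] = "none"
        else:
            return None
    return tags


def assess(record: Optional[str]) -> dict:
    """Summarise what a record actually does, in the terms the post uses."""
    tags = parse_dmarc(record)
    if tags is None:
        return {"status": "missing", "policy": None, "subdomain_policy": None,
                "pct": 0, "reports": False, "enforcing": False}
    policy = tags["p"].lower()
    subdomain_policy = tags.get("sp", tags["p"]).lower()   # sp= defaults to p=
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = 100          # assumption for the example: treat an unusable pct= as the default
    reports = tags.get("rua", "") != ""
    if policy == "none":
        status = "monitoring"       # the smoke alarm with the battery removed
    elif pct < 100 or subdomain_policy == "none":
        status = "partial"          # enforced for only some mail, or not for subdomains
    else:
        status = "enforcing"
    return {"status": status, "policy": policy, "subdomain_policy": subdomain_policy,
            "pct": pct, "reports": reports, "enforcing": status == "enforcing"}


# Constructed sample records for a hypothetical example.com.
SAMPLE_RECORDS = {
    "no_record":          None,
    "spf_in_wrong_place": "v=spf1 include:_spf.example.net -all",
    "monitor_only":       "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com",
    "partial":            "v=DMARC1; p=quarantine; pct=25; sp=none; rua=mailto:dmarc-reports@example.com",
    "enforcing":          "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com; adkim=s; aspf=s;",
}


def check_all() -> dict:
    """Assess every sample record."""
    return {name: assess(rec) for name, rec in SAMPLE_RECORDS.items()}


if __name__ == "__main__":
    for name, r in check_all().items():
        print(f"{name:20s} {r['status']:11s} p={r['policy']} sp={r['subdomain_policy']} "
              f"pct={r['pct']} reports={r['reports']}")
```

Two things the check surfaces that a glance at p= alone misses: a pct= below 100 means the policy is applied to only a fraction of failing mail, and sp=none leaves every subdomain unprotected even when the main domain is on p=reject.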

Will DMARC stop my emails going to spam? DMARC actually helps the opposite problem. A correctly configured record makes your legitimate email more likely to be trusted and delivered, because it proves to receiving servers that your mail is genuinely from you.

Do I need a DMARC record if I use Gmail or Microsoft 365? Yes. Using a major email provider authenticates your outgoing mail, but it does nothing to stop someone else sending email that claims to come from your domain through a different server entirely. DMARC is a setting on your domain, not your email provider.

Will setting up DMARC break my existing email? Not if you start with p=none and review the reports first. The risk only comes from jumping straight to p=reject before confirming every legitimate sender on your domain, including marketing tools and invoicing software, is properly authenticated.

Check whether your domain has a DMARC record, and what it's actually set to do, with Olimpio's free scan. It takes 90 seconds, no account needed, at olimpio.io.
