How to Set Up DMARC, DKIM and SPF for Your Domain
SPF, DKIM, and DMARC are three email authentication standards that prevent attackers from spoofing your domain to send phishing emails. Without them, criminals can send email appearing to come from your address — targeting your customers, partners, and staff.
Overview
SPF, DKIM, and DMARC are email authentication standards that prevent attackers from spoofing your domain. Without DMARC in enforcement mode, anyone can send email appearing to come from your business — targeting your customers and contacts. 85% of UK cyber breaches involve phishing (DSIT 2025).
Learn more about email securityIt is the cheapest, highest-leverage control in managed cybersecurity: one afternoon of DNS work closes the door on the impersonation attacks behind most phishing. This page sits in our email security hub alongside what DMARC actually is.
What are DMARC, DKIM and SPF?
They are three DNS-based email authentication standards that work together to prove a message claiming to come from your domain was genuinely sent by an authorised server. SPF lists who can send. DKIM signs the message. DMARC enforces a policy and reports back. Without all three, anyone can spoof your domain.
Phishing is the threat they exist to stop. According to the DSIT Cyber Security Breaches Survey 2025, 85% of UK cyber breaches involve phishing (DSIT 2025), and 43% of UK businesses experienced a breach or attack in the past 12 months (DSIT 2025) (gov.uk). A large share of those attacks exploit domains with no enforcement policy, where impersonation carries no technical barrier at all.
| Standard | What it checks | What it cannot do alone |
|---|---|---|
| SPF | Is the sending server on your authorised list? | Only checks the envelope sender, not the visible From address; breaks on forwarding |
| DKIM | Is the message cryptographically signed and unmodified? | Says nothing about what to do when a check fails |
| DMARC | Do SPF/DKIM pass *and* align with the visible From domain? | Needs at least one of SPF or DKIM passing to act |
How does each standard work?
Each tackles a different gap. SPF publishes the IP addresses and mail servers allowed to send for your domain. DKIM attaches a cryptographic signature using a private key, with the public key in DNS. DMARC ties the two together, checks domain alignment, and tells receivers what to do when authentication fails.
- SPF (Sender Policy Framework) — a DNS TXT record listing authorised senders. Simplest to deploy, but it only validates the SMTP envelope sender, not the From address users see, and it fails when mail is forwarded.
- DKIM (DomainKeys Identified Mail) — signs every outbound message with a private key; receivers verify it against the published public key. It survives forwarding and proves the body was not altered in transit.
- DMARC (Domain-based Message Authentication, Reporting and Conformance) — sets the policy (p=none, p=quarantine or p=reject), enforces alignment between the authenticated domain and the visible From domain, and emails you aggregate reports showing every server sending as your domain.
The alignment check is the part attackers cannot beat. They can pass SPF using their own domain, but they cannot make that domain align with *your* From address — so a DMARC record at p=reject discards the spoof before it reaches your customer.
Why do UK SMEs need email authentication?
Because your domain is an attack surface whether you protect it or not. An unauthenticated domain lets criminals send invoices, payment-redirection requests and credential-harvesting links that land in your clients' inboxes wearing your name. The cost of getting impersonated is borne by everyone you email.
The financial stakes are real: the average cost of a data breach for UK organisations was £3.58 million (IBM 2024). Yet preparation lags — only 14% of UK businesses have a formal incident response plan (DSIT 2024). Email authentication is one of the few preventive controls that materially lowers the odds of ever needing that plan, which is why it pairs naturally with anti-phishing protection.
There is now a compliance driver too. Google and Microsoft require DMARC for bulk senders, and the NCSC actively promotes DMARC through its Mail Check service (ncsc.gov.uk). For UK businesses, authentication has moved from best practice to baseline expectation.
How do you set up DMARC, DKIM and SPF safely?
You stage it. The single biggest mistake is jumping to enforcement before you know every legitimate sender, which blocks real mail. AMVIA runs a defined sequence — audit, publish, monitor, then advance — so enforcement only arrives once the data proves it is safe.
1. Audit every sender. List everything that mails as your domain: Microsoft 365 or Google Workspace plus CRM, marketing, invoicing, helpdesk and booking tools. A missed sender fails authentication once you enforce. 2. Publish SPF. Create one TXT record covering all legitimate sources. Watch the 10 DNS lookup limit — too many third-party includes makes SPF fail for *all* mail. AMVIA flattens to direct IPs and consolidates includes to stay under it. 3. Configure DKIM. Enable signing on your platform. For Microsoft 365 we generate the key pair and publish the public key in Exchange Online (learn.microsoft.com); third-party senders are signed wherever supported. 4. Deploy DMARC at p=none. Monitoring mode collects aggregate reports without touching delivery, so you see reality before you act. 5. Review reports for 30–60 days. Authenticate every legitimate sender that is failing before you go further. Skipping this window is the top cause of blocked mail. 6. Advance to enforcement. Move to p=quarantine, then p=reject. AMVIA typically holds quarantine for two to four weeks, watching reports at each step to confirm nothing legitimate is caught.
What do the DMARC policy modes mean?
The policy tells receiving servers what to do with mail that fails authentication. You move through them in order so you never enforce blind.
| Policy | Effect on failing mail | When to use it |
|---|---|---|
| `p=none` | Delivered as normal; only reported | Start here — monitor and discover all senders |
| `p=quarantine` | Routed to spam/junk | Once senders are authenticated, as a safety stage |
| `p=reject` | Discarded outright | The goal — full protection against spoofing |
How does AMVIA manage email authentication?
AMVIA configures SPF, DKIM and DMARC for UK businesses as part of its managed email security service, then keeps it current. The build starts with a full sender audit and runs through monitoring to enforcement on a defined timeline. DMARC is included in our managed service or available as a standalone engagement.
DMARC is not set-and-forget. New tools start sending as your domain; attackers generate failed-authentication reports worth investigating. We monitor those reports continuously, fold the work into our wider Microsoft Defender for Business and email controls, and act on spoofing attempts as they appear. NCSC records 49,248 security certifications issued in 2025 (NCSC) — proof that authentication baselines are now mainstream, not optional.
Email authentication checklist
- SPF record published and validated for your domain
- DKIM signing enabled for Microsoft 365 (or your mail platform)
- DMARC record deployed at minimum p=none to collect reports
- All third-party senders identified and authenticated before enforcement
- DMARC policy advanced to p=quarantine, then p=reject
- DMARC applied to every domain you own, including parked and inactive ones
Key Points
What UK businesses need to know about email authentication.
Domain Spoofing is Common
85% of UK cyber breaches involve phishing (DSIT 2025). Without email authentication, any attacker can send email appearing to come from your domain.
Three Layered Standards
SPF, DKIM, and DMARC each address a different aspect of email authentication — all three are needed for complete protection.
UK and International Requirements
NCSC and both recommend DMARC. Google and Microsoft now require DMARC for bulk email senders.
DMARC Reporting Provides Visibility
DMARC aggregate reports show all email sent using your domain, including unauthorised senders you may not know about.
Email Authentication Checklist
SPF record published and validated for your domain
DKIM signing enabled for Microsoft 365 (or your mail platform)
DMARC record deployed — at minimum p=none to collect reports
All third-party senders identified and authenticated before enforcement
DMARC policy advanced to p=quarantine or p=reject
DMARC applied to all your domains, including inactive ones
Frequently Asked Questions
Yes. SPF and DKIM provide the authentication, but without DMARC there is no enforcement policy and no reporting, so a failed check has no consequence. DMARC also needs at least one of SPF or DKIM passing before it can apply a policy. The three together give the most complete protection against domain spoofing.
Not if it is staged. Start at p=none, review aggregate reports, and authenticate every legitimate sender before moving to quarantine or reject. That monitoring window surfaces the CRM, marketing and invoicing tools that mail as your domain. Rushing straight to p=reject without the audit is the single most common cause of blocked legitimate mail.
For a clean Microsoft 365 environment with few third-party senders, AMVIA can publish SPF and DKIM in one session and reach DMARC quarantine within a few weeks once reports are reviewed. Environments with many senders — marketing platforms, CRM, helpdesk, invoicing — usually need six to eight weeks to reach full enforcement safely.
SPF allows a maximum of 10 DNS lookups when evaluating a record. Each `include` for a third-party sender consumes lookups, so businesses with several services can exceed the cap, at which point SPF fails for all mail. AMVIA stays under the limit by using direct IP addresses where possible and consolidating include mechanisms.
No. Microsoft 365 enables a default SPF entry and supports DKIM and DMARC, but DKIM signing is not switched on for your custom domain by default, and there is no DMARC record until you publish one. Without explicit configuration your domain is still spoofable. AMVIA enables and aligns all three for the domains you actually send from.
p=reject instructs receiving mail servers to discard any message that fails SPF and DKIM and does not align with your From domain — it never reaches the inbox or the spam folder. It is the end state of a DMARC rollout and the only policy that fully blocks impersonation. You reach it only after monitoring confirms every legitimate sender passes.
Protect Your Domain from Email Spoofing
AMVIA configures SPF, DKIM, and DMARC for UK businesses and manages the transition to enforcement — so your domain cannot be used to phish your contacts.
Related Resources
What Is Email Security?
The full stack of email security controls UK businesses should have in place.
What Is DMARC?
A plain-English explanation of DMARC and why it matters for your domain.
The Complete Cybersecurity Guide for UK SMEs
How email authentication fits within a complete cybersecurity strategy.
Anti-Phishing Protection
Technical controls that filter phishing before it reaches staff inboxes.
Protect your business → Get Cybersecurity Assessment