Guide

What Is DMARC and Why Does It Matter for UK Businesses?

A practical guide for UK businesses — explaining what this means, why it matters, and what you should do about it.

Overview

43% of UK businesses experienced a cybersecurity breach or attack in the past 12 months, equating to approximately 612,000 businesses (DSIT Cyber Security Breaches Survey 2025). 67% of medium businesses and 74% of large businesses reported breaches in 2025.

Learn more

What does DMARC actually do?

DMARC stops anyone from sending email that looks like it came from your domain. Without it, a criminal can send an invoice or payment request that appears to come from yourcompany.co.uk, and the recipient's mail server has no reliable way to tell it apart from the real thing. DMARC fixes that.

It works by checking two things receiving servers cannot otherwise enforce: that the visible "From" domain *aligns* with the domain SPF or DKIM authenticated, and what to do — deliver, quarantine, or reject — when a message fails. Domain spoofing is a primary enabler of phishing, and phishing is the dominant attack route against UK businesses, so closing this gap matters. DMARC is one of the core controls in any serious managed cybersecurity and email security programme. The NCSC recommends DMARC for all UK organisations and mandates it for government email domains.

How do SPF, DKIM and DMARC work together?

DMARC does not work alone — it ties together two older standards. SPF checks which servers are allowed to send for your domain. DKIM cryptographically signs each message. DMARC adds alignment and an enforcement instruction on top, turning two partial checks into a single, enforceable policy.

  • SPF (Sender Policy Framework) — a DNS record listing the mail servers authorised to send for your domain. Receiving servers check the sending IP against that list. SPF only validates the envelope sender (Return-Path), not the "From" address the recipient sees.
  • DKIM (DomainKeys Identified Mail) — adds a cryptographic signature using a private key on your mail server, verified against a public key in your DNS. It proves the message came from an authorised server and was not altered in transit.
  • DMARC — requires the visible "From" domain to align with the SPF- or DKIM-authenticated domain, then tells the receiving server whether to deliver, quarantine, or reject failures.
StandardWhat it checksWhat it cannot do alone
SPFAuthorised sending IPs (envelope sender)Cannot protect the visible "From" header
DKIMMessage signature and integrityCannot enforce a policy on failures
DMARCAlignment + enforcement actionNeeds SPF and/or DKIM beneath it

Without alignment, an attacker can pass SPF using a domain they control while spoofing a different domain in the header the recipient actually reads. DMARC is what closes that loophole.

What are the three DMARC policy levels?

DMARC is published as a DNS TXT record with three policy settings, adopted progressively as you gain confidence in your configuration. You start in monitor mode, tighten to quarantine, then enforce with reject — the only level that fully blocks spoofing.

PolicyWhat happens to failing mailWhen to use it
`p=none` (monitor)Delivered normally; aggregate/forensic reports sentInitial deployment — discover every legitimate sender
`p=quarantine`Delivered to spam/junkIntermediate test step before full enforcement
`p=reject`Rejected outright, never deliveredFinal state — full protection against spoofing

The NCSC recommends every UK organisation aim to reach `p=reject`. Until you get there, your domain still offers attackers an open door.

Why do UK businesses need DMARC?

Because email is still the primary attack vector, and an unprotected domain is a weapon criminals can point at your own customers, suppliers and staff. Without DMARC at `p=reject`, fraudulent invoices, payment-redirect requests, and business email compromise (BEC) all become easier to pull off in your name.

The numbers make the case. 43% of UK businesses experienced a cybersecurity breach or attack in the past 12 months, equating to approximately 612,000 businesses (DSIT Cyber Security Breaches Survey 2025), and 85% of breaches experienced by UK businesses involved phishing (DSIT 2025). 67% of medium businesses and 74% of large businesses reported breaches in 2025. The average cost of a data breach for UK organisations was £3.58 million in 2024 (IBM 2024).

There is a deliverability upside too. Google and Microsoft treat DMARC compliance as a positive spam-filtering signal, so genuine mail from a `p=reject` domain is more likely to land in the inbox. Google and Yahoo introduced requirements in 2024 mandating that bulk senders implement DMARC, confirming the industry-wide shift to enforcement. Pairing DMARC with phishing protection covers both the inbound and the impersonation side of email risk.

How do you implement DMARC step by step?

Implementation is a phased process, not a single switch. Rushing straight to `p=reject` will block legitimate mail. The safe path audits every sender first, then tightens enforcement in stages over roughly four to eight weeks.

1. Audit your sending sources — list every system that sends as your domain: Microsoft 365 or Google Workspace, marketing tools (Mailchimp, HubSpot), CRMs (Salesforce, Dynamics 365), transactional services, and helpdesk systems. Miss one and its mail will fail once you enforce. 2. Configure SPF and DKIM — publish an SPF record covering all authorised servers and enable DKIM signing on your primary platform and every third-party sender, usually via a CNAME or TXT record. 3. Publish DMARC at `p=none` — add the record with a reporting address and monitor aggregate reports for four to eight weeks to confirm legitimate sources pass. 4. Move to `p=quarantine` — once monitoring is clean, tighten to quarantine for a further two to four weeks and resolve any legitimate mail caught incorrectly. 5. Enforce with `p=reject` — switch to reject so spoofed mail is blocked. Keep reviewing reports as your sending services change.

How should you monitor DMARC over time?

DMARC is not set-and-forget. Your sending landscape shifts — new marketing tools, a changed CRM, a service a staff member signs up for — and each change can create an SPF or DKIM gap that breaks legitimate mail under `p=reject` or goes unseen under a weaker policy. Ongoing report review is what keeps enforcement safe.

This is where managed monitoring earns its keep. Only 14% of UK businesses have a formal incident response plan (DSIT 2025), so DMARC reports often become the first early-warning signal of an email-based attack on a domain. Reviewed regularly, they flag both misconfigurations and active spoofing attempts before they cause damage — which is why DMARC sits naturally alongside incident response.

How does AMVIA implement and manage DMARC?

AMVIA configures DMARC, SPF and DKIM for UK SMEs, manages the phased progression from `p=none` through `p=quarantine` to `p=reject`, and monitors aggregate reports so your domain stays protected as your business evolves. One provider, security-first, Microsoft-certified engineers — no hand-offs between vendors.

Typical implementation is four to eight weeks for straightforward setups, longer where multiple marketing platforms, CRMs or third-party senders are involved. It runs as part of our managed email filtering and email security service, and complements Microsoft Defender for Business for organisations standardising on Microsoft 365. Contact AMVIA on 0333 733 8050 to discuss DMARC implementation for your business.

Key Points

What you need to know.

Why It Matters

43% of UK businesses experienced a cybersecurity breach or attack in the past 12 months, equating to approximately 612,000 businesses (DSIT Cyber Security Breaches Survey 2025).

How It Works

67% of medium businesses and 74% of large businesses reported breaches in 2025.

UK Requirements

Relevant UK regulations, standards, and compliance considerations.

Getting Started

Practical first steps for businesses of any size.

Key Considerations

Assess your current position and identify gaps

Understand relevant UK regulations and standards

Implement appropriate technical controls

Train staff on security awareness

Review and update regularly

Consider managed service options for specialist areas

Frequently Asked Questions

Need Help With This?

AMVIA can assess your current position and recommend practical next steps.