What Is DMARC and Why Does It Matter for UK Businesses?
A practical guide for UK businesses — explaining what this means, why it matters, and what you should do about it.
Overview
43% of UK businesses experienced a cybersecurity breach or attack in the past 12 months, equating to approximately 612,000 businesses (DSIT Cyber Security Breaches Survey 2025). 67% of medium businesses and 74% of large businesses reported breaches in 2025.
Learn moreWhat does DMARC actually do?
DMARC stops anyone from sending email that looks like it came from your domain. Without it, a criminal can send an invoice or payment request that appears to come from yourcompany.co.uk, and the recipient's mail server has no reliable way to tell it apart from the real thing. DMARC fixes that.
It works by checking two things receiving servers cannot otherwise enforce: that the visible "From" domain *aligns* with the domain SPF or DKIM authenticated, and what to do — deliver, quarantine, or reject — when a message fails. Domain spoofing is a primary enabler of phishing, and phishing is the dominant attack route against UK businesses, so closing this gap matters. DMARC is one of the core controls in any serious managed cybersecurity and email security programme. The NCSC recommends DMARC for all UK organisations and mandates it for government email domains.
How do SPF, DKIM and DMARC work together?
DMARC does not work alone — it ties together two older standards. SPF checks which servers are allowed to send for your domain. DKIM cryptographically signs each message. DMARC adds alignment and an enforcement instruction on top, turning two partial checks into a single, enforceable policy.
- SPF (Sender Policy Framework) — a DNS record listing the mail servers authorised to send for your domain. Receiving servers check the sending IP against that list. SPF only validates the envelope sender (Return-Path), not the "From" address the recipient sees.
- DKIM (DomainKeys Identified Mail) — adds a cryptographic signature using a private key on your mail server, verified against a public key in your DNS. It proves the message came from an authorised server and was not altered in transit.
- DMARC — requires the visible "From" domain to align with the SPF- or DKIM-authenticated domain, then tells the receiving server whether to deliver, quarantine, or reject failures.
| Standard | What it checks | What it cannot do alone |
|---|---|---|
| SPF | Authorised sending IPs (envelope sender) | Cannot protect the visible "From" header |
| DKIM | Message signature and integrity | Cannot enforce a policy on failures |
| DMARC | Alignment + enforcement action | Needs SPF and/or DKIM beneath it |
Without alignment, an attacker can pass SPF using a domain they control while spoofing a different domain in the header the recipient actually reads. DMARC is what closes that loophole.
What are the three DMARC policy levels?
DMARC is published as a DNS TXT record with three policy settings, adopted progressively as you gain confidence in your configuration. You start in monitor mode, tighten to quarantine, then enforce with reject — the only level that fully blocks spoofing.
| Policy | What happens to failing mail | When to use it |
|---|---|---|
| `p=none` (monitor) | Delivered normally; aggregate/forensic reports sent | Initial deployment — discover every legitimate sender |
| `p=quarantine` | Delivered to spam/junk | Intermediate test step before full enforcement |
| `p=reject` | Rejected outright, never delivered | Final state — full protection against spoofing |
The NCSC recommends every UK organisation aim to reach `p=reject`. Until you get there, your domain still offers attackers an open door.
Why do UK businesses need DMARC?
Because email is still the primary attack vector, and an unprotected domain is a weapon criminals can point at your own customers, suppliers and staff. Without DMARC at `p=reject`, fraudulent invoices, payment-redirect requests, and business email compromise (BEC) all become easier to pull off in your name.
The numbers make the case. 43% of UK businesses experienced a cybersecurity breach or attack in the past 12 months, equating to approximately 612,000 businesses (DSIT Cyber Security Breaches Survey 2025), and 85% of breaches experienced by UK businesses involved phishing (DSIT 2025). 67% of medium businesses and 74% of large businesses reported breaches in 2025. The average cost of a data breach for UK organisations was £3.58 million in 2024 (IBM 2024).
There is a deliverability upside too. Google and Microsoft treat DMARC compliance as a positive spam-filtering signal, so genuine mail from a `p=reject` domain is more likely to land in the inbox. Google and Yahoo introduced requirements in 2024 mandating that bulk senders implement DMARC, confirming the industry-wide shift to enforcement. Pairing DMARC with phishing protection covers both the inbound and the impersonation side of email risk.
How do you implement DMARC step by step?
Implementation is a phased process, not a single switch. Rushing straight to `p=reject` will block legitimate mail. The safe path audits every sender first, then tightens enforcement in stages over roughly four to eight weeks.
1. Audit your sending sources — list every system that sends as your domain: Microsoft 365 or Google Workspace, marketing tools (Mailchimp, HubSpot), CRMs (Salesforce, Dynamics 365), transactional services, and helpdesk systems. Miss one and its mail will fail once you enforce. 2. Configure SPF and DKIM — publish an SPF record covering all authorised servers and enable DKIM signing on your primary platform and every third-party sender, usually via a CNAME or TXT record. 3. Publish DMARC at `p=none` — add the record with a reporting address and monitor aggregate reports for four to eight weeks to confirm legitimate sources pass. 4. Move to `p=quarantine` — once monitoring is clean, tighten to quarantine for a further two to four weeks and resolve any legitimate mail caught incorrectly. 5. Enforce with `p=reject` — switch to reject so spoofed mail is blocked. Keep reviewing reports as your sending services change.
How should you monitor DMARC over time?
DMARC is not set-and-forget. Your sending landscape shifts — new marketing tools, a changed CRM, a service a staff member signs up for — and each change can create an SPF or DKIM gap that breaks legitimate mail under `p=reject` or goes unseen under a weaker policy. Ongoing report review is what keeps enforcement safe.
This is where managed monitoring earns its keep. Only 14% of UK businesses have a formal incident response plan (DSIT 2025), so DMARC reports often become the first early-warning signal of an email-based attack on a domain. Reviewed regularly, they flag both misconfigurations and active spoofing attempts before they cause damage — which is why DMARC sits naturally alongside incident response.
How does AMVIA implement and manage DMARC?
AMVIA configures DMARC, SPF and DKIM for UK SMEs, manages the phased progression from `p=none` through `p=quarantine` to `p=reject`, and monitors aggregate reports so your domain stays protected as your business evolves. One provider, security-first, Microsoft-certified engineers — no hand-offs between vendors.
Typical implementation is four to eight weeks for straightforward setups, longer where multiple marketing platforms, CRMs or third-party senders are involved. It runs as part of our managed email filtering and email security service, and complements Microsoft Defender for Business for organisations standardising on Microsoft 365. Contact AMVIA on 0333 733 8050 to discuss DMARC implementation for your business.
Key Points
What you need to know.
Why It Matters
43% of UK businesses experienced a cybersecurity breach or attack in the past 12 months, equating to approximately 612,000 businesses (DSIT Cyber Security Breaches Survey 2025).
How It Works
67% of medium businesses and 74% of large businesses reported breaches in 2025.
UK Requirements
Relevant UK regulations, standards, and compliance considerations.
Getting Started
Practical first steps for businesses of any size.
Key Considerations
Assess your current position and identify gaps
Understand relevant UK regulations and standards
Implement appropriate technical controls
Train staff on security awareness
Review and update regularly
Consider managed service options for specialist areas
Frequently Asked Questions
SPF publishes a DNS record listing the mail servers authorised to send from your domain. DKIM attaches a cryptographic signature proving the message was not altered in transit. DMARC ties both together by enforcing domain alignment and instructing receiving servers to quarantine or reject failures. Without DMARC, failed SPF or DKIM checks may still be delivered.
At `p=none`, DMARC only monitors — fraudulent emails spoofing your domain are still delivered. Moving to `p=reject` instructs receiving servers to block them outright. Since 85% of breaches experienced by UK businesses involved phishing (DSIT 2025), and domain spoofing enables many of those attacks, `p=reject` is the only policy that actively protects your customers and partners.
It can, if those services are not in your SPF record or set up with DKIM before enforcement begins. That is why implementation is phased: four to eight weeks at `p=none` to audit all legitimate senders — marketing platforms, CRM tools, helpdesk systems — then `p=quarantine` for testing, and finally `p=reject` once every authorised sender passes cleanly.
For a business with a straightforward email setup, expect four to eight weeks to move safely from `p=none` to `p=reject`. Organisations using several marketing platforms, multiple CRMs, or many third-party sending services need longer, because every one of those senders must be authenticated through SPF and DKIM before enforcement is applied.
DMARC is not law, but the NCSC recommends it for all UK organisations and mandates it for government domains. Google and Yahoo have required bulk senders to use DMARC since 2024, and a growing number of cyber insurance policies expect email authentication. In practice, any UK business sending email to customers should treat DMARC as essential.
Yes. Google and Microsoft treat DMARC compliance as a positive signal in spam filtering, so genuine mail from a domain enforcing `p=reject` is more likely to reach the inbox than mail from a domain without DMARC. Authentication gives receiving servers confidence the message is genuine, which reduces the chance of legitimate email being filtered.
Need Help With This?
AMVIA can assess your current position and recommend practical next steps.
Related Resources
Email Security and Phishing Protection for UK Businesses
Comprehensive guide to cybersecurity for UK businesses. Expert advice, key considerations, and actionable steps to strengthen your…
The Complete Guide to Managed Cybersecurity for UK…
Comprehensive guide to cybersecurity for UK businesses. Expert advice, key considerations, and actionable steps to strengthen your…
What Is Email Security? A Guide for UK Business Owners
In-depth explainer on email security? a guide for uk business owners for UK businesses. Key concepts, best practices, and practical…
How to Protect Your Business from Phishing Attacks
In-depth explainer on how to protect your business from phishing attacks for UK businesses. Key concepts, best practices, and practical…
Protect your business → Get Cybersecurity Assessment