What Is DMARC and Why Does It Matter for UK Businesses?

A practical guide for UK businesses — explaining what this means, why it matters, and what you should do about it.

Overview

43% of UK businesses experienced a cybersecurity breach or attack in the past 12 months, equating to approximately 612,000 businesses (DSIT Cyber Security Breaches Survey 2025). 67% of medium businesses and 74% of large businesses reported breaches in 2025.

What Is DMARC?

DMARC stands for Domain-based Message Authentication, Reporting and Conformance. It is an email authentication protocol that builds on two earlier standards — SPF (Sender Policy Framework) and DKIM (DomainKeys Identified Mail) — to give domain owners control over how receiving mail servers handle emails that claim to come from their domain but fail authentication checks.

In plain terms: DMARC stops criminals from sending emails that appear to come from your business's domain. Without DMARC, anyone can send an email that looks as if it came from yourcompany.co.uk. With DMARC at an enforcing policy (p=reject), those fraudulent emails are rejected before they reach inboxes.

The NCSC recommends DMARC for all UK organisations and has made it a requirement for UK government email domains. DMARC implementation has also been identified as a key control by the Cyber Essentials scheme and is required by many cyber insurance policies.

How DMARC Works with SPF and DKIM

SPF (Sender Policy Framework)

SPF is a DNS TXT record that lists the mail servers authorised to send email on behalf of your domain. When a mail server receives an email from yourcompany.co.uk, it checks the SPF record to see whether the IP address of the connecting server is on the approved list. If it is not, SPF fails.

DKIM (DomainKeys Identified Mail)

DKIM adds a cryptographic signature to outbound emails. This signature is generated using a private key held by your mail server and can be verified by receiving servers using a public key published in your DNS records. If the email has been tampered with in transit, or if it was not sent by an authorised server, DKIM verification fails.

DMARC Ties It Together

DMARC tells receiving mail servers what to do when an email fails SPF or DKIM checks, and requires that the domain in the From header aligns with the domain that SPF or DKIM actually authenticated (the envelope sender domain for SPF, the d= domain in the signature for DKIM). Without DMARC, a mail server might accept a failed SPF check anyway. With DMARC, the domain owner specifies the policy: monitor, quarantine, or reject.

DMARC Policy Levels

DMARC is implemented as a DNS TXT record and offers three policy settings:

  • p=none — Monitor mode. Emails that fail authentication are still delivered, but DMARC reports are sent to the address specified in the record. This is used during initial deployment to understand legitimate email flows before enforcing the policy.
  • p=quarantine — Emails that fail authentication are delivered to the recipient's spam or junk folder rather than the inbox. This provides partial protection while allowing the sender to review failures before moving to full enforcement.
  • p=reject — Emails that fail authentication are rejected outright and never delivered. This is the recommended final state and provides full protection against domain spoofing. The NCSC recommends moving to p=reject as the goal for all UK organisations.
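The alignment rule and the three policy levels, as an added example that is not part of the original guide and not AMVIA's code. It parses a DMARC TXT record, applies relaxed (default) or strict alignment between the From domain and the SPF- or DKIM-authenticated domain, and returns the disposition a receiver would apply. The organisational-domain helper is a deliberate simplification (it knows only a handful of .uk second-level suffixes); real receivers use the Public Suffix List. Domain names and the reporting address are constructed.

```python
# Dispositions a receiver applies to a DMARC failure, keyed by the p= tag.
POLICY_DISPOSITION = {"none": "deliver", "quarantine": "quarantine", "reject": "reject"}

# Simplified set of UK public suffixes for the organisational-domain helper (assumption;
# a production evaluator consults the Public Suffix List instead).
UK_SECOND_LEVEL = {"co.uk", "org.uk", "gov.uk", "ac.uk", "ltd.uk", "plc.uk", "me.uk"}


def parse_dmarc(record):
    """Parse 'v=DMARC1; p=...; ...' into a dict of lower-cased tag -> value."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        key, _, value = part.partition("=")
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a valid DMARC record")
    if tags["p"].lower() not in POLICY_DISPOSITION:
        raise ValueError("unknown policy: " + tags["p"])
    tags.setdefault("adkim", "r")  # relaxed alignment is the default for both
    tags.setdefault("aspf", "r")
    return tags


def org_domain(domain):
    """Organisational domain: the registrable part, e.g. mail.yourcompany.co.uk -> yourcompany.co.uk."""
    labels = domain.lower().split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in UK_SECOND_LEVEL:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def aligned(from_domain, auth_domain, mode):
    """Strict ('s') alignment needs an exact match; relaxed ('r') needs the same organisational domain."""
    if auth_domain is None:
        return False
    if mode.lower() == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


def dmarc_disposition(record, from_domain, spf_result, spf_domain, dkim_result, dkim_domain):
    """Return (dmarc_result, disposition) for one message.

    spf_domain is the envelope sender (MAIL FROM) domain SPF authenticated;
    dkim_domain is the d= value of a DKIM signature that verified.
    """
    tags = parse_dmarc(record)
    spf_ok = spf_result == "pass" and aligned(from_domain, spf_domain, tags["aspf"])
    dkim_ok = dkim_result == "pass" and aligned(from_domain, dkim_domain, tags["adkim"])
    if spf_ok or dkim_ok:  # one aligned pass is enough
        return "pass", "deliver"
    return "fail", POLICY_DISPOSITION[tags["p"].lower()]


if __name__ == "__main__":
    rec = "v=DMARC1; p=reject; rua=mailto:dmarc-reports@yourcompany.co.uk"
    # Spoofed message: SPF passes for the attacker's own bounce domain, no DKIM.
    print(dmarc_disposition(rec, "yourcompany.co.uk", "pass", "attacker-bulk.example", "fail", None))
```

Note what the spoofed case shows: SPF on its own passed, because the sender used a domain they control in the envelope, and it is the alignment requirement, not SPF, that rejects the message.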

Why Businesses Need DMARC

Without DMARC at p=reject, your domain can be used by anyone to send phishing emails that appear genuine. This creates risk for your customers (who may receive fraudulent emails appearing to be from you), your suppliers (who may be targeted with invoice fraud using your domain), and your own staff (who may receive internal-looking phishing emails from an external source).

Business Email Compromise (BEC) attacks frequently exploit domains that lack DMARC enforcement. Implementing DMARC at p=reject removes this attack vector for your exact domain (lookalike domains are a separate problem that DMARC does not address). It also improves email deliverability for your genuine emails, as major providers including Google and Microsoft now use DMARC compliance as a signal in spam filtering decisions.

How to Implement DMARC

DMARC implementation involves several steps:

  • publishing SPF and DKIM records for all sending domains;
  • publishing a DMARC record at p=none;
  • monitoring DMARC reports to identify all legitimate email sources;
  • updating SPF and DKIM records to cover all legitimate sources;
  • gradually moving through p=quarantine to p=reject once all legitimate sending is covered.

The process typically takes four to eight weeks for businesses with straightforward email configurations. Organisations using multiple marketing platforms, CRMs, or third-party sending services must ensure each is correctly configured before moving to enforcement.
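The monitoring step above is done by reading the aggregate (rua) reports that receivers send to the address in your DMARC record. As an added example (not part of the original guide and not AMVIA's tooling), this parses one such report in the RFC 7489 XML format using only the standard library and totals DMARC passes and failures per sending IP, which is the view you need to decide which sources are legitimate but misconfigured and which are not yours. The report below is constructed: the receiver name, report id, IP addresses and counts are illustrative.

```python
import xml.etree.ElementTree as ET

# Constructed sample aggregate report (illustrative values, not a real receiver's data).
SAMPLE_REPORT = """<?xml version="1.0"?>
<feedback>
  <report_metadata>
    <org_name>example-receiver.net</org_name>
    <report_id>constructed-0001</report_id>
  </report_metadata>
  <policy_published>
    <domain>yourcompany.co.uk</domain>
    <p>none</p>
  </policy_published>
  <record>
    <row>
      <source_ip>203.0.113.10</source_ip>
      <count>120</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated>
    </row>
    <identifiers><header_from>yourcompany.co.uk</header_from></identifiers>
  </record>
  <record>
    <row>
      <source_ip>198.51.100.25</source_ip>
      <count>40</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated>
    </row>
    <identifiers><header_from>yourcompany.co.uk</header_from></identifiers>
  </record>
  <record>
    <row>
      <source_ip>192.0.2.77</source_ip>
      <count>15</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated>
    </row>
    <identifiers><header_from>yourcompany.co.uk</header_from></identifiers>
  </record>
</feedback>
"""


def summarise_report(xml_text):
    """Total messages and aligned pass/fail counts per source IP from one aggregate report."""
    root = ET.fromstring(xml_text)
    summary = {
        "reporter": root.findtext("report_metadata/org_name"),
        "domain": root.findtext("policy_published/domain"),
        "policy": root.findtext("policy_published/p"),
        "sources": {},
    }
    for rec in root.findall("record"):
        ip = rec.findtext("row/source_ip")
        count = int(rec.findtext("row/count"))
        # In policy_evaluated, dkim/spf already reflect alignment, so either "pass" is a DMARC pass.
        dkim = rec.findtext("row/policy_evaluated/dkim")
        spf = rec.findtext("row/policy_evaluated/spf")
        src = summary["sources"].setdefault(ip, {"messages": 0, "dmarc_pass": 0, "dmarc_fail": 0})
        src["messages"] += count
        src["dmarc_pass" if (dkim == "pass" or spf == "pass") else "dmarc_fail"] += count
    return summary


def failing_sources(summary):
    """IPs with at least one DMARC failure: candidates for SPF/DKIM fixes or confirmation as spoofing."""
    return sorted(ip for ip, s in summary["sources"].items() if s["dmarc_fail"] > 0)


if __name__ == "__main__":
    report = summarise_report(SAMPLE_REPORT)
    print(report["domain"], "policy:", report["policy"], "reported by", report["reporter"])
    for ip, s in report["sources"].items():
        print(f"{ip:16} messages={s['messages']:4} pass={s['dmarc_pass']:4} fail={s['dmarc_fail']:4}")
    print("needs attention:", failing_sources(report))
```

In practice you would run this over every report received during the p=none period; a failing IP that belongs to a marketing platform or CRM you actually use needs its SPF include or DKIM selector added before you move to enforcement, while an IP you do not recognise is exactly the traffic p=reject exists to stop.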

How AMVIA Implements and Manages DMARC

AMVIA configures DMARC, SPF, and DKIM records for UK SMEs, monitors DMARC reports to identify legitimate and illegitimate sending sources, and manages the progression from p=none through to p=reject. Our ongoing managed email security service includes DMARC monitoring and alerting — ensuring your domain remains protected and your DMARC policy continues to cover all legitimate email flows as your business evolves.

Key Points

What you need to know.

Key Considerations

  • Assess your current position and identify gaps
  • Understand relevant UK regulations and standards
  • Implement appropriate technical controls
  • Train staff on security awareness
  • Review and update regularly
  • Consider managed service options for specialist areas

Need Help With This?

AMVIA can assess your current position and recommend practical next steps.
