Did you know that without the right setup, anyone can send an email in your company’s name? They just write your address as the sender and the customer gets a fraudulent message that looks like it is from you. Three records protect against this: SPF, DKIM and DMARC. Let us explain what they do and why a company needs them.

The problem: anyone can pose as your company

Email is built on SMTP, a protocol designed decades ago with no check that the address in the sender field belongs to whoever is actually sending. So without additional protection, a fraudster can send out emails pretending to come from your domain. Customers believe them, fall for the scam and your reputation suffers. This is called spoofing.

What SPF, DKIM and DMARC are

These are three mechanisms, each published as a TXT record in your domain’s DNS, that let a receiving mail server verify that an email really comes from you:

  • SPF lists the servers and IP addresses that may send mail for your domain. The receiving server checks whether the message arrived from one of them. Note that SPF is checked against the envelope sender (the bounce address), which is not always the address the customer sees in the From field.
  • DKIM adds a cryptographic signature to the message headers and body, with the public key published in DNS. The recipient can verify that the signed parts were not altered in transit and that the signing domain vouches for the message.
  • DMARC ties the two together: it requires that the domain verified by SPF or DKIM matches the visible From address (called alignment), sets a rule on what to do with a message that fails (none, quarantine or reject) and sends you reports about who is sending mail in your domain’s name, legitimate or not.

Why a company needs it

  • Protection against domain abuse: fraudsters cannot easily write in the company’s name, because recipients can tell a spoof from your genuine mail.
  • Better deliverability: your emails land in spam less often, and large mailbox providers such as Gmail and Yahoo now require these records from bulk senders.
  • Higher credibility in the eyes of customers and mail services.

How it is set up

The records are added to the domain’s DNS. First you need to know all your senders: your own mail server, Microsoft 365 or Google, a newsletter service, a ticketing or invoicing system and so on. Each of them has to be listed in SPF (usually through an include: entry the service provides) and each should sign with DKIM under your domain (usually by adding the CNAME records the service gives you). Keep an eye on the SPF limit of 10 DNS lookups per record: too many include: entries exceed it and the whole record stops working. DMARC is then tightened gradually, from monitoring to rejecting spoofed messages.

DMARC policies: from monitoring to rejecting

DMARC has three levels of strictness, and you move through them gradually:

  • none (monitoring) blocks nothing, it only sends you reports. It serves to map all your senders and see what would be rejected.
  • quarantine asks recipients to treat unverified messages as suspicious, which in practice means moving them to spam.
  • reject tells recipients to refuse them outright, so a fraudster cannot abuse your domain.

The goal is to work your way up to reject, but only once the reports show that all your legitimate mail passes. The pct= tag lets you apply the stricter policy to only a share of failing messages first (for example pct=25) and raise it as the reports stay clean. Jumping straight to reject without the monitoring phase is the most common reason a company’s own legitimate mail, sent by a system nobody added to SPF or DKIM, suddenly starts being rejected by recipients.
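The setup and rollout described above, simulated as a receiving server would evaluate it. This is an added illustration, not code from the article or from any mail provider; the domains, IP addresses, DNS records and sample messages are constructed, and cryptographic verification of the DKIM signature is assumed to have already happened (only its result and the d= signing domain are taken as input). It shows why alignment matters (a valid signature from the wrong domain still fails), what happens to a sender that was forgotten in SPF, and how the same message fares under none, quarantine and reject.

```python
"""How a receiving server checks SPF, DKIM alignment and the DMARC policy.

Added illustration, not code from the article or from any mail provider.
Domains, IPs and all DNS records below are constructed; DKIM signature
verification is assumed done and only its result is taken as input.
"""
import ipaddress

# Constructed TXT records standing in for real DNS lookups.
DNS_TXT = {
    "example.com": "v=spf1 ip4:203.0.113.10 include:_spf.example-mail.net -all",
    "_spf.example-mail.net": "v=spf1 ip4:198.51.100.0/24 -all",
    "_dmarc.example.com": "v=DMARC1; p=reject; adkim=r; aspf=r; "
                          "rua=mailto:dmarc-reports@example.com",
}

QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_check(domain, source_ip, depth=0):
    """Evaluate the SPF record of the MAIL FROM domain for the sending IP."""
    record = DNS_TXT.get(domain, "")
    if not record.startswith("v=spf1"):
        return "none"
    if depth > 10:                      # crude guard against include: loops
        return "permerror"
    addr = ipaddress.ip_address(source_ip)
    for term in record.split()[1:]:
        qual = "+"
        if term[0] in QUALIFIER:
            qual, term = term[0], term[1:]
        if term.startswith(("ip4:", "ip6:")):
            if addr in ipaddress.ip_network(term[4:], strict=False):
                return QUALIFIER[qual]
        elif term.startswith("include:"):
            if spf_check(term[8:], source_ip, depth + 1) == "pass":
                return QUALIFIER[qual]
        elif term == "all":
            return QUALIFIER[qual]
    return "neutral"


def org_domain(name):
    """Organizational domain, simplified to the last two labels
    (real receivers consult the Public Suffix List)."""
    return ".".join(name.lower().split(".")[-2:])


def aligned(from_domain, auth_domain, mode):
    """DMARC identifier alignment: strict (s) needs an exact match,
    relaxed (r) only the same organizational domain."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


def parse_dmarc(from_domain):
    record = DNS_TXT.get("_dmarc." + from_domain, "")
    if not record.startswith("v=DMARC1"):
        return None
    tags = {"adkim": "r", "aspf": "r"}   # relaxed alignment is the default
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = value.strip()
    return tags


def dmarc_evaluate(msg, policy_override=None):
    """Return the DMARC result and what the receiver does with the message.
    policy_override tries none/quarantine/reject without editing DNS."""
    from_domain = msg["from_domain"]            # the visible From: header
    policy = parse_dmarc(from_domain)
    if policy is None:
        return {"dmarc": "none", "disposition": "deliver"}
    p = policy_override or policy["p"]
    spf = spf_check(msg["mail_from_domain"], msg["source_ip"])
    spf_ok = spf == "pass" and aligned(from_domain, msg["mail_from_domain"], policy["aspf"])
    dkim_ok = any(sig["valid"] and aligned(from_domain, sig["d"], policy["adkim"])
                  for sig in msg["dkim"])
    if spf_ok or dkim_ok:                        # one aligned pass is enough
        return {"dmarc": "pass", "disposition": "deliver", "spf": spf}
    disposition = {"none": "deliver", "quarantine": "quarantine", "reject": "reject"}[p]
    return {"dmarc": "fail", "disposition": disposition, "spf": spf}


# Constructed messages: two legitimate senders, a system that was never
# added to SPF or DKIM, and a spoof that carries a valid but unaligned DKIM key.
MESSAGES = {
    "own server": dict(from_domain="example.com", mail_from_domain="example.com",
                       source_ip="203.0.113.10", dkim=[{"d": "example.com", "valid": True}]),
    "newsletter via include": dict(from_domain="example.com", mail_from_domain="example.com",
                       source_ip="198.51.100.7", dkim=[{"d": "example-mail.net", "valid": True}]),
    "forgotten ticket system": dict(from_domain="example.com", mail_from_domain="example.com",
                       source_ip="192.0.2.5", dkim=[]),
    "spoof": dict(from_domain="example.com", mail_from_domain="attacker.example",
                  source_ip="192.0.2.99", dkim=[{"d": "attacker.example", "valid": True}]),
}


def rollout(msg):
    """Disposition of one message under each stage of the DMARC rollout."""
    return {p: dmarc_evaluate(msg, p)["disposition"] for p in ("none", "quarantine", "reject")}


if __name__ == "__main__":
    for name, msg in MESSAGES.items():
        print(f"{name:25} {rollout(msg)}")
```

Running it prints that the own server and the newsletter service are delivered at every stage, while the forgotten ticket system is delivered under none, put in spam under quarantine and refused under reject, exactly like the spoof. That is the point of the monitoring phase: with p=none the reports reveal the ticket system before a stricter policy starts rejecting its invoices.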

Bonus: BIMI and a logo in the inbox

Once you have DMARC set to quarantine (with pct=100) or reject, you can also add a BIMI record. Thanks to it, your company logo appears next to the email in the recipient’s inbox (supported by Gmail and Apple Mail, for example, which additionally require a certificate for the logo, a Verified Mark Certificate). It looks professional and at the same time helps the customer tell a genuine message from a spoof.

What to watch out for

Badly configured records can break the delivery of your own emails too: forget one of the senders and its messages are the ones that end up in spam or get rejected. So you need to know all the services that send on your behalf, tighten the policy gradually while reading the DMARC reports, and test every change by sending to a mailbox at a large provider and checking the spf=, dkim= and dmarc= verdicts in the Authentication-Results header of the received message. This is also related to protection against phishing.

Want your company email protected and credible? Get in touch, we will set up SPF, DKIM and DMARC correctly as part of IT support for companies. The article on email with your own domain also helps.

This article is part of our Business and IT overview.