DMARC: The Digital Seal of Authenticity for Your Email
What is DMARC?
Think of DMARC as digital passport control for your business. Established as a global standard in 2015, it clearly defines who is—and who isn’t—authorised to send email using your company’s name.
While it sounds technical, it is now a fundamental requirement for modern business:
- Government Standard: A core requirement of the UK Government’s Cyber Essentials Certification.
- Financial Necessity: As of April 2025, the Payment Card Industry Data Security Standard (PCI DSS) v4.0.1 requires this. If you handle card payments, DMARC is no longer optional—it’s a prerequisite for doing business.
The Bottom Line: Without DMARC, what is stopping a criminal from emailing your customers, impersonating you, and asking them to redirect a payment to a fraudulent account?
Why is it a Business Priority?
Most cyberattacks don’t break through your firewall; they walk through the front door via email. DMARC is your first line of defence against:
- Impersonation: Preventing hackers from “wearing your face” to scam your clients.
- Internal Fraud: Stopping “spoofed” emails that look like they came from the CEO asking the finance team for an urgent wire transfer.
- Governance & Visibility: DMARC provides a “flight recorder” for your domain, showing you exactly who is sending mail on your behalf globally.
The State of the Market: Who is Protected?
Adoption varies wildly, and it often highlights which industries take their “Duty of Care” seriously:
- Banking – almost perfect, almost all have p=reject
- Leading Law firms – almost perfect, most have p=reject, and at least none have p=none!
- East Kilbride Law firms – very poor show!
- Upmarket Scottish hotels – very mixed, I expected better from this market sector!
- UK Delivery Companies – almost perfect, as expected given how much this sector has been targeted.
- UK Energy providers – generally good but still too many who should do better!
- NHS – given the history of NHS data breaches this isn’t too surprising and quite shameful.
Common Executive Pitfalls
Don’t let “IT Speak” hide the fact that your defence might be turned off. Watch out for these traps:
- The “Observation Only” Trap: Setting a policy to p=none. This is like hiring a security guard who only watches the CCTV but isn’t allowed to stop the thief. It’s a fine first step for a week or two, but it isn’t “protection”.
- The “Silent” Policy: Setting a policy to p=quarantine without a reporting address. This is burying your head in the sand—you’re blocking mail without any visibility into whether you’re accidentally blocking your own legitimate invoices or marketing.
- Failure to protect all brands: many companies have multiple brand identities, often keeping their email identity separate from their website identity. ALL associated domain names need DMARC protection, including any ‘parked’ domains.
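As an added example (not code from the original article), the following Python audits a DMARC TXT record for the three pitfalls just listed: a p=none policy, a blocking policy with no rua= reporting address, and a brand or parked domain with no record at all. The domain names and records are constructed samples.

```python
# Added example (not from the original article): audit DMARC TXT records for
# the pitfalls listed above. Sample records are constructed; in practice the
# record is the TXT value published at _dmarc.<domain>.

def parse_dmarc(record):
    """Split 'v=DMARC1; p=none; rua=mailto:...' into a {tag: value} dict."""
    tags = {}
    for part in record.split(";"):
        key, sep, value = part.strip().partition("=")
        if sep:  # skip empty or malformed fragments
            tags[key.strip().lower()] = value.strip()
    return tags


def audit_dmarc(record):
    """Return pitfalls for one domain; record is the TXT value or None if absent."""
    if record is None:
        # Unprotected domain (often a 'parked' brand): nothing stops spoofing.
        return ["no DMARC record"]
    tags = parse_dmarc(record)
    findings = []
    if tags.get("v", "").upper() != "DMARC1":
        findings.append("record does not start with v=DMARC1")
    policy = tags.get("p", "").lower()
    if policy == "none":
        # 'Observation only': failing mail is still delivered to the inbox.
        findings.append("p=none: monitoring only, no protection")
    elif policy not in ("quarantine", "reject"):
        findings.append("missing or unknown p= policy")
    if "rua" not in tags:
        # 'Silent' policy: mail is blocked but nobody receives the reports.
        findings.append("no rua= reporting address: no visibility")
    return findings


# Constructed sample records: one per pitfall, plus a sound configuration.
SAMPLES = {
    "observation-only.example": "v=DMARC1; p=none; rua=mailto:dmarc@observation-only.example",
    "silent.example": "v=DMARC1; p=quarantine",
    "parked-brand.example": None,
    "protected.example": "v=DMARC1; p=reject; rua=mailto:dmarc@protected.example",
}

if __name__ == "__main__":
    for domain, record in SAMPLES.items():
        print(f"{domain}: {audit_dmarc(record) or ['OK']}")
```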
Where to Start?
You can audit your company’s “digital health” in seconds:
- Check your status: Use the UK Government’s Email Security Check provided by the National Cyber Security Centre (NCSC).
- Get Visibility: Services like Valimail offer free monitoring to help you see who is using your domain today.