What is DMARC, DKIM and SPF and Does Your Business Have Them?

Domain-based Message Authentication, Reporting, and Conformance (DMARC), DomainKeys Identified Mail (DKIM), and Sender Policy Framework (SPF) are the three checks that help prove your business emails are legitimate. They protect your domain from impersonation, reduce failed deliveries, and stop criminals using your name to reach customers, suppliers, or staff.

Microbyte has been operating since 1992, and we hold Cyber Essentials Plus ourselves, not just as a service we sell to clients. This guide explains what these records do, why Google, Yahoo, Microsoft, and compliance frameworks now care, and how to check whether your business is protected.

Why Email Sender Identity Fails in the First Place

The fundamental flaw of the original Simple Mail Transfer Protocol (SMTP) is its inability to natively verify the identity of the sender, allowing malicious actors to trivially forge the “From” address. That means a criminal can make an email look like it came from your finance team, director, or supplier.

That flaw is why invoice fraud and phishing attacks often start with a message that looks normal. In plain English, SMTP was built to move mail, not to prove identity, as explained in this DMARC overview (fortinet.com).

The Three Checks That Close the Gap

To close this gap, the email industry developed three interwoven protocols: SPF, DKIM, and DMARC.

SPF validates the physical origin of the email, which means the sending server. DKIM validates the cryptographic integrity of the message payload, and DMARC enforces policy alignment while providing critical feedback mechanisms to domain administrators.

For a business owner, the point is not the protocol name. The point is knowing that your domain cannot be easily used against you.

Why Email Authentication Became A Business Requirement

The convergence of strict technical mandates from global mailbox providers, spearheaded by Google, Yahoo, and Microsoft, alongside rigorous compliance frameworks like Payment Card Industry Data Security Standard (PCI DSS) v4.0, has transformed SPF, DKIM, and DMARC from obscure IT acronyms into critical business lifelines.

For Managed IT Service Providers operating in the United Kingdom (UK), United States of America (USA), and Dubai, deploying and managing these protocols on behalf of clients is no longer merely an element of good cybersecurity hygiene. It is a foundational requirement for business continuity, regulatory compliance, and brand protection.

The 2024 and 2025 Deadlines

The rules tightened in stages, and the dates matter because the enforcement period has already started.

  • In October 2023, Google and Yahoo sender requirements (proofpoint.com) set new standards that reached full SMTP-level enforcement by April 2024.
  • Google defines bulk senders as organisations sending more than 5,000 messages per day to Gmail accounts, with requirements covering authentication, alignment, and one-click unsubscribe.
  • Following Google and Yahoo, Microsoft announced strict DMARC enforcement protocols for high-volume senders to consumer endpoints such as outlook.com, hotmail.com, and live.com, effective May 5, 2025, according to this Microsoft enforcement summary (mimecast.com).
  • Organisations must maintain user-reported spam complaint rates strictly below 0.3%, with 0.1% recommended, as covered in these spam sender requirements (mxtoolbox.com).

The Enforcement Gap

As of early 2026, extensive monitoring of the global email system shows that 70.7% of domains worldwide have no effective DMARC protection. Q1 2026 analysis also reports an 88.99% global DMARC pass rate for active domains, while 14.54% of all emails still fail SPF checks.

Those figures come from 2026 DMARC adoption data (dmarcdkim.com), and they explain why mailbox providers are no longer treating this as optional. If your setup is missing or weak, deliverability can become a board-level issue, which is why our vCIO guide puts email identity into wider IT governance.

Compliance Evidence

The compliance angle matters too. If a client has regulatory obligations, board reporting requirements, or ISO 27001 evidence needs, email authentication provides a clear control that can be tested, documented, and improved rather than left as a vague security assumption.

Rapid7 reporting on the FTSE 250+ found that 70% of those prominent UK firms had not implemented DMARC at all, which shows the problem is still widespread even among large organisations with bigger security budgets.

SPF Records: What They Do and Where They Break

A domain administrator publishes an SPF record as a standard Domain Name System (DNS) text (TXT) record, specifying the Internet Protocol (IP) addresses, domains, and external mail servers authorised to transmit email on behalf of that specific domain.

When a receiving mail server processes an incoming message, it queries the DNS infrastructure of the domain listed in the envelope sender, known as the `Return-Path`, to retrieve the SPF record. If the sending system is listed, the check passes.

The Ten-Lookup Problem

Most notably, the SPF protocol imposes a strict limit of ten DNS lookups. If a domain’s SPF record requires more than ten nested lookups, often caused by the over-utilisation of the `include:` directive for third-party marketing and Customer Relationship Management (CRM) platforms, the authentication process will fail.

We see the risk when a business adds Microsoft 365, a marketing platform, a ticketing system, and a billing tool over time. Each one may be legitimate, but the final record can still break.

  • The receiver reads the `Return-Path` domain.
  • The receiver finds the matching SPF record in DNS.
  • The receiver checks whether the sending service appears in that record.
  • The receiver fails the check if the lookup chain exceeds ten queries.
  • The receiver records the authentication result and passes that result to DMARC.
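To make the ten-lookup limit concrete, here is an added example (not the page's or Microbyte's code) that walks an SPF record and its nested `include:` and `redirect=` targets and counts the DNS-querying terms the way RFC 7208 does. It uses a constructed in-memory DNS table (`FAKE_DNS`, made-up records on documentation domains) instead of live lookups.

```python
# Added example (not Microbyte's tooling): counts the DNS-querying terms in an SPF record
# per RFC 7208 section 4.6.4, following include: and redirect= into nested records.
# FAKE_DNS is a constructed in-memory TXT table so the code runs offline; the records are made up.
FAKE_DNS = {
    "example.com": ("v=spf1 mx include:_spf.mail.example.net include:crm.example.org "
                    "include:billing.example.org ip4:203.0.113.10 -all"),
    "_spf.mail.example.net": "v=spf1 include:a.mail.example.net include:b.mail.example.net -all",
    "a.mail.example.net": "v=spf1 ip4:198.51.100.0/24 -all",
    "b.mail.example.net": "v=spf1 a mx -all",
    "crm.example.org": "v=spf1 include:relay1.crm.example.org include:relay2.crm.example.org ~all",
    "relay1.crm.example.org": "v=spf1 a -all",
    "relay2.crm.example.org": "v=spf1 a -all",
    "billing.example.org": "v=spf1 redirect=_spf.billing.example.org",
    "_spf.billing.example.org": "v=spf1 mx a -all",
    "small.example.com": "v=spf1 ip4:203.0.113.5 include:a.mail.example.net -all",
    "loop.example.com": "v=spf1 include:loop.example.com -all",
}
LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists"}  # plus the redirect= modifier
LIMIT = 10  # RFC 7208: more than ten lookups is a permerror, which DMARC treats as SPF failing

def count_spf_lookups(domain, dns=FAKE_DNS, depth=0):
    """Return (lookups, trail) for domain's SPF record, including nested records."""
    if depth > 20:  # a record that includes itself would otherwise recurse forever
        raise ValueError(f"include/redirect loop while evaluating {domain}")
    record = dns.get(domain)
    if record is None or not record.lower().startswith("v=spf1"):
        raise ValueError(f"no SPF record published for {domain}")
    total, trail = 0, []
    for term in record.split()[1:]:
        term = term.lstrip("+-~?")  # the qualifier (pass/fail/softfail/neutral) costs nothing
        sep = "=" if "=" in term else ":"  # modifiers use '=', mechanisms use ':'
        key, _, arg = term.partition(sep)
        key = key.split("/")[0].lower()  # 'a/24' -> 'a'
        if key in ("include", "redirect"):
            sub_total, sub_trail = count_spf_lookups(arg, dns, depth + 1)
            total += 1 + sub_total
            trail.append(f"{'  ' * depth}{key} {arg}")
            trail.extend(sub_trail)
        elif key in LOOKUP_MECHANISMS:
            total += 1
            trail.append(f"{'  ' * depth}{key} in {domain}")
        # ip4:, ip6:, all, exp= and unknown modifiers do not cost a lookup
    return total, trail

def spf_lookup_report(domain, dns=FAKE_DNS):
    """Summarise whether the record stays under the ten-lookup limit."""
    total, trail = count_spf_lookups(domain, dns)
    status = "OK" if total <= LIMIT else "PERMERROR: over the 10-lookup limit"
    return {"domain": domain, "lookups": total, "status": status, "trail": trail}

if __name__ == "__main__":
    for name in ("small.example.com", "example.com"):
        r = spf_lookup_report(name)
        print(f"{name}: {r['lookups']} lookups -> {r['status']}", *r["trail"], sep="\n")
```

In the constructed data, `example.com` adds four ordinary-looking services and ends up at 15 lookups, which is exactly the pattern the paragraph above describes.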

Why SPF Still Needs Alignment

SPF only validates the `Return-Path` domain, not the visible `Header From` address that end-users see, leaving a critical loophole for spoofing if used in isolation. That is why origin checks help, but they cannot prove the message stayed intact.

Forwarding can also complicate results, especially when a supplier or helpdesk system relays mail through another service. A clean setup should check the DNS record, the live authentication result, and the alignment that DMARC will actually judge.

How DKIM Proves A Message Is Genuine

While SPF focuses on the origin of the message, DKIM focuses on the integrity and non-repudiation of the message content. Non-repudiation means the sender cannot easily deny that the message came from an authorised system.

The domain owner generates a cryptographic key pair, publishing the public key in their DNS as a TXT record and securely storing the private key on their outbound mail server. The private key signs outgoing messages.

The Signature Check

Upon receipt, the destination server extracts the DKIM signature, retrieves the sender’s public key via DNS, and uses that key to verify the signature. If the hash protected by the signature matches a newly calculated hash of the received message, DKIM passes, guaranteeing that the email was authorised by the domain owner and that its contents were not altered in transit by an unauthorised third party.

For live business systems, we normally expect 2048-bit Rivest-Shamir-Adleman (RSA) keys where the sending platform supports them. Shorter or shared keys can become a maintenance problem later.
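As an added example (not code from the page or from any mail platform), this shows the body-hash half of that check: the receiver canonicalizes the body, recomputes `bh=`, and compares it with the value the signer placed in the DKIM-Signature header. The message and signature header are constructed; the public-key verification of the `b=` tag over the signed headers is described in the text but not implemented here, since it needs an RSA library.

```python
import base64
import hashlib
import re

# Added example (not the page's or any vendor's code): the receiver-side body-hash step of
# DKIM verification from RFC 6376. Canonicalization is what lets a signature survive harmless
# transport changes (trailing blank lines, tab versus space) while still catching real edits.

def canonicalize_body_relaxed(body: str) -> str:
    """RFC 6376 section 3.4.4 'relaxed' body canonicalization."""
    lines = body.replace("\r\n", "\n").split("\n")
    # collapse runs of whitespace to one space, then drop whitespace at the end of each line
    lines = [re.sub(r"[ \t]+", " ", line).rstrip(" ") for line in lines]
    while lines and lines[-1] == "":  # ignore empty lines at the end of the body
        lines.pop()
    return "".join(line + "\r\n" for line in lines)  # a non-empty body always ends in CRLF

def body_hash(body: str, algorithm: str = "sha256") -> str:
    """The bh= value: base64 of the digest over the canonicalized body."""
    digest = hashlib.new(algorithm, canonicalize_body_relaxed(body).encode("utf-8")).digest()
    return base64.b64encode(digest).decode("ascii")

def parse_dkim_tags(signature_value: str) -> dict:
    """Split a DKIM-Signature header value into tag=value pairs, dropping folding whitespace."""
    tags = {}
    for part in signature_value.split(";"):
        if "=" in part:
            key, _, value = part.partition("=")  # b= and bh= contain '=' padding, so split once
            tags[key.strip()] = re.sub(r"\s+", "", value)
    return tags

def body_hash_matches(signature_value: str, body: str) -> bool:
    """First verification step: recompute bh= and compare it with the signer's value.
    The second step, checking b= over the h= headers with the public key fetched from
    <selector>._domainkey.<domain> in DNS, needs an RSA library and is not shown here."""
    tags = parse_dkim_tags(signature_value)
    algorithm = tags.get("a", "rsa-sha256").split("-")[-1]  # 'rsa-sha256' -> 'sha256'
    body_canon = tags.get("c", "simple/simple").partition("/")[2] or "simple"
    if body_canon != "relaxed":
        raise ValueError("this example only implements relaxed body canonicalization")
    return tags.get("bh") == body_hash(body, algorithm)

# Constructed sample message; bh= is computed here the way a signer would before signing.
SAMPLE_BODY = "Hi team,\r\n\r\nPlease pay the  attached invoice to account 12345678.\r\n\r\n\r\n"
SAMPLE_SIGNATURE = (
    "v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=sel2026;\r\n"
    " h=from:to:subject:date; bh=" + body_hash(SAMPLE_BODY) + ";\r\n"
    " b=PLACEHOLDER-signature-over-headers-not-checked-in-this-example"
)

if __name__ == "__main__":
    print("original body:", body_hash_matches(SAMPLE_SIGNATURE, SAMPLE_BODY))          # True
    tampered = SAMPLE_BODY.replace("12345678", "87654321")
    print("account number altered:", body_hash_matches(SAMPLE_SIGNATURE, tampered))  # False
```

Note that appending extra blank lines (as some forwarders do) still matches, while changing the bank account number does not.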

Platform by Platform Signing

Each sending platform needs its own signing setup, because one working Microsoft 365 signature does not prove that every other system is protected.

  • Marketing, billing, helpdesk, finance, and website form tools should each be checked separately.
  • Key rotation should be scheduled, not left until something fails.
  • Failed signatures should be investigated before enforcement is tightened.
  • New suppliers should not be allowed to send on your domain until signing has been confirmed.

DKIM proves that a message has not been tampered with, but it still needs DMARC to check whether the visible sender matches the authenticated domain. Without that alignment check, a business can still have a technically signed email that does not give receivers enough proof to block impersonation.

DMARC Records and Policy Enforcement

DMARC, standardised in Request for Comments (RFC) 7489 (ietf.org), acts as the overarching policy enforcement and reporting framework that unifies SPF and DKIM. It addresses the vulnerabilities of both checks by enforcing Identifier Alignment.

For a message to pass DMARC, it must pass either SPF or DKIM validation, and the domain validated by the successful protocol must match, or align with, the visible `Header From` domain presented to the end-user.

What the Policy States Mean

DMARC records are also published as DNS TXT records under the `_dmarc` subdomain. They instruct receiving servers on how to handle messages that fail authentication.

The usual route is first to `p=quarantine`, which instructs receivers to send unaligned mail to spam, and ultimately to `p=reject`, which drops fraudulent mail at the gateway. That staged approach matters because jumping straight to rejection can block real systems if sales, accounts, or operations tools have not been found.

Once reporting shows a 99%+ compliance rate for legitimate senders, we can move from monitoring to enforcement with far less risk. The practical question is whether your own domain is still stuck at monitoring.
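The alignment rule and the policy decision, as an added example (not the page's or Microbyte's code), run over three constructed scenarios for a domain publishing `p=quarantine`: the business's own mail platform, a forgotten marketing tool signing with its own domain, and a spoofed From address. `org_domain()` is a simplification that takes the last two labels rather than consulting the Public Suffix List.

```python
# Added example (not the page's or Microbyte's code): DMARC identifier alignment and
# disposition from RFC 7489. Assumption: org_domain() uses the last two labels instead of
# the Public Suffix List, so it is wrong for domains such as example.co.uk.

def parse_dmarc_record(txt: str) -> dict:
    """Parse the TXT value at _dmarc.<domain>; alignment modes default to relaxed."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, _, value = part.partition("=")
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or tags.get("p") not in ("none", "quarantine", "reject"):
        raise ValueError("not a usable DMARC record: needs v=DMARC1 and p=none|quarantine|reject")
    tags.setdefault("adkim", "r")
    tags.setdefault("aspf", "r")
    return tags

def org_domain(domain: str) -> str:
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])  # simplified, see note above

def aligned(auth_domain, header_from, mode) -> bool:
    """Strict ('s') needs an exact match; relaxed ('r') accepts the same organisational domain."""
    if not auth_domain:
        return False
    a, f = auth_domain.lower(), header_from.lower()
    return a == f if mode == "s" else org_domain(a) == org_domain(f)

def evaluate_dmarc(record, header_from, spf_result=None, spf_domain=None,
                   dkim_result=None, dkim_domain=None):
    """Return (passed, disposition, detail): pass if SPF passed for an aligned Return-Path
    domain OR DKIM passed for an aligned d= domain; else p= applies (pct= and sp= not modelled)."""
    policy = parse_dmarc_record(record)
    spf_ok = spf_result == "pass" and aligned(spf_domain, header_from, policy["aspf"])
    dkim_ok = dkim_result == "pass" and aligned(dkim_domain, header_from, policy["adkim"])
    detail = (f"spf={spf_result} ({spf_domain}) aligned={spf_ok}; "
              f"dkim={dkim_result} ({dkim_domain}) aligned={dkim_ok}")
    if spf_ok or dkim_ok:
        return True, "none", detail
    return False, policy["p"], detail

# Constructed record and scenarios for the example.com domain.
RECORD = "v=DMARC1; p=quarantine; rua=mailto:dmarc-reports@example.com; adkim=r; aspf=r"
SCENARIOS = {
    # Microsoft 365-style mail: Return-Path on a subdomain, DKIM d= on the domain itself
    "own platform": dict(spf_result="pass", spf_domain="mail.example.com",
                         dkim_result="pass", dkim_domain="example.com"),
    # a forgotten marketing tool: both checks pass, but only for the vendor's domain
    "unaligned vendor": dict(spf_result="pass", spf_domain="bounce.mailer.example.net",
                             dkim_result="pass", dkim_domain="mailer.example.net"),
    "spoofed From": dict(spf_result="pass", spf_domain="unrelated.example.org", dkim_result="none"),
}

if __name__ == "__main__":
    for name, ids in SCENARIOS.items():
        print(name, evaluate_dmarc(RECORD, "example.com", **ids))
```

The second scenario is the one that surprises businesses: every check "passes", yet the mail is quarantined because nothing aligns with the visible sender.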

Does Your Business Have Them? How to Check Without Guessing

You can check whether your business has DMARC, DKIM, and SPF by reviewing your DNS settings, your mail platform, and your latest authentication results. A valid record is only the starting point, because the real test is whether your live systems pass consistently.

A domain can look protected at first glance and still leak trust through a forgotten marketing tool. That is common when different teams add systems without telling IT.

The Minimum Check

Use this quick sequence before assuming the setup is complete:

  • Check DNS for a single SPF record, DKIM public keys for each sender, and a DMARC record under `_dmarc`.
  • Review recent message headers or DMARC aggregate reports to confirm legitimate systems pass in practice.
  • Compare every sending tool against the visible `Header From` domain, because alignment is what determines DMARC success.

What A Clean Audit Looks Like

A proper audit should produce evidence, not reassurance. We want to know which systems send mail, which ones pass, and which ones need correction.

The evidence should cover these points:

  • One SPF record exists, and it stays under the ten-lookup limit.
  • Every authorised sending platform has DKIM enabled.
  • The DMARC record exists under `_dmarc`.
  • The policy has a clear path from `p=none` to `p=quarantine` and then `p=reject`.
  • A DMARC report is reviewed, not ignored.
  • Spam complaint rates stay below 0.3%, with 0.1% used as the safer target.
  • One-click unsubscribe is configured where marketing messages require RFC 8058 support, as defined in the one-click unsubscribe standard (ietf.org).

Turning Checks Into Control

A good review also identifies who owns each sending system. That matters when finance, sales, recruitment, and marketing all rely on different platforms that can quietly change settings after a product update or supplier migration.

If your leadership team already uses Power BI, these reports can become part of a simple security dashboard. A check tells you the current state, but a managed roll-out prevents the fix from blocking legitimate systems.

How We Roll This Out Without Breaking Business Email

For Microbyte, this sits under Stamp Out Support: proactive prevention rather than reactive break-fix. The aim is to stop fraudulent mail, protect customer trust, and keep business communication flowing without surprise outages.

We provide Managed IT and Support Services to businesses in the UK, USA, and Dubai, with our head office in Peterborough, London support from Bermondsey Street, and Dubai support around Business Bay and the Dubai International Financial Centre (DIFC). Our own engineers support clients 24/7/365, including through our Philippines-based helpdesk and Security Operations Centre (SOC).

Our Roll-Out Order

We do not treat this as a one-record job. We treat it as a controlled change to a live business system, and we don’t tighten enforcement until the real senders have been checked.

  • We list every legitimate sender, including Microsoft 365, CRM, accounts, ticketing, marketing, and website forms.
  • We repair SPF and remove avoidable lookup waste.
  • We enable DKIM per platform, including 2048-bit RSA keys where supported.
  • We publish DMARC in monitoring mode and review report data.
  • We correct alignment issues in the visible sender and signing domains.
  • We move to quarantine, then rejection, once legitimate mail is stable.
  • We keep monitoring, because tools and suppliers change.

Governance and Monitoring

Email identity works best as part of a wider security setup. That is why we often pair this work with endpoint protection, awareness training, and Microsoft Defender for small and medium-sized businesses.

We hold Cyber Essentials Plus and align controls to International Organisation for Standardisation (ISO) 27001 and ISO 27018. The Cyber Essentials overview (ncsc.gov.uk) is a useful baseline for UK businesses that want a government-backed security standard without enterprise complexity.

For regulated or security-conscious organisations, we document the sender inventory, DNS changes, policy decisions, and monitoring results. That record gives leadership and auditors a practical view of risk reduction instead of a one-line claim that authentication has been “set up”.

What Happens If You Leave This Unmanaged

If email authentication is left unmanaged, the risk turns commercial very quickly. A fake invoice, blocked sales quote, or missing operational alert can cost far more than the time needed to fix the records properly.

Take a Peterborough manufacturer sending a quote to a Financial Times Stock Exchange (FTSE) 250 procurement team. If the message fails authentication and lands in spam, the business may never know the opportunity was lost.

Common Failure Signals

The Payment Card Industry Data Security Standard (PCI DSS) version 4.0 moved important anti-phishing controls from good practice towards stronger mandates effective March 31, 2025, as explained in this PCI DSS v4.0.1 update (pcisecuritystandards.org).

For firms in London financial services, Dubai International Financial Centre, legal, healthcare, manufacturing, and professional services, failed email trust is not just an IT issue. It affects compliance, client confidence, and the ability to trade without friction.

The risk is not limited to large senders. Smaller firms can be more exposed because they often rely on several cloud tools, yet do not have a formal process for checking whether those tools are allowed to send mail for the domain.

FAQ

Keep these three points in mind before making changes:

  • Set-up belongs in public DNS records and the sending platform admin portals.
  • Enforcement should move in stages, not in one blind change.
  • Monitoring should continue after `p=reject`, because suppliers and tools change.

What Are SPF, DKIM and DMARC, and Does My Business Need All Three?

SPF checks whether a sending service is allowed to send for your domain, DKIM proves the message was signed and not changed in transit, and DMARC tells receivers what to do when those checks fail. Every business that sends email from its own domain should use all three because it’s a basic protection against spoofing and delivery failure.

How Do I Authenticate My Email With SPF, DKIM and DMARC?

You authenticate email by publishing the correct DNS records, enabling DKIM signing in each sending platform, and adding a DMARC policy under the `_dmarc` subdomain. Then you review the results and fix any platform that fails before moving from monitoring to quarantine or rejection.

How Do I Pass DMARC Verification?

To pass DMARC verification, a message must pass SPF or DKIM, and the authenticated domain must align with the visible `Header From` domain. In plain terms, the receiver needs proof that the message came from an approved system and that the sender shown to the reader matches.

If you’re not sure whether your business has DMARC, DKIM, and SPF set up properly, Microbyte can check it for you. Contact our Peterborough, London, Woking, Lincoln, or Dubai team, and we’ll tell you what’s working, what’s exposed, and what it would cost to fix it.
