With email being the primary method of communication for businesses, it is surprising how little the underlying architecture has changed, particularly with regard to security.

There is often the assumption that emails are secure and safe methods of sharing information but fundamentally, most emails remain insecure and easily targeted by cyber criminals.  Rather than thinking of email as a trusted and secure delivery method we need to think of a postal service prior to the introduction of the Royal Mail – a unregulated network of individuals who moved letters from local hub to hub with the sender having little or no control of their letter.

There are some basic measures which have been in place for a while – SPF and DKIM (see Glossary below).  DMARC builds on the functions of these two measures, adding a further security layer.  It was jointly created by PayPal, Google, Microsoft, and Yahoo through a collaboration to drive email compliance and security.

Whilst DMARC is not compulsory, insurers, governing bodies and some clients are beginning to ask that firms have it in place.

DMARC stands for “Domain-based Message Authentication, Reporting and Conformance”.

Your domain, in this sense, is the part of your business email address that comes after the @, i.e. ‘lawfirm.co.uk’.  All of your outgoing and incoming email addresses pass through this domain.

You may have more than one domain in use – your firm’s domain and then perhaps a marketing service which has something else after the @ in the sending email address.

One of the targets for cyber criminals is to send emails that ‘spoof’ your domain, either by using a similar looking name or, in some cases, by using an exact match.  In this way, they can use your domain to send SPAM emails either in bulk or for targeted attacks on your clients or other parties.

DMARC allows you to add some hidden text in the header of your email so that you can confirm to recipients that the email is definitely from your domain or domains (DMARC is applied to all domains) – a colleague once said to me that it is like applying an old-fashioned wax seal to your emails!

DMARC also suggests to the recipient what they should do with an email that is a spoof or spam.  It can either recommend that the email is rejected or quarantined.

Effectively, if you apply DMARC you are protecting yourself, your brand and all parties you deal with against spoof email attacks purporting to come from your own domain.  The more firms that have DMARC in place, the more protection we all have. In short, by implementing DMARC you are enabling other people to check that they are receiving genuine email from yourself.

When you receive emails from external senders, your email filtering software will look for DMARC record and will use this to decide which emails get quarantined or rejected.

Setting up DMARC requires some time for analysis of your email traffic.  Initially, you set it up in ‘report only’ mode so that you can examine the email traffic going out through your domain.  You choose which emails you are going to allow – all other traffic will be rejected.  This is why it is important to do the initial analysis in report mode, otherwise you may be blocking genuine traffic.

Like all security solutions DMARC should not just be turned on and forgotten, the system needs regular monitoring and analysis of activity to manage and fine-tune results.  Many providers offer “DMARC as a Service” which tends to be longer term than just the “installation”, and includes regular analysis and reporting which might be beneficial, especially those without an internal IT team.

For firms that have a Managed Service Provider (MSP) maintaining their IT environment, the MSP should be able to advise you as to their method of deploying DMARC (often using third party specialists).  If you have an email security product, that provider may offer DMARC implementation and monitoring as a service.  Otherwise a little research on the internet should help you to find a good DMARC service provider. 

The cost of implementation and a wrap-around service varies, so it is worth a little research before embarking on the project.

Baskerville Drummond are of course happy to advise on selection and implementation, if you feel a little extra support is needed.  Otherwise, hopefully this has simply helped to demystify DMARC.

Written by…

Cathy Kirby


  • SPF : Sender Policy Framework, which uses the IP (internet) address ranges for your business to confirm that emails have come from you.
  • DKIM : DomainKeys Identified Mail, which verifies email was sent from the correct server by applying a signature via encrypted ‘keys’.
  • DMARC : Domain-based Message Authentication, Reporting and Conformance.  Requires both SPF and DKIM to work.