The Hook
Right now, anyone in the world can send an email that looks like it came from your domain, unless three specific DNS records are published and the last of them, DMARC, is set to enforce.
Why It Matters
Email is still where most cyberattacks start. When SPF, DKIM, and DMARC aren't configured correctly, attackers can put your exact domain in the From line to phish your customers, your vendors, and your own staff. The flip side hurts too: the big mailbox providers now expect these records from anyone sending in volume, so without them your real emails quietly start landing in spam folders.
The fix takes about 30 minutes for most small businesses. The cost of skipping it: lost wire transfers, breached accounts, broken trust, and cyber insurance claims that get denied because basic email authentication wasn't in place.
🔐 The short version: 3 DNS records do most of the work. ~30 minutes to set up. $0 in licensing — it's all built into the email system you already pay for.
📧 The 5 Practical Steps
1. 🛡️ Set Up SPF — Your Domain's "Guest List"
SPF (Sender Policy Framework) is a public DNS TXT record that lists which servers are allowed to send email on behalf of your domain. Think of it as the guest list at the door. If a connecting server isn't on the list, the receiving mail server knows the message is suspicious. Two catches. First, SPF checks the bounce address (the hidden Return-Path), not the From line people see, which is why SPF alone doesn't stop spoofing and DMARC is needed to tie the two together. Second, a record may trigger at most 10 DNS lookups (every include:, a, mx, ptr, exists and redirect= counts, including the ones inside the records you include); go over and receivers treat the record as a permanent error, as if you had no SPF at all. Stale entries from old vendors burn those lookups and keep authorising servers you no longer use.
🔧 Quick Win: Inventory every system that sends email as you (Microsoft 365, your CRM, your accounting tool, your help desk) and list only those. One TXT record, ending in -all so unlisted servers fail. Keep it to a single record: two SPF records on the same domain is another permanent error. Done in 10 minutes.
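Here is a small checker for the two traps above, the 10-lookup limit and a domain accidentally carrying two SPF records. It is an added example for this article, not something from your mail provider or from the article's author; it resolves against a made-up zone table instead of live DNS (swap in a real resolver to run it against your own domain), and every host name and address in it is fictional.

```python
import re

# Constructed stand-in for DNS so the check runs offline. Every name is a
# fictional .example host and every address is from the RFC 5737/3849
# documentation ranges; none of these are real vendor records.
ZONE = {
    "example.com": ["v=spf1 include:spf.mailhost.example include:spf.crm-vendor.example "
                    "include:spf.oldnewsletter.example a mx ~all"],
    "spf.mailhost.example": ["v=spf1 include:spf-a.mailhost.example include:spf-b.mailhost.example -all"],
    "spf-a.mailhost.example": ["v=spf1 ip4:192.0.2.0/24 -all"],
    "spf-b.mailhost.example": ["v=spf1 ip4:198.51.100.0/24 -all"],
    "spf.crm-vendor.example": ["v=spf1 include:spf.bulk-platform.example a mx -all"],
    "spf.bulk-platform.example": ["v=spf1 ip4:203.0.113.0/24 include:spf.bulk-platform-eu.example -all"],
    "spf.bulk-platform-eu.example": ["v=spf1 ip6:2001:db8::/32 -all"],
    "spf.oldnewsletter.example": ["v=spf1 a mx ptr -all"],   # stale vendor nobody removed
    "tidy.example": ["v=spf1 include:spf.mailhost.example ip4:203.0.113.10 -all"],
    "double.example": ["v=spf1 ip4:192.0.2.1 -all", "v=spf1 mx -all"],   # two records
}

# Terms that each cost one DNS query against the RFC 7208 limit of 10.
# ip4, ip6, all and exp= cost nothing.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def get_spf(domain, zone=ZONE):
    """Return the domain's single SPF record; zero or several is a permerror."""
    recs = [r for r in zone.get(domain, []) if r.lower().startswith("v=spf1")]
    if len(recs) != 1:
        raise ValueError(f"{domain}: expected exactly one SPF record, found {len(recs)}")
    return recs[0]


def count_lookups(domain, zone=ZONE, path=()):
    """Count query-causing terms reachable from domain, following include: and
    redirect= into the referenced records the way a receiver does."""
    if domain in path:
        raise ValueError(f"include loop: {' -> '.join(path + (domain,))}")
    total = 0
    for term in get_spf(domain, zone).split()[1:]:
        term = term.lstrip("+-~?")                           # qualifier does not change the cost
        name = re.split(r"[:/=]", term, maxsplit=1)[0].lower()
        if name not in LOOKUP_TERMS:
            continue
        total += 1
        if name in ("include", "redirect"):
            target = term.split(":" if name == "include" else "=", 1)[1]
            total += count_lookups(target, zone, path + (domain,))
    return total


def lint_spf(domain, zone=ZONE):
    """Return (lookup_count, findings) for the checks a receiver would trip over."""
    record = get_spf(domain, zone)
    lookups = count_lookups(domain, zone)
    findings = []
    if lookups > 10:
        findings.append(f"{lookups} DNS lookups exceeds the limit of 10; receivers return permerror")
    last = record.split()[-1].lower().lstrip("+")
    if last == "all":
        findings.append("ends with +all, which authorises every server on the internet")
    elif last not in ("-all", "~all"):
        findings.append("does not end with -all or ~all, so unlisted servers are not rejected")
    if "ptr" in {re.split(r"[:/]", t.lstrip("+-~?"))[0].lower() for t in record.split()[1:]}:
        findings.append("uses the deprecated ptr mechanism")
    return lookups, findings


def drop_term(domain, term, zone=ZONE):
    """Copy of the zone with one term removed from the domain's record (retiring a vendor)."""
    new = dict(zone)
    new[domain] = [" ".join(t for t in get_spf(domain, zone).split() if t != term)]
    return new


if __name__ == "__main__":
    for d in ("example.com", "tidy.example"):
        print(d, lint_spf(d))
    fixed = drop_term("example.com", "include:spf.oldnewsletter.example")
    print("example.com after retiring the old newsletter vendor:", count_lookups("example.com", fixed))
```

In the sample zone, example.com is at 14 lookups because three nested vendors plus its own a and mx add up; retiring the forgotten newsletter include brings it to exactly 10, which is the most a receiver will tolerate.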
2. ✍️ Turn On DKIM — A Tamper-Proof Signature
DKIM (DomainKeys Identified Mail) attaches a cryptographic signature to every email you send, like a tamper-proof wax seal on an envelope. The public half of the key sits in DNS; the receiver uses it to check the seal, and if the signed headers or body were altered in transit the check fails. A forged message simply carries no valid seal at all. On its own a failed or missing DKIM check is only a signal; it is DMARC that turns that signal into a quarantine or a reject. DKIM also survives forwarding (mailing lists, auto-forwards) where SPF breaks, so without it you cannot safely move DMARC to full enforcement.
🔧 Quick Win: Microsoft 365 uses two CNAME records (selector1 and selector2) so it can rotate keys; Google Workspace uses a single TXT record for its selector. Every other service that sends as your domain (the CRM, the newsletter tool) needs its own DKIM selector published too. About 5 minutes per sending service.
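To make the wax-seal idea concrete, here is an added example (not code from Microsoft, Google or this article's author) of the body-hash half of a DKIM check: the sender computes bh= over the canonicalised body, the receiver recomputes it, and any change to the body breaks the match. The public-key signature over the headers (the b= tag) is deliberately left empty; it needs the private key and is the part your mail platform handles for you. The message, domain and selector name are invented.

```python
import base64
import hashlib
import re

# Constructed sample message; the addresses are RFC 2606 reserved example names.
SAMPLE_HEADERS = "From: billing@example.com\nTo: customer@example.net\nSubject: Invoice 1042"
SAMPLE_BODY = "Please pay invoice 1042 to account 12345.\n\nThanks,\nBilling\n"


def canonicalize_body_relaxed(body: str) -> bytes:
    """RFC 6376 section 3.4.4 'relaxed' body canonicalization: collapse runs of
    spaces/tabs to one space, strip trailing whitespace from each line, drop
    empty lines at the end, and end every remaining line with CRLF. This is why
    a forwarder that re-wraps whitespace does not break the seal."""
    lines = [re.sub(r"[ \t]+", " ", ln).rstrip(" ")
             for ln in body.replace("\r\n", "\n").split("\n")]
    while lines and lines[-1] == "":
        lines.pop()
    return "".join(ln + "\r\n" for ln in lines).encode()


def body_hash(body: str) -> str:
    """The bh= tag value: base64(SHA-256(canonical body))."""
    return base64.b64encode(hashlib.sha256(canonicalize_body_relaxed(body)).digest()).decode()


def split_message(raw: str):
    """Split an RFC 5322 message into (header lines, body) at the first blank line."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    return head.split("\n"), body


def parse_dkim_tags(header_value: str) -> dict:
    """Parse the 'tag=value; tag=value' list; whitespace inside values is
    insignificant (headers get folded in transit), so it is removed."""
    tags = {}
    for part in header_value.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip()] = re.sub(r"\s+", "", v)
    return tags


def attach_body_hash(headers: str, body: str, domain="example.com", selector="s1") -> str:
    """What the sending server does for the body part of the seal: compute bh=
    and prepend a DKIM-Signature header. b= (the public-key signature over the
    listed headers and bh=) is left empty here; that half needs the private key
    and is outside this example. Selector 's1' is an assumed name."""
    sig = (f"DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d={domain}; s={selector};"
           f" h=from:to:subject; bh={body_hash(body)}; b=")
    return f"{sig}\n{headers}\n\n{body}"


def verify_body_hash(raw: str) -> bool:
    """Receiver side: recompute bh= over the body as received and compare.
    A message with no DKIM-Signature at all returns False (nothing to verify)."""
    header_lines, body = split_message(raw)
    for line in header_lines:
        if line.lower().startswith("dkim-signature:"):
            tags = parse_dkim_tags(line.split(":", 1)[1])
            return tags.get("bh") == body_hash(body)
    return False


def tamper_body(raw: str, old: str, new: str) -> str:
    """Simulate an in-transit edit to the body only, leaving the headers as sent."""
    header_lines, body = split_message(raw)
    return "\n".join(header_lines) + "\n\n" + body.replace(old, new)


if __name__ == "__main__":
    signed = attach_body_hash(SAMPLE_HEADERS, SAMPLE_BODY)
    print("as sent:", verify_body_hash(signed))
    print("account number changed:", verify_body_hash(tamper_body(signed, "12345", "99999")))
    print("whitespace-only change:", verify_body_hash(tamper_body(signed, "Thanks,", "Thanks,   ")))
```

The whitespace case is the point of relaxed canonicalisation: trailing spaces added by a relay leave the hash unchanged, while swapping the account number in an invoice does not.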
3. 📋 Publish DMARC — The Rulebook
DMARC (Domain-based Message Authentication, Reporting and Conformance) is the rulebook that tells receiving mail servers what to do when an email fails both SPF and DKIM: quarantine it, reject it, or just report on it. It adds the piece SPF and DKIM lack, alignment: the domain in the visible From line must match the domain that passed SPF or the domain that signed with DKIM. It also asks receivers to send you aggregate reports, typically once a day, showing every server that sent mail using your domain and whether it passed.
🔧 Quick Win: One TXT record at _dmarc.yourdomain publishes your policy; include a rua= address or no reports will ever arrive. Reports from the large providers start flowing within about 24 hours.
4. 🐢 Start in Monitor Mode, Then Tighten the Lock
This is the step most businesses skip, and it's the one that actually stops spoofing. Run DMARC in monitor mode (p=none) for 2 to 4 weeks to see who's sending email as you, and fix SPF and DKIM for every legitimate source you find. Then move to p=quarantine, optionally with pct= to apply the policy to a fraction of mail first. Finally, p=reject. Set sp= as well so your subdomains don't stay open. Going straight to reject without monitoring means receivers will refuse legitimate mail from every sender you forgot, the day you turn it on.
🔧 Quick Win: 3 stages, 4 to 8 weeks total. By the end, receivers that honour DMARC refuse mail that spoofs your exact domain, and your real emails still land where they should. Lookalike domains (a registration one letter off from yours) are a separate problem that DMARC does not address.
5. 📨 Actually Read the DMARC Reports
Aggregate reports arrive from each receiving provider, usually once a day, and list every server that sent email as you, how many messages it sent, and whether they passed. They're how you discover the marketing tool somebody set up 2 years ago and forgot to add to SPF, which shows up as an IP whose SPF passes for the vendor's own bounce domain but not for yours, or the attacker probing your domain at 3 AM, which shows up as an IP that passes nothing. Without somebody reading them, you're flying blind.
🔧 Quick Win: Use a DMARC parsing service or a dedicated mailbox; the raw reports are zipped XML, so a parser is far more practical than reading them by eye. ~10 minutes a week is enough to stay ahead of the vast majority of issues.
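An added example covering steps 3 to 5 together (not code from this article's author or any DMARC vendor): a parser for the _dmarc record that applies the RFC 7489 defaults (sp= falls back to p=, pct= to 100) and rejects records receivers would ignore, plus a reader for the aggregate reports that labels each sending server as aligned, an unaligned vendor, or unauthorised. The report is constructed by hand in the standard XML layout; the IP addresses and vendor name are fictional. Real reports arrive as zipped XML attachments, so unpack the file and feed it to the same function.

```python
import xml.etree.ElementTree as ET


def parse_dmarc_record(txt: str) -> dict:
    """Parse a _dmarc TXT record into tags, apply the RFC 7489 defaults, and
    reject the mistakes that make receivers ignore the record entirely."""
    parts = [p.strip() for p in txt.split(";") if p.strip()]
    if not parts or parts[0].replace(" ", "") != "v=DMARC1":
        raise ValueError("record must begin with v=DMARC1")
    rec = {k.strip(): v.strip() for k, v in (p.split("=", 1) for p in parts)}
    if rec.get("p") not in ("none", "quarantine", "reject"):
        raise ValueError("p= is required and must be none, quarantine or reject")
    rec.setdefault("sp", rec["p"])       # subdomains inherit p= unless sp= is set
    rec.setdefault("pct", "100")         # policy applies to all mail unless pct= lowers it
    rec.setdefault("adkim", "r")         # relaxed alignment: subdomains of the From domain count
    rec.setdefault("aspf", "r")
    if not 0 <= int(rec["pct"]) <= 100:
        raise ValueError("pct= must be between 0 and 100")
    return rec


# Constructed aggregate (rua) report in the RFC 7489 Appendix C XML layout.
# Sources use RFC 5737 documentation addresses; the vendor name is invented.
SAMPLE_REPORT = """<feedback>
  <report_metadata><org_name>receiver.example</org_name><report_id>1</report_id>
    <date_range><begin>1700000000</begin><end>1700086400</end></date_range></report_metadata>
  <policy_published><domain>example.com</domain><adkim>r</adkim><aspf>r</aspf>
    <p>none</p><sp>none</sp><pct>100</pct></policy_published>
  <record>
    <row><source_ip>192.0.2.10</source_ip><count>12</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results><dkim><domain>example.com</domain><selector>s1</selector><result>pass</result></dkim>
      <spf><domain>example.com</domain><result>pass</result></spf></auth_results>
  </record>
  <record>
    <row><source_ip>198.51.100.7</source_ip><count>40</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results><spf><domain>bounce.newsletter-vendor.example</domain><result>pass</result></spf></auth_results>
  </record>
  <record>
    <row><source_ip>203.0.113.99</source_ip><count>150</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results><spf><domain>example.com</domain><result>fail</result></spf></auth_results>
  </record>
</feedback>
"""


def summarize_report(xml_text: str) -> list:
    """One row per sending source: message count, whether DMARC passed (aligned
    DKIM or aligned SPF), and the raw SPF/DKIM verdicts behind that."""
    root = ET.fromstring(xml_text)
    rows = []
    for rec in root.findall("record"):
        row, ev = rec.find("row"), rec.find("row/policy_evaluated")
        spf, dkim = rec.find("auth_results/spf"), rec.find("auth_results/dkim")
        rows.append({
            "source_ip": row.findtext("source_ip"),
            "count": int(row.findtext("count")),
            "dmarc_pass": "pass" in (ev.findtext("dkim"), ev.findtext("spf")),
            "spf_domain": spf.findtext("domain") if spf is not None else None,
            "spf_result": spf.findtext("result") if spf is not None else "none",
            "dkim_result": dkim.findtext("result") if dkim is not None else "none",
        })
    return rows


def classify(row: dict, our_domain: str) -> str:
    """Triage one source. SPF passing for a different domain is the classic
    forgotten vendor: it sends with its own bounce address, so SPF is valid but
    not aligned with our From line (fix: add it to SPF or give it a DKIM key).
    SPF failing for our own domain means nobody authorised that server."""
    if row["dmarc_pass"]:
        return "aligned"
    if row["spf_result"] == "pass" and row["spf_domain"] != our_domain:
        return "unaligned vendor"
    return "unauthorised"


def triage(xml_text: str) -> dict:
    """Map each source IP in a report to its triage label."""
    our_domain = ET.fromstring(xml_text).findtext("policy_published/domain")
    return {r["source_ip"]: classify(r, our_domain) for r in summarize_report(xml_text)}


if __name__ == "__main__":
    print(parse_dmarc_record("v=DMARC1; p=none; rua=mailto:dmarc@example.com"))
    for r in summarize_report(SAMPLE_REPORT):
        print(r["source_ip"], r["count"], "pass" if r["dmarc_pass"] else "FAIL")
    print(triage(SAMPLE_REPORT))
```

Read the output the way you would read a real report: the aligned source is your mail platform, the unaligned vendor is what you add to SPF or DKIM before tightening the policy, and the unauthorised source is what p=reject will finally stop.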
📋 The Honest Take
SPF, DKIM, and DMARC aren't new. They aren't complicated. They aren't expensive. They are, however, missing or misconfigured at most small businesses we audit — usually because the original setup was done in a hurry, or a vendor was added later and SPF was never updated.
If your domain has no DMARC record, or it is still sitting at p=none, attackers can spoof your exact domain today, and you'd never know.
🔎 Want a Second Pair of Eyes on Your Email Security?
That's exactly what a VanTech IT Audit is for.
We'll run a 10-point review of your current setup — including SPF, DKIM, DMARC, and the rest of your security stack — and give you a plain-English report of where you stand. No jargon, no upsell pressure, usually delivered in under a week.
👉 If you'd like us to check your security, contact us for an IT audit. 10-point checklist. Usually completed in 5 business days. Obligation-free.