DMARC: The Email Security Standard You Can’t Afford to Ignore

Authors: Dot and Dash
February 10, 2026
TL;DR

And why “we’ve already got SPF and DKIM” is not the flex you think it is.

Dot. Dash. Delivered.
Or… impersonated, forwarded, spoofed, and used to rinse your finance team.

Let’s say the hard thing to say early:

Most cyberattacks don’t start with hackers.
They start with emails that look like they came from you.

And the reason that still works in 2026?
Because a shocking number of businesses still haven’t implemented DMARC properly, or at all.

This guide is your no-nonsense, business-grade explanation of DMARC, written for people who:

  • Care about trust
  • Send invoices
  • Like their reputation intact
  • Don’t enjoy awkward breach conversations

No fluff. No vendor theatre.
Just clarity, consequences, and control.

What This Guide Covers (AKA: Why This Is the DMARC Page)

This is the central hub for understanding DMARC properly.
In this guide, you’ll learn:

  • What DMARC actually is (in plain English)
  • Why email spoofing is still rampant
  • The real-world business pain DMARC solves
  • How DMARC works with SPF and DKIM
  • DMARC requirements for modern businesses
  • DMARC policy types explained (none, quarantine, reject)
  • Common myths and costly mistakes
  • Why DMARC now affects email deliverability, compliance, and insurance
  • What “good” looks like in 2026 and beyond

If you want tactical deep dives, we’ll point you to those too.
This is your mothership.

The Email Security Problem Nobody Wants to Own

Email is still:

  • The #1 attack entry point
  • The easiest way to impersonate a brand
  • The quietest way to steal money

Let’s ground this in uncomfortable reality:

  • Over 90% of breaches start with email
  • Phishing and impersonation dominate incident reports
  • Business Email Compromise (BEC) has caused tens of billions in losses globally
  • Most victims were not “hacked” – they were deceived

Here’s the kicker:

You don’t need weak systems to be abused.
You just need a domain without DMARC.

Attackers don’t care how secure your infrastructure is if they can simply pretend to be you.

What Is DMARC (Without the Buzzwords)

DMARC stands for Domain-based Message Authentication, Reporting & Conformance.

Ignore the acronym for now. Focus on the function.

DMARC tells the internet:

  • Who is allowed to send email as your domain
  • How to treat emails that fail authentication
  • Where to send reports about impersonation attempts

Think of DMARC as:

A bouncer for your domain’s identity
Clipboard. Earpiece. Rules. Zero tolerance for fakes.

Without DMARC:

  • Anyone can spoof your domain
  • Email providers guess what to do
  • Your brand gets dragged into scams you didn’t run

With DMARC:

  • You define the rules
  • Receivers enforce them
  • Attackers move on to easier targets

How DMARC Works (And Why SPF & DKIM Alone Aren’t Enough)

DMARC sits on top of two older controls:

SPF – Sender Policy Framework

SPF answers:

“Is this server allowed to send email for this domain?”

It’s a DNS record listing the servers approved to send for the domain (DNS, the Domain Name System, is the directory that maps human-readable domain names such as xyz.com to machine-readable IP addresses such as 192.0.2.1).

The problem?

  • It breaks with forwarding
  • It checks the envelope sender, not the visible “From”
  • It doesn’t stop brand spoofing on its own

DKIM – DomainKeys Identified Mail

DKIM cryptographically signs emails to prove:

“This email wasn’t altered and came from this domain.”

The problem?

  • It doesn’t tell receivers what to do if checks fail
  • It doesn’t enforce brand alignment by itself

DMARC – The Missing Brain

DMARC:

  • Links SPF and DKIM together
  • Enforces alignment with the visible sender
  • Applies a policy when checks fail
  • Sends reports so you can see what’s happening

Without DMARC, SPF and DKIM are polite suggestions.
With DMARC, they become rules.

Want to understand the technical differences in detail? Read our full breakdown: DMARC vs SPF vs DKIM: What They Do, How They Work, and Why You Need All Three.
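As an added illustration (not code from the article or from Morse), here is how a receiving server combines the SPF and DKIM results with alignment to the visible From: domain to reach a DMARC verdict. The message dicts are constructed samples, the domains are placeholders, and the organisational-domain logic is deliberately simplified.

```python
# Added example (not the article's code): how a receiver combines SPF and
# DKIM results with identifier alignment to reach a DMARC verdict. The
# message dicts are constructed samples; the org-domain logic is simplified.

def org_domain(domain: str) -> str:
    # Assumption: the last two labels form the organisational domain.
    # Real evaluators consult the Public Suffix List (needed for .co.uk etc.).
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])

def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """mode 's' (strict): exact match; 'r' (relaxed): same organisational domain."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)

def dmarc_verdict(msg: dict, aspf: str = "r", adkim: str = "r") -> dict:
    """DMARC passes if SPF or DKIM passes AND that identifier aligns with From:."""
    frm = msg["header_from"]
    spf_aligned = msg["spf"] == "pass" and aligned(frm, msg["mail_from"], aspf)
    dkim_aligned = msg["dkim"] == "pass" and aligned(frm, msg["dkim_d"], adkim)
    return {"spf_aligned": spf_aligned, "dkim_aligned": dkim_aligned,
            "dmarc": "pass" if (spf_aligned or dkim_aligned) else "fail"}

# Constructed sample messages (not real traffic)
DIRECT = {"header_from": "example.net", "mail_from": "bounce.example.net",
          "spf": "pass", "dkim_d": "example.net", "dkim": "pass"}
# Forwarded: the forwarder's IP is not in our SPF, but the DKIM signature survives
FORWARDED = {"header_from": "example.net", "mail_from": "bounce.example.net",
             "spf": "fail", "dkim_d": "example.net", "dkim": "pass"}
# Unaligned: SPF and DKIM both pass for the sending domain, but neither matches
# the visible From:, which SPF and DKIM on their own never check
UNALIGNED = {"header_from": "example.net", "mail_from": "other-sender.example",
             "spf": "pass", "dkim_d": "other-sender.example", "dkim": "pass"}

if __name__ == "__main__":
    for name, m in (("direct", DIRECT), ("forwarded", FORWARDED), ("unaligned", UNALIGNED)):
        print(name, dmarc_verdict(m))
```

The forwarded case is why DKIM matters alongside SPF, and the unaligned case is why SPF and DKIM alone do not stop brand spoofing.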

The Real Pain of Not Having DMARC

We can’t pretend it’s only theoretical anymore.

If DMARC is missing or toothless, you’re exposed to:

1. Domain Spoofing

Attackers send emails from your domain without touching your systems.

To clients, it looks legitimate.
To you, it’s invisible… until money vanishes.

2. Invoice & Payment Fraud

The greatest hits:

  • “Updated bank details”
  • “Urgent payment”
  • “I’m in a meeting, just do it”

One distracted click.
One expensive lesson.

3. Brand Damage You Didn’t Authorise

Even if nobody falls for it:

  • Customers receive fake emails “from you”
  • Trust erodes
  • You look sloppy by association

Reputation doesn’t care about technical nuance. It takes ages to build and just one spoof attack to ruin. Forever.

4. Email Deliverability Problems

Here’s the irony:

Domains without DMARC often see:

  • Legitimate emails in spam
  • Marketing campaigns throttled
  • Password resets delayed

Email providers trust domains that prove identity.

5. Compliance & Insurance Pressure

Increasingly:

  • Cyber insurers ask about DMARC
  • Regulators expect it
  • Enterprise clients require it

“Planned for Q4” doesn’t count.

DMARC Policies Explained (This Is Where Most People Freeze)

DMARC gives you three enforcement options:

p=none – Monitoring Only

  • Collects reports
  • No blocking
  • No protection

Useful as a temporary step.
Useless as a destination.

This is CCTV without a TV.

p=quarantine – Soft Enforcement

  • Failing emails go to spam
  • Reduces spoofing
  • Lower risk during transition

A sensible middle ground.

p=reject – Full Enforcement

  • Failing emails are blocked outright
  • Spoofing stops dead
  • Brand fully protected

This is the goal.
Anything less is unfinished work.

For a comprehensive guide on choosing and implementing the right policy for your business, see: DMARC policy types explained: none vs quarantine vs reject.

DMARC Requirements (What Morse Actually Does For You)

To implement DMARC properly, you need:

1. Clean SPF Records

  • Only approved senders
  • No bloated includes
  • DNS lookup limits respected

2. DKIM Everywhere

Every system sending email as your domain must:

  • DKIM-sign messages
  • Use aligned domains

This includes:

  • Microsoft 365 / Google Workspace
  • CRMs
  • Marketing platforms
  • Ticketing systems
  • Finance tools
  • “That thing no one documented”

Platform-specific setup guides: DMARC for Microsoft 365, Google Workspace, and macOS.

3. A Proper DMARC Record

Published at:

_dmarc.yourdomain.co.uk

Including:

  • Policy
  • Reporting addresses
  • Alignment rules
  • Subdomain handling
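To make those four requirements concrete, here is an added example (not the article's or Morse's own tooling) that parses a DMARC TXT record and flags the weak settings discussed above: the policy, missing reporting addresses, a weaker subdomain policy, and partial pct. The two records are constructed samples and nothing is fetched from DNS.

```python
# Added example (not the article's code): parse the TXT record published at
# _dmarc.<domain> and flag the weak settings the article warns about. The two
# records below are constructed samples; nothing is fetched from DNS here.

POLICY_RANK = {"none": 0, "quarantine": 1, "reject": 2}

def parse_dmarc(txt: str) -> dict:
    """Split 'tag=value; tag=value' into a dict (tag names are case-insensitive)."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def posture_findings(txt: str) -> list:
    """Return human-readable findings; an empty list means nothing to fix."""
    t = parse_dmarc(txt)
    if t.get("v") != "DMARC1":
        return ["not a DMARC record: v=DMARC1 tag missing or wrong"]
    findings = []
    p = t.get("p")
    if p not in POLICY_RANK:
        findings.append("policy tag p= missing or invalid")
        p = "none"
    elif p == "none":
        findings.append("p=none: reports only, failing mail is not blocked")
    elif p == "quarantine":
        findings.append("p=quarantine: soft enforcement, p=reject is the destination")
    if "rua" not in t:
        findings.append("no rua= address: aggregate reports go nowhere")
    sp = t.get("sp", p)              # subdomain policy defaults to p
    if POLICY_RANK.get(sp, 0) < POLICY_RANK[p]:
        findings.append(f"sp={sp}: subdomains get a weaker policy than the domain")
    pct = t.get("pct", "100")
    if not pct.isdigit() or int(pct) < 100:
        findings.append(f"pct={pct}: policy applied to only part of failing mail")
    return findings

# Constructed samples: the record most domains are stuck on, and the target
WEAK_RECORD = "v=DMARC1; p=none"
FIXED_RECORD = ("v=DMARC1; p=reject; sp=reject; pct=100; adkim=r; aspf=r; "
                "rua=mailto:dmarc-reports@example.net")

if __name__ == "__main__":
    for record in (WEAK_RECORD, FIXED_RECORD):
        print(record, "->", posture_findings(record) or ["no findings"])
```

In practice the record text comes from a TXT lookup of _dmarc.yourdomain.co.uk; pass that string to posture_findings.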

4. Ongoing Monitoring

DMARC is not set-and-forget.

Your email ecosystem changes.
Your DMARC posture must keep up.

DMARC Reporting: The Bit Everyone Avoids (And Shouldn’t)

DMARC reports:

  • Arrive daily
  • Come as XML
  • Look hostile

Inside them is gold:

  • Who’s sending as you
  • Who’s failing
  • Who’s spoofing
  • What’s misconfigured

Handled properly, DMARC reports:

  • Improve security
  • Improve deliverability
  • Reveal shadow IT

Ignored, they’re just noise.

We’ve created a practical guide: How to read DMARC reports without losing the will to live.
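As an added example (not the article's guide or Morse's tooling), the following reads a DMARC aggregate report and answers the questions above: who is sending as you, who is failing, and what the receiver did about it. The XML is a constructed, minimal sample in the aggregate-report format; the IPs and domains are placeholders.

```python
# Added example (not from the article): summarise a DMARC aggregate (rua)
# report so "who's sending as you / who's failing" gets a concrete answer.
# The XML below is a constructed minimal sample in the aggregate-report schema.
import xml.etree.ElementTree as ET

SAMPLE_REPORT = """<feedback>
 <report_metadata><org_name>receiver.example</org_name><report_id>1</report_id></report_metadata>
 <policy_published><domain>example.net</domain><p>none</p></policy_published>
 <record><row><source_ip>192.0.2.10</source_ip><count>120</count>
  <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
  <identifiers><header_from>example.net</header_from></identifiers></record>
 <record><row><source_ip>198.51.100.7</source_ip><count>35</count>
  <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
  <identifiers><header_from>example.net</header_from></identifiers></record>
 <record><row><source_ip>203.0.113.5</source_ip><count>8</count>
  <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>fail</spf></policy_evaluated></row>
  <identifiers><header_from>example.net</header_from></identifiers></record>
</feedback>"""

def summarise_report(xml_text: str) -> dict:
    """Label each sending source by its aligned SPF/DKIM results and total the failures."""
    root = ET.fromstring(xml_text)
    sources = []
    for rec in root.findall("record"):
        row = rec.find("row")
        dkim = row.findtext("policy_evaluated/dkim")   # aligned DKIM result
        spf = row.findtext("policy_evaluated/spf")     # aligned SPF result
        if dkim == "pass" and spf == "pass":
            label = "authenticated"
        elif dkim == "pass":
            label = "dkim-only (typical of forwarding or an SPF gap)"
        elif spf == "pass":
            label = "spf-only (DKIM missing or misconfigured)"
        else:
            label = "unauthenticated (spoofing or an undocumented sender)"
        sources.append({"source_ip": row.findtext("source_ip"),
                        "count": int(row.findtext("count")),
                        "disposition": row.findtext("policy_evaluated/disposition"),
                        "label": label})
    failing = sum(s["count"] for s in sources if s["label"].startswith("unauthenticated"))
    return {"published_policy": root.findtext("policy_published/p"),
            "sources": sources, "unauthenticated_messages": failing}

if __name__ == "__main__":
    for src in summarise_report(SAMPLE_REPORT)["sources"]:
        print(src["source_ip"], src["count"], src["disposition"], src["label"])
```

With the published policy at p=none, note that the 35 unauthenticated messages still show disposition none: the report reveals the abuse but nothing was blocked.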

Common DMARC Myths (Let’s Kill These)

“We’re too small to be targeted”
Attackers target weak domains, not famous ones.

“We already have SPF and DKIM”
That’s half a seatbelt.

“DMARC will break our email”
Only if you rush it or don’t understand your senders.

Learn how to avoid the most common pitfalls: Common DMARC mistakes that break legitimate email.

“This is just an IT issue”
Nope. It’s a revenue protection control.

Why DMARC Matters Even More in 2026

Email providers are done asking nicely.

Modern mail ecosystems:

  • Penalise domains without DMARC
  • Expect enforcement
  • Trust authenticated senders more

Meanwhile, AI-generated phishing is:

  • Contextual
  • Well-written
  • Timed perfectly
  • Frighteningly convincing

Insurers are paying attention too: Email authentication and cyber insurance requirements.

Your domain is either:

  • Verified and protected
  • Or a costume attackers can wear

Want to Go Deeper? (Cluster Content Hub)

This pillar connects to deeper dives on:

Each of those has its own article.
Feel free to dive in.

The Morse Take

DMARC isn’t advanced security.
It’s baseline adult supervision for email.

If your business:

  • Sends email
  • Takes payments
  • Values trust
  • Wants fewer “how did this happen?” moments

Then DMARC isn’t optional.

At Morse, we treat DMARC like locking the door before debating alarm brands.

Dot and Dash would roast you for ignoring it —
but they’d much rather help you fix it properly.

Next Step: Check Your DMARC Posture

If you’re unsure whether your domain is:

  • Missing DMARC
  • Misconfigured
  • Stuck in p=none
  • Quietly being abused

That’s not a failure.
It’s just unfinished work.

Run a DMARC health check.
See who’s sending as you.
Fix it before someone else exploits it.

Dot. Dash. Done — properly.

How Spoofable Is Your Domain, Really?
This is not a technical audit. It’s a risk posture assessment.