One of the easiest ways to put yourself at risk of losing your data is to use email. No, seriously — the sheer number of businesses that face data breaches or get hacked because of an email phishing scam is staggering. So why do we still use email, then? Why not just use a more secure mode of communication that does the same job, only with better security?

It’s simple: email is incredibly convenient and everyone uses it. Pretty much every organization out there uses email either for communication or marketing. Email is integral to how business works. But the biggest flaw of email is something that’s unavoidable: it requires humans to interact with it. When people open emails, they read the contents, click on links, or even enter personal information. And because we don’t have the time or ability to carefully scrutinize every email, there’s a chance that one of them ends up being a phishing attack.

Attackers impersonate well-known, trusted brands to send emails to unsuspecting individuals. This is called domain spoofing. The recipients believe the messages to be genuine and click on malicious links or enter their login information, putting themselves at the attacker’s mercy. As long as these phishing emails continue entering people’s inboxes, email won’t be totally safe to use.

How Does DMARC Make Email Secure?

DMARC (Domain-based Message Authentication, Reporting and Conformance) is an email authentication protocol designed to combat domain spoofing. It uses two existing security protocols—SPF and DKIM—to protect users from receiving fraudulent email. When an organization sends email through their domain, the receiving email server checks their DNS for a DMARC record. The server then validates the email against SPF and DKIM. If the email successfully authenticates, it gets delivered to the destination inbox.




Only authorized senders are validated through SPF and DKIM, which means if someone tried to spoof their domain, the email would fail DMARC authentication. If that happens, the DMARC policy set by the domain owner tells the receiving server how to handle the email.

What is a DMARC Policy?

When implementing DMARC, the domain owner can set their DMARC policy, which tells the receiving email server what to do with an email that fails DMARC. There are 3 policies:

  • p=none
  • p=quarantine
  • p=reject

If your DMARC policy is set to none, even emails that don’t pass DMARC get delivered to the inbox. This is almost like not having a DMARC implementation at all. Your policy should only be set to none when you’re just setting up DMARC and want to monitor the activity in your domain.

Setting your DMARC policy to quarantine sends the email to the spam folder, while reject outright blocks the email from the receiver’s inbox. You need to have your DMARC policy set to either p=quarantine or p=reject in order to have full enforcement. Without enforcing DMARC, users receiving your emails will still receive emails from unauthorized senders spoofing your domain.
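The policy handling described above, as an added example (not code from the original article): a small Python check that parses a published DMARC record, reports what a receiver honouring the policy does with a message, and flags records that are not enforcing. The domain example.com, the sample records and the function names are constructed for illustration; the rua tag is the standard DMARC tag for the aggregate-report address.

```python
POLICY_ACTION = {"none": "deliver", "quarantine": "spam-folder", "reject": "block"}

def parse_dmarc_record(txt):
    """Split a DMARC TXT record into tags; raise ValueError if it is unusable."""
    tags = {}
    for part in txt.split(";"):
        if not part.strip():
            continue
        name, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"malformed tag: {part.strip()!r}")
        tags[name.strip().lower()] = value.strip()  # tolerates "p = reject"
    if next(iter(tags), None) != "v" or tags["v"] != "DMARC1":
        raise ValueError("record must start with v=DMARC1")
    if tags.get("p", "").lower() not in POLICY_ACTION:
        raise ValueError("missing or unknown p= policy")
    tags["p"] = tags["p"].lower()
    return tags

def disposition(record_txt, spf_aligned, dkim_aligned):
    """Action a receiver honouring the policy takes for one message."""
    # DMARC passes when SPF or DKIM passes for the domain in the From header.
    if spf_aligned or dkim_aligned:
        return "deliver"
    return POLICY_ACTION[parse_dmarc_record(record_txt)["p"]]

def audit(record_txt):
    """Defender's check: list the gaps in a published record."""
    tags = parse_dmarc_record(record_txt)
    findings = []
    if tags["p"] == "none":
        findings.append("p=none: monitoring only, spoofed mail is still delivered")
    if "rua" not in tags:
        findings.append("no rua= address: aggregate reports are not being collected")
    return findings

# Constructed sample records for the placeholder domain example.com
MONITOR = "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com"
ENFORCED = "v=DMARC1; p = reject; rua=mailto:dmarc-reports@example.com"

if __name__ == "__main__":
    for rec in (MONITOR, ENFORCED):
        # Both authentication checks failed: this is the spoofed-message case.
        print(rec, "->", disposition(rec, False, False), audit(rec))
```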

But all of this raises an important question. Why doesn’t everyone just use SPF and DKIM to verify their emails? Why bother with DMARC at all? The answer to that is…

DMARC Reporting

If there’s one key shortcoming of SPF and DKIM, it’s that they don’t give you feedback on how emails are being processed. When an email from your domain fails SPF or DKIM, there’s really no way to tell, and no way to fix the issue. If someone’s trying to spoof your domain, you wouldn’t even know about it.


That’s what makes DMARC’s reporting feature such a game-changer. DMARC sends weekly Aggregate Reports to the email address the domain owner specifies. These reports contain detailed information about which emails failed authentication, which IP addresses they were sent from, and lots more useful, actionable data. Having all this information can help the domain owner see which emails are failing to authenticate and why, and even identify spoofing attempts.
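How such a report can be triaged, as an added example (not code from the original article): a Python summary of an aggregate report that groups sending IP addresses by whether both, one, or neither of the DKIM and SPF results passed. The report below is a constructed sample using the standard aggregate-report element names, documentation IP ranges and the placeholder domain example.com.

```python
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sample report (documentation IP ranges, placeholder domain).
SAMPLE_REPORT = """<feedback>
 <policy_published><domain>example.com</domain><p>none</p></policy_published>
 <record><row><source_ip>192.0.2.10</source_ip><count>120</count>
  <policy_evaluated><disposition>none</disposition>
   <dkim>pass</dkim><spf>pass</spf></policy_evaluated></row></record>
 <record><row><source_ip>198.51.100.7</source_ip><count>14</count>
  <policy_evaluated><disposition>none</disposition>
   <dkim>fail</dkim><spf>pass</spf></policy_evaluated></row></record>
 <record><row><source_ip>203.0.113.55</source_ip><count>37</count>
  <policy_evaluated><disposition>none</disposition>
   <dkim>fail</dkim><spf>fail</spf></policy_evaluated></row></record>
 <record><row><source_ip>203.0.113.55</source_ip><count>5</count>
  <policy_evaluated><disposition>none</disposition>
   <dkim>fail</dkim><spf>fail</spf></policy_evaluated></row></record>
</feedback>"""

def summarize(report_xml):
    """Group message counts per source IP by how many DMARC checks passed."""
    # Reports come from outside parties: in production, parse with a hardened
    # XML parser and cap the input size before this step.
    root = ET.fromstring(report_xml)
    buckets = {"pass": Counter(), "partial": Counter(), "fail": Counter()}
    for row in root.iter("row"):
        evaluated = row.find("policy_evaluated")
        if evaluated is None:
            continue  # skip rows without an evaluation result
        passed = [evaluated.findtext("dkim"), evaluated.findtext("spf")].count("pass")
        bucket = ("fail", "partial", "pass")[passed]
        buckets[bucket][row.findtext("source_ip")] += int(row.findtext("count"))
    return {name: dict(counts) for name, counts in buckets.items()}

if __name__ == "__main__":
    result = summarize(SAMPLE_REPORT)
    # Neither check passed: an unauthorized sender or a spoofing attempt.
    print("both failed:", result["fail"])
    # One check failed but DMARC still passed: fix that sender's SPF or DKIM.
    print("one failed:", result["partial"])
```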

So far, it’s pretty clear that DMARC benefits email recipients by protecting them from unauthorized phishing emails. But it’s the domain owners that are implementing it. What advantage do organizations get when they deploy DMARC?

DMARC For Brand Safety

Although DMARC wasn’t created with this purpose, there’s one major advantage organizations stand to gain by implementing it: brand protection. When an attacker impersonates a brand to send malicious emails, they’re effectively co-opting the brand’s popularity and goodwill to peddle a scam. In a survey conducted by the IBID Group, 83% of customers said that they’re concerned about purchasing from a company that was previously breached.

The intangible elements of a transaction can often be as powerful as any hard data. Consumers put a lot of trust in the organizations they buy from, and if these brands become the face of a phishing scam, they stand to lose not only the customers who got phished, but many others who heard about it in the news. Brand safety is fragile, and must be guarded for the sake of the business and the customer.




DMARC enables brands to take back control of who gets to send emails through their domain. By shutting out unauthorized senders from exploiting them, organizations can ensure only safe, legitimate emails go out to the public. This not only boosts their domain’s reputation with email providers, but it also goes a long way in ensuring a relationship built on trust and reliability between the brand and consumers.

DMARC: Making Email Safe for Everyone

DMARC’s purpose has always been greater than helping brands safeguard their domains. When everyone adopts DMARC, it creates an entire email ecosystem inoculated against phishing attacks. It works exactly like a vaccine — the more people that enforce the standard, the smaller the chances of everyone else falling prey to fake emails. With each domain that gets DMARC-protected, email as a whole becomes that much safer.

By making email safe for ourselves, we can help everyone else use it more freely. And we think that’s a standard worth upholding.


According to the 2019 Cost of Data Breach Report, from Ponemon Institute and IBM Security, the global average cost of a data breach is $3.92 million!

This cyberattack business is a lucrative one. 

In fact, Business Email Compromise generates higher ROI than any other cyberattack. The 2019 Internet Crime Report recorded losses of over $1.7 billion from it.

Cybersecurity measures and protocols are crucial to business continuity now more than ever.

According to the Verizon 2019 Data Breach Investigations Report, 94% of malware was delivered by email.

Enter Domain-based Message Authentication, Reporting, and Conformance (DMARC). 

Yes, it’s quite a mouthful. But the time to protect your business email is now.

What is DMARC? DMARC is a relatively new technology. It’s a technical validation policy that’s set to help protect email senders and receivers from all email spam.


DMARC is a solution that builds on both the Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM) solutions. This technology allows your organisation to publish a specific security policy around your email authentication processes and then instructs your mail server on how to enforce them.


DMARC has three main policy settings: 

  • Monitor policy – p=none. This policy means that no action will be taken in the light of failing the DMARC checks.
  • Quarantine policy – p=quarantine. This policy means that all emails that fail your DMARC check need to be treated as suspicious. This could see some emails landing in your spam folder.
  • Reject policy – p=reject. This policy is set up to reject all emails that do not pass your DMARC checks.

The ways these policies are set up is entirely up to your organisation and how you want to handle unauthenticated emails.

According to the 2019 Global DMARC Adoption Report, only 20.3% of domains are publishing some level of DMARC policy. Of that, only 6.1% have a reject policy in place.

Why is DMARC important for your business?

At this point, you’re wondering if you really need DMARC if you already have SPF and DKIM.

The short answer is yes.

But there’s more…

As of 2019, there were over 3.9 billion email accounts, and when you consider that 94% of malware attacks occurred through email, it absolutely makes business sense to do your very best to protect your email.

While the corporate uptake of DMARC has been slow, it’s essential to note that digital giants such as Facebook and PayPal have adopted DMARC technology.

  • Reporting. The reporting offered with DMARC allows your organisation greater insights into your email channels. They will help your organisation monitor what emails are being sent and received by your organisation. DMARC reports will give you insights into how your domain is being used and can play a role in developing more robust email communications.
  • Enhanced control. DMARC allows you full control over what emails are being sent from your domain. If email abuse is taking place, you will immediately see it in the report allowing you to correct any authentication issues.

Key Takeaways

We’re living in an era where cyberattacks are every business’s reality.

By not securing your email effectively you are opening your business up to all kinds of vulnerabilities.

Don’t let yours be next.


