Fresh Tech

We Audited Local Firms' Email Security. Most Failed.

Sam James · Jun 15, 2026 · 5 min read
Email security audit of local businesses: SPF, DKIM and DMARC results

We quietly checked dozens of local businesses' email security. Most had no working DMARC, many no DKIM, some no SPF at all, leaving domains wide open to fraud.

TL;DR: We've been quietly checking the email security of local businesses across Shropshire, Herefordshire, Worcestershire and Powys. The results were worse than we expected. The majority had no working DMARC, many were missing DKIM, and some had no SPF at all. In plain terms: criminals could send email pretending to be them, and most had no idea.

Every business email domain relies on three behind-the-scenes settings (SPF, DKIM and DMARC) to prove its messages are genuine. Get them right and nobody can impersonate you. Leave them off and your domain is, technically, an open door. We explain all three in plain English in our guide to email authentication.

What we found

We ran the checks across dozens of local firms, the 5-to-50-person businesses we work with every day. It wasn't pretty:

  • The majority had no working DMARC: the setting that actually blocks impersonation.
  • Many were missing DKIM, the signature that proves a message hasn't been tampered with.
  • Some had no SPF at all: the most basic of the three.
  • Almost none had MTA-STS or DNSSEC, the next layer up.

The most common trap: a DMARC record set to 'monitor only' (p=none). It looks like the box is ticked, but it blocks nothing, and plenty of businesses assumed they were protected.

Why it matters more than it sounds

This isn't a technicality. Wide-open email security is the foundation of two expensive problems:

  • Invoice and CEO fraud. A criminal emails your finance team 'from' the boss or a supplier, asking to change bank details or rush a payment. Because the domain isn't protected, the email is genuinely indistinguishable from the real thing. This is business email compromise, and it costs UK businesses millions every year.
  • Your real email going to spam. The same missing records that let criminals in also tell Microsoft and Google your genuine email looks suspicious, so your quotes and invoices quietly land in junk folders.

Since 2024, Google and Yahoo have required these settings from anyone sending email in volume. The bar has moved, and a lot of businesses (and their IT providers) haven't kept up.

What good looks like

A properly secured domain has SPF listing every legitimate sender, DKIM signing switched on, and DMARC moved past 'monitor only' to actively reject fakes, ideally with MTA-STS and DNSSEC on top. None of it costs much to put right. It mostly takes someone who knows to look, and most businesses have simply never had anyone check. It's also a building block of Cyber Essentials.
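
The 'monitor only' trap and the target state described above can be checked mechanically. The following is an added example, not code from the original article, that grades SPF and DMARC TXT records supplied as strings. The domain names, records and grade labels are constructed for illustration; DKIM is left out because checking it requires knowing the sender's selector.

```python
# Added example: grade SPF and DMARC TXT records offline (all sample records are constructed).

def grade_spf(txt_records):
    """Classify the SPF posture from the TXT records at the domain itself."""
    spf = [r for r in txt_records if r.lower().split()[:1] == ["v=spf1"]]
    if not spf:
        return "missing"
    if len(spf) > 1:
        return "invalid"            # RFC 7208: more than one SPF record is a permerror
    terms = spf[0].lower().split()[1:]
    if "+all" in terms or "all" in terms:
        return "open"               # a bare "all" means "+all": every sender passes
    if "-all" in terms or "~all" in terms:
        return "ok"                 # unlisted senders fail or softfail
    if any(t.startswith("redirect=") for t in terms):
        return "redirect"           # the policy lives in another record; check that one
    return "weak"                   # no fail/softfail default for unlisted senders

def grade_dmarc(txt_records):
    """Classify the DMARC posture from the TXT records at _dmarc.<domain>."""
    dmarc = [r for r in txt_records if r.replace(" ", "").startswith("v=DMARC1")]
    if len(dmarc) != 1:
        return "missing"            # none, or several (several are treated as none)
    tags = {}
    for part in dmarc[0].split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip().lower()
    policy = tags.get("p")
    if policy not in ("none", "quarantine", "reject"):
        return "invalid"
    if policy == "none":
        return "monitor-only"       # the trap: reports are sent, nothing is blocked
    pct = tags.get("pct", "100")
    if pct.isdigit() and int(pct) < 100:
        return "partial"            # policy applies to only a share of failing mail
    return "enforcing"

# Constructed sample domains (not taken from the audit): (domain TXT, _dmarc TXT)
SAMPLES = {
    "no-records.example": ([], []),
    "box-ticked.example": (["v=spf1 mx ~all"], ["v=DMARC1; p=none; rua=mailto:d@box-ticked.example"]),
    "secured.example": (["v=spf1 mx -all"], ["v=DMARC1; p=reject; rua=mailto:d@secured.example"]),
}

def audit(samples=SAMPLES):
    """Return {domain: (spf_grade, dmarc_grade)} for each sample domain."""
    return {d: (grade_spf(s), grade_dmarc(m)) for d, (s, m) in samples.items()}
```

To grade a real domain, pass in the output of `dig +short TXT yourdomain` and `dig +short TXT _dmarc.yourdomain` with the surrounding quotes removed.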

Check your own domain (free)

If you're not sure where your business stands, we'll check it for you and send a plain-English report on exactly what's exposed and what it means. No jargon, no obligation, yours to keep.

Get your free email security check →

Fifteen minutes of your time. It might save you a very bad day.
