How do I know if my business has these set up?

Most owners have no idea - it's invisible until something goes wrong. Run our free email security check and it'll show you exactly what's missing in about 20 seconds.

We already have a DMARC record - are we protected?

Not necessarily. The most common setup is 'p=none', which only sends reports and does nothing to block spoofed mail. We see this constantly. Protection only kicks in once the policy is moved to quarantine or reject, which has to be done carefully.

Will turning this on stop our real emails from sending?

It can if it's rushed - that's exactly why we roll DMARC out in stages and watch the reports first. Done properly, your genuine email keeps flowing and only impersonators get blocked.

Does this stop all spam and phishing?

It stops criminals spoofing your domain, which is a huge win. It doesn't stop a scammer using a lookalike domain or a different address, so we pair it with email filtering, MFA and staff awareness for full coverage.

Is it really that common to be missing this?

Yes. In our local audits, a large share of businesses had no DMARC, and some had no SPF or DKIM at all - often without their current IT provider ever flagging it. It's basic hygiene that's frequently overlooked.

Technology Explained

Email Authentication: SPF, DKIM & DMARC

Here's an uncomfortable fact: unless your domain is set up correctly, anyone in the world can send an email that looks exactly like it came from your business. Same name, same address, no hacking required. SPF, DKIM and DMARC are the three settings that slam that door shut.

Talk to an Expert Call 01584 517 234

What is it?

These are three records that live in your domain's DNS - the public address book for your website and email. Together they prove to the rest of the world that an email genuinely came from you.

SPF (Sender Policy Framework): A list of the mail servers allowed to send email for your domain. If a message comes from anywhere else, it fails the check. Think of it as a guest list on the door.

DKIM (DomainKeys Identified Mail): An invisible, tamper-proof signature added to every email you send. The receiving server checks the signature against a key in your DNS, proving the message is really yours and wasn't altered in transit. Think of it as a wax seal on a letter.

DMARC (Domain-based Message Authentication): The instruction that ties it all together. It tells other email systems what to do when a message fails SPF and DKIM - ignore it, send it to spam, or reject it outright - and it emails you reports on who is sending mail in your name. Think of it as the policy the bouncer actually enforces.

With all three in place and set to enforce, a criminal can no longer send convincing email pretending to be your company. Without them, your domain is effectively unlocked.

Business Benefits

Stops Domain Impersonation

Criminals can't send email that appears to come from your business - the foundation of invoice fraud and CEO scams.

Keeps Email Out of Spam

Properly authenticated mail is trusted by Microsoft, Google and Yahoo, so your genuine emails reach the inbox, not the junk folder.

Protects Your Reputation

Stops scammers using your good name to defraud your customers, suppliers and staff.

Meets Modern Requirements

Since 2024 Google and Yahoo require SPF, DKIM and DMARC from anyone sending email in volume - and it underpins good Cyber Essentials hygiene.

Risks Without It

Anyone Can Spoof You

With no DMARC enforcement, a fraudster can email your finance team 'from' the MD requesting an urgent payment - and it looks completely real.

Invoice & Payment Fraud

Business email compromise relies on spoofed or lookalike domains. Unprotected domains are the easiest target of all.

Your Emails Land in Spam

Missing or broken records tell receiving servers your mail is suspicious, quietly sending quotes and invoices to the junk folder.

A False Sense of Security

Many businesses have a DMARC record stuck on 'p=none' - it reports but blocks nothing. It looks done, but spoofing still gets through.

How Fresh Tech Implements This

We start with a free check of your domain's DNS to see exactly what's in place and what's exposed. Most businesses we look at are missing at least one of the three, and many that have DMARC have it set to monitor-only, which stops nothing.

From there we configure SPF to list every legitimate sender (Microsoft 365, your CRM, your accounts software), switch on DKIM signing, then roll out DMARC carefully - starting in monitoring mode so we don't break your real email, reading the reports, then tightening the policy to quarantine and finally reject. The result is a domain that can't be impersonated and email that reliably reaches the inbox.

This is part of our Cyber Security service and a building block of Cyber Essentials certification. It works hand in hand with phishing defences and multi-factor authentication - and it's your strongest protection against business email compromise.