Email is still the entry point for more than 90% of targeted attacks against UK enterprises. DMARC is the single most effective control to stop attackers from impersonating your domain, yet most organisations either skip it, leave it on p=none, or break their own mail flow trying to reach enforcement. This guide explains how to deploy DMARC properly, the way Orbis Cloud rolls it out for finance, fintech, professional services and pharma clients across London and the wider UK.
Why DMARC Matters for UK Businesses Right Now
Phishing and Business Email Compromise (BEC) cost UK organisations hundreds of millions of pounds every year; the NCSC’s Active Cyber Defence programme and Action Fraud both name BEC as the highest-loss cyber threat to British businesses. The most common attack pattern is brutally simple: the attacker sends an email whose From: header shows your CFO’s address (or your CEO’s, or your bank’s) to your finance team, your suppliers or your customers. Without DMARC, mailbox providers (Gmail, Microsoft 365, Yahoo, BT) have no reliable way to know that the message is fake. They deliver it. Money moves.
DMARC (Domain-based Message Authentication, Reporting & Conformance) closes that gap. It tells receiving mail servers: “Only accept mail claiming to be from my domain if SPF or DKIM passes for a domain that aligns with the visible From: address. Otherwise, reject it and tell me.” Done correctly, DMARC stops direct spoofing of your exact domain at every receiver that honours the policy; what it does not cover is listed further down.
The pressure to deploy it has also become regulatory and commercial:
- Google & Yahoo bulk-sender requirements (in force since 2024) mandate DMARC for any domain sending more than 5,000 messages per day to their users. No DMARC = your marketing and transactional mail bounces.
- NCSC Mail Check guidance, the UK Cyber Essentials Plus scheme and ISO 27001 control A.13.2.3 (Electronic messaging in the 2013 edition; A.5.14 Information transfer in the 2022 edition) all expect authenticated email for organisations handling regulated data, and Mail Check is mandatory for every UK public-sector domain.
- Cyber-insurance underwriters in the UK and EU now check DMARC enforcement before issuing or renewing BEC coverage.
How DMARC Actually Works (in 90 Seconds)
DMARC is a small DNS TXT record that sits on top of two existing standards:
- SPF (Sender Policy Framework) — a DNS record listing which IP addresses are allowed to send mail using your domain. The receiver checks the connecting server’s IP against the SPF record of the envelope sender domain (MAIL FROM / Return-Path), not the visible From: header.
- DKIM (DomainKeys Identified Mail) — a cryptographic signature your sending server adds to outgoing mail. The receiver fetches your public key from DNS and verifies the signature.
At least one of these passing is necessary but not sufficient. DMARC adds two crucial concepts:
- Identifier alignment — the domain in the visible From: header must match the domain that SPF or DKIM authenticated (the envelope MAIL FROM domain for SPF, the d= tag of the signature for DKIM). This is what stops attackers from passing SPF or DKIM with their own domain while spoofing yours in the From line.
- Policy & reporting — you tell receivers what to do with failures (none, quarantine, reject) and where to send aggregate and forensic reports.
The DMARC Record, Anatomised
```
_dmarc.yourcompany.co.uk IN TXT "v=DMARC1; p=reject; rua=mailto:dmarc@yourcompany.co.uk; ruf=mailto:forensics@yourcompany.co.uk; fo=1; adkim=s; aspf=s; pct=100"
```

| Tag | Meaning | Recommended value |
|---|---|---|
| p | Policy on failure | reject (final state) |
| rua | Where aggregate XML reports go | A monitored mailbox or DMARC analytics platform |
| ruf | Forensic (failure) reports; rare, privacy-sensitive, and not sent by Gmail or Microsoft 365 | Optional |
| adkim / aspf | Alignment mode | s (strict) once stable |
| pct | Percentage of failing mail the policy applies to | 100 after ramp-up |
| sp | Policy for subdomains; inherits p when absent | reject |

The record above carries no sp tag on purpose: a missing sp inherits p, so this record already rejects spoofed subdomain mail. Set sp explicitly only when a subdomain genuinely needs a different policy during rollout, and remove it again afterwards.
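The tags above interact in ways that are easy to get wrong (sp inherits p, pct silently weakens reject to quarantine, and a record that does not start with v=DMARC1 is ignored outright). The following parser is an added example for this guide, not Orbis Cloud or EasyDMARC code; it applies the RFC 7489 defaults to a record string and reports the policy a receiver will actually enforce, with warnings for the weak states discussed on this page. The sample records in the demo are constructed.

```python
"""Parse a DMARC TXT record and report the policy a receiver will actually apply.

Added example for this guide; not Orbis Cloud tooling, and the sample records
are constructed. Defaults follow RFC 7489: a missing sp inherits p, pct
defaults to 100, adkim/aspf default to r (relaxed), and a record that does not
start with v=DMARC1 or lacks a valid p= tag is discarded by receivers.
"""
from dataclasses import dataclass, field

VALID_POLICIES = {"none", "quarantine", "reject"}


@dataclass
class DmarcPolicy:
    apex_policy: str        # effective p=
    subdomain_policy: str   # effective sp= (inherited from p when absent)
    pct: int
    adkim: str
    aspf: str
    rua: list = field(default_factory=list)
    warnings: list = field(default_factory=list)


def parse_dmarc(record: str) -> DmarcPolicy:
    """Return the effective policy for one _dmarc TXT record; raise ValueError
    for records a receiver would discard."""
    parts = [p.strip() for p in record.split(";") if p.strip()]
    # RFC 7489 section 6.3: v= must be the first tag and must read DMARC1.
    if not parts or parts[0].replace(" ", "").lower() != "v=dmarc1":
        raise ValueError("record does not start with v=DMARC1; receivers ignore it")
    tags = {}
    for part in parts[1:]:
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        name, value = part.split("=", 1)
        tags[name.strip().lower()] = value.strip()

    p = tags.get("p", "").lower()
    if p not in VALID_POLICIES:
        raise ValueError("missing or invalid p= tag; receivers ignore the record")
    sp = tags.get("sp", p).lower()          # subdomains inherit p unless sp is set
    if sp not in VALID_POLICIES:
        raise ValueError(f"invalid sp= value: {sp!r}")
    pct = int(tags.get("pct", "100"))
    adkim = tags.get("adkim", "r").lower()
    aspf = tags.get("aspf", "r").lower()
    rua = [u.strip() for u in tags.get("rua", "").split(",") if u.strip()]

    warnings = []
    if p == "none":
        warnings.append("p=none: monitoring only, spoofed mail is still delivered")
    if sp == "none" and p != "none":
        warnings.append("sp=none: subdomains are unprotected although the apex is enforced")
    if p != "none" and pct < 100:
        # Unsampled failures fall back one level: reject -> quarantine, quarantine -> none.
        warnings.append(f"pct={pct}: the policy is applied to only {pct}% of failing mail")
    if not rua:
        warnings.append("no rua= address: no aggregate reports, so no sender visibility")
    return DmarcPolicy(p, sp, pct, adkim, aspf, rua, warnings)


if __name__ == "__main__":
    for rec in (
        "v=DMARC1; p=reject; rua=mailto:dmarc@yourcompany.co.uk; adkim=s; aspf=s; pct=100",
        "v=DMARC1; p=reject; sp=none; pct=50",
        "v=DMARC1; p=none; rua=mailto:dmarc@yourcompany.co.uk",
    ):
        pol = parse_dmarc(rec)
        print(rec)
        print(f"  apex={pol.apex_policy} subdomains={pol.subdomain_policy} pct={pol.pct}")
        for w in pol.warnings:
            print("  WARNING:", w)
```

Run it against your own record (dig TXT _dmarc.yourdomain) before and after each rollout step; the warning list is the checklist of what still leaves the door open.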
The Single Biggest Mistake: Stopping at p=none
More than 70% of UK domains we audit publish a DMARC record — and 90% of those records are stuck on p=none. That is monitoring mode. It does nothing to protect you. Attackers can still spoof your domain freely; the only thing p=none does is generate reports.
Reaching p=reject is the entire point. Anything less leaves the front door open.
Reality Check
If your domain is on p=none today, treat it as unauthenticated. The phishers will. We routinely show CISOs forensic samples where their own domain was used, in volume, against their own customers — while their DMARC record technically existed.
The Orbis Cloud DMARC Deployment Methodology
We have rolled out DMARC enforcement for finance, fintech, professional services, pharmaceutical and aerospace clients across London and the wider UK. The same six-phase methodology applies whether you have 50 mailboxes or 50,000.
Phase 1 — Sender Discovery (Week 1)
You cannot enforce DMARC until you know everyone sending mail as your domain. We deploy aggregate-report (RUA) collection — typically via EasyDMARC or a comparable analytics platform — and watch traffic for 7–14 days. This surfaces the legitimate senders you forgot about: payroll providers, HR systems, ticketing platforms, marketing tools, ERP notifications, the 11-year-old monitoring server in a back-office cupboard.
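What sender discovery actually consumes is the daily aggregate XML that receivers send to the rua= address. The script below is an added example for this guide, not EasyDMARC or Orbis Cloud code; it unwraps one report attachment and groups traffic by sending IP. The distinction it draws is the one that matters in Phase 1: the raw SPF/DKIM verdicts in auth_results versus the aligned verdicts the receiver recorded in policy_evaluated. A source that authenticates but does not align is a legitimate vendor whose setup needs fixing, not a spoofer. The report embedded below is constructed for the example, using documentation IP ranges.

```python
"""Sender discovery from a DMARC aggregate (RUA) report.

Added example for this guide, not EasyDMARC or Orbis Cloud code. Reports
arrive as XML attachments (usually .xml.gz or .zip) at the rua= address. The
report below is constructed: three sources, one aligned, one authenticated
under someone else's domain, one failing everything.
"""
import gzip
import io
import xml.etree.ElementTree as ET
import zipfile
from collections import Counter
from dataclasses import dataclass, field

SAMPLE_REPORT = """<feedback>
  <report_metadata><org_name>receiver.example</org_name><report_id>1</report_id></report_metadata>
  <policy_published><domain>yourcompany.co.uk</domain><adkim>r</adkim><aspf>r</aspf><p>none</p></policy_published>
  <record>
    <row><source_ip>203.0.113.10</source_ip><count>1200</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>yourcompany.co.uk</header_from></identifiers>
    <auth_results>
      <dkim><domain>yourcompany.co.uk</domain><selector>selector1</selector><result>pass</result></dkim>
      <spf><domain>yourcompany.co.uk</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <record>
    <row><source_ip>198.51.100.25</source_ip><count>340</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>yourcompany.co.uk</header_from></identifiers>
    <auth_results>
      <dkim><domain>esp-vendor.example</domain><selector>k1</selector><result>pass</result></dkim>
      <spf><domain>bounce.esp-vendor.example</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <record>
    <row><source_ip>192.0.2.77</source_ip><count>5</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>yourcompany.co.uk</header_from></identifiers>
    <auth_results><spf><domain>yourcompany.co.uk</domain><result>fail</result></spf></auth_results>
  </record>
</feedback>
"""


@dataclass
class SourceSummary:
    messages: Counter = field(default_factory=Counter)  # status -> message count
    dkim_domains: set = field(default_factory=set)      # d= domains seen signing from this IP
    spf_domains: set = field(default_factory=set)       # envelope domains SPF was checked against


def decode_attachment(data: bytes, filename: str) -> str:
    """Unwrap the XML from the attachment formats receivers actually send."""
    name = filename.lower()
    if name.endswith(".gz"):
        return gzip.decompress(data).decode("utf-8")
    if name.endswith(".zip"):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return zf.read(zf.namelist()[0]).decode("utf-8")
    return data.decode("utf-8")


def classify(record) -> str:
    """Aligned / unaligned / unauthenticated, from one <record> element."""
    aligned = (record.findtext("row/policy_evaluated/dkim") == "pass"
               or record.findtext("row/policy_evaluated/spf") == "pass")
    raw_pass = (any(d.findtext("result") == "pass" for d in record.findall("auth_results/dkim"))
                or any(s.findtext("result") == "pass" for s in record.findall("auth_results/spf")))
    if aligned:
        return "aligned"
    if raw_pass:
        return "unaligned"        # authenticated, but as someone else's domain: fix alignment
    return "unauthenticated"      # spoof, or a forgotten internal sender


def summarise(xml_text: str) -> dict:
    """Map each source IP to its traffic by status plus the domains it used."""
    sources = {}
    for record in ET.fromstring(xml_text).findall("record"):
        s = sources.setdefault(record.findtext("row/source_ip"), SourceSummary())
        s.messages[classify(record)] += int(record.findtext("row/count"))
        s.dkim_domains.update(d.findtext("domain") for d in record.findall("auth_results/dkim"))
        s.spf_domains.update(d.findtext("domain") for d in record.findall("auth_results/spf"))
    return sources


if __name__ == "__main__":
    for ip, s in summarise(SAMPLE_REPORT).items():
        print(f"{ip:16} {dict(s.messages)}  dkim={sorted(s.dkim_domains)} spf={sorted(s.spf_domains)}")
```

In a real engagement you feed every attachment from the rua mailbox through decode_attachment and merge the summaries over the 7–14 day window; the "unaligned" bucket is your Phase 2/3 work list (give the ESP an aligned DKIM selector or a custom return-path), and the "unauthenticated" bucket is either the forgotten server in the cupboard or a spoofer, which a reverse lookup on the IP and a look at the selector names will usually settle.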
Phase 2 — SPF Hardening
Most enterprise SPF records are broken in one of two ways: they exceed the 10-DNS-lookup limit of RFC 7208 (a permerror, which DMARC treats as an SPF failure for every message), or they end in +all or ?all, which authorises the whole internet. We rewrite the record flat, using SPF macros or flattening services where appropriate, and end it with -all (hard fail). Note that ~all (soft fail) is equally a fail for DMARC purposes; -all only adds value at receivers that act on SPF alone.

```
yourcompany.co.uk IN TXT "v=spf1 include:spf.protection.outlook.com include:_spf.google.com include:mailgun.org -all"
```
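Counting lookups by hand goes wrong because every include is itself a record with its own includes. The script below is an added example for this guide, not Orbis Cloud tooling: it walks an SPF record recursively against a stubbed zone so it runs offline, counts the lookups RFC 7208 section 4.6.4 charges (include, a, mx, ptr, exists and redirect=; ip4, ip6, all and exp= are free), and reports the permerror a receiver would return for too many lookups, a missing record, or an include loop. The zone data is constructed: the vendor hostnames are real but these are not their real records, and the real include chains are longer and change over time. Macros (%{...}) are not expanded.

```python
"""Count the DNS lookups an SPF record costs a receiver, offline.

Added example for this guide, not Orbis Cloud tooling. The zone below is
constructed and abbreviated; do not treat it as any vendor's real record.
"""
import re

MAX_LOOKUPS = 10
MODIFIER = re.compile(r"^[a-z][a-z0-9_.-]*=", re.I)   # redirect=, exp=, unknown modifiers


class SpfError(Exception):
    """A condition that makes receivers return permerror."""


def count_lookups(domain: str, zone: dict, path: frozenset = frozenset()) -> int:
    """Lookups consumed evaluating the SPF record of `domain` from `zone`."""
    domain = domain.lower()
    if domain in path:
        raise SpfError(f"include/redirect loop at {domain}")
    record = zone.get(domain)
    if record is None:
        raise SpfError(f"no SPF record at {domain}")
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise SpfError(f"record at {domain} is not v=spf1")
    path = path | {domain}
    total, redirect = 0, None
    for term in terms[1:]:
        if MODIFIER.match(term):
            name, _, value = term.partition("=")
            if name.lower() == "redirect":
                redirect = value
            continue                              # exp= and unknown modifiers cost nothing
        mech = term.lstrip("+-~?").split(":", 1)[0].split("/", 1)[0].lower()
        if mech == "all":
            redirect = None                       # redirect= is ignored when all is present
            break
        if mech == "include":
            total += 1 + count_lookups(term.split(":", 1)[1], zone, path)
        elif mech in ("a", "mx", "ptr", "exists"):
            total += 1                            # mx/ptr trigger further lookups capped separately
    if redirect:
        total += 1 + count_lookups(redirect, zone, path)
    return total


def check_spf(domain: str, zone: dict) -> str:
    """'ok (n lookups)' or the permerror reason a receiver would produce."""
    try:
        n = count_lookups(domain, zone)
    except SpfError as e:
        return f"permerror: {e}"
    if n > MAX_LOOKUPS:
        return f"permerror: too many DNS lookups ({n} > {MAX_LOOKUPS})"
    return f"ok ({n} lookups)"


def all_qualifier(record: str):
    """Qualifier on the all mechanism: '-' hard fail, '~' soft fail, '?' neutral, '+' pass."""
    for term in record.split()[1:]:
        if term.lstrip("+-~?").lower() == "all":
            return term[0] if term[0] in "+-~?" else "+"
    return None


# Constructed zone shared by the before/after apex records.
SHARED = {
    "spf.protection.outlook.com": "v=spf1 ip4:40.92.0.0/15 ip4:40.107.0.0/16 -all",
    "_spf.google.com": "v=spf1 include:_netblocks.google.com include:_netblocks2.google.com include:_netblocks3.google.com ~all",
    "_netblocks.google.com": "v=spf1 ip4:35.190.247.0/24 ~all",
    "_netblocks2.google.com": "v=spf1 ip6:2001:4860:4000::/36 ~all",
    "_netblocks3.google.com": "v=spf1 ip4:172.217.0.0/19 ~all",
    "mailgun.org": "v=spf1 include:_spf.mailgun.org ~all",
    "_spf.mailgun.org": "v=spf1 ip4:198.51.100.0/24 ~all",
    "hr.vendor.example": "v=spf1 include:a.hr.vendor.example include:b.hr.vendor.example ~all",
    "a.hr.vendor.example": "v=spf1 ip4:192.0.2.0/26 ~all",
    "b.hr.vendor.example": "v=spf1 ip4:192.0.2.64/26 ~all",
}
# Before: four includes plus a stray a and mx, ending in ?all (neutral).
ZONE_BEFORE = {**SHARED, "yourcompany.co.uk":
    "v=spf1 include:spf.protection.outlook.com include:_spf.google.com include:mailgun.org "
    "include:hr.vendor.example a mx ?all"}
# After: the HR vendor's ranges flattened to one ip4 term, a/mx removed, hard fail.
ZONE_AFTER = {**SHARED, "yourcompany.co.uk":
    "v=spf1 include:spf.protection.outlook.com include:_spf.google.com include:mailgun.org "
    "ip4:192.0.2.0/25 -all"}

if __name__ == "__main__":
    for label, zone in (("before", ZONE_BEFORE), ("after", ZONE_AFTER)):
        rec = zone["yourcompany.co.uk"]
        print(f"{label}: {check_spf('yourcompany.co.uk', zone)}, all qualifier {all_qualifier(rec)}")
```

The "before" record costs 12 lookups and fails with permerror even though every mechanism in it is individually valid; flattening the vendor include and dropping the unused a and mx brings it to 7. Flattened ip4 terms are a maintenance liability (the vendor's ranges change), which is why the page recommends a flattening service rather than a one-off edit.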
Phase 3 — DKIM on Every Sender
SPF breaks under forwarding (mailing lists, distribution rules, vacation auto-forwarders) because the forwarding host’s IP is not in your record. DKIM usually survives it because the cryptographic signature travels with the message, unless the forwarder alters signed content, as some mailing lists do when they add footers or subject tags. We enable DKIM signing on every legitimate sending source — Microsoft 365, Google Workspace, Mailgun, SendGrid, Mailchimp, HubSpot, Salesforce — with the signature’s d= domain set to your domain (or a subdomain of it) so it aligns, and verify each one shows up signed and aligned in DMARC reports.
Phase 4 — Move to p=quarantine with pct Ramp
This is the gradual enforcement stage. We set:
```
v=DMARC1; p=quarantine; pct=10; rua=mailto:dmarc@yourcompany.co.uk
```
Then ramp pct through 25 → 50 → 100 over two to four weeks, monitoring reports daily. Any legitimate sender that starts failing surfaces immediately and is fixed before the next step.
Phase 5 — Move to p=reject
Once p=quarantine; pct=100 has been clean for two weeks, we flip to p=reject. This is the destination. Spoofed mail is now refused outright by every major provider that honours the policy: Google, Yahoo, Apple, BT, Sky, Virgin Media and the rest. Check the receiving side as well: a Microsoft 365 tenant can be configured in its anti-phishing policy to quarantine rather than reject mail that fails a sender’s p=reject, which still blocks the message but does not bounce it.
Phase 6 — Tighten Alignment & Add BIMI
Switch adkim and aspf to s (strict) so that only the exact From: domain counts as aligned. With relaxed alignment, a DKIM signature for mail.yourcompany.co.uk or an SPF pass for any subdomain aligns with a From: of yourcompany.co.uk; with strict alignment, a sender that can only authenticate as one of your subdomains (a delegated vendor subdomain, or a compromised one) can no longer pass DMARC for mail claiming to come from the apex. Spoofing of the subdomains themselves is governed by the sp tag, which inherits p when absent, so keep sp at reject or leave it unset. Then publish a BIMI record so your verified logo appears next to authenticated mail in Gmail, Apple Mail and Yahoo. BIMI requires an enforcing policy (p=quarantine at pct=100, or p=reject) and Gmail and Apple Mail additionally require a Verified Mark Certificate or equivalent mark certificate for a registered trademark. It is the visible payoff of DMARC enforcement and a measurable trust signal for your customers.
What Goes Wrong Without a Methodical Rollout
- Invoices stop reaching customers. The accounts team’s SAP server was sending unauthenticated; you flipped to p=reject; payments are now 30 days late.
- Marketing campaigns silently disappear. Your ESP’s DKIM was never aligned; the messages now go straight to spam at Gmail.
- Subdomain spoofing goes unnoticed. You enforced on the apex but left an explicit sp=none from the monitoring phase, or a separate _dmarc record still on p=none under a subdomain, so mail spoofing sub.yourcompany.co.uk is still delivered.
- Forwarders break legitimate mail. Without DKIM coverage, internal mailing lists and auto-forwarders strip SPF authority and trigger DMARC failures on your own people’s mail.
Every one of these is preventable with proper sender discovery and a phased rollout. Every one of them is also why CIOs hire Orbis Cloud instead of attempting it in-house with a single change window.
DMARC and the Wider Email Threat Stack
DMARC is necessary but not the whole story. It stops direct domain spoofing — attackers can no longer send mail that literally claims to be from your domain. It does not stop:
- Look-alike domains — yourcompany.com vs yourcompαny.com with a Greek alpha. Mitigated by display-name filtering, look-alike monitoring, and security awareness training.
- Compromised legitimate accounts — phishing from a real but hijacked mailbox, which passes SPF, DKIM and DMARC. Mitigated by MFA, conditional access, and Microsoft Defender / equivalent.
- Malicious attachments & URLs — mitigated by Email Threat Protection (sandboxing, URL rewriting, attachment detonation).
That is why our Email Threat Protection service treats DMARC as the foundation, layered with advanced threat protection, security awareness training and ongoing monitoring.
Compliance Mapping: ISO 27001, NCSC & Insurance
| Requirement | How DMARC enforcement satisfies it |
|---|---|
| ISO 27001 A.13.2.3 — Electronic messaging (2013 edition; A.5.14 Information transfer in the 2022 edition) | Authenticated, integrity-protected mail with audit trails (DMARC reports). |
| NCSC Mail Check & UK Cyber Essentials Plus | Anti-phishing & brand-protection control evidence aligned with public-sector guidance. |
| UK GDPR / DPA 2018 — Article 32 security of processing | Demonstrable technical control against impersonation-led data breaches. |
| Cyber-insurance BEC clauses | Demonstrable p=reject on apex and subdomains. |
| Google / Yahoo bulk-sender (2024+) | DMARC required to deliver above-threshold volumes. |
The Orbis Cloud Difference
We do not just publish a DMARC record and walk away. As your London-based managed email security partner, Orbis Cloud:
- Runs the full sender-discovery and SPF/DKIM remediation engagement.
- Hosts and monitors DMARC aggregate reports continuously, with alerting on new sources.
- Drives policy from p=none through p=reject with measurable, auditable milestones.
- Integrates DMARC enforcement with Microsoft 365 / Defender, Google Workspace, EasyDMARC, and your existing SIEM.
- Adds BIMI publication and DNS hygiene (MTA-STS, TLS-RPT, DNSSEC) for a complete, modern email perimeter.
Our clients reach p=reject typically within 8 to 12 weeks, with zero observed mail-flow disruption — because every legitimate sender is identified, authenticated and aligned before enforcement.
Free First Step: Run a Domain Scan
Before you commission any project, you should know exactly where your domain stands today. Our free scanner inspects SPF, DKIM, DMARC, MTA-STS, BIMI and TLS for your domain and gives you a security score in under 30 seconds.
Ready to stop attackers from spoofing your domain?
Scan your domain for free, or talk to an Orbis Cloud email-security specialist about a full DMARC enforcement programme.

