{"id":26950,"date":"2026-03-11T07:00:43","date_gmt":"2026-03-11T06:00:43","guid":{"rendered":"https:\/\/smecyberinsights.co.uk\/?p=26950"},"modified":"2026-03-31T12:41:36","modified_gmt":"2026-03-31T10:41:36","slug":"dmarc-for-smes","status":"publish","type":"post","link":"https:\/\/smecyberinsights.co.uk\/index.php\/2026\/03\/11\/dmarc-for-smes\/","title":{"rendered":"DMARC for UK SMEs; the email control that blocks brand spoofing, and why it’s still not enforced"},"content":{"rendered":"\t\t
\n\t\t\t\t
\n\t\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t\t\t
\n\t\t\t
\n\t\t\t\t\t\t\t\t
\"Partners1_NordVPN\"<\/figure><\/div>
\"Partners3_R3\"<\/figure><\/div>
\"Partners2_Zoho\"<\/figure><\/div>
\"Partners4_Plesk\"<\/figure><\/div>
\"Partners7_Passware\"<\/figure><\/div>
\"Red_Button_Slider\"<\/figure><\/div>
\"ogo2\"<\/figure><\/div>
\"Detection.<\/figure><\/div>\t\t\t<\/div>\n\t\t\t\t\t\t\t\n\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t
\n\t\t\t\t\t\t
\n\t\t\t\t\t
\n\t\t\t
\n\t\t\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\n\t\t\t\t\t\t\t\"SECURUS\t\t\t\t\t\t\t\t<\/a>\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t
\n\t\t\t\t\t\t
\n\t\t\t\t\t
\n\t\t\t
\n\t\t\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t\t\t\t\t\t\t\t
\n\t\t\t\t\t\t\t\t\t\t\t\n\t\t\t\t\t\t\t\"DMARC\t\t\t\t\t\t\t\t<\/a>\n\t\t\t\t\t\t\t\t\t\t\t
Image Credit: Freepik<\/figcaption>\n\t\t\t\t\t\t\t\t\t\t<\/figure>\n\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t
\n\t\t\t
\n\t\t\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t\t\t\t

Gibraltar:\u00a0 Wednesday, 11 March 2026 \u2013 07:00 CET<\/p>\n

DMARC for UK SMEs; the email control that blocks brand spoofing, and why most domains still do not enforce it
\n<\/strong>By: Iain Fraser<\/a>\u00a0\u2013\u00a0Cybersecurity Journalist
\n<\/a>Published in Collaboration with SECURUS Communications<\/a>
\nGoogle Indexed on: 110326 at 09:25 CET<\/a>
\nSMECyberInsights.co.uk<\/a> | First for SME Cybersecurity News
\n<\/a>#SMECyberInsights #SMECybersecurity #SMECyberInsights #SME #CyberSafe #CyberSecurity #Cybersecurity #Phishing #DMARC<\/em><\/p>\n

\ufeff<\/span>\ufeff<\/span><\/p>\n<\/div>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t

\n\t\t\t\t
\n\t\t\t\t\t\t\t\t

DMARC for UK SMEs; the email control that blocks brand spoofing, and why most domains still do not enforce it<\/strong><\/p>\n

If you run a UK SME, phishing is not an abstract risk. It is the daily reality behind invoice fraud, payroll diversion, and \u201curgent\u201d supplier bank change requests. Attackers do not need to hack your network to cause damage. They only need to send an email that looks like it came from your domain, or from someone you trust.<\/p>\n

That is why email authentication is showing up more often in sme cybersecurity news and advisory conversations. Analysts often describe DMARC<\/strong> as a foundational phishing defence, and some industry benchmarking suggests fewer than 10 percent of domains meaningfully enforce DMARC at a blocking level. Whether the exact figure is 8 percent or 18 percent, the practical point for UK small businesses is the same. Most organisations still allow their brand to be spoofed. That creates avoidable risk for customers, staff, and suppliers.<\/p>\n

DMARC in plain English; what it does, and what it does not<\/strong><\/p>\n

DMARC (Domain-based Message Authentication, Reporting and Conformance)<\/strong> is a DNS based policy that tells other mail systems what to do when emails claiming to be from your domain fail authentication checks. It also provides reporting so you can see who is sending mail \u201cas you\u201d.<\/p>\n

DMARC works with two supporting controls:<\/p>\n

* SPF (Sender Policy Framework)<\/strong>; a DNS record listing which mail servers are allowed to send email for your domain.<\/p>\n

* DKIM (DomainKeys Identified Mail)<\/strong>; a cryptographic signature added to outgoing mail so recipients can verify the message has not been altered and is authorised by your domain.<\/p>\n

What DMARC helps with:<\/p>\n

* Stops direct domain spoofing<\/strong>; criminals cannot easily send \u201cfrom yourdomain.co.uk\u201d using random infrastructure if you enforce DMARC.<\/p>\n

* Improves trust<\/strong>; it reduces customer and supplier exposure to impersonation.<\/p>\n

What DMARC does not solve:<\/p>\n

* If a real mailbox is compromised, the attacker can send authenticated email. As a result, DMARC must sit alongside MFA and access control.<\/p>\n

NCSC guidance on email security and anti-spoofing covers DMARC, SPF and DKIM as practical steps to reduce impersonation risk. (Reference: NCSC Email security and anti-spoofing collection.)<\/p>\n<\/div>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t

\n\t\t\t\t
\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\"DMARC\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t\t\t\t

Actionable guidance; a staged DMARC rollout that will not break your email<\/strong><\/p>\n

Most SMEs fail with DMARC for one reason. They jump to \u201creject\u201d before they know which systems legitimately send email.<\/p>\n

Step 1; inventory every sender<\/strong><\/p>\n

List every platform that sends email using your domain:<\/p>\n

* Microsoft 365 or Google Workspace
\n* Marketing tools and newsletters
\n* CRM, ticketing, booking, invoicing, payroll
\n* Website contact forms and web servers<\/p>\n

Step 2; fix SPF and enable DKIM<\/strong><\/p>\n

* Ensure you have one SPF record; keep it tidy.
\n* Enable DKIM signing for your main email platform and key third parties.<\/p>\n

Step 3; publish DMARC in monitor mode<\/strong><\/p>\n

Start with p=none<\/strong> and set reporting addresses. Review reports weekly with your MSP or vCISO.<\/p>\n

Step 4; move to quarantine, then reject<\/strong><\/p>\n

* Move to p=quarantine<\/strong> first.
\n* Then move to p=reject<\/strong>\u00a0once reports show only legitimate sources are aligned.<\/p>\n

Step 5; operationalise it<\/strong><\/p>\n

Add a simple rule. Any new supplier system that \u201csends email as us\u201d must be added to the sender inventory and aligned before go live.<\/p>\n

Compliance and best practice fit; Cyber Essentials, UK GDPR, and NIST<\/strong><\/p>\n

DMARC supports SME cyber security best practices<\/strong> by reducing spoofing, but it should be paired with controls that Cyber Essentials focuses on, such as access control, secure configuration, and patching. DMARC plus MFA (multi-factor authentication)<\/strong> on email admin accounts is a strong baseline for SME cyber resilience.<\/p>\n

From a compliance for SMEs perspective, the ICO expects organisations to implement appropriate technical and organisational measures to protect personal data. Reducing impersonation and fraud risk through email authentication is a defensible, proportionate measure, especially where email is used for customer communications. (Reference: ICO Guide to data security.)<\/p>\n

If you use NIST Cybersecurity Framework language with boards, DMARC is a clean \u201cProtect\u201d control, with reporting that supports \u201cDetect\u201d.<\/p>\n

Quick checklist; what to ask your MSP this week<\/strong><\/p>\n

* Do we have SPF, DKIM, and DMARC published for all domains we use?
\n* Are we at p=none<\/strong>,\u00a0quarantine<\/strong>, or\u00a0reject<\/strong>; and what is the plan to progress?
\n* Who reviews DMARC reports; and how often?
\n* Is MFA enforced for email admins and high-risk users?
\n* Do we have a process for supplier and marketing platforms that send mail as our domain?<\/p>\n<\/div>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t

\n\t\t\t\t\t\t
\n\t\t\t\t\t
\n\t\t\t
\n\t\t\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t\t\t\t\t\t\t\t
\n\t\t\t\t\t\t\t\t\t\t\t\n\t\t\t\t\t\t\t\"SECURUS\t\t\t\t\t\t\t\t<\/a>\n\t\t\t\t\t\t\t\t\t\t\t
<\/figcaption>\n\t\t\t\t\t\t\t\t\t\t<\/figure>\n\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t
\n\t\t\t
\n\t\t\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t\t\t\t

SECURUS Communications Ltd<\/strong><\/p>\n

Securus<\/a> <\/strong>is a managed communications Operator, providing next-generation network infrastructure and value added services to Managed Hosting providers and the ‘cloud generation’\u200b of enterprises. Securus<\/a> <\/strong>priority is to offer communication services that represent excellent value for money and are backed by exceptional levels of support.<\/p>\n

Contact Securus<\/strong>
\nSecurus Communications Ltd
\nStation Road, Landmark house, Hook, England RG27 9HA, GB
\nT: Enquiries:\u00a003451 283457<\/span><\/a>\u00a0| Service Desk: 03451 283458<\/a>
\nSecurus on LinkedIn<\/a> | Securus on “X”<\/a> | https:\/\/securuscomms.com<\/a><\/p>\n<\/div>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t

\n\t\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t
\n\t\t\t\t

\n\t\t\t\t\t<\/span>\n\t\t\t\t\tLatest Posts from SECURUS Communications<\/span>\n\t\t\t\t\t<\/span>\n\t\t\t\t<\/h2>\n\t\t\t<\/div>
\n\n
\n
\n\n
\n \n \n \"AI-Powered <\/a>\n\n \n