Protecting Your Organisation’s Email Reputation with DMARC

Even though we’ve been using email for over 30 years, there are still numerous risks for companies and organisations in terms of unauthorised use and reputational harm. This is primarily because it is easy for any bad actor to use anyone else’s domain name to send spam, phishing or other nefarious messages.

Fortunately, there is a solution that can protect your domain name from being used by bad actors, and this solution is called DMARC – Domain-based Message Authentication, Reporting and Conformance.

But what does DMARC actually do?

Imagine DMARC as the border check at an airport.

When someone wants to get onto a flight, the border guard checks their passport and ticket to confirm they are who they say they are and the details match. They might also do a further validation check on a watchlist database. If the ID or database information doesn’t match, the traveller is denied entry or detained.

DMARC works similarly for emails. When an email is sent, the recipient system will make several checks against the sender’s domain. If it passes the checks and the email is deemed to be from a valid sender, then the email is accepted. If it fails the checks, then the email is either quarantined or rejected.

Broadly, then, this service will protect email domains from being used by bad actors to send spam, phishing, scam, spoofed or other undesirable emails.

Importantly, any organisation operating under PCI-DSS standards must implement DMARC in full reject mode by March 2025.

So, can you just switch on DMARC? In theory, yes, you can. However, this is not recommended as legitimate email could be blocked, and other services must be configured to make it work properly.