Email is still the beating heart of how most small businesses talk to their customers, and that is exactly why criminals love it. If someone can send an email that looks like it came from your domain, they can fool your customers, damage your reputation and land you in a world of trouble you never saw coming. We say this to clients all the time: your email deserves the same care you give your front door, and DMARC is one of the sturdiest locks you can fit.
The acronym sounds intimidating, but the idea behind it is refreshingly simple. In this guide we will explain what DMARC actually is, how it protects your business, and how to get it working without needing to speak fluent server.
What is DMARC, in plain English
DMARC stands for Domain-based Message Authentication, Reporting and Conformance. Underneath that mouthful, it is simply a rule you publish for your domain that tells the world’s email providers what to do with messages that claim to be from you but cannot prove it.
Think of it like the security team at an exclusive event. Your guests arrive claiming to be on the list, and the team checks their name against two records before letting them in. If someone turns up pretending to be you, they are turned away at the door. DMARC is the instruction you give that security team about how strict to be and where to send the report afterwards.

How DMARC works alongside SPF and DKIM
DMARC does not work alone; it sits on top of two older checks called SPF and DKIM, and it only makes sense once you understand the trio. SPF confirms that an email was sent from a server you have authorised. DKIM adds a tamper-proof digital signature that proves the message was not altered in transit. DMARC then ties the two together and tells receiving servers what to do if an email fails those checks.
Crucially, DMARC also sends you reports. Those reports show you who is sending email using your domain, which is genuinely eye-opening the first time you see it. Many businesses discover services they had forgotten about, and occasionally something far more sinister.
Why your business email needs DMARC
The benefits go well beyond ticking a security box. Here is what DMARC really delivers:
- Stops spoofing: it makes it far harder for anyone to send convincing fake emails from your domain.
- Protects your reputation: customers who never receive a scam in your name keep trusting your brand.
- Improves deliverability: properly authenticated email is more likely to land in the inbox rather than the spam folder.
- Gives you visibility: the reports show exactly who is sending email as you, wanted or not.
- Meets modern requirements: major providers increasingly expect authentication, so getting it right keeps your email flowing.
How to set up DMARC step by step
Setting up DMARC is a matter of publishing a small record in your domain’s DNS settings, and doing it carefully rather than quickly. Here is the route we walk clients through:
- Sort SPF and DKIM first: DMARC relies on both, so make sure they are set up and passing before you go further.
- Start in monitor mode: publish a DMARC record with the policy set to none, which watches without blocking anything.
- Add a reporting address: point the reports to an inbox or a reporting tool so you can actually read them.
- Review the reports: spend a couple of weeks understanding who legitimately sends email on your behalf.
- Tighten gradually: move the policy to quarantine, sending suspicious mail to spam, once you are confident.
- Enforce fully: finally set the policy to reject, which blocks failing email outright.
- Keep monitoring: check the reports periodically, because your email setup changes over time.
The golden rule is patience. Rushing straight to reject can block your own legitimate email, so build up to it.
DMARC policies compared
DMARC gives you three levels of strictness, and knowing the difference saves a lot of grief:
- None: monitor only; nothing is blocked, but you receive reports. The safe starting point.
- Quarantine: email that fails is sent to the spam folder rather than the inbox. A sensible middle step.
- Reject: failing email is refused outright and never delivered. The strongest protection, best saved for last.
- Reporting: available at every level, giving you the data to make confident decisions.
Best practices for a healthy DMARC setup
A few habits keep your setup working smoothly. Always begin in monitor mode; it costs nothing and prevents nasty surprises. Actually read your reports rather than filing them away, because they are where the value lives. Keep a list of every service that legitimately sends email for you, from your newsletter tool to your booking system, so you can authenticate them all. And revisit your setup whenever you add a new tool that sends email on your behalf, otherwise its messages may quietly start failing.
Common mistakes we see business owners make
DMARC problems almost always trace back to a handful of avoidable errors:
- Jumping straight to reject: enforcing before you understand your mail flow blocks your own legitimate email.
- Ignoring the reports: publishing a record then never looking at the data it produces.
- Forgetting a sending service: a newsletter or invoicing tool that was never authenticated suddenly stops arriving.
- Skipping SPF or DKIM: DMARC cannot do its job if the two checks beneath it are not in place.
- Setting and forgetting: your email setup evolves, so a record left untouched for years drifts out of date.
Where email security is heading next
Email authentication is only becoming more important, not less. Major inbox providers now expect proper authentication from anyone sending in volume, and that expectation is trickling down to businesses of every size. Newer standards are also emerging that build on DMARC to display verified brand logos beside authenticated email, which turns good security into a visible trust signal in the inbox. For small businesses, the message is clear: getting your email authentication right today is an investment that keeps paying off as the rules tighten.
Frequently asked questions
Do I really need DMARC for a small business?
Yes, arguably more than a large one, because small businesses are frequently impersonated and rarely have the resources to clean up after an attack. DMARC is free to implement and protects both your customers and your reputation.
Will DMARC block my legitimate emails?
Not if you set it up carefully. Starting in monitor mode and reviewing the reports before enforcing means you can authenticate all your genuine senders first, so only fraudulent email gets blocked.
Is DMARC the same as SPF and DKIM?
No, it works with them. SPF and DKIM do the actual checking, while DMARC decides what happens to email that fails and reports back to you. All three together form a complete defence.
How long does DMARC take to set up?
Publishing the initial record takes minutes, but doing it properly means spending a couple of weeks in monitor mode first. Rushing is the one thing that causes problems, so treat it as a short project rather than a quick task.
Your quick DMARC checklist
- Foundations: confirm SPF and DKIM are set up and passing.
- Monitor: publish a DMARC record with policy none.
- Report: send the reports somewhere you will actually read them.
- Review: learn who legitimately sends email as you.
- Tighten: move to quarantine, then reject, when confident.
- Maintain: revisit whenever you add a new sending tool.
Let us lock down your business email
Understanding what DMARC is is the first step towards email your customers can trust and criminals cannot fake. It is a small, free change with an outsized payoff, but the setup rewards a careful hand. If DNS records and email policies make your eyes glaze over, that is exactly where we come in. At Delivered Social we help small businesses get the technical foundations right so their marketing lands and their brand stays protected. Get in touch with our team today and let us help you send email with confidence.


































