DMARC: Why it is now essential for your business.

Email remains one of the most powerful tools for business communication—but it’s also one of the most exploited. Cybercriminals frequently impersonate trusted brands to launch phishing attacks, steal data, and damage reputations. That’s why DMARC—Domain-based Message Authentication, Reporting and Conformance—has become a critical line of defence.

And now, with Google and Yahoo enforcing mandatory DMARC compliance, and with amendments to UK PCI DSS, it is a requirement for most businesses.

What is DMARC?

DMARC is an email authentication protocol that helps protect your domain from unauthorised use, such as spoofing or phishing. It builds on two existing technologies—SPF (Sender Policy Framework) and DKIM (DomainKeys Identified Mail)—to verify that an email claiming to come from your domain is actually authorised by you.

In simple terms, DMARC tells receiving mail servers:

  • Whether an email is legitimate
  • What to do if it isn’t (e.g. quarantine or reject it)
  • How to report back to the sender about suspicious activity

Why DMARC matters more than ever

For midmarket businesses, the risks of email-based attacks are significant. A single spoofed email can lead to:

  • Data breaches
  • Financial fraud
  • Loss of customer trust
  • Damage to brand reputation

Implementing DMARC helps prevent these threats by ensuring only authorised senders can use your domain. It also improves email deliverability, meaning your legitimate messages are more likely to reach inboxes rather than spam folders.

New regulations make DMARC critical

As of February 2024, Google and Yahoo began enforcing stricter email authentication standards for bulk senders—defined as anyone sending 5,000 or more emails per day. These changes require:

  • SPF and DKIM alignment
  • A valid DMARC policy published in DNS
  • Easy unsubscribe options for recipients

By April 2024, non-compliant senders risk having their emails blocked or marked as spam, significantly impacting marketing, sales, and customer service communications.

This shift is part of a broader industry effort to reduce spam, phishing, and email fraud. For midmarket firms, it means that DMARC is no longer optional—it’s essential for maintaining email credibility and deliverability.

Separately, new regulations effective March 2025 require businesses handling card payments to strengthen their email security against phishing with DMARC: the PCI DSS v4.0 framework now includes DMARC as a requirement, so organisations that handle payment card data must implement it as part of their compliance obligations.

This means that for any business processing card payments or sending bulk email, DMARC is now mandatory—not just for security, but for regulatory compliance.

What DMARC protects you from

Implementing DMARC helps safeguard your business from:

  • Email spoofing: Prevents attackers from sending emails that appear to come from your domain.
  • Phishing attacks: Reduces the likelihood of customers or employees falling for fraudulent emails.
  • Brand impersonation: Protects your reputation by ensuring only authorised messages are sent under your name.
  • Deliverability issues: Ensures your emails reach inboxes, not spam folders.

How to get started with DMARC

  1. Assess your current email setup: Check if SPF and DKIM are properly configured.
  2. Publish a DMARC record: Start with a “monitor” policy (p=none) to gather data.
  3. Review reports: Use DMARC reports to identify unauthorised senders.
  4. Enforce your policy: Gradually move to p=quarantine or p=reject to block malicious emails.
  5. Stay compliant: Regularly review your configuration, especially if you use third-party email services.
  6. Reach out to your MSP: Your MSP will have a solution for DMARC and will be able to implement it for you.
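Step 3 in practice, as an added example that is not part of the original post: a small Python script that reads a DMARC aggregate (rua) report and tallies, per sending IP, how many messages passed DMARC (DKIM or SPF aligned) versus failed, which is the evidence you need before moving from p=none to p=quarantine or p=reject. The report XML is constructed for illustration; real reports arrive as zipped XML attachments at the rua address in your DMARC record.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample aggregate report, trimmed to the fields the summary needs.
SAMPLE_REPORT = """<?xml version="1.0"?>
<feedback>
  <report_metadata><org_name>example-receiver</org_name></report_metadata>
  <policy_published><domain>example.com</domain><p>none</p></policy_published>
  <record><row><source_ip>192.0.2.10</source_ip><count>120</count>
    <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated>
  </row></record>
  <record><row><source_ip>198.51.100.7</source_ip><count>35</count>
    <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated>
  </row></record>
  <record><row><source_ip>203.0.113.5</source_ip><count>40</count>
    <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>fail</spf></policy_evaluated>
  </row></record>
</feedback>
"""


def summarise_report(xml_text):
    """Return {source_ip: {"pass": n, "fail": n}} for every row in the report.

    A message passes DMARC when at least one of the aligned DKIM or SPF
    results in <policy_evaluated> is "pass"; otherwise it fails.
    """
    root = ET.fromstring(xml_text)
    summary = defaultdict(lambda: {"pass": 0, "fail": 0})
    for row in root.iter("row"):
        ip = row.findtext("source_ip")
        count = int(row.findtext("count", "0"))
        evaluated = row.find("policy_evaluated")
        results = (evaluated.findtext("dkim"), evaluated.findtext("spf"))
        summary[ip]["pass" if "pass" in results else "fail"] += count
    return dict(summary)


def failing_share(summary):
    """Fraction of reported messages that would be affected by a stricter policy."""
    total = sum(r["pass"] + r["fail"] for r in summary.values())
    failing = sum(r["fail"] for r in summary.values())
    return failing / total if total else 0.0


if __name__ == "__main__":
    report = summarise_report(SAMPLE_REPORT)
    for ip, counts in report.items():
        print(f"{ip:>15}  pass={counts['pass']:>4}  fail={counts['fail']:>4}")
    print(f"share failing DMARC: {failing_share(report):.1%}")
```

Failing sources that are actually yours (a newsletter platform, a CRM) need adding to SPF or signing with DKIM before enforcement; sources you do not recognise are what p=quarantine or p=reject will stop.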
