Is Your Email Filtering Hitting DMARC?
A quick Google search for 'cyber attack' will return a near countless list of results - and if you filter it by the 'News' tab of results, you'll likely see a brand or three that you recognise and possibly even use.
It's such a severe threat that the BBC has a dedicated 'cyber attacks' section now - perhaps in part due to how topical it is, with M&S and the Co-op recently falling victim. And, as it's so prevalent, we're taking a look at ways you can secure your organisation.
Summer 2025: The Summer of Cyber Threats?
It's no secret how big of an issue cyber security is. The days of it being an 'IT Department-only' conversation are long gone - it's front of mind for people across companies now. And that's in part because it winds up headline news on a near-weekly basis. The bad news? It's showing no signs of slowing down any time soon either, with attacks occurring at higher and higher frequencies. But why is that?
In short, we're living in a digital world, and many of us are working remotely, which means there are more entry points for malicious outsiders. It's no secret that employees are often the weakest link in a security posture, and cyber criminals know this all too well - which is why phishing attempts are on the up.
With approximately 300 billion emails sent worldwide each day, you may be surprised to hear that over 150 billion of those are spam - with 26% of those being phishing attempts and 2.5% malware.
Part of these eye-wateringly high numbers can be attributed to the low effort and ease of running a phishing campaign, to the point where you can buy ready-to-run 'off-the-shelf' phishing-as-a-service (PhaaS) campaigns on the Dark Web. The buyers then just deploy and let it run in what is a super low-effort attempt to breach organisations.
The worst part of this is that it tends to only cost a few pounds at a time, and often ends up being incredibly effective in terms of results.
Email Spoofing
That brings us nicely onto the elephant in the inbox, so to speak: email spoofing is one of the easiest ways for cybercriminals to impersonate your brand, trick your clients, and cause chaos in your business.
And it works. All too well.
If someone sent an email pretending to be your CEO, would your systems catch it? Would your clients know the difference?
You may take the usual steps of checking the email address of the person who sent it, realise it doesn't look anything like the 'ceo@yourcompany.co.uk' that they operate from, and rightly disregard it. But what if it was from a third-party source, such as your payroll provider, a supplier or even a vendor? And worse yet, what if the 'from' part of their email matched? Then you may be in trouble, right?
Wrong. Enter DMARC.
So, What Is DMARC?
DMARC stands for Domain-based Message Authentication, Reporting and Conformance. In plain English? It's a protocol that helps your email domain say:
"These are the rules for who's allowed to send email as us - and if a message breaks those rules, here's what to do with it."
DMARC builds on two older email authentication methods - SPF (Sender Policy Framework) and DKIM (DomainKeys Identified Mail) - to verify that an email claiming to come from you actually did.
If the email fails those checks, DMARC tells the recipient's server to either:
Deliver it anyway (not ideal),
Quarantine it (safer),
Or reject it completely (best-case).
And it doesn't stop there - DMARC also sends back detailed reports, so you know exactly who is sending emails on your behalf and whether they're passing authentication or not.
How Does It Work?
Email Is Sent
A message is sent from your domain - by you or someone pretending to be you.
Checks Begin
The recipient’s mail server checks SPF & DKIM to verify the sender.
DMARC Policy Applies
If the email fails the checks, DMARC enforces your policy: allow, quarantine, or reject.
Reports Sent
You get visibility into who’s using your domain — and who’s trying to abuse it.
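The four steps above, as an added Python sketch (not Fifosys code and not a full RFC 7489 implementation): it parses a DMARC record and returns the outcome for a message, given the SPF and DKIM results the receiving server has already worked out. The domains and records are constructed, and relaxed alignment is simplified to a parent/subdomain match; real receivers compare organisational domains using the Public Suffix List.

```python
# Added illustration: simplified DMARC evaluation on constructed sample data.

RECORD = "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.co.uk"  # constructed
STRICT = "v=DMARC1; p=quarantine; adkim=s; aspf=s"                     # constructed


def parse_dmarc(txt):
    """Parse a DMARC TXT record into a tag dict and apply alignment defaults."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or tags.get("p") not in ("none", "quarantine", "reject"):
        raise ValueError("not a valid DMARC record")
    tags.setdefault("adkim", "r")  # relaxed alignment is the default
    tags.setdefault("aspf", "r")
    return tags


def aligned(auth_domain, from_domain, mode):
    """Strict ('s'): exact match. Relaxed ('r'): same domain or parent/subdomain.

    Assumption: this relaxed check is a simplification of the
    organisational-domain comparison real receivers perform.
    """
    a = auth_domain.lower().rstrip(".")
    f = from_domain.lower().rstrip(".")
    if not a or not f:
        return False
    if a == f:
        return True
    return mode == "r" and (a.endswith("." + f) or f.endswith("." + a))


def evaluate(record_txt, from_domain, spf, dkim):
    """spf and dkim are (result, authenticated_domain) tuples from the receiver.

    Returns "pass", or the published policy ("none", "quarantine", "reject")
    that applies when the message fails DMARC.
    """
    policy = parse_dmarc(record_txt)
    spf_ok = spf[0] == "pass" and aligned(spf[1], from_domain, policy["aspf"])
    dkim_ok = dkim[0] == "pass" and aligned(dkim[1], from_domain, policy["adkim"])
    # One aligned pass is enough; an SPF pass for an unrelated domain is not.
    return "pass" if (spf_ok or dkim_ok) else policy["p"]
```

A message whose visible From domain is `example.co.uk` but whose only SPF pass belongs to an unrelated domain returns `reject` under `RECORD`, while mail from a third-party service that signs with the domain's own DKIM key returns `pass`.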
Why Does It Matter?
Spoofing isn't just a nuisance - it's a serious business risk.
In 2024, 84% of UK businesses and 83% of charities reported experiencing phishing attacks, making it the most common type of cyber breach. And the worst part? Most companies don't realise they've been spoofed until their clients complain - or the damage is done.
Without DMARC:
Your domain can be hijacked to send fake invoices or malicious links.
Clients might lose trust, thinking your business sent them malware.
You stay in the dark, with no visibility into who's using your name.
Real-World Example: When DMARC Could've Made the Difference
In 2022, attackers impersonated Ofgem - the UK’s energy regulator - in a widespread phishing campaign, sending thousands of fake emails to UK residents about supposed energy rebates. The messages mimicked Ofgem’s branding, tone of voice, and even included references to real schemes and employee names to make them look legitimate.
The challenge? At the time, spoofed emails like these could easily slip past basic filters if email authentication protocols like DMARC weren’t properly configured.
The result wasn’t just confusion — some recipients were tricked into sharing personal and financial details with fraudsters. While the exact financial impact on victims isn’t fully known, the broader reputational risk and loss of public trust was significant.
Had DMARC been fully implemented and set to a strict policy like “reject,” these fake emails would have been stopped at the server level — never delivered, never opened, never clicked.
A Few Stats Worth Noting:
of global phishing attacks involve domain spoofing (Verizon DBIR)
of UK businesses enforce DMARC at “reject” level (EmailAuth Index)
fewer phishing incidents reported with strong DMARC (Cisco 2024)
But Wait… Won't This Break Our Email?
Not if it's done right.
Rolling out DMARC isn't just flipping a switch. It's a phased process:
Start in "monitor" mode to collect data.
Fix any legitimate services that fail SPF/DKIM (think CRMs, marketing tools, payroll, etc).
Gradually move to quarantine or reject.
At Fifosys, we walk our clients through every step, making sure you stay secure without blocking the good stuff.
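What the monitor phase produces, as an added Python example (not Fifosys tooling): it reads a DMARC aggregate report in the RFC 7489 XML layout and lists the sending IPs whose mail fails DMARC, which are the sources to fix or expect to be blocked before moving to quarantine or reject. The report, IP addresses and domains are constructed sample data.

```python
# Added illustration: triage a DMARC aggregate (rua) report before enforcing.
# Reports arrive from outside parties, so treat them as untrusted input; the
# third-party defusedxml package offers a hardened ElementTree replacement.
import xml.etree.ElementTree as ET

# Constructed sample report, trimmed to the elements used below.
SAMPLE_REPORT = """<feedback>
<policy_published><domain>example.co.uk</domain><p>none</p></policy_published>
<record><row><source_ip>192.0.2.10</source_ip><count>120</count>
 <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
 <identifiers><header_from>example.co.uk</header_from></identifiers>
 <auth_results><spf><domain>example.co.uk</domain><result>pass</result></spf></auth_results></record>
<record><row><source_ip>198.51.100.7</source_ip><count>40</count>
 <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
 <identifiers><header_from>example.co.uk</header_from></identifiers>
 <auth_results><spf><domain>bounce.crm-vendor.example</domain><result>pass</result></spf></auth_results></record>
<record><row><source_ip>203.0.113.99</source_ip><count>15</count>
 <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
 <identifiers><header_from>example.co.uk</header_from></identifiers>
 <auth_results><spf><domain>unknown-sender.example</domain><result>fail</result></spf></auth_results></record>
</feedback>"""


def failing_sources(report_xml):
    """Return {source_ip: {"count": n, "spf_domains": set}} for rows failing DMARC.

    policy_evaluated holds the aligned SPF/DKIM results; a row fails DMARC
    only when neither of them is "pass".
    """
    failures = {}
    for rec in ET.fromstring(report_xml).iter("record"):
        ev = rec.find("row/policy_evaluated")
        if ev.findtext("dkim") == "pass" or ev.findtext("spf") == "pass":
            continue
        entry = failures.setdefault(rec.findtext("row/source_ip"),
                                    {"count": 0, "spf_domains": set()})
        entry["count"] += int(rec.findtext("row/count"))
        # The raw SPF domain hints at which service sent the mail.
        entry["spf_domains"].update(d.text for d in rec.iterfind("auth_results/spf/domain"))
    return failures


def tally(report_xml):
    """Return (messages passing DMARC, total messages) for the report."""
    total = sum(int(r.findtext("row/count")) for r in ET.fromstring(report_xml).iter("record"))
    failed = sum(e["count"] for e in failing_sources(report_xml).values())
    return total - failed, total
```

In the sample, `198.51.100.7` passes raw SPF for a vendor bounce domain but is not aligned with the From domain, the pattern a legitimate CRM or payroll sender shows until its SPF or DKIM setup is corrected.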
What's in It for You?
Aside from blocking spoofed emails cold? Here's what else DMARC does for your business:
Improves deliverability: Emails from you are more trusted by filters.
Protects your clients: They're less likely to be duped by fakes.
Builds brand credibility: You look more professional and secure.
Gives full visibility: Know exactly who is sending using your domain.
Final Word: Don't Wait Until It Hurts
Cybersecurity shouldn't be reactive. Spoofing attacks can happen to any business, regardless of size or industry - and once trust is broken, it's hard to win back.
DMARC gives you control. It protects your domain, your customers, and your reputation - and it's one of the most effective security measures you can implement this year.
Need help getting started?
We'll audit your current setup, walk you through the options, and manage the whole rollout for you. DMARC doesn't have to be complicated - not when you've got the right partner.