What Is DMARC? Why Domain Protection Matters in 2026

Email remains one of the most trusted communication channels in business, and yet it is also one of the most abused.

Despite years of awareness campaigns, training sessions and layered security controls, phishing and impersonation attacks continue to land in countless inboxes every day. And while many organisations invest heavily in endpoint protection and awareness training, one foundational control is still frequently misconfigured or ignored: DMARC.

In 2026, that is harder to justify.

The Problem Isn’t Just Phishing. It’s Impersonation.

Most people think of email threats as malicious attachments or suspicious links. But a significant proportion of attacks do not require malware at all; they rely on impersonation.

Attackers register lookalike domains.
They spoof legitimate ones.
They send emails that appear to come from finance teams, senior leaders or trusted suppliers.

You’ll no doubt have seen what we mean, or maybe you’ve even encountered them yourself - it could be something as simple as an email landing in your inbox from a domain like ‘Micr0soft’, or something a little more subtle, such as ‘rnicrosoft’ or ‘mıcrosoft’.

The principle is the same.

If your domain is not properly protected, someone else can send an email that appears to be from you, and that is not a theoretical risk or a worst-case scenario. It happens daily.

And when it does, the damage is not limited to the recipient. It affects your brand, your credibility and your clients’ trust.

What DMARC Actually Does

DMARC stands for Domain-based Message Authentication, Reporting and Conformance.

Under the surface, it works alongside SPF and DKIM to help receiving mail servers verify that email claiming to come from your domain is genuinely authorised. In simple terms, DMARC allows you to:

  • Define which servers are allowed to send email on your behalf.

  • Instruct receiving servers on what to do if authentication fails.

  • Receive reports showing who is attempting to send email using your domain.

Without DMARC enforcement, unauthorised messages can still reach inboxes. With it properly configured, spoofed emails can be rejected or quarantined before they get the chance to do damage.

That visibility alone is valuable. Many organisations are surprised when they first see how frequently their domain is being abused.

Why So Many Domains Still Get This Wrong

Given how long DMARC has existed, you might expect universal adoption by now. But, as with many security controls, that is not the case.

In reality, many domains either:

  • Have no DMARC record at all.

  • Are set to a policy of “none” (p=none), which provides monitoring but no enforcement.

  • Have misaligned SPF or DKIM configurations.

  • Were configured once and never reviewed again.

Why?

Because DMARC can feel technical.
Because email environments are rarely simple.
Because organisations fear blocking legitimate mail.
Because it’s easier to postpone.

And yet that postponement doesn’t reduce the risk. It simply delays what may well be inevitable.
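To make the mechanism under “What DMARC Actually Does” and the weak configurations listed above concrete, here is an added example (not code from the original post) that parses a DMARC TXT record, flags monitoring-only settings, and works out what a receiving server would do with a message. The record strings, domains and the authentication results fed in are constructed samples; the organisational-domain helper is a deliberate simplification.

```python
"""Added example, not from the original post: parse a DMARC TXT record, flag the
weak settings described above, and decide what a receiver does with a message.
Record strings and message identifiers used with it are constructed samples."""

def parse_dmarc(txt: str) -> dict:
    """Split 'v=DMARC1; p=reject; rua=mailto:...' into its tags (RFC 7489 syntax)."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a valid DMARC record")
    return tags

def org_domain(domain: str) -> str:
    """Organisational domain, approximated as the last two labels.
    Production code uses the Public Suffix List (co.uk and similar)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """Relaxed ('r') alignment compares organisational domains; strict ('s') is exact."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)

def dmarc_disposition(record: str, from_domain: str, spf_domain: str,
                      spf_pass: bool, dkim_domain: str, dkim_pass: bool) -> str:
    """'pass' if SPF or DKIM passed AND its domain aligns with the visible From:
    domain; otherwise the published policy applies: none, quarantine or reject."""
    tags = parse_dmarc(record)
    spf_ok = spf_pass and aligned(spf_domain, from_domain, tags.get("aspf", "r"))
    dkim_ok = dkim_pass and aligned(dkim_domain, from_domain, tags.get("adkim", "r"))
    return "pass" if (spf_ok or dkim_ok) else tags["p"]

def weaknesses(record: str) -> list:
    """Flag settings that leave a domain monitored but not actually protected."""
    tags = parse_dmarc(record)
    issues = []
    if tags["p"] == "none":
        issues.append("p=none: reports only, spoofed mail is still delivered")
    if "rua" not in tags:
        issues.append("no rua=: no aggregate reports, so no visibility")
    if tags.get("pct", "100") != "100":
        issues.append("pct<100: policy applied to only part of the mail flow")
    return issues
```

The spoofing case to notice is a message whose SPF check passes for the sender’s own envelope domain but does not align with your From: domain; alignment, not just authentication, is what DMARC enforces.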

The Risk Landscape Has Changed

In 2026, impersonation tactics are more convincing than ever, and they will only become more so; it is genuinely concerning where this may end up.

Attackers already use publicly available information, social media signals and AI-generated language to craft believable messages. The same generative tools behind those ChatGPT caricatures serve attackers just as well. And when those messages appear to originate from your actual domain, detection becomes far harder for recipients.

All of which means it is no longer enough to rely solely on user awareness training; domain-level controls matter. It is too risky now not to be properly protected.

Now, DMARC isn’t a silver bullet, and you shouldn’t be under any illusion that it fixes everything or prevents every issue before it arises. But it is a baseline control that reduces the likelihood that your domain will be weaponised against your own clients or staff.

DMARC Is Also About Trust

There is also another dimension that often gets overlooked.

Email authentication is increasingly tied to deliverability and reputation - something that will not be news to departments like sales and marketing. In practice, mail providers evaluate your domain’s trustworthiness based on its authentication posture. A poor configuration affects not only security but also the likelihood that legitimate emails reach inboxes.

In other words, DMARC is not just about blocking attackers. It is about maintaining communication reliability.

If you take nothing else away from this section, remember that trust is fragile, and your domain is part of that trust infrastructure.

Implementation Is Where It Gets Complicated

Turning on DMARC enforcement is not as simple as adding a single DNS record and walking away. In most cases, organisations have one or more of the following:

  • Multiple email platforms.

  • Third-party marketing tools.

  • CRM systems for sending automated messages (such as ticketing systems, helpdesks, etc).

  • Legacy applications that were configured years ago.

All of these need to align correctly with SPF and DKIM before enforcement can safely move from monitoring to quarantine or rejection, which is often why many organisations stall at the monitoring phase.

They can see the problem, but they can’t, won’t or don’t have time to solve it.

In our experience, the right approach is structured like this: monitor first, to see who sends what, the types of communication involved and what looks normal versus abnormal. We do this by analysing the reports and identifying legitimate senders. Once that is done, we align configurations accordingly and then gradually tighten policies until they are suitable for your business.

Done properly, enforcement strengthens protection without disrupting operations.
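The monitoring step above comes down to reading DMARC aggregate (RUA) reports and sorting each sending source into something you can act on. As an added example (not the post’s or any vendor’s code), the snippet below does that triage over a constructed report in the RFC 7489 Appendix C layout; the IPs and domains in SAMPLE_REPORT are invented.

```python
"""Added example, not from the original post: triage a DMARC aggregate (RUA)
report so the monitoring phase separates legitimate senders from spoofing.
SAMPLE_REPORT is a constructed report in the RFC 7489 Appendix C layout."""
import xml.etree.ElementTree as ET

SAMPLE_REPORT = """<feedback>
 <policy_published><domain>example.com</domain><p>none</p></policy_published>
 <record><row><source_ip>192.0.2.10</source_ip><count>120</count>
  <policy_evaluated><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
  <identifiers><header_from>example.com</header_from></identifiers>
  <auth_results><dkim><domain>example.com</domain><result>pass</result></dkim>
  <spf><domain>example.com</domain><result>pass</result></spf></auth_results></record>
 <record><row><source_ip>198.51.100.7</source_ip><count>30</count>
  <policy_evaluated><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
  <identifiers><header_from>example.com</header_from></identifiers>
  <auth_results><spf><domain>crm-vendor.example</domain><result>pass</result></spf></auth_results></record>
 <record><row><source_ip>203.0.113.9</source_ip><count>850</count>
  <policy_evaluated><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
  <identifiers><header_from>example.com</header_from></identifiers>
  <auth_results><spf><domain>203-0-113-9.example</domain><result>fail</result></spf></auth_results></record>
</feedback>"""

def classify(rec) -> str:
    """Sort one <record> into a bucket a reviewer can act on."""
    pe = rec.find("row/policy_evaluated")
    if "pass" in (pe.findtext("dkim"), pe.findtext("spf")):
        return "aligned"          # DMARC pass: a known, correctly configured sender
    # Something authenticated, but under a domain that does not align with From:.
    # Typical of a third-party tool (CRM, marketing) that still needs alignment.
    for auth in rec.findall("auth_results/*"):
        if auth.findtext("result") == "pass":
            return "misaligned"
    return "unauthenticated"      # nothing verified: unknown source or spoofing

def summarise(report_xml: str) -> dict:
    """Return {bucket: {source_ip: message_count}} for a whole report."""
    buckets = {"aligned": {}, "misaligned": {}, "unauthenticated": {}}
    for rec in ET.fromstring(report_xml).findall("record"):
        ip = rec.findtext("row/source_ip")
        buckets[classify(rec)][ip] = int(rec.findtext("row/count"))
    return buckets

def ready_for_enforcement(summary: dict) -> bool:
    """Tighten beyond p=none only once no sender fails purely through misalignment."""
    return not summary["misaligned"]

if __name__ == "__main__":
    s = summarise(SAMPLE_REPORT)
    for bucket, sources in s.items():
        print(bucket, sources)
    print("safe to tighten policy:", ready_for_enforcement(s))
```

The misaligned bucket is the one that stalls rollouts: each entry is a sender to either bring into alignment (add it to SPF, sign with a DKIM key for your domain) or confirm as unwanted before moving to quarantine or reject.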

Why This Matters for Managed Service Providers

For MSPs and IT partners, domain protection really shouldn’t be an afterthought.

Clients are under our protection 24/7/365, and they assume their domain is secure and that spoofed emails won’t reach their inboxes. And if any do, they assume someone is watching and will deal with it.

But that’s not always the case. So it’s time that changed.

If DMARC monitoring provides visibility, enforcement provides control.

In 2026, offering email security without domain authentication oversight leaves a gap, and this is not a case of ‘oh great, more money spent, let’s add another product...’; it is about closing a foundational vulnerability.

Final Thought

Phishing evolves, and will continue to do so. Impersonation tactics improve with it, and AI-generated content will only become more convincing.

But that is not cause for alarm - the controls remain simple in principle. If your domain can still be spoofed without consequence, that is a fixable problem.

DMARC has been available for years; it is not new, and it will not offer complete protection at every level. But the organisations that treat it as a baseline rather than an optional extra are better positioned to protect their brand, their clients and their communications.

As part of our wider commitment to strengthening email security, we are now delighted to be offering domain protection powered by DMARC AI, in collaboration with Kevlarr.

Stay tuned for more about Kevlarr and their DMARC AI platform.
