Secure Your Email with SPF, DKIM, and DMARC

4 min read • Agentic AI • 2025-06-23

Business email compromise costs UK businesses hundreds of millions of pounds each year. The mechanics are straightforward: an attacker either gains access to a legitimate business email account or spoofs one convincingly enough to redirect payments, request sensitive data or impersonate senior staff. Three DNS records — SPF, DKIM and DMARC — close the most common vectors for this type of attack, and configuring them typically takes under an hour.

Before making any DNS changes, run your domain through our free email security checker to see your current configuration and identify exactly what needs fixing.

SPF: Sender Policy Framework

SPF is a DNS record that lists every server authorised to send email on behalf of your domain. When an email arrives claiming to be from your domain, the receiving server checks your SPF record. If the sending server is not on the list, the email is flagged as suspicious.

What it prevents: criminals sending emails that appear to come from your domain to your clients, suppliers or staff — a common first step in invoice fraud and impersonation attacks.

DKIM: DomainKeys Identified Mail

DKIM adds a cryptographic signature to every outgoing email. The receiving server uses a public key published in your DNS to verify that the email genuinely came from your domain and has not been altered in transit.

What it prevents: tampering with email content after sending, and impersonation by parties who do not control your private signing key. DKIM works alongside SPF rather than replacing it — both should be configured.

DMARC: Domain-based Message Authentication, Reporting and Conformance

DMARC sits on top of SPF and DKIM and tells receiving servers what to do when an email fails authentication: deliver it, quarantine it or reject it outright. It also sends you regular reports showing who is attempting to send email using your domain — giving you visibility of impersonation attempts you would otherwise never see.

A DMARC policy of p=reject means emails that fail both the SPF and DKIM checks are blocked before they reach the recipient's inbox. It is sensible to start with p=none to monitor traffic before enforcing a stricter policy.

How to Set Them Up

All three records are added through your DNS management interface — typically at your domain registrar or DNS provider such as Cloudflare, GoDaddy or Namecheap. First, identify your email provider, as the specific record values differ between Google Workspace, Microsoft 365 and others.

SPF record: Create a new TXT record with host set to @ (the bare domain). For Google Workspace: v=spf1 include:_spf.google.com ~all. For Microsoft 365: v=spf1 include:spf.protection.outlook.com -all. If you use multiple email services, all of them must be listed in that one SPF record; a domain should never have more than one.

DMARC record: Create a new TXT record with host set to _dmarc. A safe starting value: v=DMARC1; p=none; rua=mailto:postmaster@yourdomain.com. Review the reports for a few weeks before moving to p=quarantine or p=reject.

DKIM record: The method varies by provider. Google Workspace uses a TXT record with host google._domainkey and a value beginning v=DKIM1; k=rsa; p=.... Microsoft 365 typically uses CNAME records. Your email provider's documentation gives the exact values to use.

Allow a few hours for DNS propagation, then recheck using our email security checker to confirm all three records are correctly configured.

If you use third-party mailing tools such as Mailchimp or SendGrid, those services also need authorising in your SPF record and should have their own DKIM configuration. Back up your existing DNS records before making any changes.
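As an added example (not code from the article), the small offline check below tests record values like the ones above against the rules that most often catch SMEs out: exactly one SPF record, a ~all or -all terminator, SPF's limit of 10 DNS lookups across all includes, and a DMARC record whose p= and rua= tags will actually produce reports. SAMPLE_ZONE is a constructed stand-in for DNS TXT answers so it runs without network access; example.co.uk, bad.example and the include chain are hypothetical.

```python
import re
# Constructed stand-in for DNS TXT answers; example.co.uk, bad.example and
# the include chain are hypothetical (real _spf.google.com differs).
SAMPLE_ZONE = {
    "example.co.uk": ["v=spf1 include:_spf.google.com include:servers.mcsv.net ~all"],
    "_dmarc.example.co.uk": ["v=DMARC1; p=none; rua=mailto:postmaster@example.co.uk"],
    "_spf.google.com": ["v=spf1 include:_netblocks.google.com ip4:203.0.113.0/24 ~all"],
    "_netblocks.google.com": ["v=spf1 ip4:198.51.100.0/24 ~all"],
    "servers.mcsv.net": ["v=spf1 ip4:192.0.2.0/24 ?all"],
    "bad.example": ["v=spf1 include:_spf.google.com -all", "v=spf1 mx -all"],
}

def spf_records(name, zone):
    return [t for t in zone.get(name, []) if t.lower().startswith("v=spf1")]
def count_lookups(name, zone, seen=None):
    """Count DNS-querying terms reachable from name's SPF record; RFC 7208 s4.6.4 allows 10."""
    seen = set() if seen is None else seen
    if name in seen: return 0             # guard against include loops
    seen.add(name)
    total = 0
    for rec in spf_records(name, zone)[:1]:
        for term in rec.split()[1:]:
            parts = re.split(r"[:/=]", term.lstrip("+-~?").lower(), maxsplit=1)
            if parts[0] in ("include", "redirect"):
                total += 1 + count_lookups(parts[1], zone, seen)
            elif parts[0] in ("a", "mx", "exists"):
                total += 1
    return total
def check_spf(domain, zone):
    recs, problems = spf_records(domain, zone), []
    if len(recs) != 1:                     # two SPF records is a permerror (RFC 7208 s3.2)
        problems.append(f"expected exactly one SPF record, found {len(recs)}")
    all_term = next((t for t in recs[0].split() if t.lower().endswith("all")), None) if recs else None
    if all_term not in ("~all", "-all"):   # missing or +all lets anyone pass SPF
        problems.append("record should end with ~all or -all")
    lookups = count_lookups(domain, zone)
    if lookups > 10:
        problems.append(f"{lookups} DNS lookups exceeds the limit of 10")
    return {"all": all_term, "lookups": lookups, "problems": problems}
def check_dmarc(domain, zone):
    txts = [t for t in zone.get(f"_dmarc.{domain}", []) if t.upper().startswith("V=DMARC1")]
    tags = {k.lower(): v.strip() for k, v in re.findall(r"(\w+)\s*=\s*([^;]+)", txts[0])} if txts else {}
    problems = []
    if not tags:
        problems.append(f"no DMARC record at _dmarc.{domain}")
    elif tags.get("p") not in ("none", "quarantine", "reject"):
        problems.append("p= must be none, quarantine or reject")
    elif "rua" not in tags:
        problems.append("no rua= address, so aggregate reports will never arrive")
    return {"policy": tags.get("p"), "rua": tags.get("rua"), "problems": problems}
```

Swap SAMPLE_ZONE for a real TXT lookup (for example via dnspython) to run the same checks against a live domain.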

What Else Email Security Requires

SPF, DKIM and DMARC address domain authentication. They are a necessary foundation, but complete email security for an SME also requires filtering for malicious attachments and links, protection against business email compromise where an attacker has access to a legitimate account rather than just spoofing one, and staff awareness training so that employees recognise suspicious messages that do get through.

For a more complete view of your email security posture, see our email security service or book a free consultation.
