Email Security (DMARC+)

Why Email Authentication Matters

The problem with email

Email was invented in the 1970s. The protocol that still carries it, SMTP, has no built-in way to verify that a message came from the address it claims. Anyone who can reach an SMTP server can send a message whose From: line names any address they like, including one at your domain, and the protocol has no way to check.

For decades, this was tolerable. Today, spoofed email is one of the most exploited weaknesses in business communication.


What attackers do with unauthenticated email

Brand impersonation

Attackers send emails that appear to come from your domain to your customers, suppliers, or partners. They might:

  • Trick customers into paying fake invoices
  • Steal login credentials through fake password reset emails
  • Spread malware through "official" communications
  • Damage your brand reputation when recipients realise they were defrauded

The victim receives a message whose From: address is at your domain and which looks completely legitimate, because nothing in SMTP verifies the From: field.

Business Email Compromise (BEC)

BEC attacks impersonate executives to trick employees into taking actions — usually transferring money or sharing sensitive data. In 2023, BEC caused over $2.9 billion in reported losses in the US alone (FBI IC3). The average loss per incident is over $125,000.

The attacker doesn't need to compromise your email system. They just need to spoof your domain.

Phishing campaigns at scale

Attackers use your domain's reputation to send phishing campaigns. Your domain — which has built trust over years — is used to deliver malicious emails to millions of recipients. This also damages your domain's deliverability reputation.


Why SPF and DKIM alone aren't enough

SPF dates from 2003. It checks whether the connecting server is authorised to send for a domain, but the domain it checks is the envelope sender (the SMTP MAIL FROM, which the receiver records as the Return-Path header), not the From: header that users see in their inbox. An attacker can use an envelope sender at a domain they control, pass SPF for it, and still put your address in the visible From:.

DKIM adds a cryptographic signature over the headers and body, but the signing domain (the d= tag) is chosen by whoever signs the message. A valid signature proves the message was not altered after the domain in d= signed it; it does not by itself prove that domain has anything to do with the address in From:. An attacker can sign with a key for a domain they own and still put your address in From:.

Both are necessary. Neither is sufficient without DMARC to enforce alignment between the authenticated identifiers and the visible From: header.


What DMARC adds

DMARC (Domain-based Message Authentication, Reporting, and Conformance) does three things:

  1. Policy — tells receiving servers what to do when authentication fails (p=none, p=quarantine, p=reject)
  2. Alignment — requires that the authenticated domain (from SPF or DKIM) matches the visible From: header domain — closing the spoofing loophole
  3. Reporting — sends you data about who is sending email from your domain and how it's performing

Without DMARC:

  • SPF and DKIM can pass, but spoofed emails still get delivered because there's no alignment enforcement
  • You have no visibility into who is sending email claiming to be from your domain

With DMARC at p=reject:

  • A message passes DMARC only if SPF or DKIM passes and the passing identifier aligns with the From: domain; at p=reject, anything else is refused by the receiver before it reaches an inbox
  • You receive aggregate reports (normally one per reporting receiver per day) listing every source that sent mail with your domain in From:, with its SPF, DKIM and alignment results
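
The alignment check described in the two preceding sections, as an added example that is not part of this page: a small Python model of a DMARC receiver that parses a published record, applies relaxed or strict alignment to the SPF and DKIM identifiers, and decides the disposition, including the pct sampling step. The domain names, the record text and the per-message results are constructed; the organisational-domain helper is a two-label simplification of the Public Suffix List lookup that a real implementation uses.

```python
"""DMARC in miniature: parse the published record, test identifier alignment
and decide a disposition.  Added example, not the page's own code."""
from dataclasses import dataclass
from typing import Optional


def org_domain(domain: str) -> str:
    # ASSUMPTION: real receivers consult the Public Suffix List; taking the last
    # two labels is a stand-in that is wrong for suffixes such as co.uk.
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(auth_domain: Optional[str], from_domain: str, mode: str) -> bool:
    """RFC 7489 identifier alignment: 's' needs an exact match, 'r' accepts
    any name under the same organisational domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


VALID_POLICIES = ("none", "quarantine", "reject")


def parse_dmarc_record(txt: str) -> dict:
    """Parse 'v=DMARC1; p=reject; rua=...' into tags, filling RFC 7489 defaults."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = value.strip()
    if tags.get("v") != "DMARC1" or tags.get("p") not in VALID_POLICIES:
        raise ValueError("not a usable DMARC record")
    tags.setdefault("adkim", "r")      # relaxed alignment unless told otherwise
    tags.setdefault("aspf", "r")
    tags.setdefault("pct", "100")
    tags.setdefault("sp", tags["p"])   # subdomains inherit p unless sp is set
    if tags["sp"] not in VALID_POLICIES:
        raise ValueError("invalid sp tag")
    return tags


@dataclass
class AuthResults:
    from_domain: str             # RFC5322.From domain: what the recipient sees
    spf_result: str              # SPF result for the envelope sender
    spf_domain: Optional[str]    # RFC5321.MailFrom domain SPF was checked against
    dkim_result: str             # result of verifying the DKIM signature
    dkim_domain: Optional[str]   # d= tag of the signature that verified


def evaluate(record: dict, policy_domain: str, auth: AuthResults, roll: int = 0) -> dict:
    """Decide what the receiver does.  `roll` is the receiver's 0-99 sampling
    draw for pct; messages with roll >= pct get the next-weaker action, as
    RFC 7489 section 6.6.4 describes."""
    spf_aligned = auth.spf_result == "pass" and aligned(auth.spf_domain, auth.from_domain, record["aspf"])
    dkim_aligned = auth.dkim_result == "pass" and aligned(auth.dkim_domain, auth.from_domain, record["adkim"])
    outcome = {"spf_aligned": spf_aligned, "dkim_aligned": dkim_aligned}
    if spf_aligned or dkim_aligned:
        return {**outcome, "dmarc": "pass", "disposition": "none"}
    # From: domain equal to the policy domain uses p; a subdomain uses sp
    policy = record["p"] if auth.from_domain.lower() == policy_domain.lower() else record["sp"]
    if roll >= int(record["pct"]):
        policy = {"reject": "quarantine", "quarantine": "none", "none": "none"}[policy]
    return {**outcome, "dmarc": "fail", "disposition": policy}


# Constructed scenario: the attacker's server is listed in attacker.example's SPF
# record and signs with attacker.example's DKIM key, but writes your domain in From:.
RECORD = parse_dmarc_record("v=DMARC1; p=reject; rua=mailto:dmarc@yourcompany.example")
SPOOF = AuthResults("yourcompany.example", "pass", "attacker.example", "pass", "attacker.example")
LEGIT = AuthResults("yourcompany.example", "pass", "bounce.yourcompany.example", "pass", "yourcompany.example")

if __name__ == "__main__":
    for name, msg in (("spoofed", SPOOF), ("legitimate", LEGIT)):
        print(name, evaluate(RECORD, "yourcompany.example", msg))
```

Both constructed messages pass raw SPF and raw DKIM; only the legitimate one passes DMARC, because only its identifiers belong to the domain in From:. Switching the record to adkim=s shows why strict alignment breaks senders that sign from a subdomain, and pct=10 shows the staged rollout: nine out of ten failing messages are downgraded from reject to quarantine.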

The business case

Protect your customers and partners

Every day your domain operates without DMARC enforcement, attackers can impersonate you. Your customers trust your domain. That trust is yours to protect.

Protect your organisation from BEC

Finance teams, executive assistants, and HR are prime BEC targets. DMARC on your domain doesn't stop attackers from registering lookalike domains, but at p=reject it does stop messages that carry your exact domain in the From: header, at every receiver that honours DMARC, which includes all the major mailbox providers.

Improve email deliverability

Major providers (Google, Microsoft, Yahoo) give preferential treatment to authenticated senders. Since February 2024, Google and Yahoo require a DMARC policy for bulk senders. An enforced DMARC policy is one of the authentication signals those providers weigh when deciding inbox placement.

Comply with security frameworks

DMARC is now referenced or required by:

  • NIST SP 800-177 (Trustworthy Email: SPF, DKIM and DMARC recommendations)
  • UK NCSC (mandatory for government domains, recommended for the wider public sector)
  • PCI DSS v4.0 (requirement 5.4.1, anti-phishing mechanisms; its guidance names DMARC, SPF and DKIM as examples)
  • Cyber insurance underwriters, many of whom now ask about DMARC as part of risk assessment

Unlock BIMI

BIMI (Brand Indicators for Message Identification) displays your verified logo in supporting email clients, increasing brand visibility and open rates. It requires DMARC at enforcement: p=reject, or p=quarantine with pct=100 (some clients, Gmail among them, also require a Verified Mark Certificate). DMARC is the prerequisite.


How long does it take?

A typical organisation can reach full DMARC enforcement in 6–12 weeks:

  Weeks 1–2    Deploy p=none and start collecting aggregate reports
  Weeks 3–6    Identify and fix failing sending sources
  Weeks 7–8    Advance to p=quarantine with pct=10, then increase pct gradually
  Weeks 9–12   Move to p=reject (full enforcement)
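
The "identify and fix failing sending sources" step above, and the aggregate reports described under "What DMARC adds", as an added example that is not part of this page: a Python script that reads one rua report in the XML layout of RFC 7489 Appendix C, totals messages per source IP, and tells you which sources are fine, which authenticate but for the wrong domain, and which should be investigated. The report is a constructed sample with reserved .example domains and documentation IP ranges; the three action labels are this example's own convention.

```python
"""Summarise a DMARC aggregate (rua) report per sending source and say what
to do about each.  Added example, not the page's own code."""
import xml.etree.ElementTree as ET

# Constructed sample in the RFC 7489 Appendix C layout.  All addresses are
# documentation ranges and all domains are reserved .example names.
SAMPLE_REPORT = """<?xml version="1.0"?>
<feedback>
  <report_metadata>
    <org_name>receiver.example</org_name>
    <report_id>constructed-sample-1</report_id>
    <date_range><begin>1704067200</begin><end>1704153600</end></date_range>
  </report_metadata>
  <policy_published>
    <domain>yourcompany.example</domain>
    <adkim>r</adkim><aspf>r</aspf><p>none</p><sp>none</sp><pct>100</pct>
  </policy_published>
  <!-- your own mail gateway: both identifiers align -->
  <record>
    <row><source_ip>192.0.2.10</source_ip><count>120</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated>
    </row>
    <identifiers><header_from>yourcompany.example</header_from></identifiers>
    <auth_results>
      <dkim><domain>yourcompany.example</domain><result>pass</result></dkim>
      <spf><domain>yourcompany.example</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <!-- a newsletter provider: SPF and DKIM pass, but for ITS domains, so neither aligns -->
  <record>
    <row><source_ip>203.0.113.5</source_ip><count>300</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated>
    </row>
    <identifiers><header_from>yourcompany.example</header_from></identifiers>
    <auth_results>
      <dkim><domain>esp.example</domain><result>pass</result></dkim>
      <spf><domain>bounce.esp.example</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <!-- an unknown host: nothing authenticates, probably not yours -->
  <record>
    <row><source_ip>198.51.100.77</source_ip><count>40</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated>
    </row>
    <identifiers><header_from>yourcompany.example</header_from></identifiers>
    <auth_results>
      <spf><domain>yourcompany.example</domain><result>fail</result></spf>
    </auth_results>
  </record>
</feedback>
"""


def summarise(report_xml: str) -> dict:
    """Group rows by source IP.  policy_evaluated holds the aligned (DMARC-level)
    results; auth_results holds the raw SPF/DKIM results and the domains they
    were evaluated for, which is what tells you how to fix a source."""
    root = ET.fromstring(report_xml)
    published = {child.tag: child.text for child in root.find("policy_published")}
    sources = {}
    for rec in root.findall("record"):
        row = rec.find("row")
        ip = row.findtext("source_ip")
        count = int(row.findtext("count"))
        evaluated = row.find("policy_evaluated")
        # DMARC passes when either identifier both authenticated and aligned
        dmarc_pass = "pass" in (evaluated.findtext("dkim"), evaluated.findtext("spf"))
        src = sources.setdefault(ip, {"messages": 0, "dmarc_pass": 0, "raw_auth": set()})
        src["messages"] += count
        if dmarc_pass:
            src["dmarc_pass"] += count
        auth = rec.find("auth_results")
        for mech in ("dkim", "spf"):
            for node in (auth.findall(mech) if auth is not None else []):
                if node.findtext("result") == "pass":
                    src["raw_auth"].add(f"{mech}:{node.findtext('domain')}")
    return {"domain": published["domain"], "policy": published["p"], "sources": sources}


def classify(src: dict) -> str:
    """Map one source's summary to the rollout action it needs (labels are this
    example's own convention)."""
    if src["dmarc_pass"] == src["messages"]:
        return "ok"              # leave it alone
    if src["raw_auth"]:
        return "fix-alignment"   # authenticates, but for another domain: get it to sign with d=yourdomain or use a custom return-path
    return "investigate"         # nothing authenticates: a forgotten system of yours, or someone else's


def report_actions(report_xml: str) -> dict:
    """Source IP -> action, for the whole report."""
    return {ip: classify(src) for ip, src in summarise(report_xml)["sources"].items()}


if __name__ == "__main__":
    summary = summarise(SAMPLE_REPORT)
    print(f"{summary['domain']} published p={summary['policy']}")
    for ip, src in summary["sources"].items():
        print(f"  {ip:15} {src['messages']:5} msgs {src['dmarc_pass']:5} aligned -> {classify(src)} {sorted(src['raw_auth'])}")
```

The second source is the usual surprise in a first week of reports: a legitimate third-party sender whose messages would be lost the moment p=reject is switched on. The raw results show it authenticates for its own domain only, so the fix is alignment (a DKIM key for your domain at the provider, or a custom bounce domain under yours), not blocking. Real reports arrive as gzip or zip attachments, one per reporting receiver per day, so a production version would loop over a mailbox and aggregate across days.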

The investment is modest. The protection is significant. Every week without DMARC enforcement is a week attackers can freely impersonate your domain.