Here is an uncomfortable fact: unless your domain is configured to prevent it, anyone on the internet can send an email that says it comes from you. Your customers cannot tell the difference. Their mail server can, but only if you have published three DNS records that most small businesses have never heard of.
When we run cybersecurity audits on SME domains, weak or missing email authentication is the single most common finding. It is also one of the cheapest problems to fix.
Why this matters in practice
Email spoofing is not a theoretical risk. It is the entry point for the two attacks that actually hit small businesses:
- Invoice fraud. An attacker emails your customer "from" your accounts address with new banking details. The customer pays the attacker. This happens to South African businesses every week, and the money is rarely recovered.
- Internal phishing. An email "from the director" asks the bookkeeper to make an urgent payment or share credentials. No hacking required, just a forged sender address.
There is a second cost that shows up even without an attack: deliverability. Gmail and Microsoft now require authentication for senders. If your records are missing or wrong, your legitimate quotes and invoices land in spam folders, and you never find out why.
The three records, in plain language
SPF: who is allowed to send
SPF is a DNS record that lists the servers permitted to send email for your domain. When a receiving server gets a message claiming to be from you, it checks whether the sending server is on your list. No SPF record means no list, so the check has nothing to fail against and everything gets through. A typical record looks like this:
v=spf1 a mx include:_spf.yourprovider.com ~all
DKIM: proof the message was not altered
DKIM adds a cryptographic signature to every outgoing message. The receiving server verifies the signature against a public key in your DNS. If the message was tampered with in transit, or was never signed by your server at all, verification fails. Your email provider generates the keys. You publish one DNS record.
DMARC: what to do when checks fail
SPF and DKIM detect forgery. DMARC tells receiving servers what to do about it: deliver anyway, send to spam, or reject outright. It also sends you reports on who is sending mail as your domain. A DMARC record has three meaningful policy levels:
| Policy | Meaning | Protection |
|---|---|---|
| p=none | Monitor only, deliver everything | None yet, but you get reports |
| p=quarantine | Failed mail goes to spam | Real protection, low risk |
| p=reject | Failed mail is refused | Full protection |
Most SMEs that have DMARC at all sit at p=none forever, which announces that you monitor forgery but do nothing about it. The intended path is to run at p=none for a few weeks while reading reports, fix any legitimate sender you forgot about, then move up.
Check your own domain in 60 seconds
You do not need a consultant for the basic check. On any computer, look up two DNS TXT records for your domain:
- yourdomain.com, TXT: look for a line starting v=spf1
- _dmarc.yourdomain.com, TXT: look for a line starting v=DMARC1
Free web tools like MXToolbox will run both checks if you prefer a form to a terminal. If either record is missing, you are spoofable today. If DMARC says p=none, you are still spoofable, you just have a record that says so politely.
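As an added example that is not part of the original article, here is a small Python script that applies the two checks above to the answers returned by `dig +short TXT yourdomain.com` and `dig +short TXT _dmarc.yourdomain.com`. The domain and record values are constructed samples, and the script goes slightly beyond the text by also flagging an SPF record that ends in +all or ?all (which authorises everyone) and a DMARC policy with pct below 100 (which only enforces on a fraction of mail).

```python
import re

# Constructed sample answers, in the shape `dig +short TXT <name>` prints them
# (hypothetical domain; paste your own dig output here instead).
SAMPLE_ANSWERS = {
    "example.com": [
        '"v=spf1 a mx include:_spf.yourprovider.com ~all"',
        '"google-site-verification=abc123"',
    ],
    "_dmarc.example.com": ['"v=DMARC1; p=none; rua=mailto:dmarc@example.com"'],
}

def find_record(txt_answers, prefix):
    """Return the first TXT value starting with prefix, with dig's quoting removed."""
    for raw in txt_answers:
        # dig splits long records into several quoted chunks; join them back
        value = "".join(re.findall(r'"([^"]*)"', raw)) or raw
        if value.lower().startswith(prefix.lower()):
            return value
    return None

def assess_spf(record):
    """Classify an SPF record as missing / weak / ok with a one-line reason."""
    if record is None:
        return "missing", "no SPF record, so any server may send as this domain"
    terminal = [t for t in record.split() if re.fullmatch(r"[+\-~?]?all", t.lower())]
    if not terminal:
        return "weak", "no 'all' mechanism, so unlisted servers are never failed"
    qualifier = terminal[-1][0] if terminal[-1][0] in "+-~?" else "+"
    if qualifier in "+?":
        return "weak", f"'{terminal[-1]}' lets anyone send as this domain"
    return "ok", f"terminal mechanism '{terminal[-1]}'"

def assess_dmarc(record):
    """Classify a DMARC record as missing / monitor / enforced with a reason."""
    if record is None:
        return "missing", "no DMARC record, so receivers decide on their own"
    pairs = (p.split("=", 1) for p in record.split(";") if "=" in p)
    tags = {k.strip().lower(): v.strip() for k, v in pairs}
    policy, pct = tags.get("p", "none").lower(), int(tags.get("pct", "100"))
    if policy == "none":
        return "monitor", "p=none: forgeries are reported but still delivered"
    if pct < 100:
        return "monitor", f"p={policy} but pct={pct}, so most forgeries still pass"
    return "enforced", f"p={policy}: failed mail is {'refused' if policy == 'reject' else 'sent to spam'}"

def check_domain(domain, answers):
    """Run both checks for a domain using already-fetched TXT answers."""
    spf = assess_spf(find_record(answers.get(domain, []), "v=spf1"))
    dmarc = assess_dmarc(find_record(answers.get(f"_dmarc.{domain}", []), "v=DMARC1"))
    return {"spf": spf, "dmarc": dmarc,
            "spoofable": spf[0] != "ok" or dmarc[0] != "enforced"}

if __name__ == "__main__":
    print(check_domain("example.com", SAMPLE_ANSWERS))
```

The sample domain above has a sound SPF record but sits at p=none, so the script reports it as still spoofable, which is exactly the case the paragraph describes.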
The five-tier maturity model
In our audits we score email security as a ladder, because the fixes build on each other:
1. SPF published. The baseline. Minutes to set up.
2. DKIM signing. Usually one toggle plus one DNS record at your provider.
3. DMARC enforced. At quarantine or reject, not none.
4. MTA-STS. Forces encrypted delivery between mail servers.
5. BIMI. Your verified logo next to messages in Gmail and others. Requires enforced DMARC first, which is why it signals real maturity.
Tiers 1 to 3 are where the risk reduction lives, and a competent provider or IT person can complete them in an afternoon. Tiers 4 and 5 are polish that most competitors will not have, which is exactly why they are worth doing once the basics are in place.
The bottom line
Email authentication is the rare security control that is cheap, fast, measurable from the outside, and directly tied to a fraud pattern that targets businesses your size. Check your two DNS records today. If something is missing, that is your highest-return security task this month.