Ignix Insights · Field Notes

Your Domain Is a Weapon. And You Handed It Over.

April 2026 · 6 min read · Business owners · IT managers

We recently assessed the public email security posture of 100 London businesses: solicitors, accountants, architects, dental practices and financial advisers. Nearly half of them have no enforced protection against email spoofing. Right now, anyone in the world can send an email that appears to come from their domain, and their clients would have no technical way to tell the difference.

The Three Letters That Matter

Email authentication comes down to three DNS records: SPF, DKIM and DMARC. Together they let a receiving mail server check three things: whether the sending server is one you authorised, whether the message carries a valid cryptographic signature from your domain, and what to do with a message when neither check holds up for the address shown in From. Without them, your domain is an open door.

SPF (Sender Policy Framework) lists which servers may send email on your behalf. It is the most basic layer: a TXT record in your DNS that says "mail claiming to be from our domain should only come from these IP addresses." One caveat matters for everything that follows: SPF is checked against the envelope sender (the Return-Path), not the From address a person sees in their mail client. An attacker can put their own domain in the Return-Path, pass SPF for that domain, and still display your address in From. SPF on its own does not stop that.

DKIM (DomainKeys Identified Mail) adds a digital signature to every email you send. The receiving server fetches the public key from your DNS and checks the signature against the message headers and body. A valid signature proves the message was signed by whoever holds your private key and has not been altered since. No signature, or a broken one, means the receiver has no proof the message is yours; it does not by itself prove forgery, because forwarding and mailing lists can also break a signature, which is one reason DMARC treats SPF and DKIM as alternatives rather than requiring both.

DMARC (Domain-based Message Authentication, Reporting and Conformance) ties SPF and DKIM to the From address the recipient actually sees. A message passes DMARC only if SPF or DKIM passes for a domain that matches (is "aligned" with) the From domain, and the record tells receiving servers what to do when neither does. Without DMARC, a server might accept a forged email anyway. With DMARC set to "reject", receivers that honour the policy drop the forged email before it reaches the inbox, and send you reports on what they saw.

The uncomfortable truth: without DMARC, your SPF and DKIM records are advisory. A receiver can note a soft fail and deliver anyway, and nothing links either check to the From address. DMARC is the enforcement mechanism, and it is the one most businesses are missing.

What We Found

We scanned 100 businesses across five sectors in central London. The results were consistent and concerning.

47%     No DMARC    Nearly half had no DMARC record at all; their domains can be spoofed with nothing to stop it
31%     No DKIM     Almost a third had no email signing; no way to prove their emails are genuine
8%      No SPF      Some businesses had no email authentication at all, not even the most basic record
15 min  To fix      Publishing all three records takes under fifteen minutes; moving DMARC to enforcement takes a further fortnight of monitoring

The pattern was remarkably consistent across sectors: solicitors' firms handling confidential client communications, accountancy practices processing financial data, dental surgeries managing patient records. All had the same gap: anyone could send an email that appeared to come from their domain, and their clients would have no technical reason to doubt it.

Why This Matters More Than You Think

Business Email Compromise Is a £Billions Problem

Business Email Compromise (BEC) is now the single most financially damaging category of cybercrime. It does not require malware or any technical sophistication. An attacker sends an email that appears to come from someone the victim trusts (their solicitor, their accountant, their boss) and asks them to transfer money, share documents or click a link. Spoofing the trusted party's exact domain is the cheapest way to do that, and it is the one DMARC shuts off.

In conveyancing fraud alone, buyers are routinely tricked into sending house deposits to the wrong bank account by emails that appear to come from their solicitor's domain. If the solicitor has no DMARC, there is nothing technically preventing this: the message fails no check the receiver has been told to act on, so to the email system it is indistinguishable from a real one.

Your Reputation Is at Stake

When a phishing email arrives from your domain, the damage lands on you — even though you didn't send it. Your domain gets flagged. Your deliverability drops. Your clients lose trust. And if a client suffers a financial loss because of a spoofed email from your domain, the professional liability conversation gets very uncomfortable very quickly.

It's a Compliance Issue

The Information Commissioner's Office expects organisations to implement "appropriate technical and organisational measures" to protect personal data. Email authentication is about as fundamental a technical measure as exists. If you're a law firm or medical practice handling sensitive data without DMARC, you're not meeting the baseline expectation of the regulator.

What a Spoofed Email Looks Like

Email Header Analysis
# Email received by a client of a firm with no DMARC record.
# The attacker sends it from a server they control (203.0.113.10, an example address)
# with the visible From set to the firm's domain.

From: accounts@yourfirm.co.uk
To: client@gmail.com
Subject: Updated bank details for your matter

# SPF check: SOFTFAIL (203.0.113.10 is not in the firm's SPF record, which ends in ~all.
#   A soft fail is a hint, not an instruction to reject. SPF is evaluated on the
#   Return-Path, so had the attacker used their own domain there, SPF would PASS.)
# DKIM check: NONE (the message carries no signature, so there is nothing to verify)
# DMARC check: NONE (no _dmarc.yourfirm.co.uk record exists, so there is no policy to apply)

# Result: delivered to the inbox. Looks identical to a genuine email.
# Client sees: accounts@yourfirm.co.uk, with no warning and no flag.

────────────────────────────────────────

# Same email sent to a client of a firm WITH DMARC (p=reject):

# SPF check: does not pass for yourfirm.co.uk (SOFTFAIL against the firm's record, or a PASS
#   for the attacker's own Return-Path domain, which is not aligned with the From domain)
# DKIM check: NONE (still no signature, so nothing that could be aligned with yourfirm.co.uk)
# DMARC check: FAIL (neither SPF nor DKIM passed for the From domain); policy p=reject

# Result: rejected by the receiving server. Never delivered. The client never sees it.

The 15-Minute Fix

Adding DMARC protection to your domain is not a major IT project. It is three DNS records, and most businesses can publish them in under fifteen minutes; the only part that takes longer is watching the DMARC reports for a week or two before switching to reject. Here's what you need:

Step 1: Check What You Have

Visit ignixip.com and look up your own domain. The report will show whether you have SPF, DKIM and DMARC configured. If you prefer to check by hand, a TXT lookup on your bare domain shows the SPF record, one on _dmarc.yourdomain.co.uk shows DMARC, and one on selector._domainkey.yourdomain.co.uk shows a DKIM key (you need to know which selector your provider uses). If any are missing, you know where to start.

Step 2: Add SPF (If Missing)

Add a TXT record at the root of your domain. If you use Google Workspace for email, it looks like this: v=spf1 include:_spf.google.com ~all. If you use Microsoft 365: v=spf1 include:spf.protection.outlook.com ~all. Your email provider's documentation will tell you exactly what to add. Three things catch people out: a domain may have only one v=spf1 record (two is a permanent error, which receivers treat as a fail); every third-party service that sends as your domain (invoicing, CRM, newsletter tools) needs its own include: in that same record, or its mail will start failing once DMARC is enforced; and the record may trigger at most ten DNS lookups in total, counting the ones nested inside each include:.

Step 3: Add DKIM

Generate DKIM keys through your email provider's admin console (Google Admin, Microsoft 365 Admin or your hosting control panel). They will give you a DNS record to publish under a selector subdomain such as google._domainkey.yourdomain.co.uk; Google uses a TXT record, Microsoft 365 uses two CNAME records (selector1 and selector2) pointing at its own key records. Publish it, wait for DNS to propagate, then turn signing on in the console: the key in DNS does nothing until the provider starts signing with it. Third-party senders need their own DKIM set up with your domain in the signature (the d= tag), or their mail will not align under DMARC.

Step 4: Add DMARC

Start with a monitoring policy so you can see what's happening before you enforce. Add this TXT record at _dmarc.yourdomain.co.uk:

DMARC Record — Start Here
# Phase 1: Monitor (see what's happening)
v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.co.uk

# Phase 2: Quarantine (suspicious emails go to spam)
v=DMARC1; p=quarantine; rua=mailto:dmarc@yourdomain.co.uk

# Phase 3: Reject (forged emails blocked completely)
v=DMARC1; p=reject; rua=mailto:dmarc@yourdomain.co.uk

Start with p=none for at least a week and read the aggregate reports that arrive at the rua address (XML attachments, easiest to read through a report viewer) to confirm that everything legitimately sending as your domain is passing. Add any sender you had forgotten to SPF or DKIM, then move to p=quarantine for another week, then to p=reject. Note that p applies to your subdomains as well unless you set sp= separately. The whole process takes about a fortnight. The result is that receivers which enforce DMARC, and the major providers do, will refuse mail that uses your exact domain without passing your checks. It does not stop lookalike domains (yourfirm-co.uk) or mail sent from a genuinely compromised mailbox, so treat it as a floor, not a ceiling.
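The decision the two header walkthroughs above describe, and the three rollout phases, worked through in code. This is an added example, not the page's or Ignix's tooling, written as a plain Python script so it runs offline: a constructed dictionary stands in for DNS TXT lookups; yourfirm.co.uk, attacker.example, the IP addresses and the truncated DKIM key are placeholders; and relaxed alignment is reduced to a registered-domain suffix match where a real verifier would consult the Public Suffix List. It goes slightly beyond the page by also enforcing the ten-lookup SPF limit mentioned in Step 2.

```python
"""DMARC disposition worked through in code (added example, not the page's tooling).

A constructed DNS table stands in for real TXT lookups so the script runs offline.
yourfirm.co.uk, attacker.example, the IPs and the truncated DKIM key are placeholders.
"""
import ipaddress
import re

MAX_SPF_LOOKUPS = 10  # RFC 7208: more than ten DNS-querying mechanisms is a permerror

# Constructed zone data: the three records Steps 2 to 4 publish, a simplified
# stand-in for Google's include target, and a domain the attacker owns.
DNS_TXT = {
    "yourfirm.co.uk": "v=spf1 include:_spf.google.com ~all",
    "_spf.google.com": "v=spf1 ip4:203.0.113.0/24 ~all",
    "google._domainkey.yourfirm.co.uk": "v=DKIM1; k=rsa; p=MIIBIjANBg...",
    "_dmarc.yourfirm.co.uk": "v=DMARC1; p=reject; rua=mailto:dmarc@yourfirm.co.uk",
    "attacker.example": "v=spf1 ip4:198.51.100.7 -all",
}
RESULT_FOR_QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(ip, domain, zone=DNS_TXT, _lookups=None):
    """SPF result for the connecting IP and the MAIL FROM (Return-Path) domain.

    Handles ip4/ip6/include/all (a, mx, exists and redirect omitted for brevity).
    It never looks at the visible From header; tying the result to that is DMARC's job.
    """
    lookups = [0] if _lookups is None else _lookups
    record = zone.get(domain, "")
    if not record.startswith("v=spf1"):
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qualifier, term = (term[0], term[1:]) if term[0] in "+-~?" else ("+", term)
        result = RESULT_FOR_QUALIFIER[qualifier]
        if term.startswith(("ip4:", "ip6:")):
            if addr in ipaddress.ip_network(term[4:], strict=False):
                return result
        elif term.startswith("include:"):
            lookups[0] += 1
            if lookups[0] > MAX_SPF_LOOKUPS:
                return "permerror"
            inner = check_spf(ip, term[len("include:"):], zone, lookups)
            if inner == "permerror":
                return inner
            if inner == "pass":
                return result
        elif term == "all":
            return result
    return "neutral"  # nothing matched and no 'all' term


def registered_domain(domain):
    """Organisational domain, crudely: last two labels, or three under co.uk-style suffixes."""
    labels = domain.lower().split(".")
    keep = 3 if len(labels) >= 3 and labels[-2] in ("co", "org", "ac", "gov") else 2
    return ".".join(labels[-keep:])


def aligned(auth_domain, from_domain, mode):
    """DMARC identifier alignment: strict ('s') is an exact match, relaxed ('r') same org domain."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return registered_domain(auth_domain) == registered_domain(from_domain)


def parse_dmarc(from_domain, zone=DNS_TXT):
    """Policy tags from _dmarc.<from_domain>, or None when no record is published."""
    record = zone.get(f"_dmarc.{from_domain}", "")
    if not record.startswith("v=DMARC1"):
        return None
    tags = {k: v.strip() for k, v in re.findall(r"(\w+)=([^;]+)", record)}
    return {"p": tags.get("p", "none"), "aspf": tags.get("aspf", "r"), "adkim": tags.get("adkim", "r")}


def dmarc_disposition(from_domain, sender_ip, mailfrom_domain, dkim_pass_domains, zone=DNS_TXT):
    """What a DMARC-honouring receiver does with one message: (dmarc_result, action).

    dkim_pass_domains lists the d= domains of signatures that verified; empty if unsigned.
    """
    policy = parse_dmarc(from_domain, zone)
    if policy is None:
        return "none", "deliver"  # no record: nothing to enforce, whatever SPF and DKIM said
    spf_ok = (check_spf(sender_ip, mailfrom_domain, zone) == "pass"
              and aligned(mailfrom_domain, from_domain, policy["aspf"]))
    dkim_ok = any(aligned(d, from_domain, policy["adkim"]) for d in dkim_pass_domains)
    if spf_ok or dkim_ok:
        return "pass", "deliver"
    return "fail", {"none": "deliver", "quarantine": "quarantine", "reject": "reject"}[policy["p"]]


if __name__ == "__main__":
    firm = "yourfirm.co.uk"
    # Genuine mail: Google's server, Return-Path at the firm, DKIM signed with d=yourfirm.co.uk.
    print("genuine       ", dmarc_disposition(firm, "203.0.113.10", firm, [firm]))
    # The page's forged mail: attacker's own server and Return-Path (SPF passes for
    # attacker.example but is not aligned), and no DKIM signature at all.
    print("forged        ", dmarc_disposition(firm, "198.51.100.7", "attacker.example", []))
    # Phase 1 of the rollout: p=none records the failure in reports but still delivers.
    monitoring = {**DNS_TXT, "_dmarc.yourfirm.co.uk": "v=DMARC1; p=none; rua=mailto:dmarc@yourfirm.co.uk"}
    print("forged, p=none", dmarc_disposition(firm, "198.51.100.7", "attacker.example", [], monitoring))
    # No record at all: where 47% of the surveyed firms stand.
    unprotected = {k: v for k, v in DNS_TXT.items() if not k.startswith("_dmarc.")}
    print("forged, no rec", dmarc_disposition(firm, "198.51.100.7", "attacker.example", [], unprotected))
```

The function names and the zone dictionary are this example's own. The point to take from it is the middle of dmarc_disposition: SPF passing for the attacker's Return-Path domain counts for nothing, because the pass is not aligned with the From domain the client sees, and the only thing that changes the outcome from "deliver" to "reject" is the p= tag you publish.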

What We See Every Day

We monitor network traffic for our clients around the clock. Every week we see phishing attempts that use spoofed sender domains. The firms that have DMARC set to reject are protected against that exact-domain spoofing: the forged emails never reach their clients. The firms without DMARC are rolling the dice every day.

The fix is free. The DNS records cost nothing. The only cost is the fifteen minutes it takes to add them. And the cost of not doing it — a single successful spoofing attack, a compromised client, a regulatory investigation — is orders of magnitude higher.

Check your domain. Fix what's missing. And if you want help, we're here.

Check your domain right now

Look up your domain on ignixip.com — it'll tell you instantly whether your SPF, DKIM, and DMARC are configured. If anything's missing, we can help you fix it in fifteen minutes.

Check on ignixip.com hello@ignix.co.uk