What is DMARC — and why does every small business need it?

March 27, 2026 · 5 min read · Email Security

Here's something most small business owners don't know: right now, anyone in the world can send an email that looks exactly like it came from your domain.

No hacking required. No access to your email account. Just your domain name — which is public — and a mail server willing to lie about where a message came from.

DMARC is one of the three DNS records that close this hole. And in 2026, not having it is like leaving your front door unlocked.

Quick check: Does your domain have DMARC? Run a free scan at sentryscore.com — it checks in under 60 seconds.

What is email spoofing?

Email spoofing is when someone sends an email using your domain name as the "From" address — without your permission or access to your account.

Imagine a scammer sends your clients an email that says it's from [email protected], asking them to wire money to a new account. Your clients have no reason to suspect it's fake — it shows your firm's name in the sender field.

This kind of attack — called Business Email Compromise (BEC) — cost U.S. businesses over $2.7 billion in 2022 alone, according to the FBI. And small practices (law, dental, medical) are frequent targets because they handle sensitive client relationships and financial transactions.

What is DMARC?

DMARC stands for Domain-based Message Authentication, Reporting, and Conformance. It's a DNS record you add to your domain that tells receiving mail servers what to do with emails that fail authentication checks.

In plain English: DMARC lets you say "any email claiming to be from my domain that fails our security checks should be rejected."

It works by checking whether incoming email passes either of two authentication checks: SPF or DKIM.

If neither check passes and you have DMARC set to reject, Gmail, Outlook, and other major providers will silently discard the spoofed email before it reaches your client's inbox.

What a DMARC record looks like

DMARC lives in your DNS as a TXT record on _dmarc.yourdomain.com. A basic policy looks like this:

v=DMARC1; p=reject; rua=mailto:[email protected]

The key part is p=reject. That's the enforcement policy:

Warning: Many businesses have DMARC set to p=none, thinking they're protected. They're not — none is a monitoring mode and does nothing to stop spoofing. Always check the policy value, not just whether the record exists.

Why don't most small businesses have it?

Because nobody told them to add it. DMARC, SPF, and DKIM aren't things that get configured automatically when you buy a domain or set up Microsoft 365. They require deliberate DNS changes.

When we scan small business domains, about 73% are missing a proper DMARC record. Of the ones that have it, nearly half are set to p=none — which means they're being tracked but not protected.

How to check if your domain has DMARC

There are a few ways:

Option 1: Free scan at SentryScore

Go to sentryscore.com, enter your domain, and you'll see your DMARC status (and whether it's actually enforcing) as part of your overall security score. Takes 60 seconds.

Option 2: DNS lookup

In your terminal (Mac/Linux):

dig TXT _dmarc.yourdomain.com

If you get a result with v=DMARC1, you have a record. Check the p= value to see if it's enforcing.
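The check described above ("look at the p= value, not just whether a record exists") can be automated. The following Python is an added example, not code from this article or from SentryScore; it classifies the TXT strings returned for _dmarc.yourdomain.com and goes beyond the article by also handling p=quarantine, the pct tag, and duplicate records as defined in RFC 7489. The function names, status labels, and sample records are constructed for illustration.

```python
# Added example: classify the TXT answers for _dmarc.<domain> by enforcement level.
VALID_POLICIES = {"none", "quarantine", "reject"}

def parse_dmarc(txt):
    """Return the tag dict for one TXT string, or None if it is not a DMARC record."""
    # dig prints quoted strings; a long record arrives as "chunk1" "chunk2".
    txt = txt.strip().replace('" "', "").strip('"')
    pairs = [part.split("=", 1) for part in txt.split(";") if "=" in part]
    pairs = [(key.strip().lower(), value.strip()) for key, value in pairs]
    # RFC 7489: the first tag must be v=DMARC1 (value is case-sensitive).
    if not pairs or pairs[0] != ("v", "DMARC1"):
        return None
    return dict(pairs)

def dmarc_status(txt_records):
    """Map every TXT string found at _dmarc.<domain> to one status label."""
    records = [r for r in map(parse_dmarc, txt_records) if r is not None]
    if not records:
        return "missing"            # no record, or only unrelated TXT data
    if len(records) > 1:
        return "invalid"            # duplicates: receivers apply no DMARC policy
    tags = records[0]
    policy = tags.get("p", "").lower()
    if policy not in VALID_POLICIES:
        return "invalid"
    if policy == "none":
        return "monitoring-only"    # reports are sent, spoofed mail is still delivered
    # Assumption of this example: an unparseable pct falls back to the default, 100.
    pct = int(tags["pct"]) if tags.get("pct", "").isdigit() else 100
    return "enforcing" if pct >= 100 else "partial"

# Constructed sample answers, in the quoted form dig prints them.
SAMPLES = {
    "enforced.example": ['"v=DMARC1; p=reject; rua=mailto:reports@example.com"'],
    "watching.example": ['"v=DMARC1; p=none"'],
    "rollout.example": ['"v=DMARC1; p=quarantine; pct=25"'],
    "duplicate.example": ['"v=DMARC1; p=reject"', '"v=DMARC1; p=none"'],
    "wrongname.example": ['"v=spf1 -all"'],
}

if __name__ == "__main__":
    for domain, answers in SAMPLES.items():
        print(f"{domain:20} {dmarc_status(answers)}")
```

Only the "enforcing" status means spoofed mail is being refused for every message; "monitoring-only", "partial", and "invalid" all leave the domain exposed to some degree.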

How to add DMARC to your domain

DMARC is added as a TXT record in your DNS settings (wherever your domain is registered — GoDaddy, Cloudflare, Namecheap, etc.).

  1. Log into your domain registrar
  2. Go to DNS management
  3. Add a new TXT record:
    • Name/Host: _dmarc
    • Value: v=DMARC1; p=reject; rua=mailto:[email protected]
    • TTL: 3600 (or default)
  4. Save and wait for DNS to propagate (usually a few hours)

Important: If you're not already using SPF and DKIM, add those first. DMARC depends on at least one of them to work. Setting p=reject without SPF/DKIM could cause your own legitimate emails to be blocked.

The bottom line

DMARC isn't optional anymore. It's a basic hygiene requirement — like having a lock on your office door. Without it, your domain can be used to scam your clients, damage your reputation, and expose your business to liability.

The good news: it takes less than 30 minutes to set up, costs nothing, and your IT provider or registrar can do it in a single support ticket.

First step: find out where you stand.
