← Blog

Stop scammers from emailing as your company — SPF, DKIM, and DMARC without the jargon

Tenant Strike4 min read

By default, anyone can send an email that looks like it came from your domain. Three DNS records — SPF, DKIM, and DMARC — fix that. Here is what they do and why they matter for your business.

Right now, someone with no connection to your company could send an email that appears to come from your domain — your name, your address, your brand. Most businesses have nothing in place to stop it.

Why this gap exists

Email was designed decades ago, when the internet was small and nobody thought much about verification. There is no built-in check that confirms the person claiming to send from [email protected] actually works there. That gap is still present today unless you close it deliberately.

For attackers, it is a straight line to fraud. A convincing invoice that looks like it is from your company. An email to an employee that appears to be from you, asking for a wire transfer. A message to a supplier that looks like a legitimate change of bank details. None of these require breaking into anything — just borrowing your name.

SPF: a list of who is allowed to send as you

SPF stands for Sender Policy Framework. Think of it as a public list you post in your domain's DNS (Domain Name System — the directory that connects your domain name to the right servers). The list says: "These are the mail servers allowed to send email on behalf of our domain. Anyone else is unauthorized."

When a recipient's mail server gets an email claiming to be from you, it checks that list. If the message came from a server that is not on it — like an attacker's server — it fails. SPF is the first and simplest check: a basic ID at the door.

DKIM: a tamper-proof seal on every message you send

DKIM stands for DomainKeys Identified Mail. It adds an invisible digital signature to every email your company sends. When the message arrives somewhere else, the receiving mail server checks that signature against a key you have published in your DNS. If the message was altered in transit, the signature breaks. If the message never came from your server at all, there is no valid signature to check.

Think of it as a wax seal on a letter — if the seal is missing or broken, something is wrong.

DKIM is off by default in Microsoft 365. Turning it on takes a few minutes in the Exchange admin center plus one DNS update, and your IT person or domain host can handle both steps.

DMARC: the instruction that gives the other two teeth

DMARC stands for Domain-based Message Authentication, Reporting, and Conformance. It is the policy record that tells the world what to do when SPF or DKIM fails.

Without DMARC, a failed check is just a note in a log. The fake email may still be delivered. DMARC lets you say: "If a message fails these checks while pretending to be from our domain, reject it outright."

DMARC also comes with a reporting feature. You can receive daily summaries showing who is sending email that claims to be from your domain — including any fakes. That visibility alone is worth setting up, even before you flip to a strict policy.

The recommended path:

  1. Publish an SPF record for your domain.
  2. Enable DKIM through Microsoft 365 (it generates the key for you).
  3. Add a DMARC record starting in monitoring mode — none — to see the reports before taking action.
  4. Once you are confident your own legitimate mail is passing, tighten DMARC to quarantine, then reject.

Steps 1 and 2 can usually be done in an afternoon. Getting DMARC to reject takes a few weeks of reviewing reports, but the process is methodical rather than complicated.

What changes when all three are in place

A fake email claiming to be from your domain either gets flagged as spam or is rejected before it reaches the recipient. The supplier does not receive the fraudulent bank-change notice. The employee does not see the wire-transfer request that appeared to come from you.

It does not stop every scam — attackers can still register a look-alike domain like yourcompany-invoices.com. But it closes the easiest and most common version of the attack. And because many small businesses have not done this yet, having it in place puts you ahead of most.

Tenant Strike connects to your Microsoft 365 in read-only mode and checks whether SPF, DKIM, and DMARC are present, what your DMARC policy is currently set to, and what still needs tightening — with plain-English instructions for each step. It takes about five minutes and does not change anything itself.

AI-researched from public sources. We label AI-assisted writing — see our trust page.

See your own risk

Want this for your own Microsoft cloud?

Tenant Strike runs 100+ read-only checks across Microsoft 365 and Azure and hands you a plain-English fix for every gap. Start a 7-day Pro trial — no credit card.