Stop Email Spoofing: A Practical DMARC Checklist for Small Businesses
If someone can send email that looks like it’s from your domain, they can phish your team, your customers, or your vendors. The good news: three open standards—SPF, DKIM, and DMARC—let you authenticate your mail and tell receiving systems what to do with fakes. Turning these on is one of the highest-impact security wins for any small business.
What these terms mean (quickly)
SPF (Sender Policy Framework) is a DNS record that lists which mail servers are allowed to send mail for your domain.
DKIM (DomainKeys Identified Mail) adds a cryptographic signature to each message so receivers can verify it wasn’t altered and was authorized by your domain.
DMARC (Domain-based Message Authentication, Reporting & Conformance) sits on top of SPF/DKIM and tells receivers how to handle messages that fail authentication—and sends you reports so you can see who’s using your domain.
Put simply: SPF says “who can send,” DKIM proves “the message is legit,” and DMARC tells the world “what to do if checks fail.” NIST recommends using all three together.
A small-business DMARC checklist
Inventory your senders
List every system that sends email as you: your primary mailbox, website contact forms, invoicing/CRM, marketing platform, ticketing system, etc. You’ll validate each one in the next steps. (This avoids accidentally blocking your own mail.)
Publish/clean up your SPF record
In your DNS, create a single TXT record at your root domain (e.g., example.com) that authorizes your legitimate sending services. Keep it simple and ensure you have one SPF record total at the root.
Enable DKIM signing for all senders
Turn on DKIM wherever you send mail and publish the required DKIM TXT selector records in DNS. This lets receivers verify messages really came from your domain and weren’t modified.
Start DMARC in “monitor” mode
Add a TXT record named _dmarc.example.com with a policy of p=none and include a reporting address (e.g., rua=mailto:dmarc-reports@example.com). You’ll now receive aggregate reports that show who’s sending as your domain and whether those messages pass SPF/DKIM.
Fix alignment issues
Use the reports to ensure your legitimate platforms pass SPF or DKIM in alignment with your domain (the “From:” domain matches the domain validated by SPF/DKIM). This step prevents surprises when you tighten the policy.
Enforce gradually
When your reports look clean, move from p=none to p=quarantine (send failures to spam) and then to p=reject (block failures). This phased approach is the recommended path to stop spoofing without disrupting legitimate mail.
Common gotchas (and how to avoid them)
Multiple SPF records at the root → combine into one. Receivers may treat multiple records as invalid.
Forgotten senders → check DMARC reports to discover unlisted services (old web forms, legacy apps).
Leaving DMARC at p=none forever → helpful for visibility, but you only stop spoofing once you enforce.
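As an added example (not part of the original checklist), the script below audits a domain's SPF and DMARC TXT records for the checklist steps and gotchas above: exactly one SPF record at the root, a DMARC record present, a reporting address set, and whether the policy is still p=none. The TXT records are constructed sample data for the hypothetical domain example.com, so it runs offline; swap in a real DNS lookup to audit your own zone.

```python
# Constructed sample TXT records for a hypothetical domain (not live DNS data).
# The root deliberately carries two SPF records to trigger that gotcha.
SAMPLE_TXT = {
    "example.com": [
        "v=spf1 include:_spf.mailhost.example -all",
        "v=spf1 include:crm.sender.example ~all",
        "site-verification=placeholder-token",
    ],
    "_dmarc.example.com": [
        "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com",
    ],
}

def parse_dmarc(record):
    """Split a DMARC TXT record ("tag=value; tag=value") into a dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def audit(txt_records, domain):
    """Return human-readable findings for the checklist's SPF/DMARC gotchas."""
    findings = []
    # Step: one SPF record total at the root.
    spf = [r for r in txt_records.get(domain, []) if r.lower().startswith("v=spf1")]
    if not spf:
        findings.append("no SPF record at root")
    elif len(spf) > 1:
        findings.append(f"{len(spf)} SPF records at root; combine into one")
    # Step: DMARC record at _dmarc.<domain>.
    dmarc = [r for r in txt_records.get(f"_dmarc.{domain}", [])
             if r.upper().startswith("V=DMARC1")]
    if not dmarc:
        findings.append("no DMARC record")
        return findings
    tags = parse_dmarc(dmarc[0])
    policy = tags.get("p", "")
    if policy == "none":
        findings.append("DMARC policy is p=none (monitor only); spoofing not yet blocked")
    elif policy not in ("quarantine", "reject"):
        findings.append(f"unexpected DMARC policy {policy!r}")
    if "rua" not in tags:
        findings.append("no rua= reporting address; you won't receive aggregate reports")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_TXT, "example.com"):
        print("-", finding)
```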
Why this matters for small businesses
Phishing and business email compromise disproportionately target small organizations, but adopting SPF, DKIM, and DMARC significantly raises the bar for attackers and improves your email deliverability. These standards are widely recommended by U.S. government guidance for organizations of all sizes.
How CreaTech Innovations can help
We act as your single point of contact to coordinate providers and get the right configuration in place—so you don’t have to juggle multiple vendors. Want help auditing your DNS, setting up reports, and moving safely to enforcement? Schedule a quick call and we’ll help you get started.