Core Expertise — Email Security

Your email domain is probably being spoofed right now.

DMARC, DKIM, and SPF are the three DNS records that determine whether your email is trustworthy. We configure and enforce all three — and prevent spoofing of your domain.

  • DMARC to p=reject Enforcement
  • Proofpoint & Defender for O365
  • Zero Spoofing Policy
What it covers

Everything included in this service

Delivered by senior engineers. Scoped and priced upfront. No scope surprises.

DMARC Implementation & Enforcement

Policy progression from p=none through p=quarantine to p=reject enforcement. Ongoing DMARC aggregate report analysis and remediation of legitimate sending sources.

SPF & DKIM Alignment

SPF audit and rebuild for all authorised sending sources. DKIM key rotation, selector configuration, and alignment verification across Exchange Online and third-party senders.

Email Gateway Filtering

Proofpoint Essentials or Defender for Office 365 Plan 2 deployment. Anti-phishing, safe links, safe attachments, and impersonation protection configured.

Deliverability Remediation

Investigation of deliverability issues including IP reputation, blacklist removal, bounce rate reduction, and bulk mail compliance.

Third-Party Sender Management

Audit of all services sending on your domain — CRM, marketing, ticketing — and correct SPF and DKIM alignment for each.

Ongoing DMARC Monitoring

Monthly DMARC aggregate report review with alerts for new unauthorised sending sources. Forensic report configuration.

Platform overview
Email Security & Deliverability
DMARC, DKIM, and SPF are the three DNS records that determine whether your email is trustworthy. We configure, enforce, and monitor all three.
The three DNS records that authenticate your email
SPF
Sender Policy Framework
Lists every server and service authorised to send email from your domain. Receiving servers check against this list.
Max 10 DNS lookups — exceeded in 6/10 environments
Must include all third-party senders (CRM, marketing, ticketing)
Fails silently without DMARC enforcement
DKIM
DomainKeys Identified Mail
Cryptographic signature added to every outbound email. Proves the message was authorised and not tampered with in transit.
Separate key pair required per sending domain/service
Annual key rotation recommended (2048-bit minimum)
Must be configured for Exchange Online and all third-party senders
DMARC
Domain-based Message Authentication, Reporting and Conformance
Ties SPF and DKIM together. Tells receiving servers what to do with mail that fails authentication — and reports back to you.
p=none: monitor only — domain still spoofable
p=quarantine: failing mail sent to junk
p=reject: failing mail blocked entirely — full protection
The DMARC enforcement journey
DMARC Policy progression from zero to full enforcement — typically 2–4 weeks
  • START, No DMARC: Domain fully spoofable. No visibility into who is sending. (7/10 environments)
  • p=none, Monitor Mode: Reports enabled. All legitimate senders identified. No blocking yet. (Audit phase)
  • p=quarantine, Quarantine: Failing mail routed to junk. Spoofed emails lose inbox delivery. (Partial protection)
  • p=reject, Full Enforcement: Spoofed emails blocked entirely. Zero delivery from unauthorised senders. (Full protection ✓)
Day 1 → SPF & DKIM corrected, DMARC p=none + reporting configured
Day 3–7 → Aggregate report analysis, all senders verified
Week 2 → p=quarantine
Week 3–4 → p=reject enforced
⚠ What an unauthenticated domain enables
Domain spoofing, invoice fraud (BEC), credential phishing, supplier impersonation, CEO fraud, client deception
Email gateway — beyond default filtering
Defender O365
Microsoft Defender for Office 365
Plan 2 — advanced threat protection across email & collaboration
Safe links — real-time URL detonation on click
Safe attachments — sandbox detonation before delivery
Anti-phishing & impersonation protection
Attack Simulator for phishing awareness training
Threat Explorer & incident investigation
Deliverability
Deliverability & Reputation Management
Ensuring legitimate email reaches the inbox every time
IP & domain reputation monitoring and repair
Blacklist identification and removal process
Bounce rate analysis and bulk mail compliance
Third-party sender SPF/DKIM audit (CRM, marketing)
Monthly DMARC aggregate report review
Tailored to your role

What this means for you

Email authentication is invisible until something goes wrong

Your email looks fine from your side. But recipients may be receiving it in junk. Or attackers may be sending invoices, payment instructions, and credential requests from your domain — and your clients have no technical way to tell the difference. DMARC enforcement at p=reject means only authorised senders can successfully deliver email from your domain.

DMARC is not at enforcement level — your domain can be spoofed by anyone
No visibility into whether legitimate emails are landing in recipients' inboxes
Third-party services sending from your domain are not properly authenticated
No email gateway beyond Exchange Online default spam filtering

By the numbers

DMARC: The primary control that prevents unauthorised senders impersonating your domain
94%: Of phishing attacks are delivered by email (Verizon DBIR)
2 days: Typical time to reach p=quarantine DMARC enforcement from a standing start

You need visibility into what is being sent from your domain

Security management means more than having a firewall. DMARC aggregate reporting gives you a daily view of every mail server sending on behalf of your domain — including ones you didn't authorise. SPF and DKIM alignment tells you whether your legitimate senders are passing authentication. Without this visibility, you are flying blind.

DMARC at p=none — you can see spoofing attempts but cannot stop them
SPF record has never been audited — may have too many lookups or missing includes
DKIM is not configured for every sending source — authentication failures on legitimate mail
No process for reviewing email authentication when a new third-party tool is onboarded

By the numbers

SPF: SPF records commonly have lookup limit issues or missing third-party sender includes
DKIM: DKIM must be configured for Exchange Online and every third-party sending service
Monthly: DMARC aggregate report review and anomaly alerting under 4DS managed service

Business email compromise starts with an unauthenticated domain

The most common fraud scenario we see: a supplier's email domain is spoofed, an invoice is sent to your accounts team from what appears to be a legitimate address, and payment is made. The supplier never sent it. DMARC enforcement on both your domain and your key suppliers' domains is the primary technical control against this attack pattern.

A spoofed email from your domain could be used to defraud your clients or suppliers
You have no way to know if someone is impersonating your business by email today
Your accounts team receives payment-related emails — are the sender domains authenticated?
Business email compromise insurance claims are frequently rejected when basic authentication was not in place

By the numbers

BEC: Business email compromise is the highest-value cybercrime category per the FBI IC3 report
No DMARC: Domains without DMARC enforcement can be spoofed — clients cannot tell the difference
DNS only: DMARC is a DNS record change — no additional licence or product required

DMARC enforcement is a mandatory baseline control in NIS2 and public sector ICT frameworks

DMARC at p=reject or p=quarantine is specified in NIS2 technical implementation guidance and in most public sector email security requirements as a mandatory anti-spoofing control. Beyond compliance, a domain that can be spoofed represents a reputational and liability risk that procurement assessors are increasingly aware of and will flag in a security review.

DMARC not at enforcement level — cannot certify anti-spoofing controls in a submission
No documented email authentication policy or third-party sender register for audit purposes
Defender for O365 or equivalent gateway not deployed — email security posture below typical requirements
No evidence of periodic authentication audit or DMARC monitoring process

By the numbers

NIS2: DMARC enforcement referenced in NIS2 technical implementation guidance
ISO 27001: Practice certification covering email security controls available for submissions
48 hrs: Typical turnaround for email authentication evidence pack production
What a first review typically finds

The gaps we find in almost every environment

These are not edge cases. They are the standard state of an SME environment without an independent review.

Common

DMARC at p=none or missing

Domain spoofable by anyone. p=none monitors but does not block. Most organisations have been at this stage for years with no progression.

Frequent

SPF record broken or over limit

Records exceeding the 10-lookup DNS limit, deprecated PTR mechanisms, or missing includes for third-party senders causing legitimate mail to fail.

Many

No email gateway beyond defaults

Exchange Online default filtering is insufficient for targeted phishing and business email compromise. Defender for O365 Plan 2 or Proofpoint required.
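
An added example (not 4DS tooling or code from this page) of the static check behind the SPF finding above: it walks a constructed SPF zone, counts the terms that cost a DNS lookup under RFC 7208, and flags `ptr`. The zone contents, the domain names and the function name `audit_spf` are assumptions for illustration.

```python
# Constructed sample zone (domain -> SPF TXT record); every name is a placeholder.
ZONE = {
    "example.test": "v=spf1 mx include:_spf.crm.example.test "
                    "include:_spf.mail.example.test ptr -all",
    "_spf.crm.example.test": "v=spf1 include:_a.crm.example.test "
                             "include:_b.crm.example.test ~all",
    "_a.crm.example.test": "v=spf1 ip4:192.0.2.0/24 a:out.crm.example.test ~all",
    "_b.crm.example.test": "v=spf1 exists:%{i}.bl.example.test ip6:2001:db8::/32 ~all",
    "_spf.mail.example.test": "v=spf1 include:_x.mail.example.test "
                              "include:_y.mail.example.test mx/24 ~all",
    "_x.mail.example.test": "v=spf1 a a:relay.example.test ~all",
    "_y.mail.example.test": "v=spf1 redirect=_z.mail.example.test",
    "_z.mail.example.test": "v=spf1 ip4:203.0.113.0/24 -all",
}
# Terms that cost one DNS lookup each (RFC 7208 section 4.6.4).
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
LIMIT = 10

def audit_spf(domain, zone, path=()):
    """Worst-case lookup count and findings for a domain's SPF record."""
    if domain in path:
        return 0, [f"{domain}: include/redirect loop"]
    record = zone.get(domain)
    if record is None:
        return 0, [f"{domain}: no SPF record found (permerror)"]
    count, findings = 0, []
    for term in record.split()[1:]:
        term = term.lstrip("+-~?")                      # drop the qualifier
        sep = "=" if term.startswith("redirect=") else ":"
        name, _, target = term.partition(sep)
        name = name.split("/")[0].lower()               # "mx/24" -> "mx"
        if name not in LOOKUP_TERMS:
            continue  # ip4, ip6, all and unknown modifiers cost no lookup
        count += 1
        if name == "ptr":
            findings.append(f"{domain}: ptr mechanism (RFC 7208 says SHOULD NOT)")
        if name in ("include", "redirect"):
            sub_count, sub_findings = audit_spf(target, zone, path + (domain,))
            count += sub_count
            findings += sub_findings
    if not path and count > LIMIT:
        findings.append(f"{domain}: {count} lookups exceeds limit of {LIMIT}")
    return count, findings

if __name__ == "__main__":
    total, issues = audit_spf("example.test", ZONE)
    print(total, *issues, sep="\n")
```

The count is the worst case over every branch of the record; a receiver stops at the first matching mechanism, so a record can work for some senders and return permerror for those listed late.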

How we deliver it

The 4DS delivery process

Four stages. No handovers to junior staff mid-project. No scope surprises.

STEP 01

Authentication Audit

DNS record review for SPF, DKIM, and DMARC. Deliverability test across major inbox providers. Third-party sender inventory.

STEP 02

Record Correction

SPF rebuilt for all authorised sources. DKIM keys generated and published. DMARC at p=none with RUA and RUF reporting configured.

STEP 03

DMARC Progression

Aggregate report analysis to identify all legitimate sending sources. Systematic progression to p=quarantine then p=reject over 2-4 weeks.

STEP 04

Ongoing Monitoring

Monthly DMARC report review. Alerts for new unauthorised senders. Annual deliverability audit and DKIM key rotation.
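
The aggregate-report analysis that drives Steps 02 to 04, as an added example (not 4DS tooling or code from the original page): it totals a constructed RFC 7489 aggregate report per source IP and lists the sources whose mail fails DMARC and would be blocked once enforcement starts. The report contents, the `known_senders` inventory and the function names are assumptions; some reporters emit a namespaced XML root, which this parser does not handle.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed report in the RFC 7489 aggregate layout; IPs are documentation ranges.
REPORT = """<feedback>
 <policy_published><domain>example.test</domain><p>none</p></policy_published>
 <record><row><source_ip>192.0.2.10</source_ip><count>120</count>
  <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf>
  </policy_evaluated></row></record>
 <record><row><source_ip>198.51.100.7</source_ip><count>40</count>
  <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>pass</spf>
  </policy_evaluated></row></record>
 <record><row><source_ip>203.0.113.55</source_ip><count>9</count>
  <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf>
  </policy_evaluated></row></record>
 <record><row><source_ip>203.0.113.55</source_ip><count>3</count>
  <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf>
  </policy_evaluated></row></record>
</feedback>"""

def summarise(xml_text):
    """Per source IP: messages passing DMARC, failing DMARC, and passing on SPF alone."""
    totals = defaultdict(lambda: {"pass": 0, "fail": 0, "spf_only": 0})
    for row in ET.fromstring(xml_text).iter("row"):
        ip, n = row.findtext("source_ip"), int(row.findtext("count"))
        dkim = row.findtext("policy_evaluated/dkim")  # aligned DKIM result
        spf = row.findtext("policy_evaluated/spf")    # aligned SPF result
        if "pass" in (dkim, spf):                     # DMARC needs only one aligned pass
            totals[ip]["pass"] += n
            if dkim != "pass":
                totals[ip]["spf_only"] += n           # no aligned DKIM: fix before enforcing
        else:
            totals[ip]["fail"] += n
    return dict(totals)

def failing_sources(summary):
    """(ip, messages) that would be quarantined or rejected once enforcement starts."""
    hits = [(ip, s["fail"]) for ip, s in summary.items() if s["fail"]]
    return sorted(hits, key=lambda item: -item[1])

def ready_for_enforcement(summary, known_senders):
    """True only when no known legitimate sender still has failing mail."""
    return not any(ip in known_senders for ip, _ in failing_sources(summary))

if __name__ == "__main__":
    print(failing_sources(summarise(REPORT)))
```

A source in the failing list is either an unauthorised sender or a legitimate service missing from SPF and DKIM; matching it against the third-party sender inventory is what separates the two before the policy is tightened.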

Get in touch

Share your domain name and we will run an immediate DMARC, SPF, and DKIM check before we speak. No commitment required.

  • Immediate DMARC, SPF, and DKIM status check on your domain
  • Full authentication audit with findings ranked by risk
  • Scoped and priced upfront — clear costs before any commitment
