DMARC, SPF, and DKIM: The Complete Email Security Guide for UK Businesses
Email spoofing costs UK businesses millions annually. This guide explains DMARC, SPF, and DKIM, how to implement them, and how to check your domain's email security for free.
The Email Spoofing Problem
Anyone can send an email claiming to be from your domain. Without proper email authentication, there is no technical barrier stopping a scammer from sending mail as "hello@yourcompany.co.uk" to your clients, suppliers, or employees. This is the basis of business email compromise (BEC), the fastest-growing category of cybercrime targeting UK businesses, with losses exceeding £1 billion annually according to Action Fraud data.
Three DNS records (SPF, DKIM, and DMARC) collectively address this problem for mail that claims to come from your exact domain. VP Pulse checks all three for any UK domain.
SPF (Sender Policy Framework)
SPF is a DNS TXT record that lists the mail servers authorised to send email for your domain. A receiving mail server takes the domain from the envelope sender (the SMTP MAIL FROM address, visible to recipients as Return-Path), looks up that domain's SPF record, and checks whether the connecting server's IP address is covered by it. If not, the email fails SPF.
A strong SPF record looks like this: v=spf1 include:spf.protection.outlook.com -all
Here the include: term pulls in the sender ranges that Microsoft 365 publishes; every other service that sends as your domain (CRM, invoicing, newsletter tools) needs its own entry.
The -all at the end matters: it states that any server not listed should fail SPF. Many UK organisations use ~all (soft fail), which only marks mail from unlisted servers as suspicious, and most receivers treat a soft fail leniently on its own. One caveat worth knowing: once DMARC is deployed, it counts both ~all and -all outcomes as an SPF failure, so the DMARC policy, not the all qualifier, decides what happens to unauthenticated mail. Until then, ~all weakens protection significantly.
SPF Limitations
SPF checks only the connecting server's IP against the envelope sender domain. It does not look at the message content, and it does not look at the From: address the recipient actually sees, so a message can pass SPF for the attacker's own domain while displaying yours. It also breaks with email forwarding, because the forwarding server's IP is not in your record. Finally, a record may trigger at most 10 DNS lookups in total (include:, a, mx and similar terms, counted across every nested include), after which receivers treat it as a permanent error. This is why SPF alone is insufficient: DKIM and DMARC are required to complete the picture.
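To make the SPF mechanics concrete, here is an added example (not VP Pulse's code or any platform's) that evaluates an SPF record for a connecting IP. It resolves include: terms from a constructed in-memory DNS table rather than the network, handles ip4, ip6, include and all, and enforces the 10-lookup limit from RFC 7208, so the self-including loop.example record ends in a permanent error rather than a hang. All domains, IP ranges and records in it are made-up assumptions for the demo.

```python
"""Minimal SPF evaluator over a constructed in-memory DNS table (no network access).

Added example, not VP Pulse's or any platform's code. It implements the ip4, ip6,
include and all mechanisms from RFC 7208 and enforces the 10-lookup limit; the
domains, IP ranges and records below are assumptions made up for the demo.
"""
import ipaddress

# Constructed TXT answers standing in for real DNS lookups (assumption: these
# records exist only in this example).
DNS_TXT = {
    "example.co.uk": ["v=spf1 include:spf.protection.outlook.com ip4:203.0.113.0/24 -all"],
    "spf.protection.outlook.com": ["v=spf1 ip4:198.51.100.0/24 ip6:2001:db8::/32 -all"],
    "soft.example": ["v=spf1 ip4:203.0.113.10 ~all"],
    "loop.example": ["v=spf1 include:loop.example -all"],  # includes itself: exhausts the budget
}

MAX_LOOKUPS = 10  # RFC 7208 s4.6.4: more than 10 DNS-querying terms is a permerror
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


class SPFPermError(Exception):
    """The record cannot be evaluated (duplicate record, loop, too many lookups, ...)."""


def spf_record(domain):
    """Return the domain's single v=spf1 TXT record, or None if it publishes none."""
    records = [r for r in DNS_TXT.get(domain, []) if r.split(" ", 1)[0] == "v=spf1"]
    if len(records) > 1:
        raise SPFPermError(f"{domain}: more than one SPF record")
    return records[0] if records else None


def check_spf(ip, domain, budget=None, top_level=True):
    """Evaluate SPF for connecting IP `ip` claiming envelope-sender domain `domain`.

    Returns 'none', 'pass', 'fail', 'softfail' or 'neutral'. `budget` is the shared
    count of remaining DNS-querying terms across all nested includes.
    """
    budget = [MAX_LOOKUPS] if budget is None else budget
    addr = ipaddress.ip_address(ip)
    record = spf_record(domain)
    if record is None:
        if top_level:
            return "none"  # the domain publishes no SPF at all
        raise SPFPermError(f"{domain}: include: target has no SPF record")

    for term in record.split()[1:]:
        qualifier, mech = (term[0], term[1:]) if term[0] in QUALIFIERS else ("+", term)
        name, _, value = mech.partition(":")
        if name == "all":
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):
            # ipaddress returns False on an address-family mismatch, so ip4: never
            # matches an IPv6 client and vice versa.
            if addr in ipaddress.ip_network(value, strict=False):
                return QUALIFIERS[qualifier]
        elif name == "include":
            budget[0] -= 1
            if budget[0] < 0:
                raise SPFPermError(f"{domain}: more than {MAX_LOOKUPS} DNS lookups")
            if check_spf(ip, value, budget, top_level=False) == "pass":
                return QUALIFIERS[qualifier]
            # fail/softfail/neutral inside an include only means "no match here"
        else:
            raise SPFPermError(f"{domain}: mechanism '{name}' is not handled in this example")
    return "neutral"  # nothing matched and no 'all' term was present


if __name__ == "__main__":
    for client, sender in [("198.51.100.7", "example.co.uk"), ("192.0.2.1", "example.co.uk"),
                           ("192.0.2.1", "soft.example")]:
        print(f"{client:>15} as {sender}: {check_spf(client, sender)}")
```

Note that 198.51.100.7 passes for example.co.uk only because the include: chain reaches Microsoft's (constructed) range; if that include were missing, the same message would hit -all and fail, which is exactly what happens when a new sending service is adopted without updating the record.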
DKIM (DomainKeys Identified Mail)
DKIM adds a cryptographic signature to every outgoing email. The sending mail server signs selected headers (always including From:) and the message body with a private key and adds the result as a DKIM-Signature header. The matching public key is published as a DNS TXT record at <selector>._domainkey.<yourdomain>; the selector (the s= tag of the signature) lets you publish a new key and rotate to it without downtime. Receiving servers fetch the key and verify the signature, which shows that the signed parts were not modified in transit and that the message was signed by a holder of your domain's private key.
DKIM is more resilient than SPF because the signature travels with the email and usually survives forwarding; it breaks only if an intermediary alters the signed headers or body, as some mailing lists do. Most UK email platforms (Microsoft 365, Google Workspace, Mimecast) support DKIM; it simply needs to be enabled and the DNS record published. Use 2048-bit RSA keys where the platform offers them.
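The "not modified in transit" guarantee has a detail practitioners run into: DKIM hashes a canonicalised form of the body, and with the common relaxed canonicalisation whitespace-only changes made by a forwarder do not break the signature, while any change to the words does. The added example below (not VP Pulse's code or any mail platform's) implements the key-free half of DKIM verification, recomputing the bh= body hash per RFC 6376 and comparing it with the value in the DKIM-Signature header; checking the b= signature over the headers additionally needs the public key from <selector>._domainkey.<domain>, which it only names. The message body, domain and selector are constructed, and sign_header is a hypothetical stand-in for the signing platform.

```python
"""DKIM body-hash (bh=) check with relaxed canonicalisation, RFC 6376 s3.4.4.

Added example, not VP Pulse's or any mail platform's code. It shows the key-free
half of DKIM verification: recompute the body hash and compare it to bh=. Checking
the b= signature over the headers additionally needs the public key fetched from
<selector>._domainkey.<domain>, which is out of scope here. The message body and
signing domain are constructed for the demo.
"""
import base64
import hashlib
import hmac
import re


def relaxed_body(body):
    """Canonicalise a body the 'relaxed' way: runs of SP/TAB become one space,
    trailing whitespace on each line is removed, line endings become CRLF, and
    trailing empty lines are dropped. A non-empty body ends with exactly one CRLF."""
    lines = [re.sub(r"[ \t]+", " ", line).rstrip(" ")
             for line in body.replace("\r\n", "\n").split("\n")]
    while lines and lines[-1] == "":
        lines.pop()
    return "".join(line + "\r\n" for line in lines).encode()


def body_hash(body):
    """bh= value: base64(SHA-256(canonicalised body))."""
    return base64.b64encode(hashlib.sha256(relaxed_body(body)).digest()).decode()


def parse_dkim_signature(value):
    """Turn the tag=value; list of a DKIM-Signature header into a dict (folding whitespace)."""
    tags = {}
    for item in value.split(";"):
        if "=" in item:
            key, val = item.split("=", 1)
            tags[key.strip()] = re.sub(r"\s+", "", val)
    return tags


def key_record_name(tags):
    """DNS name the verifier queries for the public key."""
    return f"{tags['s']}._domainkey.{tags['d']}"


def sign_header(domain, selector, body):
    """Signer side (hypothetical helper): build the DKIM-Signature tags with bh= filled in.
    b= is left empty because producing it needs the private key."""
    return (f"v=1; a=rsa-sha256; c=relaxed/relaxed; d={domain}; s={selector}; "
            f"h=from:to:subject:date; bh={body_hash(body)}; b=")


def verify_body_hash(dkim_signature, body):
    """True if the received body still hashes to the bh= the signer recorded."""
    tags = parse_dkim_signature(dkim_signature)
    if tags.get("v") != "1" or not all(k in tags for k in ("d", "s", "bh")):
        return False
    # c=header/body; a missing body part means 'simple', which this example does not implement.
    body_canon = tags.get("c", "simple/simple").partition("/")[2] or "simple"
    if body_canon != "relaxed":
        raise NotImplementedError("only relaxed body canonicalisation is shown here")
    return hmac.compare_digest(body_hash(body).encode(), tags["bh"].encode())


# Constructed outgoing message body (note the stray tab and trailing spaces).
BODY = ("Dear customer,\r\n\r\nPlease find invoice 1042 attached.\t \r\n"
        "Regards,  \r\nAccounts Team\r\n\r\n\r\n")
SIGNATURE = sign_header("example.co.uk", "selector1", BODY)
```

Verifying SIGNATURE against BODY succeeds, and it still succeeds after a forwarder collapses the tab and trims the blank lines at the end; changing a single word of the invoice text changes the hash and fails. With simple canonicalisation (c=relaxed/simple) even the whitespace edits would fail, which is one reason forwarded mail sometimes loses its DKIM pass.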
DMARC (Domain-based Message Authentication, Reporting and Conformance)
DMARC ties SPF and DKIM together. It is published as a TXT record at _dmarc.<yourdomain> and adds the alignment requirement the other two lack: a message passes DMARC only if SPF or DKIM passes and the domain that passed matches the domain in the visible From: header (by default the same organisational domain is enough; adkim=s and aspf=s demand an exact match). The record's p= tag tells receiving servers what to do with emails that fail. It has three policy levels:
- p=none: monitor only. Failing emails are delivered as normal but reported. The starting point for most organisations.
- p=quarantine: failing emails are sent to spam or junk. Provides real protection while allowing tuning, and pct= lets you apply it to a percentage of mail first.
- p=reject: failing emails are refused entirely. Maximum protection, but requires SPF and DKIM to be correctly configured and aligned for every legitimate sending service first.
DMARC also enables aggregate reporting (rua=) and failure, or forensic, reporting (ruf=). Aggregate reports are XML files that participating mail servers send, typically daily, showing authentication results for all email claiming to be from your domain, broken down by sending IP. This visibility is invaluable for finding sending services you had forgotten about and for detecting spoofing attempts. Do not build a process around ruf= reports: most large mailbox providers do not send them, for privacy reasons.
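The alignment rule and the policy lookup are where most DMARC surprises come from, so here is an added example (not VP Pulse's code) of the decision a receiver makes once SPF and DKIM have been evaluated: does either passing identifier align with the From: domain, and if not, which disposition does the published record ask for, including the sp= fallback for subdomains and the pct= sampling used for gradual rollout. The DMARC records, domains and the tiny public-suffix table are assumptions for the demo; real code would use the full Public Suffix List.

```python
"""DMARC policy lookup and alignment check (RFC 7489), over constructed records.

Added example, not VP Pulse's code. Given the SPF and DKIM outcomes a receiver has
already computed, it decides whether either one aligns with the visible From:
domain and, if not, which disposition the published policy asks for. The DMARC
records, domains and the tiny public-suffix table below are assumptions.
"""
import random

# Assumption: a minimal stand-in for the Public Suffix List.
PUBLIC_SUFFIXES = {"co.uk", "org.uk", "com", "org", "net"}

DMARC_TXT = {  # constructed records at _dmarc.<domain>
    "_dmarc.example.co.uk": ("v=DMARC1; p=reject; sp=quarantine; adkim=s; aspf=r; "
                             "rua=mailto:dmarc-rua@example.co.uk"),
    "_dmarc.rollout.example": "v=DMARC1; p=quarantine; pct=10; rua=mailto:dmarc@rollout.example",
    "_dmarc.monitor.example": "v=DMARC1; p=none; rua=mailto:dmarc@monitor.example",
}


def org_domain(domain):
    """Organisational domain: public suffix plus one label (example.co.uk for mail.example.co.uk)."""
    labels = domain.lower().strip(".").split(".")
    for n in (2, 1):  # longest known suffix first
        if len(labels) > n and ".".join(labels[-n:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[-(n + 1):])
    return ".".join(labels)


def parse_dmarc(record):
    """Parse a v=DMARC1 record into a dict with RFC 7489 defaults applied."""
    tags = {"adkim": "r", "aspf": "r", "pct": "100", "sp": ""}
    for item in record.split(";"):
        if "=" in item:
            key, val = item.split("=", 1)
            tags[key.strip().lower()] = val.strip()
    if tags.get("v") != "DMARC1" or tags.get("p") not in ("none", "quarantine", "reject"):
        raise ValueError("not a usable DMARC record")
    tags["sp"] = tags["sp"] or tags["p"]  # subdomain policy defaults to p=
    tags["pct"] = int(tags["pct"])
    return tags


def find_dmarc(from_domain):
    """RFC 7489 s6.6.3: look under the From: domain, then under its organisational domain.
    Returns (record_or_None, found_at_org_domain)."""
    exact = DMARC_TXT.get(f"_dmarc.{from_domain.lower()}")
    if exact:
        return exact, False
    return DMARC_TXT.get(f"_dmarc.{org_domain(from_domain)}"), True


def aligned(from_domain, auth_domain, mode):
    """Strict (s) needs an exact match; relaxed (r) accepts the same organisational domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


def evaluate_dmarc(from_domain, spf_result, spf_domain, dkim_result, dkim_domain,
                   in_pct_sample=None):
    """Return (dmarc_result, disposition).

    spf_domain is the envelope MAIL FROM domain SPF was evaluated for; dkim_domain is
    the d= tag of a verified signature (None if none). in_pct_sample overrides the
    random pct= draw so results are reproducible.
    """
    record, at_org = find_dmarc(from_domain)
    if record is None:
        return "none", "none"  # no policy published: nothing to enforce or report
    policy = parse_dmarc(record)
    spf_ok = spf_result == "pass" and aligned(from_domain, spf_domain, policy["aspf"])
    dkim_ok = dkim_result == "pass" and aligned(from_domain, dkim_domain, policy["adkim"])
    if spf_ok or dkim_ok:
        return "pass", "none"
    disposition = policy["sp"] if at_org else policy["p"]
    if in_pct_sample is None:
        in_pct_sample = random.randrange(100) < policy["pct"]
    if not in_pct_sample:  # outside the pct= sample the next weaker policy applies
        disposition = {"reject": "quarantine", "quarantine": "none", "none": "none"}[disposition]
    return "fail", disposition
```

The first case worth trying is the classic spoof: SPF passes for the attacker's own envelope domain while From: shows example.co.uk, and because nothing aligns the record's p=reject applies. The adkim=s case shows why strict alignment bites: a DKIM signature with d=mail.example.co.uk no longer rescues mail from example.co.uk.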
The UK Implementation Gap
VP Pulse analysis shows that a significant proportion of UK business domains have either no DMARC record or a DMARC policy of p=none, which reports spoofing but does nothing to stop it. Financial services and legal firms are better protected than average, but the SMB sector has widespread gaps.
Google and Yahoo announced requirements, in force from February 2024, that bulk senders (over 5,000 emails a day to their users) must publish a DMARC record (p=none satisfies the requirement) alongside SPF and DKIM, with the From: domain aligned to one of them. Microsoft is expected to follow. For UK businesses sending marketing email or supplier communications at scale, DMARC is now effectively mandatory.
Implementation Checklist
- Enable DKIM signing in your email platform (Microsoft 365, Google Workspace, etc.)
- Publish your DKIM public key as a DNS TXT record at <selector>._domainkey.<yourdomain>
- Create an SPF record listing all authorised sending services (every third-party tool that sends as your domain, not just your mail platform)
- Create a DMARC record at _dmarc.<yourdomain>, starting with p=none and a reporting address (rua=)
- Monitor DMARC reports for 4 to 8 weeks to identify all legitimate sending sources and get each one aligned
- Move to p=quarantine (optionally phased in with pct=) and monitor for another 4 weeks
- Move to p=reject for maximum protection
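The monitoring steps above depend on reading the aggregate reports, which arrive as XML. As an added example (not VP Pulse's code), the script below summarises one such report per sending IP and sorts each source into "aligned" (authenticated as your domain), "third-party unaligned" (a vendor passing SPF or DKIM for its own domain, which needs your DKIM key or SPF include before you tighten the policy) and "unauthenticated" (an unknown relay or a spoofing attempt), then applies a simple pass-rate threshold for deciding whether to move to p=quarantine. The report, reporter, IPs and domains are constructed in the RFC 7489 Appendix C format.

```python
"""Summarise a DMARC aggregate (rua) report and judge readiness for enforcement.

Added example, not VP Pulse's code. The XML below is a constructed report in the
RFC 7489 Appendix C format; the reporter, IPs and domains are assumptions. Real
reports arrive as gzip/zip attachments from each participating mailbox provider.
"""
import xml.etree.ElementTree as ET

SAMPLE_RUA = """<?xml version="1.0"?>
<feedback>
  <report_metadata>
    <org_name>receiver.example</org_name>
    <report_id>2024-06-01-example-co-uk</report_id>
    <date_range><begin>1717200000</begin><end>1717286399</end></date_range>
  </report_metadata>
  <policy_published>
    <domain>example.co.uk</domain><adkim>r</adkim><aspf>r</aspf>
    <p>none</p><sp>none</sp><pct>100</pct>
  </policy_published>
  <record>
    <row><source_ip>198.51.100.7</source_ip><count>120</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>example.co.uk</header_from></identifiers>
    <auth_results>
      <dkim><domain>example.co.uk</domain><selector>selector1</selector><result>pass</result></dkim>
      <spf><domain>example.co.uk</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <record>
    <row><source_ip>203.0.113.44</source_ip><count>35</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.co.uk</header_from></identifiers>
    <auth_results>
      <dkim><domain>crm-vendor.example</domain><selector>k1</selector><result>pass</result></dkim>
      <spf><domain>bounce.crm-vendor.example</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <record>
    <row><source_ip>192.0.2.99</source_ip><count>8</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.co.uk</header_from></identifiers>
    <auth_results><spf><domain>example.co.uk</domain><result>fail</result></spf></auth_results>
  </record>
</feedback>
"""


def node_text(node, path, default=""):
    found = node.find(path)
    return found.text.strip() if found is not None and found.text else default


def summarise_report(xml_text):
    """Per-source verdicts plus totals. Reports come from strangers, so in production
    parse them with defusedxml rather than plain ElementTree."""
    root = ET.fromstring(xml_text)
    summary = {
        "domain": node_text(root, "policy_published/domain"),
        "policy": node_text(root, "policy_published/p"),
        "reporter": node_text(root, "report_metadata/org_name"),
        "total": 0, "dmarc_pass": 0, "sources": [],
    }
    for rec in root.findall("record"):
        count = int(node_text(rec, "row/count", "0"))
        # policy_evaluated holds the aligned results; auth_results holds the raw ones
        aligned_pass = "pass" in (node_text(rec, "row/policy_evaluated/dkim"),
                                  node_text(rec, "row/policy_evaluated/spf"))
        dkim_domains = [node_text(d, "domain") for d in rec.findall("auth_results/dkim")
                        if node_text(d, "result") == "pass"]
        spf_domains = [node_text(s, "domain") for s in rec.findall("auth_results/spf")
                       if node_text(s, "result") == "pass"]
        if aligned_pass:
            verdict = "aligned"                # authenticated as your domain
        elif dkim_domains or spf_domains:
            verdict = "third-party unaligned"  # vendor authenticates as itself: needs your key/include
        else:
            verdict = "unauthenticated"        # unknown relay or spoofing attempt
        summary["sources"].append({
            "ip": node_text(rec, "row/source_ip"), "count": count, "verdict": verdict,
            "dkim_domains": dkim_domains, "spf_domains": spf_domains,
        })
        summary["total"] += count
        summary["dmarc_pass"] += count if aligned_pass else 0
    return summary


def ready_for_enforcement(summary, min_pass_rate=0.98):
    """Rule of thumb for moving from p=none to quarantine: nearly all mail already aligns."""
    return summary["total"] > 0 and summary["dmarc_pass"] / summary["total"] >= min_pass_rate


if __name__ == "__main__":
    report = summarise_report(SAMPLE_RUA)
    for src in report["sources"]:
        print(f"{src['ip']:>15}  {src['count']:>5}  {src['verdict']:<22} "
              f"dkim={src['dkim_domains']} spf={src['spf_domains']}")
    print("ready for p=quarantine:", ready_for_enforcement(report))
```

In the constructed report only 120 of 163 messages align, so the domain is not ready for p=quarantine at a 98% threshold: the CRM vendor's 35 messages would start landing in junk, which is precisely the kind of source the 4 to 8 weeks of monitoring is meant to surface before the policy changes.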
Check Your Domain Now
VP Pulse checks DMARC policy, SPF strength, and DKIM coverage for any domain in seconds. Use the domain scan tool to see your current email security status; no account required.