
Email Security in 2025: Why DMARC Is No Longer Optional for UK Businesses

Google, Yahoo, and now Microsoft require DMARC for bulk email senders. UK businesses without DMARC risk email delivery failures and brand impersonation. Here's how to comply.

Tags: DMARC, email security, Google, Microsoft, phishing, UK compliance

The Industry Mandate

In February 2024, Google and Yahoo began requiring DMARC for senders of more than 5,000 emails per day to Gmail or Yahoo accounts. Emails from domains without DMARC were moved to spam or rejected outright. For UK businesses sending newsletters, transactional email, or marketing campaigns, this was a wake-up call.

Microsoft followed with similar requirements for Outlook.com and Hotmail in 2025. With these three providers covering the vast majority of UK email recipients, DMARC is now effectively mandatory for any UK business sending email at scale.

What Happens Without DMARC

Without DMARC, your domain is vulnerable to spoofing (anyone can send email claiming to be you). But the consequences extend beyond spoofing:

  • Email deliverability suffers as major providers apply stricter filtering to unauthenticated domains
  • Google Workspace and Microsoft 365 mark inbound spoofed emails as suspicious, damaging your domain reputation even for legitimate replies
  • Business email compromise (BEC) attacks using your domain become easier
  • Cyber Essentials assessors now check for DMARC as part of email security controls

The Three-Step Implementation Path

Step 1: SPF and DKIM First

DMARC requires at least one of SPF or DKIM to pass. Before implementing DMARC, ensure both are configured for all sending services: your primary email platform, CRM, marketing tools (Mailchimp, HubSpot, Klaviyo), and transactional email services (SendGrid, Postmark, AWS SES).

Every service that sends email on behalf of your domain needs either its own SPF include or DKIM signing key. Missing any service will cause legitimate email to fail DMARC once you move to p=reject.

Step 2: DMARC Monitoring (p=none)

Create your initial DMARC record with p=none and configure aggregate reporting (rua=). This tells receiving servers to send daily reports showing authentication results for all email claiming to be from your domain, without affecting delivery.

Example: v=DMARC1; p=none; rua=mailto:dmarc-reports@yourdomain.co.uk; ruf=mailto:dmarc-failures@yourdomain.co.uk

Review reports for 4–8 weeks to identify all legitimate sending sources before moving to enforcement.

Step 3: Enforcement (p=quarantine → p=reject)

Move to p=quarantine once all legitimate senders are authenticated. Monitor spam rates for your domain. After 4 more weeks, move to p=reject, the maximum protection level that blocks all spoofed email outright.

UK DMARC Reporting Tools

Raw DMARC reports are XML files that are unreadable without a parser. Several UK-friendly tools aggregate and visualise these reports:

  • DMARC Analyser (multi-region including UK)
  • Postmark's free DMARC reporting (up to 10,000 records)
  • Google Postmaster Tools (for Gmail delivery data specifically)
  • Valimail Monitor (free tier)

Subdomains and DMARC

DMARC policy applies to the domain and all subdomains unless a subdomain policy is specified. If you use subdomains for marketing email (newsletter.yourdomain.co.uk) or transactional email (notifications.yourdomain.co.uk), ensure each has SPF/DKIM configured before moving to p=reject on the parent domain.

Check Your Domain Now

VP Pulse checks DMARC policy, SPF qualifier, and DKIM selector coverage for any domain in seconds. Run a free email security scan at pulse.vpnetworks.co.uk/scan.

For help implementing DMARC across complex sending environments, contact VantagePoint Networks.
