For most small businesses, email is how quotes go out, invoices come back, and purchase orders get approved. It is also how many cyber attacks start. As major providers such as Google and Microsoft tighten their requirements for email authentication, small organisations that ignore DMARC, SPF and DKIM are increasingly exposed to both security risk and deliverability issues.
Managed email authentication platforms (for example Sendmarc and similar services) exist to solve this in a structured, low-friction way. This article explains, in practical terms, why small businesses should be using one of these services, either directly or via their managed service provider (MSP).
For many small organisations, almost everything important passes through email:
The same channel is heavily abused by attackers. Phishing and business email compromise (BEC) campaigns routinely impersonate legitimate domains to send fake invoices, payment redirections or credential-harvesting links. When an attacker can easily send mail that appears to come from @yourbusiness.com.au, it is much easier for staff, customers and suppliers to be tricked.
At the same time, major providers such as Google and Microsoft now expect senders to authenticate their email correctly. Their public guidelines state that domains which lack proper SPF, DKIM and (for higher-volume senders) DMARC are more likely to see messages rejected or routed to spam. Over time, this directly affects cashflow when quotes, invoices and approvals no longer reach the inbox reliably.
The practical takeaway is simple: if you do not actively manage SPF, DKIM and DMARC, you are more likely to be both impersonated by attackers and penalised by mail providers.
Before deciding whether to use a managed service, it helps to understand what these mechanisms actually do.
SPF is a DNS record that lists which mail servers are allowed to send email on behalf of your domain. When a receiving server gets a message from @yourbusiness.com.au, it checks the SPF record to see if the sending server is authorised. If it is not on the list, that message is more likely to be rejected or treated as suspicious.
DKIM adds a digital signature to your outgoing email. The public key is stored in DNS, and receiving servers use it to verify that the message has not been tampered with and genuinely comes from an authorised source. When DKIM is configured correctly, messages from your domain are much harder to forge convincingly.
DMARC ties SPF and DKIM together and adds policy and reporting. It lets you tell receiving servers what to do if a message claiming to be from your domain fails authentication:
p=none – only monitor and report
p=quarantine – treat failures as suspicious (often sent to spam)
p=reject – block failures outright
DMARC also generates detailed reports that show who is sending mail using your domain, which systems pass or fail, and where abuse is coming from. These reports are the main way to see whether your policies are working as intended.
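How a receiving server combines the SPF and DKIM results with the DMARC policy is easiest to see in code. This is an added illustration, not code from the article or any vendor's platform; it assumes a tiny, constructed public-suffix list (enough for .com.au) and hypothetical sender domains.

```python
# Added example: a minimal DMARC evaluation with identifier alignment.
# Constructed public-suffix list so organisational-domain lookup works offline;
# real receivers use the full Public Suffix List.
PUBLIC_SUFFIXES = {"com", "au", "com.au", "net", "org"}

def organizational_domain(domain: str) -> str:
    """mail.yourbusiness.com.au -> yourbusiness.com.au (registrable domain)."""
    labels = domain.lower().strip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            # the label immediately before the public suffix is the registrable one
            return ".".join(labels[max(i - 1, 0):])
    return domain.lower()

def aligned(from_domain, auth_domain, mode):
    """Relaxed ('r') alignment compares organisational domains; strict ('s') needs an exact match."""
    if not auth_domain:
        return False
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return organizational_domain(from_domain) == organizational_domain(auth_domain)

def parse_dmarc_record(txt: str) -> dict:
    """Turn 'v=DMARC1; p=reject; aspf=r' into {'v': 'DMARC1', 'p': 'reject', 'aspf': 'r'}."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def evaluate(from_domain, spf_result, spf_domain, dkim_result, dkim_domain, record):
    """Return the DMARC outcome for one message given the raw SPF/DKIM results."""
    tags = parse_dmarc_record(record)
    # Note: SPF passing for the attacker's own envelope domain does not help them;
    # the authenticated domain must align with the visible From: domain.
    spf_ok = spf_result == "pass" and aligned(from_domain, spf_domain, tags.get("aspf", "r"))
    dkim_ok = dkim_result == "pass" and aligned(from_domain, dkim_domain, tags.get("adkim", "r"))
    passed = spf_ok or dkim_ok
    disposition = "none" if passed else tags.get("p", "none")
    return {"spf_aligned": spf_ok, "dkim_aligned": dkim_ok, "pass": passed, "disposition": disposition}
```

The third case in the test below is the one that matters for impersonation: SPF can pass for a sender's own domain and the message still fails DMARC because nothing aligns with @yourbusiness.com.au.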
While it is technically possible to configure all of this by hand, doing so across multiple services and domains, and then interpreting raw DMARC XML reports, is rarely practical for a small business.
Attackers deliberately target small organisations because they often combine three characteristics:
Common scenarios include:
If your domain is not protected by properly enforced SPF, DKIM and DMARC, it is much easier for attackers to send email that appears to come from you. In many cases, the first time you hear about it is when a customer calls to ask why you sent them a suspicious message or when a supplier chases an unpaid invoice you have already “paid” to an attacker.
On paper, implementing SPF, DKIM and DMARC is just a matter of publishing a few DNS TXT records. In reality, the ongoing management is where most small businesses struggle.
Typical pain points include:
For a small internal team or business owner, this becomes an ongoing technical burden. For MSPs, building an internal DMARC analytics and reporting platform is often not cost-effective when specialist solutions already exist.
Managed email authentication platforms are built specifically to handle the complexity described above. While each vendor has its own strengths, most of them provide a core set of capabilities that directly address the pain points.
Instead of dealing with raw XML reports, you see dashboards that summarise:
DMARC is most effective when your policy is set to quarantine or reject unauthenticated messages. That change can be risky if you are not confident your legitimate senders are configured correctly. Managed platforms typically guide you through a staged approach:
Start with p=none to collect data without impacting delivery.
Move to quarantine and then reject.
This reduces the risk of accidentally blocking your own invoices or marketing campaigns.
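The staged approach above is driven by the aggregate reports described earlier. The following is an added example, not code from the article or any vendor: it summarises a constructed DMARC aggregate report (RFC 7489 layout, with made-up IPs and counts) per sending source and recommends whether the domain is ready for the next policy stage. The 98% pass-rate threshold is an assumption, not a standard.

```python
# Added example: summarise a DMARC aggregate (rua) report and suggest the next stage.
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample report; real reports arrive as gzip/zip attachments to the rua: address.
SAMPLE_REPORT = """<feedback>
  <policy_published><domain>yourbusiness.com.au</domain><p>none</p></policy_published>
  <record>
    <row><source_ip>203.0.113.10</source_ip><count>120</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated>
    </row>
    <identifiers><header_from>yourbusiness.com.au</header_from></identifiers>
  </record>
  <record>
    <row><source_ip>198.51.100.7</source_ip><count>15</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated>
    </row>
    <identifiers><header_from>yourbusiness.com.au</header_from></identifiers>
  </record>
</feedback>"""

STAGES = ["none", "quarantine", "reject"]

def summarise(report_xml):
    """Return (published policy, {source_ip: {"pass": n, "fail": n}})."""
    root = ET.fromstring(report_xml)
    policy = root.findtext("policy_published/p", default="none")
    per_source = defaultdict(lambda: {"pass": 0, "fail": 0})
    for rec in root.iter("record"):
        ip = rec.findtext("row/source_ip")
        count = int(rec.findtext("row/count", default="0"))
        # policy_evaluated results are already alignment-adjusted, so DMARC
        # passes when either the aligned DKIM or the aligned SPF result is "pass".
        results = (rec.findtext("row/policy_evaluated/dkim"), rec.findtext("row/policy_evaluated/spf"))
        per_source[ip]["pass" if "pass" in results else "fail"] += count
    return policy, dict(per_source)

def next_stage(policy, per_source, min_pass_rate=0.98):
    """Recommend the next policy stage once the aligned pass rate is high enough (threshold assumed)."""
    total = sum(v["pass"] + v["fail"] for v in per_source.values())
    rate = sum(v["pass"] for v in per_source.values()) / total if total else 0.0
    idx = STAGES.index(policy) if policy in STAGES else 0
    if idx == len(STAGES) - 1 or rate < min_pass_rate:
        return policy, rate  # stay put; the failing sources need investigating first
    return STAGES[idx + 1], rate

if __name__ == "__main__":
    policy, per_source = summarise(SAMPLE_REPORT)
    print(policy, per_source, next_stage(policy, per_source))
```

With the sample data the 198.51.100.7 source drags the pass rate to roughly 89%, so the recommendation is to stay at p=none until that source is either authenticated (a forgotten legitimate system) or confirmed as abuse.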
Many platforms offer SPF “flattening” or equivalent capabilities. They maintain a clean, provider-managed SPF record for you, keeping it under technical limits and adjusting automatically when underlying services change their published records. This avoids brittle, manually edited SPF entries that silently fail over time.
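The "technical limit" referred to above is the cap of 10 DNS-lookup terms (include, a, mx, ptr, exists, redirect) per SPF evaluation set by RFC 7208. As an added example, not code from the article or any provider's platform, the block below counts those lookups and produces a flattened record, using a constructed in-memory DNS table with hypothetical domains and networks in place of live lookups.

```python
# Added example: count SPF DNS lookups and flatten include: terms to literal networks.
MAX_LOOKUPS = 10  # RFC 7208 section 4.6.4 limit

# Constructed TXT records keyed by domain; in practice these come from live DNS.
FAKE_DNS = {
    "yourbusiness.com.au": "v=spf1 include:_spf.mailhost.example include:_spf.crm.example ip4:203.0.113.0/24 -all",
    "_spf.mailhost.example": "v=spf1 ip4:198.51.100.0/24 ip6:2001:db8::/32 -all",
    "_spf.crm.example": "v=spf1 include:_spf2.crm.example ~all",
    "_spf2.crm.example": "v=spf1 ip4:192.0.2.0/25 ~all",
}

def spf_terms(domain, dns=FAKE_DNS):
    """Return the mechanisms/modifiers of a domain's SPF record (without the v=spf1 prefix)."""
    record = dns.get(domain, "")
    if not record.startswith("v=spf1"):
        raise ValueError(f"no SPF record for {domain}")
    return record.split()[1:]

def is_lookup_term(term):
    body = term.lstrip("+-~?")  # strip the qualifier
    return body in ("a", "mx", "ptr") or body.startswith(
        ("a:", "a/", "mx:", "mx/", "include:", "exists:", "redirect="))

def count_lookups(domain, dns=FAKE_DNS):
    """Count DNS-lookup terms, following include: chains recursively."""
    total = 0
    for term in spf_terms(domain, dns):
        if is_lookup_term(term):
            total += 1
            body = term.lstrip("+-~?")
            if body.startswith("include:"):
                total += count_lookups(body[len("include:"):], dns)
    return total

def flatten_terms(domain, dns=FAKE_DNS):
    """Replace each include: with the terms of the included record; an include's own 'all' never applies."""
    out = []
    for term in spf_terms(domain, dns):
        body = term.lstrip("+-~?")
        if body.startswith("include:"):
            out.extend(flatten_terms(body[len("include:"):], dns))
        elif body != "all":
            out.append(term)
    return out

def flatten(domain, dns=FAKE_DNS):
    """Build a flattened record, keeping the top-level 'all' qualifier (neutral if none is published)."""
    final = next((t for t in spf_terms(domain, dns) if t.lstrip("+-~?") == "all"), "?all")
    return "v=spf1 " + " ".join(dict.fromkeys(flatten_terms(domain, dns))) + " " + final
```

A flattened record removes the lookups but freezes the providers' networks at the moment of flattening, which is why it has to be regenerated whenever an upstream record changes; that refresh is the part a managed platform automates.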
Small businesses often have multiple domains (for example a .com and a .com.au), and MSPs may manage dozens or hundreds of domains for their clients. Managed DMARC platforms are designed for this reality. They provide multi-domain dashboards, consistent policy templates and alerting when a new domain starts to be used for email.
Modern services integrate with Microsoft 365, Google Workspace and common marketing and transactional email platforms. This allows them to:
The result is a more robust configuration with less manual effort and a lower risk of human error.
Security is only one side of the story. The other is deliverability: whether your legitimate messages reach the inbox rather than the junk folder.
Both Google and Microsoft have made it clear that properly authenticated email is more likely to be accepted and placed in the inbox. Over time, domains that consistently fail SPF, DKIM or DMARC checks can accumulate a poor reputation. That reputation applies across the board, not only to bulk mail. Even simple one-to-one messages such as quotes and purchase orders can be affected.
Managed platforms improve deliverability by helping you close authentication gaps quickly, monitor trends in pass and fail rates, and keep your configuration aligned with current best practice. The net effect is that your legitimate mail is more likely to be seen and acted upon.
When your domain is abused in a phishing or fraud campaign, the impact is not limited to the immediate incident. Customers and partners remember that the fraudulent message appeared to come from you. Repeated incidents damage trust, and in some cases can influence whether organisations are comfortable continuing to do business with you.
There is also a growing expectation from insurers, auditors and enterprise customers that basic security controls are in place. While SPF, DKIM and DMARC are not formal legal requirements for small businesses, they are increasingly considered part of reasonable technical due diligence. Having a managed authentication service in place makes it easier to demonstrate that you are taking email security seriously.
For a typical small organisation using Microsoft 365 or Google Workspace, a sensible end-state looks like this:
For many small businesses, this level of maturity is only realistic when a managed DMARC/SPF/DKIM service is in place, usually supported by an MSP.
There are several reputable managed DMARC, SPF and DKIM providers internationally, including platforms such as EasyDMARC, Sendmarc, PowerDMARC and others. While features vary, the evaluation criteria for a small business are relatively consistent.
Key points to consider:
In practice, many small organisations will rely on their MSP to select and manage the platform. The important part is that a structured, monitored service is in place, rather than a one-off DNS change that is never revisited.
When presenting this to owners or directors, the case for a managed DMARC/SPF/DKIM service can be summarised as follows.
Email remains the primary channel through which money and instructions move in and out of small businesses. Attackers know this, and so do the major email providers. SPF, DKIM and DMARC have shifted from “nice to have” technical extras to basic security hygiene.
For most small organisations, the most reliable way to reach and maintain that standard is to adopt a managed DMARC/SPF/DKIM service, either directly or through an MSP like Milnsbridge Managed IT Services. It turns a complex mix of DNS records and raw logs into a controlled, visible and auditable safeguard for your brand, your customers and your cashflow.