DMARC Email Security for Solano County Businesses

If someone can send emails that look like they come from your business domain, your customers are one click away from wiring money to a criminal. DMARC is the protocol that stops this — and most small businesses in Solano County haven’t set it up.

What DMARC Actually Does

DMARC (Domain-based Message Authentication, Reporting, and Conformance) is a DNS record that tells receiving email servers — Gmail, Outlook, Yahoo — how to handle messages claiming to be from your domain. Without it, anyone can put your business name in the “From” field of an email and your customers have no way to know it’s fake.

With DMARC properly configured, spoofed emails get flagged, quarantined, or outright rejected before they ever reach an inbox.

The Two Protocols Behind DMARC

DMARC relies on two underlying authentication systems. Both need to be in place before DMARC can work.

SPF (Sender Policy Framework)

SPF is a DNS TXT record listing every server authorized to send email on your behalf. A basic Google Workspace SPF record looks like this:

v=spf1 include:_spf.google.com ~all

If an email arrives from a server not on this list, the receiving server knows it’s suspicious. You need to include every legitimate sender — your email provider, your website’s contact form, your invoicing software, your marketing platform.
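The check below is an added example, not code from the original post: an offline parser for an SPF TXT record that lists the senders it authorizes, counts the terms that cost a DNS lookup (SPF evaluation is capped at 10 such lookups, after which receivers return a permanent error), and flags an `all` qualifier that lets any server pass. It never queries DNS; you paste in the record text. The `.example` sender domains in the constructed records are placeholders, not real services.

```python
# Added example (not from the original post): offline SPF record checker.

# Mechanisms and modifiers that each trigger a DNS lookup during evaluation.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
DNS_LOOKUP_LIMIT = 10


def parse_spf(record: str) -> dict:
    """Split an SPF record into its terms and report the risky ones."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record: must start with v=spf1")

    senders = []          # (qualifier, mechanism, argument)
    lookups = 0
    all_qualifier = None  # qualifier on the 'all' mechanism, if present

    for term in terms[1:]:
        # Modifiers use name=value (redirect=, exp=); only redirect costs a lookup.
        if "=" in term:
            name = term.partition("=")[0].lower()
            if name in LOOKUP_TERMS:
                lookups += 1
            continue
        qualifier = "+"  # an unqualified mechanism means "pass"
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        name, _, argument = term.partition(":")
        name = name.split("/")[0].lower()  # drop a CIDR suffix such as a/24
        if name == "all":
            all_qualifier = qualifier
            continue
        if name in LOOKUP_TERMS:
            lookups += 1
        senders.append((qualifier, name, argument))

    findings = []
    if all_qualifier is None:
        findings.append("no 'all' term: unlisted servers get a neutral result")
    elif all_qualifier in "+?":
        findings.append(f"'{all_qualifier}all' lets any server pass SPF")
    if lookups > DNS_LOOKUP_LIMIT:
        findings.append(
            f"{lookups} lookup-triggering terms exceed the limit of "
            f"{DNS_LOOKUP_LIMIT}; receivers return permerror"
        )
    return {"senders": senders, "lookups": lookups, "all": all_qualifier, "findings": findings}


def includes_sender(record: str, domain: str) -> bool:
    """True if the record names this sender via an include:, a: or mx: term."""
    return any(
        mech in {"include", "a", "mx"} and argument.lower() == domain.lower()
        for _, mech, argument in parse_spf(record)["senders"]
    )


# Constructed records: the Google Workspace starter record from the post, and a
# record that grew one include per SaaS tool until it broke (placeholder domains).
GOOGLE_ONLY = "v=spf1 include:_spf.google.com ~all"
OVERLOADED = (
    "v=spf1 include:_spf.google.com include:spf.crm.example include:mail.invoicing.example "
    "include:spf.forms.example include:spf.newsletter.example include:a.example "
    "include:b.example include:c.example include:d.example include:e.example mx +all"
)

if __name__ == "__main__":
    for rec in (GOOGLE_ONLY, OVERLOADED):
        result = parse_spf(rec)
        print(rec)
        print(f"  lookups={result['lookups']} all={result['all']}")
        for finding in result["findings"]:
            print("  !", finding)
```

Run it before adding yet another `include:` for a new tool: the overloaded record shows the two failure modes that quietly turn SPF off, a lookup count over the limit and a `+all` that authorizes the whole internet.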

DKIM (DomainKeys Identified Mail)

DKIM adds a cryptographic signature to every outgoing email. The receiving server verifies this signature against a public key published in your DNS. If the signature verifies, the signed headers and body haven’t been altered in transit.

Most email providers (Google Workspace, Microsoft 365) have a DKIM setup wizard in their admin panel. You generate the key, add the DNS record, and activate signing.

The Three DMARC Policy Levels

DMARC enforcement is graduated. Always start at the first level and work your way up — jumping straight to “reject” before auditing your senders will break legitimate email delivery.

  • p=none (Monitor): No emails are blocked. You receive daily reports showing who is sending email using your domain. Start here to identify all legitimate senders and catch misconfigurations.
  • p=quarantine (Spam folder): Emails that fail authentication are routed to the recipient’s spam folder. Move here once your SPF and DKIM records are complete and tested.
  • p=reject (Full protection): Emails that fail authentication are silently dropped. This is the gold standard — no spoofed email from your domain will ever reach a recipient.

A starter DMARC record looks like this:

v=DMARC1; p=none; rua=mailto:[email protected]

The rua tag specifies where aggregate reports are sent. These XML reports show you exactly which IP addresses are sending email as your domain. Review them for two to four weeks before escalating your policy.
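Reading those XML reports by hand gets old fast. The script below is an added example, not code from the original post: it parses a constructed aggregate report in the standard DMARC schema (the `feedback` / `record` / `row` / `policy_evaluated` layout receivers use) and triages each source IP into "aligned", "unaligned third party" (authenticates, but for some other domain, which is what a forgotten invoicing or CRM tool looks like) or "unauthenticated" (likely spoofing). The IPs are documentation ranges and the `.example` domains are placeholders.

```python
# Added example (not from the original post): triage of a DMARC aggregate report.
import xml.etree.ElementTree as ET

# Constructed report with three sources: the primary mail provider (passes),
# a third-party invoicing service never set up for the domain (its own SPF and
# DKIM pass, but nothing aligns), and an unknown host sending as the domain.
SAMPLE_REPORT = """<?xml version="1.0" encoding="UTF-8"?>
<feedback>
  <report_metadata>
    <org_name>receiver.example</org_name>
    <report_id>constructed-report-0001</report_id>
  </report_metadata>
  <policy_published>
    <domain>example.com</domain>
    <adkim>r</adkim>
    <aspf>r</aspf>
    <p>none</p>
    <pct>100</pct>
  </policy_published>
  <record>
    <row>
      <source_ip>192.0.2.10</source_ip>
      <count>42</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated>
    </row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results>
      <dkim><domain>example.com</domain><result>pass</result></dkim>
      <spf><domain>example.com</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <record>
    <row>
      <source_ip>203.0.113.25</source_ip>
      <count>7</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated>
    </row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results>
      <dkim><domain>invoicing.example</domain><result>pass</result></dkim>
      <spf><domain>bounce.invoicing.example</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <record>
    <row>
      <source_ip>198.51.100.77</source_ip>
      <count>3</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated>
    </row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results>
      <spf><domain>example.com</domain><result>fail</result></spf>
    </auth_results>
  </record>
</feedback>
"""


def summarize_report(xml_text: str) -> list:
    """Flatten each <record> into one dict per source IP."""
    # Reports come from outside parties; for production use parse with
    # defusedxml to rule out entity-expansion tricks in a malicious report.
    root = ET.fromstring(xml_text)
    rows = []
    for rec in root.iter("record"):
        row = rec.find("row")
        evaluated = row.find("policy_evaluated")
        dkim = evaluated.findtext("dkim")  # aligned DKIM result
        spf = evaluated.findtext("spf")    # aligned SPF result
        rows.append({
            "source_ip": row.findtext("source_ip"),
            "count": int(row.findtext("count")),
            "header_from": rec.findtext("identifiers/header_from"),
            "dkim_aligned": dkim == "pass",
            "spf_aligned": spf == "pass",
            "dmarc_pass": dkim == "pass" or spf == "pass",
            # Raw results for whatever domain actually authenticated.
            "raw_dkim": rec.findtext("auth_results/dkim/result"),
            "raw_spf": rec.findtext("auth_results/spf/result"),
            "dkim_domain": rec.findtext("auth_results/dkim/domain"),
            "spf_domain": rec.findtext("auth_results/spf/domain"),
        })
    return rows


def classify(row: dict) -> str:
    """Rough triage used while reviewing reports at p=none."""
    if row["dmarc_pass"]:
        return "aligned"
    if row["raw_spf"] == "pass" or row["raw_dkim"] == "pass":
        return "unaligned-third-party"
    return "unauthenticated"


def failing_sources(rows: list) -> list:
    """Sources whose mail would be affected once the policy moves past p=none."""
    return [r for r in rows if not r["dmarc_pass"]]


if __name__ == "__main__":
    for r in summarize_report(SAMPLE_REPORT):
        print(f"{r['source_ip']:>15}  {r['count']:>4}  {classify(r)}  "
              f"spf={r['spf_domain']} dkim={r['dkim_domain']}")
```

The "unaligned-third-party" bucket is the one to act on before escalating: those messages are probably yours and need the service's DKIM record (or an SPF include) added so they align, while the "unauthenticated" bucket is what `p=quarantine` and `p=reject` exist to stop.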

Why Small Businesses Are Prime Targets

Attackers target small businesses precisely because they assume email authentication isn’t configured. A spoofed invoice from your domain is far more convincing to your clients than a random phishing attempt. The consequences compound:

  • Your client loses money to a fraudulent wire transfer
  • Email providers start flagging all your legitimate emails as spam
  • Your domain reputation tanks, hurting deliverability for months
  • You lose the trust you spent years building — and in the worst case, a spoofed email becomes the entry point for a full ransomware attack

As CISA recommends, email authentication is one of the most impactful steps any organization can take to reduce phishing risk.

For more on how modern phishing works — including AI-generated attacks we’re seeing in Solano County — read our post on AI phishing targeting local teams.

Common Implementation Mistakes

We set up DMARC for businesses across Solano County and see the same errors repeatedly:

  • Forgetting third-party senders: QuickBooks, Mailchimp, your website’s form handler, and your CRM all send email as your domain. Miss one in your SPF record and those legitimate emails start failing authentication.
  • Skipping the monitoring phase: Jumping to p=reject without reviewing reports first is the fastest way to block your own invoices and newsletters.
  • Not checking DKIM alignment: SPF can pass even when the visible “From” domain doesn’t match. DKIM alignment ensures the domain your customer sees is the domain that actually signed the message.
  • Ignoring the reports: DMARC reports are only useful if someone reads them. Set a calendar reminder to review them weekly during the rollout phase.
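The alignment point in the list above is the one most people get wrong, so here is an added example (not code from the original post) that implements the DMARC identifier-alignment rule: SPF authenticates the envelope sender domain and DKIM the `d=` domain of the signature, and DMARC only counts either as a pass if that domain aligns with the visible From domain, either exactly (strict, `aspf=s` / `adkim=s`) or by sharing the organizational domain (relaxed, the default). The `organizational_domain` helper is a deliberate simplification that takes the last two labels; a real implementation consults the Public Suffix List.

```python
# Added example (not from the original post): DMARC identifier alignment.
from typing import Optional


def organizational_domain(domain: str) -> str:
    """Simplification: last two labels. Real DMARC uses the Public Suffix List
    so that e.g. shop.example.co.uk maps to example.co.uk, not co.uk."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(header_from: str, auth_domain: Optional[str], mode: str = "r") -> bool:
    """Does the authenticated domain align with the visible From domain?"""
    if not auth_domain:
        return False
    if mode == "s":  # strict: exact match only
        return header_from.lower() == auth_domain.lower()
    # relaxed: same organizational domain is enough
    return organizational_domain(header_from) == organizational_domain(auth_domain)


def dmarc_result(header_from: str,
                 spf_result: str, spf_domain: Optional[str],
                 dkim_result: str, dkim_domain: Optional[str],
                 aspf: str = "r", adkim: str = "r") -> dict:
    """Combine raw SPF/DKIM results with alignment the way a DMARC receiver does."""
    spf_ok = spf_result == "pass" and aligned(header_from, spf_domain, aspf)
    dkim_ok = dkim_result == "pass" and aligned(header_from, dkim_domain, adkim)
    return {"spf_aligned": spf_ok, "dkim_aligned": dkim_ok, "dmarc_pass": spf_ok or dkim_ok}


if __name__ == "__main__":
    # Constructed case: a third-party invoicing tool (placeholder domain) sends
    # as example.com. Its own SPF and DKIM pass, but for its domain, not yours.
    print(dmarc_result("example.com", "pass", "bounce.invoicing.example",
                       "pass", "invoicing.example"))
    # Same sender after its DKIM signing was set up for example.com.
    print(dmarc_result("example.com", "pass", "bounce.invoicing.example",
                       "pass", "example.com"))
```

The first call is the exact situation the list describes: every individual check says "pass", yet DMARC fails, because nothing that passed belongs to the From domain. Getting the vendor to sign with a `d=example.com` key (the second call) fixes it without touching SPF at all.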

What to Do Next

If you’re handling email for a business, you need DMARC. The setup is straightforward if you’re comfortable with DNS records. If you’d rather have it done right the first time, our managed IT team handles the full implementation — SPF, DKIM, DMARC, ongoing report monitoring, and gradual policy escalation.

Already worried your domain may have been spoofed? Watch for the warning signs in our guide to 7 security mistakes that invite malware.

Don’t wait until a client calls about a fraudulent invoice with your name on it. Book a consultation and we’ll audit your domain’s email authentication setup — typically in under an hour.
