Someone Is Sending Emails From Your Domain Right Now. Here Is How to Stop Them.

A supplier in Sligo received an email from your business asking them to update their bank account details before the next payment run. The email came from your exact domain. Your name in the From field, your company address, everything correct. Your accountant never sent it. A fraudster did.

Without DMARC configured on your domain, this attack requires no access to your systems, no password, and no technical sophistication. Anyone can send an email that appears to come from your business address. The tool that prevents it takes about two hours to set up and is free.

What Is Email Impersonation?

Email impersonation is a fraud technique in which an attacker sends emails that appear to originate from a legitimate business domain — without ever accessing that business's email system — by exploiting the absence of email authentication standards.

The three standards that prevent this are SPF, DKIM, and DMARC. Together they tell receiving email servers how to verify that a message genuinely came from the organisation it claims to represent, and what to do with messages that fail that verification.

The Current Situation

• DMARC is absent or set to monitoring-only on the majority of Irish SME domains — impersonation emails are delivered rather than blocked [^1]
• Business email compromise, which frequently uses domain impersonation as its first step, is the highest-value cybercrime category targeting Irish businesses annually
• An Garda Síochána's National Cyber Crime Bureau cites email impersonation as one of the most commonly reported fraud vectors by Irish businesses [^2]
• The digitaltrust.ie framework, which has assessed over 100,000 Irish domains, finds fewer than 20% have DMARC set to enforcement level
• Cyber insurance underwriters now routinely ask for DMARC status during policy applications

If you have never configured DMARC, your domain is open to impersonation right now. The check takes thirty seconds.

Want to know whether your domain is currently open to impersonation? Visit mxtoolbox.com, enter your domain, and run a DMARC lookup. If it shows p=none or no record found, anyone can send email as your business. Book a free 20-minute strategy call to understand what fixing it involves.

How the Three Standards Work Together

SPF — Sender Policy Framework — publishes a list of the mail servers authorised to send email on behalf of your domain. Any server not on that list fails SPF verification.

DKIM — DomainKeys Identified Mail — adds a cryptographic signature to every outgoing email, allowing the recipient's server to verify the message has not been tampered with and genuinely originated from an authorised source.

DMARC — Domain-based Message Authentication, Reporting and Conformance — ties SPF and DKIM together and tells receiving servers what to do when a message fails: deliver it anyway, quarantine it to spam, or reject it outright. It also sends reports to the domain owner showing where email claiming to be from their domain is originating.

The critical point is DMARC's policy setting. A policy of p=none means DMARC is watching but taking no action — impersonation emails are still delivered. A policy of p=quarantine sends suspicious messages to spam. A policy of p=reject stops them entirely. Most Irish SMEs that have DMARC at all are set to p=none, which provides reporting but no protection.

For a Donegal solicitor, a Letterkenny accountancy practice, or any business that sends invoices or payment instructions by email, p=reject is the only setting that actually protects clients and suppliers from being defrauded in the business's name.

Why This Matters to Your Business Right Now

Email impersonation does not only defraud your suppliers and clients. It damages your reputation. When your domain is used to send phishing emails, recipients who fall victim associate the harm with your business name. Over time, your domain's sender reputation degrades, causing legitimate emails to be filtered as spam.

The legal dimension compounds this. Under GDPR, if your domain is impersonated to obtain personal data from clients, your business may face questions about whether adequate controls were in place. Implementing DMARC at enforcement level is a baseline control that regulators expect organisations handling personal data to have in place. It is also one of the simplest.

What Next

1. Check your current DMARC status today. Use mxtoolbox.com or Google Admin Toolbox to look up your domain's DMARC record. Note whether a record exists and what the policy is set to.

2. Publish SPF and DKIM if not already present. Your email provider — Microsoft 365, Google Workspace, or whoever hosts your business email — has documentation on how to add these records to your domain DNS. Typically a 30-minute job for your IT provider.

3. Move DMARC to p=quarantine, then p=reject. Start at p=quarantine to catch legitimate sending sources you may have overlooked, review reports for two to four weeks, then move to p=reject once all legitimate mail passes authentication.

Ready to find out exactly where your business stands? Book a free 20-minute strategy call with our vCISO team at www.pragmaticsecurity.ie/book-a-call. No sales pitch. No jargon. Just clarity on your cyber risk — and a clear plan to address it.

Related Reading

• The 10-Minute Security Review Every Donegal Business Should Do Every Quarter
• Phishing Simulations: How to Run Them Without Destroying Employee Trust
• AI Voice Cloning Fraud: The Deepfake CEO Scam Hitting Irish SMEs

[^1]: NCSC Ireland — Email Security Guidance [^2]: An Garda Síochána — National Cyber Crime Bureau [^3]: Data Protection Commission Ireland

Pragmatic Security — Cybersecurity advisory for Irish businesses. Based in Donegal, Ireland. CISA, CISSP, CISM certified advisors.