
Email Security for Irish Businesses: SPF, DKIM and DMARC Explained

Pragmatic Security

In today's digital world, email is the lifeblood of most Irish businesses. It's how you communicate with clients, suppliers, and your team. But what if that trust is broken? What if a fraudster pretends to be you, or someone in your company, to trick your customers or even your own finance department?

This isn't a hypothetical threat. Business Email Compromise (BEC) and phishing attacks are costing Irish SMEs millions. Just recently, the Gardaí have been active in Donegal, investigating international fraud schemes that have seen over €1 million stolen from businesses through impersonation attacks.

The problem is that traditional email security often isn't enough to stop sophisticated fraudsters from impersonating your business. They can send emails that look legitimate, coming from your domain, even when they're not. This erodes trust, leads to financial losses, and can severely damage your reputation.

The Hidden Threat: How Impersonation Works

Imagine one of your suppliers receives an email, seemingly from your CEO, asking them to change bank account details for an upcoming payment. Or perhaps your finance team gets an urgent request, appearing to be from a senior manager, to transfer funds to a new account. These are classic BEC scenarios, and they rely on the fraudster successfully impersonating a trusted entity.

Without proper email authentication, it's surprisingly easy for criminals to send emails that appear to originate from your domain. They're not hacking your email system; they're simply forging the sender's address. This is like someone sending a letter with your company's letterhead, but it never actually came from your office. The recipient has no easy way to verify its authenticity.

The consequence of unchecked email impersonation can be devastating, leading to significant financial losses, reputational damage, and a breakdown of trust with your clients and partners.

The Solution: SPF, DKIM, and DMARC – Your Email's Security Guards

Fortunately, there's a powerful trio of technologies designed to combat email impersonation: SPF, DKIM, and DMARC. Think of them as security guards for your email, verifying that messages claiming to be from your domain are genuinely authorised.

1. SPF (Sender Policy Framework): Authorised Senders Only

SPF is like a guest list for your email domain, telling receiving mail servers exactly which IP addresses are allowed to send emails on your behalf. If an email arrives claiming to be from your domain but comes from an unlisted IP address, the receiving server knows it's suspicious.

It's a simple but effective way to prevent fraudsters from sending emails using your domain from their own servers. Without SPF, anyone can potentially send an email pretending to be from your company, making it harder for recipients to trust your communications.
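To make the guest-list idea concrete, here is an added example (it is not code from the original post) of how a receiving server walks an SPF record. It uses a small constructed DNS table in place of real lookups; the domain names, addresses and include targets are made up. One caveat worth knowing: SPF checks the envelope sender (the MAIL FROM address the servers exchange), not the From: line people see in their mail client, which is why DMARC adds an alignment check on top.

```python
import ipaddress

# Constructed stand-in for DNS. A real evaluator would query TXT, A and MX
# records here; every name and address below is made up for this example.
FAKE_DNS = {
    "example.ie": {
        "txt": "v=spf1 ip4:203.0.113.0/24 mx include:_spf.mailprovider.example -all",
        "mx": ["mail.example.ie"],
    },
    "mail.example.ie": {"a": ["192.0.2.25"]},
    "_spf.mailprovider.example": {
        "txt": "v=spf1 ip4:198.51.100.0/24 ip6:2001:db8::/32 ~all",
    },
    # A record that includes itself: shows how the lookup limit stops loops.
    "loop.example": {"txt": "v=spf1 include:loop.example -all"},
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_LOOKUPS = 10  # RFC 7208: more than ten DNS-querying terms is a permerror


def check_spf(domain, sender_ip, _lookups=None):
    """Evaluate the SPF record of `domain` for a connection from `sender_ip`.

    Returns one of: pass, fail, softfail, neutral, none, permerror.
    Simplified: no AAAA records, no redirect=/exists:, no macros and no
    CIDR suffix on a/mx terms.
    """
    lookups = _lookups if _lookups is not None else [0]
    record = FAKE_DNS.get(domain, {}).get("txt", "")
    if not record.lower().startswith("v=spf1"):
        return "none"  # nothing published: receivers cannot tell forged from real
    ip = ipaddress.ip_address(sender_ip)

    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.lower().partition(":")

        if mech == "all":
            return QUALIFIERS[qualifier]  # catch-all: decides every unmatched sender
        if mech in ("ip4", "ip6"):
            if ip in ipaddress.ip_network(arg, strict=False):
                return QUALIFIERS[qualifier]
            continue

        # include, a and mx each cost a DNS lookup; count them against the limit
        lookups[0] += 1
        if lookups[0] > MAX_LOOKUPS:
            return "permerror"
        if mech == "include":
            sub = check_spf(arg, sender_ip, lookups)
            if sub in ("none", "permerror"):
                return "permerror"  # included domain unusable: whole record fails
            if sub == "pass":
                return QUALIFIERS[qualifier]
        elif mech == "a":
            if str(ip) in FAKE_DNS.get(arg or domain, {}).get("a", []):
                return QUALIFIERS[qualifier]
        elif mech == "mx":
            for host in FAKE_DNS.get(arg or domain, {}).get("mx", []):
                if str(ip) in FAKE_DNS.get(host, {}).get("a", []):
                    return QUALIFIERS[qualifier]
    return "neutral"  # record ran out without an "all" term


if __name__ == "__main__":
    for ip in ("203.0.113.50", "192.0.2.25", "198.51.100.7", "192.0.2.1"):
        print(f"{ip:>16} -> {check_spf('example.ie', ip)}")
    print(f"{'loop.example':>16} -> {check_spf('loop.example', '192.0.2.1')}")
```

The last line of the demo is the failure mode most often seen in practice: a record that includes too many third-party senders (or, as here, itself) exceeds the ten-lookup limit and returns permerror, at which point SPF protects nothing.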

2. DKIM (DomainKeys Identified Mail): Digital Signature for Your Emails

DKIM adds a digital signature to your outgoing emails, allowing receiving servers to verify that the email hasn't been tampered with in transit and truly originated from your domain. This signature is like a tamper-proof seal on an envelope.

When you send an email, your mail server signs it with a private key. The receiving server then uses a public key (published in your domain's DNS records) to verify that signature. If the signature doesn't match, or if the email content has been altered, the email is flagged as untrustworthy. DKIM provides an extra layer of assurance that the email's content is authentic and hasn't been forged.
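Here is an added example, not from the original post, of the tamper-proof-seal part of DKIM: the body hash (bh=) that the signing server commits to inside the DKIM-Signature header. Python's standard library has no RSA, so the example stops short of the b= signature over the headers and shows only the canonicalisation and body-hash stage, which is exactly where a payment instruction altered in transit is caught. The message body, domain and selector name are constructed.

```python
import base64
import hashlib
import hmac
import re


def parse_tag_list(value):
    """Parse DKIM's 'tag=value; tag=value' syntax (DMARC records use it too).
    Whitespace inside a value is folding whitespace and is discarded."""
    tags = {}
    for item in value.split(";"):
        key, _, val = item.partition("=")
        if key.strip():
            tags[key.strip()] = "".join(val.split())
    return tags


def canonicalise_body(body, mode="simple"):
    """RFC 6376 body canonicalisation: CRLF line endings and trailing empty
    lines removed; 'relaxed' also collapses runs of spaces and tabs."""
    lines = body.replace("\r\n", "\n").split("\n")
    if mode == "relaxed":
        lines = [re.sub(r"[ \t]+", " ", line).rstrip(" \t") for line in lines]
    while lines and lines[-1] == "":
        lines.pop()
    return ("\r\n".join(lines) + "\r\n").encode("utf-8")


def body_hash(body, mode="simple"):
    """The bh= value: base64(SHA-256(canonicalised body))."""
    digest = hashlib.sha256(canonicalise_body(body, mode)).digest()
    return base64.b64encode(digest).decode("ascii")


def body_hash_matches(dkim_signature, body):
    """First stage of DKIM verification: does the body the receiver got
    still hash to the bh= the signer committed to?"""
    tags = parse_tag_list(dkim_signature)
    if tags.get("v") != "1" or not tags.get("a", "").endswith("sha256"):
        return False
    canon = tags.get("c", "simple/simple")
    body_mode = canon.split("/")[1] if "/" in canon else "simple"
    return hmac.compare_digest(tags.get("bh", ""), body_hash(body, body_mode))


def signed_header_for(body, domain="example.ie", selector="sel2024"):
    """Constructed DKIM-Signature for the demo. Everything except b= is real
    DKIM syntax; b= needs the RSA private key, so it is left empty here."""
    return (f"v=1; a=rsa-sha256; c=relaxed/simple; d={domain}; s={selector}; "
            f"h=from:to:subject:date; bh={body_hash(body, 'simple')}; b=")


# Constructed message body: the kind of invoice e-mail BEC fraud targets.
ORIGINAL_BODY = "Hi,\nPlease pay invoice 4471 to IBAN IE00EXAMPLE0000000001.\nThanks\n"
TAMPERED_BODY = ORIGINAL_BODY.replace("IE00EXAMPLE0000000001", "IE00EXAMPLE0000009999")

if __name__ == "__main__":
    header = signed_header_for(ORIGINAL_BODY)
    print("DKIM-Signature:", header)
    print("original body verifies:", body_hash_matches(header, ORIGINAL_BODY))
    print("tampered body verifies:", body_hash_matches(header, TAMPERED_BODY))
```

Two things the demo makes visible: changing one character of the bank details changes the hash and the message fails, while harmless transport changes (CRLF versus LF, trailing blank lines) do not, because canonicalisation removes them before hashing. A real verifier goes on to fetch the public key from the selector._domainkey DNS record and check b= over the listed headers.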

3. DMARC (Domain-based Message Authentication, Reporting & Conformance): The Policy Enforcer

DMARC brings SPF and DKIM together, allowing you to tell receiving mail servers what to do with emails that fail authentication checks. It's the policy layer that dictates the action to take: monitor, quarantine, or reject.

DMARC also provides valuable reporting, giving you insights into who is sending emails using your domain, both legitimate and fraudulent. This allows you to identify and block unauthorised senders effectively. It's the ultimate control mechanism, ensuring that your email security policies are enforced across the internet.

DMARC Policy Levels Explained:

  • p=none (Monitoring): This is the safest starting point. Emails that fail SPF or DKIM are still delivered, but you receive reports on these failures. This allows you to understand your email ecosystem and identify legitimate senders that might not yet be compliant.
  • p=quarantine (Isolate): Emails that fail authentication are sent to the recipient's spam or junk folder. This significantly reduces the chances of them reaching an inbox and causing harm, while still allowing you to review potential false positives.
  • p=reject (Block): This is the strongest policy. Emails that fail authentication are outright rejected and never delivered. This provides the highest level of protection against impersonation but should only be implemented after thorough testing with p=none and p=quarantine to avoid blocking legitimate emails.
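How a receiving server turns SPF and DKIM results into a DMARC verdict, as an added example (not the post's own code). The policy record and the sender scenarios are constructed. It implements the two checks the policy levels above rely on: identifier alignment (the domain that passed SPF or DKIM has to match the From: domain the recipient sees) and the p=, sp= and pct= tags that decide what happens to an unaligned message.

```python
def parse_tag_list(record):
    """DMARC records use DKIM's tag=value; syntax."""
    tags = {}
    for item in record.split(";"):
        key, _, val = item.partition("=")
        if key.strip():
            tags[key.strip().lower()] = val.strip()
    return tags


def org_domain(domain):
    """Organisational domain. Simplified to the last two labels; real
    receivers consult the Public Suffix List (so example.co.uk works)."""
    return ".".join(domain.lower().split(".")[-2:])


def is_aligned(auth_domain, from_domain, mode):
    """DMARC identifier alignment: strict ('s') needs an exact match,
    relaxed ('r') accepts the same organisational domain."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


def dmarc_evaluate(record, from_domain, spf_result, spf_domain,
                   dkim_result, dkim_domain, sample_draw=1):
    """Return (dmarc_result, disposition) for one message.

    spf_domain is the envelope MAIL FROM domain that SPF checked; dkim_domain
    is the d= of a DKIM signature that verified. sample_draw stands in for
    the receiver's random 1..100 draw that honours pct=.
    """
    tags = parse_tag_list(record)
    if tags.get("v") != "DMARC1" or tags.get("p") not in ("none", "quarantine", "reject"):
        return "none", "none"  # unusable record: treated as if none were published

    spf_ok = spf_result == "pass" and is_aligned(spf_domain, from_domain, tags.get("aspf", "r"))
    dkim_ok = dkim_result == "pass" and is_aligned(dkim_domain, from_domain, tags.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return "pass", "none"  # one aligned pass is enough

    # sp= overrides p= when the From: domain is a subdomain.
    policy = tags["p"]
    if from_domain.lower() != org_domain(from_domain) and tags.get("sp") in ("none", "quarantine", "reject"):
        policy = tags["sp"]

    # pct= lets you roll enforcement out gradually; messages outside the
    # sample get the next-weaker action (reject -> quarantine -> none).
    if sample_draw > int(tags.get("pct", "100")):
        policy = {"reject": "quarantine", "quarantine": "none", "none": "none"}[policy]
    return "fail", policy


# Constructed policy and scenarios for example.ie.
POLICY = "v=DMARC1; p=reject; sp=quarantine; pct=100; rua=mailto:dmarc-reports@example.ie"

if __name__ == "__main__":
    cases = {
        "own mail server": dmarc_evaluate(POLICY, "example.ie", "pass", "example.ie", "pass", "example.ie"),
        "forged From:, sender's own SPF passes": dmarc_evaluate(POLICY, "example.ie", "pass", "fraud.example", "none", ""),
        "newsletter provider signing d=example.ie": dmarc_evaluate(POLICY, "example.ie", "pass", "bounce.newsletter.example", "pass", "example.ie"),
        "subdomain, no authentication": dmarc_evaluate(POLICY, "invoices.example.ie", "fail", "invoices.example.ie", "none", ""),
    }
    for name, (result, action) in cases.items():
        print(f"{name:<42} {result:>4} -> {action}")
```

The second scenario is the one that matters for impersonation: the fraudster's server passes SPF for the domain it really sends from, but that domain is not example.ie, so DMARC rejects the message anyway. The third shows why DKIM with your own d= is the usual way to keep a legitimate third-party sender aligned.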

Action: How to Implement SPF, DKIM, and DMARC for Your Irish Business

Implementing these email security measures might sound technical, but it's a crucial step for any Irish SME serious about protecting itself from fraud. Here's a simplified approach:

Step 1: Check Your Current Status with MXToolbox

Before you start, it's wise to see where you stand. Use a free online tool like MXToolbox to check your domain's current SPF, DKIM, and DMARC records. Simply enter your domain name, and it will show you if these records are present and correctly configured. This will give you a baseline and highlight any immediate gaps.

Step 2: Configure SPF Records

Work with your IT provider or email service administrator to create or update your SPF record in your domain's DNS settings. This record will list all authorised mail servers for your domain. Be comprehensive to avoid legitimate emails being flagged as spam.

Step 3: Implement DKIM Signatures

Your email service provider (e.g., Microsoft 365, Google Workspace) will typically have instructions on how to enable DKIM for your domain. This involves generating a public/private key pair and publishing the public key in your DNS records. This step ensures your emails are digitally signed.

Step 4: Deploy DMARC (Start with p=none)

Once SPF and DKIM are in place, you can add your DMARC record to your DNS. Crucially, start with a p=none policy. This allows you to gather reports and identify any legitimate email sources that might be failing authentication without impacting email delivery. Monitor these reports carefully.

Step 5: Gradually Increase DMARC Policy Enforcement

After a period of monitoring (weeks to months, depending on your email volume and complexity), and once you're confident that all legitimate emails are passing SPF and DKIM checks, you can gradually move to p=quarantine and eventually p=reject. This phased approach minimises disruption and ensures a smooth transition to full protection.
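Steps 1 to 5 as one added example (not from the original post): an audit that takes the TXT records a Step 1 lookup returns and reports the gaps that most often block the move from p=none to p=reject, then says which step the domain is ready for. The records, selector name and key material are constructed; the checks themselves are the standard ones (a single SPF record with a -all/~all terminator and at most ten lookups, a published non-empty DKIM key, a DMARC record with p= and rua=).

```python
import re

# SPF terms that cost a DNS lookup (a, mx, include, exists, ptr; redirect= handled separately)
LOOKUP_TERM = re.compile(r"^[+\-~?]?(include|a|mx|exists|ptr)(:|/|$)")


def tags_of(record):
    """tag=value; parser shared by the DKIM and DMARC checks."""
    tags = {}
    for item in record.split(";"):
        key, _, val = item.partition("=")
        if key.strip():
            tags[key.strip().lower()] = val.strip()
    return tags


def audit_spf(txt_records):
    spf = [r for r in txt_records if r.lower().startswith("v=spf1")]
    if not spf:
        return [("high", "No SPF record: any server can send as this domain")]
    findings = []
    if len(spf) > 1:
        findings.append(("high", "More than one SPF record: receivers return permerror"))
    terms = spf[0].split()[1:]
    last = terms[-1].lower() if terms else ""
    if last in ("all", "+all"):
        findings.append(("high", "SPF ends with +all, which authorises every sender on the internet"))
    elif last not in ("-all", "~all") and not last.startswith("redirect="):
        findings.append(("medium", "SPF lacks a -all/~all terminator; unlisted senders get 'neutral'"))
    lookups = sum(1 for t in terms if LOOKUP_TERM.match(t.lower()) or t.lower().startswith("redirect="))
    if lookups > 10:
        findings.append(("high", f"SPF needs {lookups} DNS lookups; more than 10 is a permerror"))
    return findings


def audit_dkim(txt_by_name, domain, selectors):
    if not selectors:
        return [("high", "No DKIM selector in use: outgoing mail is unsigned")]
    findings = []
    for sel in selectors:
        name = f"{sel}._domainkey.{domain}"
        recs = txt_by_name.get(name, [])
        if not recs:
            findings.append(("high", f"DKIM public key not published at {name}"))
        elif not tags_of(recs[0]).get("p"):
            findings.append(("high", f"DKIM key at {name} has an empty p= (revoked)"))
    return findings


def audit_dmarc(txt_by_name, domain):
    recs = txt_by_name.get(f"_dmarc.{domain}", [])
    if not recs:
        return [("high", "No DMARC record: failures carry no policy and you receive no reports")], {}
    tags = tags_of(recs[0])
    findings = []
    if not recs[0].lower().startswith("v=dmarc1"):
        findings.append(("high", "DMARC record must start with v=DMARC1"))
    if tags.get("p") not in ("none", "quarantine", "reject"):
        findings.append(("high", "DMARC p= tag missing or invalid"))
    if "rua" not in tags:
        findings.append(("medium", "No rua= address: the aggregate reports Steps 4 and 5 depend on go nowhere"))
    return findings, tags


def next_step(findings, dmarc_tags):
    """Which rollout step the domain is ready for."""
    if any(sev == "high" for sev, _ in findings):
        return "Fix the high-severity findings before tightening DMARC"
    return {
        "none": "Review aggregate reports; once every legitimate sender aligns, move to p=quarantine (pct=10 first)",
        "quarantine": "Raise pct to 100, then move to p=reject",
        "reject": "Fully enforced: keep reading reports so new senders are caught early",
    }.get(dmarc_tags.get("p"), "Publish a DMARC record with p=none and a rua= address")


def audit_domain(domain, txt_by_name, selectors):
    findings = audit_spf(txt_by_name.get(domain, []))
    findings += audit_dkim(txt_by_name, domain, selectors)
    dmarc_findings, tags = audit_dmarc(txt_by_name, domain)
    findings += dmarc_findings
    return findings, next_step(findings, tags)


# Constructed TXT records standing in for what a Step 1 lookup would return.
# The selector name, include target and key material are made up.
TXT = {
    "example.ie": ["v=spf1 ip4:203.0.113.0/24 include:_spf.mailprovider.example -all"],
    "sel2024._domainkey.example.ie": ["v=DKIM1; k=rsa; p=CONSTRUCTED-BASE64-KEY"],
    "_dmarc.example.ie": ["v=DMARC1; p=none; rua=mailto:dmarc-reports@example.ie"],
    "weak.example": ["v=spf1 include:_spf.mailprovider.example +all"],
}

if __name__ == "__main__":
    for dom, sels in (("example.ie", ["sel2024"]), ("weak.example", [])):
        findings, advice = audit_domain(dom, TXT, sels)
        print(dom)
        for sev, msg in findings:
            print(f"  [{sev}] {msg}")
        print("  next:", advice)
```

Run against real records, replace the TXT table with the output of your DNS lookups (MXToolbox or a dig query for the domain, _dmarc.domain and each selector._domainkey.domain name). The selector names come from your mail provider's DKIM setup page, since they cannot be discovered from DNS alone.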

What to do now:

  • Check your domain: Use MXToolbox to see your current SPF, DKIM, and DMARC status.
  • Review your email providers: Understand how your current email service handles SPF, DKIM, and DMARC.
  • Plan your implementation: Work with a trusted IT partner to implement these protocols, starting with DMARC p=none.
  • Educate your team: Ensure your staff are aware of BEC and phishing threats, even with these technical controls in place.

Free Resource: Download The Irish SME Cyber Survival Guide — 10 controls based on NCSC Ireland & ENISA guidance. Plain English, no jargon.


Ready to Strengthen Your Security?

If email fraud and impersonation are a concern for your business, a structured review will give you a clear picture and a prioritised action plan.

Book a free 20-minute strategy call — no jargon, no hard sell, just honest advice tailored to your business.
