When a Donegal accountancy firm's clients started receiving emails appearing to come from the firm's real domain — asking them to click a link and update their banking details — the firm had not been hacked. Their email system was completely intact. What the attacker had done was far simpler: they had sent emails from their own server that falsely displayed the firm's domain name in the From field. Because the firm had no DMARC record, there was nothing to stop it.
DMARC is the control that prevents this attack. It tells receiving mail servers what to do when an email claims to come from your domain but does not pass the authentication checks that prove it is genuine. Without DMARC, any criminal can send a convincing email that appears to come from your business address. With DMARC at enforcement level, those fraudulent messages are quarantined or rejected before they reach anyone.
The NCSC Ireland lists email authentication as a baseline control for all Irish organisations.[^1] Adding it takes about five minutes and costs nothing. This guide walks you through it.
What You Need Before You Start
Before adding a DMARC record, your domain should have SPF and DKIM already configured. DMARC builds on both — it tells receiving servers what to do when an email fails those checks. If you have not set up SPF and DKIM yet, read our guide to email authentication first, then come back here.
You also need access to your domain's DNS settings. This is managed through whoever you registered your domain with — for Irish businesses, common providers include Blacknight, Hosting Ireland, and 123-reg — or through a DNS management service like Cloudflare. If you are not sure who manages your DNS, ask your IT support or check your domain registrar account.
Understanding the DMARC Record
A DMARC record is a TXT record added to your DNS at the subdomain _dmarc.yourdomain.ie. It contains three key instructions: what policy to apply to failing emails (none, quarantine, or reject), where to send reports about authentication failures, and what percentage of emails the policy applies to.
A basic DMARC record looks like this: v=DMARC1; p=quarantine; rua=mailto:[email protected]; pct=100
Start with p=quarantine rather than jumping straight to p=reject. This sends failing emails to spam rather than blocking them outright, giving you a safety net while you verify that your legitimate email is correctly authenticated. After two to four weeks of reviewing reports and confirming everything is working, move to p=reject.
Adding the Record: Step by Step
Log in to your DNS provider. For Cloudflare users, go to your domain in the dashboard, select DNS, and choose Records. For Blacknight, log in at cp.blacknight.com and navigate to DNS Management. For Hosting Ireland or 123-reg, use the DNS Zone Editor in your control panel. If your domain is managed by your web developer, share the following instructions with them.
Create a new TXT record. Set the Name or Host field to _dmarc. Set the Value or Content field to your DMARC record: v=DMARC1; p=quarantine; rua=mailto:[email protected]; pct=100 — replacing yourdomain.ie with your actual domain and [email protected] with an email address you control. Set the TTL to 3600 or leave it as the default. Save the record.
DNS changes typically propagate within a few minutes. Once the record is live, verify it using the free DMARC lookup at mxtoolbox.com — enter your domain name and it will return your new DMARC record and confirm it is valid.
Has your domain been used to send fraudulent emails targeting your clients or suppliers? Book a free 20-minute strategy call — we check email authentication configuration as part of every Irish SME security review and can confirm whether your domain is currently protected.
Microsoft 365 Users: One Extra Step
If you use Microsoft 365 for your business email, enable DMARC reporting in the Microsoft Defender portal once your record is live. Go to security.microsoft.com, navigate to Email and Collaboration, then Policies and Rules, then Threat Policies, then Email Authentication Settings, and select the DMARC tab. This shows you whether your record is detected and in enforcement mode. While you are there, check the DKIM tab and enable DKIM signing for your domain if it is not already active — DMARC enforcement relies on DKIM being correctly configured.
Google Workspace Users: Check DKIM First
For Google Workspace, verify that DKIM is active before enabling DMARC enforcement. Go to admin.google.com, navigate to Apps, then Google Workspace, then Gmail, then Authenticate Email. Select your domain. If a DKIM key has been generated but not yet published in DNS, copy the TXT record value and add it to your DNS as a TXT record with the name google._domainkey.yourdomain.ie. Once DKIM is active and sending correctly, your DMARC quarantine policy will begin enforcing.
Reading Your DMARC Reports
Once your DMARC record is live, you will start receiving aggregate reports from major email providers — Google, Microsoft, Yahoo — at the address you specified in the rua= field. These reports arrive as XML files and show every mail server that sent email claiming to be from your domain, and whether those emails passed authentication checks. This information is genuinely useful: it tells you whether your legitimate email is correctly authenticated and flags any servers attempting to impersonate your domain.
Reading raw XML is impractical. Free tools such as DMARC Analyser and Postmark's DMARC Monitoring Tool parse the reports into readable summaries. Use one of these for the two to four weeks before you move to a reject policy.
Moving to Reject Policy
After two to four weeks of monitoring your reports and confirming that all legitimate email is passing authentication, change p=quarantine to p=reject in your DMARC record. With reject policy active, receiving servers will block any email that fails DMARC authentication outright — it will not even reach a spam folder. This is the strongest protection against email impersonation and the setting recommended by NCSC Ireland for organisations that have confirmed their legitimate email is correctly authenticated.[^2]
The Data Protection Commission considers email security controls a relevant factor in assessing whether an organisation has taken appropriate technical measures to protect personal data under GDPR Article 32. An organisation whose domain is actively being used to defraud its clients or suppliers without DMARC protection in place faces a difficult argument that it has met its data security obligations.[^3]
What Next: Three Actions
First, check whether DMARC exists on your domain today by searching _dmarc.yourdomain.ie at mxtoolbox.com. If no record is returned, your domain is currently unprotected and any criminal can impersonate your email. Fix this today — five minutes, no cost.
Second, add the DMARC record at quarantine level and set a calendar reminder for four weeks from today to review the aggregate reports and upgrade to reject. This two-stage approach protects you immediately while giving you visibility into your email authentication before you enable the strictest enforcement.
Third, verify that SPF and DKIM are correctly configured at the same time. A DMARC policy can only enforce against failures in SPF and DKIM alignment — if either is missing or misconfigured, your DMARC record cannot function correctly. Run a full email authentication check using MXToolbox or your email provider's security dashboard.
[^1]: NCSC Ireland — Advice for Organisations [^2]: An Garda Síochána — Cybercrime [^3]: Data Protection Commission Ireland
Related Reading
- Email Security for Irish Businesses: SPF, DKIM and DMARC Explained
- Business Email Compromise: How Donegal Firms Lose Money Every Week
- Cloudflare Email Domain Protection for Irish Businesses
Pragmatic Security — Cybersecurity advisory for Irish businesses. Based in Donegal, Ireland. CISA, CISSP, CISM certified advisors.