CAI Technology
aegis · 8 min read

DMARC: Ultimate Anti-Phishing & BEC Protection for Your Domain

DMARC stops BEC and phishing attacks impersonating your domain. Ramp correctly from p=none → quarantine → reject in 3-6 months, with continuous monitoring via RUA reports.

CAI Technology · Last reviewed: 5/9/2026

In Short

DMARC (Domain-based Message Authentication, Reporting and Conformance, RFC 7489) is the DNS policy that tells the world what to do with emails that claim to originate from your domain but fail SPF or DKIM checks. Without DMARC, anyone can send an email pretending to be cfo@company.com, and the receiver (Gmail, Outlook) has no policy to enforce. With DMARC p=reject, spoofed emails are rejected before reaching the Inbox.

In 2026, BEC (Business Email Compromise) remains the fraud type with the highest ROI for attackers — FBI IC3 reports average losses of $137,000 per incident (Annual Internet Crime Report 2024) and total losses exceeding $2.9 billion/year. Across the EU, national CSIRTs report year-over-year increases in “fake supplier invoice” incidents that exploit the exact lack of DMARC.

For entities falling under NIS2 (Directive (EU) 2022/2555), the absence of DMARC p=quarantine or stricter constitutes a documentable gap in the mandatory technical report submitted to the competent authority.

Concrete Attacks Prevented

Scenario 1 — CEO Fraud / BEC with Impersonated Domain

The attacker sends an email appearing to come from ceo@company.com to accounting@company.com, requesting an urgent transfer to a new IBAN for a “confidential contract.” Without DMARC, the mail lands in the Inbox with a normal From header. With DMARC p=reject aligned on SPF and DKIM, the email is rejected by the receiver (even for internal Gmail if the company uses Google Workspace) before being seen by the accountant.

Scenario 2 — Mass Phishing of Clients with Spoofed Invoices

The attacker sends mass mail appearing to come from invoices@company.com to clients, containing an “invoice” PDF with malicious macros or credential-stealing links. Without DMARC, delivery rates remain high. With DMARC p=reject, 99%+ of spoofed emails are blocked at the receiver, and you receive an RUA report with the spoofing source IPs — usable for a takedown notice.

Scenario 3 — Brand Impersonation via Look-alike + Mainline

Common case: the attacker uses f1rma.com (typosquatting) but also attempts direct spoofing on firma.com. DMARC stops the direct vector; for typosquatting, ARTEMIS detects new registrations of similar domains daily.

Business Impact

| Factor | Without DMARC | With DMARC p=reject |
|---|---|---|
| Probability of successful BEC annually | ~12% (financial/real estate sector EU) | <1% |
| Average loss per BEC incident | $137,000 (FBI IC3 2024) | N/A |
| IP/Domain Reputation | slow degradation, blacklisting | clean score, deliverability ↑ |
| NIS2 Audit (essential entity) | observation in authority report | box checked |
| Implementation Cost | | €0–500 (config + 6 months monitoring) |

This single control covers cumulative risks in the order of hundreds of thousands of EUR for a mid-size firm.

Implementation — Step-by-Step Guide

Step 1 — Verify Baseline (Correct SPF + DKIM)

DMARC depends on aligned SPF and/or DKIM. Before DMARC, ensure:

dig +short TXT firma.com | grep spf
dig +short TXT default._domainkey.firma.com

You should see an SPF policy (v=spf1 ...) and at least one active DKIM selector.

Step 2 — Publish DMARC p=none with Reporting

Always start at p=none with RUA to collect data for 30 days without affecting delivery:

_dmarc.firma.com.  IN  TXT  "v=DMARC1; p=none; rua=mailto:dmarc@firma.com; ruf=mailto:dmarc@firma.com; fo=1; adkim=r; aspf=r; pct=100"

Use an RUA parser (open-source parsedmarc, or internal dashboard) to identify:
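What an RUA parser has to pull out of an aggregate report is shown below as an added example; it is not parsedmarc and not CAI Technology or ARTEMIS code. The XML is a constructed report in the RFC 7489 Appendix C schema with documentation-range IPs and invented domains (firma.com as the monitored domain, esp-example.test as a third-party newsletter provider). The useful distinction it makes is between the receiver's aligned verdicts in policy_evaluated and the raw per-domain results in auth_results: a source that authenticates under someone else's domain is a legitimate sender you still have to onboard, while a source nobody vouches for is the spoofing traffic the article describes.

```python
"""Summarize a DMARC aggregate (RUA) report and sort sending sources into
aligned / unaligned-but-authenticated / unauthenticated buckets.

Added example for this article; not parsedmarc and not CAI/ARTEMIS code.
SAMPLE_RUA_XML is a constructed report (RFC 7489 Appendix C schema)."""
import ipaddress
# RUA reports arrive from arbitrary third parties: in production parse them
# with defusedxml rather than the stdlib parser.
from xml.etree import ElementTree as ET

SAMPLE_RUA_XML = """<?xml version="1.0"?>
<feedback>
  <report_metadata>
    <org_name>example-receiver.test</org_name>
    <report_id>constructed-0001</report_id>
    <date_range><begin>1700000000</begin><end>1700086400</end></date_range>
  </report_metadata>
  <policy_published>
    <domain>firma.com</domain><adkim>r</adkim><aspf>r</aspf>
    <p>none</p><sp>none</sp><pct>100</pct>
  </policy_published>
  <record>
    <row>
      <source_ip>203.0.113.10</source_ip><count>1200</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated>
    </row>
    <identifiers><header_from>firma.com</header_from></identifiers>
    <auth_results>
      <dkim><domain>firma.com</domain><result>pass</result></dkim>
      <spf><domain>firma.com</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <record>
    <row>
      <source_ip>198.51.100.7</source_ip><count>300</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated>
    </row>
    <identifiers><header_from>firma.com</header_from></identifiers>
    <auth_results>
      <dkim><domain>esp-example.test</domain><result>pass</result></dkim>
      <spf><domain>bounce.esp-example.test</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <record>
    <row>
      <source_ip>192.0.2.55</source_ip><count>45</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated>
    </row>
    <identifiers><header_from>firma.com</header_from></identifiers>
    <auth_results>
      <spf><domain>firma.com</domain><result>fail</result></spf>
    </auth_results>
  </record>
</feedback>
"""


def classify_record(rec):
    """Classify one <record>: DMARC-aligned, and if not, did anyone authenticate it?"""
    row = rec.find("row")
    source_ip = str(ipaddress.ip_address(row.findtext("source_ip")))  # raises on garbage
    count = int(row.findtext("count"))
    evaluated = row.find("policy_evaluated")
    # policy_evaluated/dkim and /spf are the receiver's *aligned* verdicts (RFC 7489 6.6.2);
    # auth_results carries the raw SPF/DKIM outcome per authenticated domain.
    dmarc_pass = "pass" in (evaluated.findtext("dkim"), evaluated.findtext("spf"))
    raw_passes = []
    auth_results = rec.find("auth_results")
    for auth in (auth_results if auth_results is not None else []):
        if auth.findtext("result") == "pass":
            raw_passes.append(f"{auth.tag}:{auth.findtext('domain')}")
    if dmarc_pass:
        category = "aligned"
    elif raw_passes:
        category = "unaligned_authenticated"  # real sender signing under its own domain: onboard it
    else:
        category = "unauthenticated"          # nobody vouches for it: spoofing or a forgotten host
    return {"source_ip": source_ip, "count": count, "category": category,
            "raw_passes": raw_passes, "disposition": evaluated.findtext("disposition")}


def summarize(xml_text):
    """Parse a report into the published policy plus per-source rows, largest volume first."""
    root = ET.fromstring(xml_text)
    policy = {child.tag: child.text for child in root.find("policy_published")}
    rows = sorted((classify_record(r) for r in root.findall("record")),
                  key=lambda r: r["count"], reverse=True)
    return {"domain": policy["domain"], "published_policy": policy["p"], "rows": rows}


def alignment_rate(summary):
    """Share of reported messages that passed DMARC alignment."""
    total = sum(r["count"] for r in summary["rows"])
    aligned = sum(r["count"] for r in summary["rows"] if r["category"] == "aligned")
    return aligned / total if total else 0.0


def senders_to_onboard(summary):
    """Sources to align (DKIM under your domain, SPF include) before ramping past p=none."""
    return [r for r in summary["rows"] if r["category"] == "unaligned_authenticated"]


if __name__ == "__main__":
    s = summarize(SAMPLE_RUA_XML)
    print(f"{s['domain']} p={s['published_policy']} aligned={alignment_rate(s):.1%}")
    for r in s["rows"]:
        print(f"{r['source_ip']:>15} {r['count']:>6} {r['category']:<24} {' '.join(r['raw_passes'])}")
```

Run against a month of real reports, the senders_to_onboard list is the checklist for Step 3, and alignment_rate is the number that should sit near 100% before p=quarantine goes live; the unauthenticated rows are the spoofing sources the article mentions as input for a takedown notice.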

Step 3 — Align All Legitimate Senders

Every third-party provider (newsletter, e-invoicing, ticketing) must:

Common mistake: leaving out a provider → at p=reject, their legitimate emails are rejected → users don’t receive password resets, invoices, notifications.

Step 4 — Ramp to p=quarantine with Gradual pct

After 30 days with clean RUA:

_dmarc.firma.com.  IN  TXT  "v=DMARC1; p=quarantine; pct=25; rua=mailto:dmarc@firma.com; adkim=s; aspf=s"

Ramp pct: 25% → 50% → 100% over 30-60 days. Failing emails go to Spam at the receiver.

Step 5 — Final: p=reject with Strict Alignment

_dmarc.firma.com.  IN  TXT  "v=DMARC1; p=reject; rua=mailto:dmarc@firma.com; ruf=mailto:dmarc@firma.com; fo=1; adkim=s; aspf=s"

adkim=s and aspf=s (strict alignment) ensure that subdomains do not automatically pass under the root domain policy — useful if the attacker tries accounting.firma.com as a workaround.

For separate subdomains (e.g., marketing.firma.com with a different MTA), use sp=reject to apply recursively to subdomains without their own DMARC.
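To make Steps 4 and 5 concrete, the following added example (not code from the page or from CAI Technology) walks a single message through a DMARC record the way a receiver does: identifier alignment in relaxed versus strict mode, p versus sp for a From: subdomain without its own record, and the pct sampling behind the gradual ramp. It assumes the organizational domain is simply the last two labels; real receivers consult the Public Suffix List (RFC 7489 section 3.2), so treat org_domain as an approximation. The record strings and domains in the demo are constructed.

```python
"""Evaluate one message against a DMARC record: alignment (adkim/aspf r vs s),
p vs sp for subdomains, and pct sampling (RFC 7489 sections 3.1, 6.3, 6.6.4).
Added example for this article, not code from the page or CAI Technology.
Assumption: org_domain() uses the last two labels instead of the Public Suffix List."""

# Outside the pct sample the receiver applies the next less strict policy (RFC 7489 6.6.4).
DOWNGRADE = {"reject": "quarantine", "quarantine": "none", "none": "none"}


def parse_dmarc_record(txt):
    """Parse 'v=DMARC1; p=...; ...' into a dict with the RFC defaults filled in."""
    tags = {}
    for part in txt.split(";"):
        key, sep, value = part.strip().partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or tags.get("p") not in ("none", "quarantine", "reject"):
        raise ValueError("not a usable DMARC record: %r" % txt)
    tags.setdefault("adkim", "r")
    tags.setdefault("aspf", "r")
    tags.setdefault("pct", "100")
    tags.setdefault("sp", tags["p"])  # subdomain policy inherits p when sp is absent
    return tags


def org_domain(domain):
    """Approximate organizational domain (assumption: last two labels, no PSL lookup)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def identifier_aligned(header_from, auth_domain, mode):
    """Relaxed ('r'): same organizational domain. Strict ('s'): exact match."""
    if not auth_domain:
        return False
    f, a = header_from.lower().rstrip("."), auth_domain.lower().rstrip(".")
    return f == a if mode == "s" else org_domain(f) == org_domain(a)


def evaluate(record_txt, header_from, spf_domain=None, spf_result="none",
             dkim_domain=None, dkim_result="none", sample_roll=1):
    """Return (dmarc_result, disposition).

    record_txt is the organizational domain's record, so a From: subdomain that
    has no _dmarc record of its own is governed by sp. sample_roll (1..100)
    stands in for the receiver's pct lottery: the message is in the sample
    when sample_roll <= pct."""
    rec = parse_dmarc_record(record_txt)
    spf_ok = spf_result == "pass" and identifier_aligned(header_from, spf_domain, rec["aspf"])
    dkim_ok = dkim_result == "pass" and identifier_aligned(header_from, dkim_domain, rec["adkim"])
    if spf_ok or dkim_ok:
        return "pass", "none"
    is_subdomain = header_from.lower().rstrip(".") != org_domain(header_from)
    policy = rec["sp"] if is_subdomain else rec["p"]
    if sample_roll > int(rec["pct"]):
        policy = DOWNGRADE[policy]
    return "fail", policy


if __name__ == "__main__":
    strict = "v=DMARC1; p=reject; rua=mailto:dmarc@firma.com; adkim=s; aspf=s"
    relaxed = "v=DMARC1; p=reject; adkim=r; aspf=r"
    ramp = "v=DMARC1; p=quarantine; pct=25"
    cases = [
        ("CEO-fraud spoof, attacker's SPF passes", strict, "firma.com",
         dict(spf_domain="attacker.test", spf_result="pass")),
        ("own MTA, SPF on exact domain", strict, "firma.com",
         dict(spf_domain="firma.com", spf_result="pass")),
        ("ESP signs d=mail.firma.com, relaxed", relaxed, "firma.com",
         dict(dkim_domain="mail.firma.com", dkim_result="pass")),
        ("ESP signs d=mail.firma.com, strict", strict, "firma.com",
         dict(dkim_domain="mail.firma.com", dkim_result="pass")),
        ("From: accounting.firma.com, no own record", strict, "accounting.firma.com", {}),
        ("pct=25 ramp, message outside sample", ramp, "firma.com", dict(sample_roll=60)),
    ]
    for label, rec, frm, kw in cases:
        print(f"{label:<45} -> {evaluate(rec, frm, **kw)}")
```

The fourth case is the one behind the Step 3 warning: a provider that signs with its own subdomain keeps passing while alignment is relaxed and starts being rejected the moment adkim=s is published, which is why the ramp has to run with RUA monitoring at every stage.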

Common Confusions

“We have SPF, that’s enough.” — No. SPF only authenticates the sending IP; it doesn’t tell the receiver what to do with failures. DMARC is the meta-policy over SPF + DKIM.

“We’ll set p=reject directly, no ramp.” — High operational risk. Almost every company has ≥3 unaligned legitimate senders they aren’t aware of (legacy CRM, ticketing system, WordPress plugin). Ramping with monitoring is mandatory to avoid losing critical emails.

“DMARC slows down emails.” — False. DMARC adds 1-2 additional DNS lookups at the receiver, measurable in milliseconds. Zero perceived impact.

“Mailchimp/SendGrid newsletters will break.” — Only if not configured correctly. All major ESPs have custom domain DKIM documentation — takes 15 minutes per provider.

Check Now

ARTEMIS automatically checks DMARC policy, calculates the aligned DMARC + SPF + DKIM score, and identifies all publicly observable senders — at €2-40 per scan.

Questions? tehnic@caitech.ro