Email security for SMBs: why testing SPF, DKIM and DMARC is urgent

Most small and mid-sized businesses have no DMARC policy set to reject. That means anyone can send an email pretending to be you. Here is how to test your domain and fix the problem.

Thomas Ferreira, 15 min read

Your accountant receives an email from the CEO on a Tuesday morning. "Pay this supplier invoice right away - I'm traveling and can't do it myself." The sender address checks out: firstname.lastname@yourdomain.com. The accountant looks at the domain, sees it matches, and wires 47,000 euros.

The email did not come from the CEO. Anyone could have sent it, from any server in the world. Your domain had no mechanism in place to prevent that.

This scenario plays out every single day. The FBI IC3 estimates that Business Email Compromise (BEC) cost companies worldwide $2.9 billion in 2023 (FBI, Internet Crime Report 2023). In France, Cybermalveillance.gouv.fr (France's national cyberattack assistance platform) recorded over 280,000 assistance requests related to cyberattacks in 2024, most of which involved a fraudulent email as the initial attack vector.

And yet, the technical fix has existed for over a decade. It is called SPF, DKIM and DMARC.

Test your domain now. Our free email security test checks your SPF, DKIM, DMARC and BIMI records in seconds. Score out of 10 with recommendations.

SPF, DKIM, DMARC: what each protocol actually does

Before talking about adoption rates and statistics, it helps to understand what these three protocols do. They work together, but each has a distinct role.

SPF: who is allowed to send on your behalf

SPF (Sender Policy Framework) is a DNS record that lists the servers authorized to send emails for your domain. When a receiving server gets an email claiming to come from your domain, it checks the SPF record: is the sending server on the list?

In practice, an SPF record looks like this:

v=spf1 include:_spf.google.com include:sendgrid.net -all

This means: "Only Google Workspace and SendGrid servers are allowed to send emails for this domain. Everything else must be rejected (-all)."

The common SMB pitfall: an SPF record exists, but it does not cover every service. The main mailbox provider is listed, but the CRM that sends notifications, the invoicing platform, or the newsletter tool are missing. The result: legitimate emails fail the SPF check, and the company ends up switching to ~all (soft fail) instead of -all (hard fail) - which blocks nothing.
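To make the SPF pitfalls concrete, here is a small SPF record linter (an added example, not code from the original article or from nophi.sh). It splits a record into mechanisms, reports what the final `all` qualifier actually does, and counts the mechanisms that cost a DNS lookup, which RFC 7208 caps at 10 before the record becomes a permanent error. It counts only the terms in the record you give it; it does not resolve the nested `include:` targets a real receiver would follow, and all sample records are constructed.

```python
"""Lint an SPF record: which services are included, what the 'all'
qualifier means, and how many DNS-lookup mechanisms it uses.
Added example; the records below are constructed, and the lookup
count covers only this record's own terms (no DNS resolution)."""
import re

# Mechanisms that consume one of the 10 DNS lookups allowed by RFC 7208.
LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists"}
QUALIFIER_MEANING = {
    "-": "hard fail (reject)",
    "~": "soft fail (accept, at most mark as suspicious)",
    "?": "neutral (no assertion at all)",
    "+": "pass (any server allowed!)",
}


def parse_spf(record: str) -> dict:
    """Split an SPF record into its terms and summarise the important ones."""
    terms = record.strip().split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record: missing v=spf1")
    info = {"includes": [], "lookups": 0, "all": None, "redirect": None}
    for term in terms[1:]:
        # Modifiers look like name=value (redirect=, exp=); only redirect costs a lookup.
        if "=" in term and term[0] not in "+-~?":
            name, _, value = term.partition("=")
            if name.lower() == "redirect":
                info["redirect"] = value
                info["lookups"] += 1
            continue
        qualifier = "+"  # implicit qualifier when none is written
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        # Mechanism argument follows ':' (include:, ip4:) or '/' (a/24, mx/24).
        name = re.split(r"[:/]", term, maxsplit=1)[0].lower()
        arg = term[len(name) + 1:] if len(term) > len(name) else ""
        if name == "all":
            info["all"] = qualifier
        elif name in LOOKUP_MECHANISMS:
            info["lookups"] += 1
            if name == "include":
                info["includes"].append(arg)
    return info


def spf_findings(record: str) -> list[str]:
    """Human-readable findings; an empty list means the record looks sound."""
    info = parse_spf(record)
    findings = []
    if info["all"] is None and info["redirect"] is None:
        findings.append("no 'all' mechanism: unlisted servers are treated as neutral")
    elif info["all"] in ("~", "?", "+"):
        findings.append(f"'{info['all']}all' = {QUALIFIER_MEANING[info['all']]}; use -all")
    if info["lookups"] > 10:
        findings.append(f"{info['lookups']} DNS-lookup mechanisms exceed the limit of 10 (permerror)")
    return findings


if __name__ == "__main__":
    # Constructed records: the article's example, and the 'gave up and used ~all' variant.
    for rec in ("v=spf1 include:_spf.google.com include:sendgrid.net -all",
                "v=spf1 include:_spf.google.com ~all",
                "v=spf1 include:_spf.google.com"):
        print(rec, "->", spf_findings(rec) or ["OK"])
```

Run it against your own record (`dig TXT yourdomain.example`, then paste the `v=spf1` string) to see at a glance whether you are in the `~all` trap described above.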

DKIM: the signature that guarantees integrity

DKIM (DomainKeys Identified Mail) adds a cryptographic signature to every outgoing email. The sending server signs the message with a private key. The receiving server retrieves the public key from the domain's DNS and verifies that the message has not been altered in transit.

DKIM answers a question that SPF does not cover: even if the server is authorized, is the email content intact? An email intercepted and modified between two servers will fail DKIM verification.

The common pitfall: some providers (Google Workspace, for example) sign outgoing mail by default, but the matching public key is not always published in your domain's DNS. In that case the provider signs with a key under its own domain, so DKIM passes for the provider's domain rather than yours, and DMARC alignment fails.

DMARC: the policy that ties everything together

DMARC (Domain-based Message Authentication, Reporting and Conformance) does two things:

  1. It checks that SPF or DKIM passes and that the domain is aligned (the domain in the visible "From" header matches the domain verified by SPF or DKIM).
  2. It tells receiving servers what to do when verification fails: nothing (p=none), send to spam (p=quarantine), or reject (p=reject).

Without DMARC, SPF and DKIM exist but nobody knows what to do when they fail. It is like installing an alarm system without connecting the siren.

The common pitfall: publishing a DMARC record with p=none and never moving beyond that. p=none means "observe, but don't block anything." It is a starting point, not a protection. ANSSI (France's national cybersecurity agency) recommends reaching p=reject for effective protection (ANSSI, IT hygiene guide, recommendation 26).
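The alignment rule and the three policies are easiest to understand by running them. The following evaluator is an added example (not the article's or nophi.sh's code): it parses a DMARC record, applies relaxed or strict alignment between the visible From domain and the domains that SPF and DKIM authenticated, and returns the disposition a receiver would apply. The message scenarios and domains are constructed, no DNS is queried, and the organizational-domain helper uses the last two labels instead of the Public Suffix List, which is an assumption for the demo (it mishandles suffixes like co.uk).

```python
"""Evaluate DMARC for one message: parse the record, check identifier
alignment (RFC 7489 section 3.1) and return the resulting disposition.
Added example with constructed inputs; no DNS or real mail involved."""


def parse_dmarc(record: str) -> dict:
    """Turn 'v=DMARC1; p=reject; rua=mailto:...' into a tag dictionary."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if part:
            key, _, value = part.partition("=")
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("invalid DMARC record: needs v=DMARC1 and p=")
    tags.setdefault("adkim", "r")  # relaxed DKIM alignment is the default
    tags.setdefault("aspf", "r")   # relaxed SPF alignment is the default
    return tags


def organizational_domain(domain: str) -> str:
    """Assumption for this demo: last two labels (real receivers use the PSL)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(header_from: str, auth_domain, mode: str) -> bool:
    """Relaxed ('r'): same organizational domain. Strict ('s'): exact match."""
    if not auth_domain:
        return False
    if mode == "s":
        return header_from.lower() == auth_domain.lower()
    return organizational_domain(header_from) == organizational_domain(auth_domain)


def evaluate_dmarc(record, header_from, spf_result, spf_domain, dkim_result, dkim_domain):
    """Return (dmarc_pass, disposition, reason).

    spf_domain is the envelope (MAIL FROM) domain SPF checked; dkim_domain is
    the d= tag of a signature that verified. DMARC passes if either one passed
    AND is aligned with the visible From domain."""
    policy = parse_dmarc(record)
    spf_ok = spf_result == "pass" and aligned(header_from, spf_domain, policy["aspf"])
    dkim_ok = dkim_result == "pass" and aligned(header_from, dkim_domain, policy["adkim"])
    if spf_ok or dkim_ok:
        return True, "none", "aligned " + ("DKIM" if dkim_ok else "SPF") + " passed"
    # sp= overrides p= for subdomains of the organizational domain.
    disposition = policy["p"]
    if header_from.lower() != organizational_domain(header_from) and "sp" in policy:
        disposition = policy["sp"]
    return False, disposition, "no aligned SPF or DKIM pass"


if __name__ == "__main__":
    reject = "v=DMARC1; p=reject; rua=mailto:dmarc@yourdomain.example"
    # The CEO-fraud message: sent from an attacker's server, unsigned.
    print(evaluate_dmarc(reject, "yourdomain.example", "fail", "attacker.example", "none", None))
    # The DKIM pitfall above: provider signs with its own domain, envelope is the provider's too.
    print(evaluate_dmarc("v=DMARC1; p=none", "yourdomain.example",
                         "pass", "mailer.hostingprovider.example", "pass", "hostingprovider.example"))
```

Note the second scenario: both SPF and DKIM "pass", yet DMARC fails because neither identifier is yours. Under p=none that costs nothing today, which is exactly why the reports must be read before moving to quarantine or reject.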

The real state of adoption

The adoption numbers for DMARC among SMBs are alarming. According to a Proofpoint study published in September 2024, 80% of CAC 40 companies have a DMARC record, but only 24% are set to reject (Proofpoint, "DMARC adoption among top French companies", 2024). If the largest French corporations are in that position, the situation for SMBs is logically worse.

Globally, the Sendmarc 2024 report indicates that 85% of phishing emails come from domains without DMARC in enforce mode (quarantine or reject). The Agari 2023 report shows that 73% of analyzed domains have no DMARC policy at all or are set to p=none.

For SMBs with 10 to 500 employees, the picture is straightforward: the vast majority have no DMARC in reject mode. The reasons are always the same: lack of awareness about the protocol, fear of blocking legitimate emails, and no in-house technical expertise.

The concrete result: anyone can send an email displaying your company's address. Your customers, suppliers and banks will receive that email with no automatic way to tell it did not come from you.

Free SPF DKIM DMARC audit. Test your domain's email security in 10 seconds. The tool checks each protocol and gives you an action plan.

Why this matters for SMBs

CEO fraud (BEC)

An attacker sends an email to your company's CFO. The email displays the CEO's address. It requests an urgent wire transfer to a new bank account. The CFO checks the sender address - it matches the CEO's. The transfer goes through.

CEO fraud is the most expensive form of email attack. The FBI IC3 reported 21,489 BEC complaints in 2023, with total losses of $2.9 billion (FBI, Internet Crime Report 2023). In France, law enforcement handles hundreds of cases every year, with an estimated median loss of 150,000 euros per successful attack on an SMB (source: CESIN 2024 report, OCLCTIC (France's central anti-cybercrime unit) investigations).

With DMARC set to reject, the fake CEO email would never have reached the CFO's inbox. The receiving mail server would have found that neither SPF nor DKIM authenticated the message for the CEO's domain and rejected it before delivery.

Phishing your customers and suppliers

An attacker sends an email to your customers, impersonating your company. "Your invoice is ready - click here to view it." The link leads to a page that captures the customer's credentials or installs malware.

Your customers cannot tell this email apart from a real one. The sender address is correct. Receiving servers have no instruction to reject the message, because your domain has no DMARC policy in reject mode.

The consequences go beyond the immediate financial loss: loss of trust from your customers, damage to your business reputation, and legal risk if personal data is compromised through an email sent from your domain (GDPR, Article 32: obligation to ensure security of processing).

Degraded deliverability

If spammers use your domain to send spam - which is trivial without DMARC - your domain's reputation deteriorates with email providers. Gmail, Microsoft 365, Yahoo: all of them maintain a reputation score per domain.

It is a vicious cycle: your domain is used for spam, your reputation drops, your legitimate emails get filtered, your sales team complains that quotes never arrive, and you cannot figure out why.

The Return Path 2023 report indicates that a domain with a poor reputation sees up to 20% of its legitimate emails land in spam. For an SMB whose business runs on email, the revenue impact is direct.

What well-protected companies do

Companies with DMARC in reject mode share three characteristics:

1. They know every email flow

Before activating DMARC, they inventoried every service that sends emails on their behalf: primary email (Google Workspace, Microsoft 365, OVH), CRM (HubSpot, Salesforce, Pipedrive), newsletter (Mailchimp, Brevo, Sendinblue), invoicing (Pennylane, QuickBooks), support (Zendesk, Freshdesk), electronic signature (DocuSign, Yousign).

Without this inventory, turning on DMARC in reject mode risks blocking legitimate emails. That is why you always start with p=none.

2. They ramped up gradually

None of them went straight from zero to reject. The standard path follows three stages:

  • p=none (2 to 4 weeks): DMARC is published but blocks nothing. DMARC reports (rua address) let you see which servers send emails for your domain and which ones pass or fail authentication.

  • p=quarantine (2 to 4 weeks): Emails that fail authentication are sent to spam. This is when you verify that your DMARC reports no longer show false positives.

  • p=reject (permanent): Unauthenticated emails are rejected. Your domain is protected.

Aggregate DMARC reports (sent daily by Gmail, Yahoo, Microsoft and other email providers) let you verify that everything works at each stage. Free tools like Postmark DMARC Weekly Digests or built-in Google Workspace features make them easy to read.
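What "reading the reports" means in practice: an aggregate (RUA) report is an XML file listing, per sending IP, how many messages were seen and whether SPF and DKIM passed. The script below is an added example (not the article's or nophi.sh's tooling) that summarises one such report and sorts each source into the three cases that matter during ramp-up: aligned, a legitimate tool you forgot to authorise (raw SPF or DKIM passed for a foreign domain), or plain spoofing. The embedded report is constructed in the RFC 7489 format; real reports arrive as gzip or zip attachments to the rua address, and the IPs and domains here are documentation-range placeholders.

```python
"""Summarise a DMARC aggregate (RUA) report and decide whether the
domain is ready to move beyond p=none. Added example; SAMPLE_REPORT
is constructed (documentation IPs, placeholder domains)."""
import xml.etree.ElementTree as ET

SAMPLE_REPORT = """<?xml version="1.0"?>
<feedback>
  <report_metadata>
    <org_name>example-mailbox-provider</org_name>
    <report_id>12345</report_id>
    <date_range><begin>1700000000</begin><end>1700086400</end></date_range>
  </report_metadata>
  <policy_published>
    <domain>yourdomain.example</domain>
    <adkim>r</adkim><aspf>r</aspf>
    <p>none</p><pct>100</pct>
  </policy_published>
  <record>
    <row>
      <source_ip>203.0.113.10</source_ip>
      <count>420</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated>
    </row>
    <identifiers><header_from>yourdomain.example</header_from></identifiers>
    <auth_results>
      <dkim><domain>yourdomain.example</domain><result>pass</result></dkim>
      <spf><domain>yourdomain.example</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <record>
    <row>
      <source_ip>198.51.100.7</source_ip>
      <count>35</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated>
    </row>
    <identifiers><header_from>yourdomain.example</header_from></identifiers>
    <auth_results>
      <dkim><domain>crm-vendor.example</domain><result>pass</result></dkim>
      <spf><domain>crm-vendor.example</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <record>
    <row>
      <source_ip>192.0.2.200</source_ip>
      <count>1200</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated>
    </row>
    <identifiers><header_from>yourdomain.example</header_from></identifiers>
    <auth_results>
      <spf><domain>yourdomain.example</domain><result>fail</result></spf>
    </auth_results>
  </record>
</feedback>
"""


def classify(dmarc_pass: bool, raw_auth: list) -> str:
    """Aligned pass, unaligned-but-authenticated (a forgotten tool), or nothing passed."""
    if dmarc_pass:
        return "aligned"
    if any(result == "pass" for _, _, result in raw_auth):
        return "unaligned service: add to SPF / publish its DKIM key"
    return "unauthenticated: likely spoofing"


def summarize_report(xml_text: str) -> dict:
    """Per-source verdicts plus an overall pass rate for one RUA report."""
    root = ET.fromstring(xml_text)
    policy = root.find("policy_published")
    summary = {"domain": policy.findtext("domain"), "policy": policy.findtext("p"),
               "total": 0, "passed": 0, "sources": []}
    for rec in root.findall("record"):
        row, ev = rec.find("row"), rec.find("row/policy_evaluated")
        count = int(row.findtext("count"))
        # policy_evaluated already reflects alignment: either aligned pass means DMARC pass.
        dmarc_pass = ev.findtext("dkim") == "pass" or ev.findtext("spf") == "pass"
        # auth_results holds the raw checks, including passes for foreign domains.
        raw = [(e.tag, e.findtext("domain"), e.findtext("result")) for e in rec.find("auth_results")]
        summary["total"] += count
        summary["passed"] += count if dmarc_pass else 0
        summary["sources"].append({"ip": row.findtext("source_ip"), "count": count,
                                   "dmarc_pass": dmarc_pass, "raw_auth": raw,
                                   "verdict": classify(dmarc_pass, raw)})
    summary["pass_rate"] = round(100 * summary["passed"] / summary["total"], 1) if summary["total"] else 0.0
    return summary


def ready_to_enforce(summary: dict) -> bool:
    """Ramp-up rule of thumb: do not move past p=none while any source still
    authenticates for a foreign domain, because that is a legitimate tool
    whose mail would start going to spam (quarantine) or bouncing (reject)."""
    return not any(s["verdict"].startswith("unaligned") for s in summary["sources"])


if __name__ == "__main__":
    s = summarize_report(SAMPLE_REPORT)
    print(f"{s['domain']} (p={s['policy']}): {s['pass_rate']}% of {s['total']} messages passed")
    for src in s["sources"]:
        print(f"  {src['ip']:>15}  {src['count']:>5}  {src['verdict']}")
    print("ready to move past p=none:", ready_to_enforce(s))
```

In this constructed report the 1,200 messages from 192.0.2.200 are the spoofing that reject would stop, while the 35 from the CRM are the false positives the p=none phase exists to catch: fix that source first, then tighten the policy.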

3. They maintain the configuration

A new email service (switching CRM, adding a support tool) means a new include in SPF and a new DKIM signature to configure. Well-protected companies have an internal process: when a tool that sends email is added, the authentication records get updated.

The email security test should be run after every tool change, and at least once per quarter.

Step-by-step guide. If you want to configure SPF, DKIM and DMARC on your domain, follow our SMB configuration guide. Hands-on examples for OVH, Google Workspace and Microsoft 365.

The excuses that keep coming up

"We're just a small business - nobody is going to spoof our domain."

Domain spoofing is automated. Attackers do not hand-pick their targets. They scan millions of domains, identify those without DMARC in enforce mode, and use them to send spam and phishing. Your size does not matter. Your lack of protection does.

The CESIN 2024 report shows that SMBs with 50 to 250 employees are the most frequent target of email attacks in France, ahead of large corporations. The reason: they have enough financial resources to make the attack profitable, but rarely a dedicated security team.

"Our hosting provider takes care of it."

Your hosting provider may configure a default SPF. But DKIM and DMARC are your responsibility. And even the default SPF only covers the host's email service, not your other tools (newsletter, CRM, invoicing).

Check for yourself. The email security test shows exactly what is configured and what is missing.

"We have an anti-spam solution - that's enough."

Anti-spam protects your inboxes from malicious incoming emails. SPF, DKIM and DMARC protect your domain from outbound spoofing. These are two different protections, and they are complementary.

Anti-spam stops your employees from receiving phishing. DMARC stops an attacker from sending phishing while pretending to be you. Both are necessary.

"DMARC is going to block our emails."

Not if you follow the right sequence. Start with p=none to observe. Read the reports. Add any missing sources to your SPF. Move to quarantine, then reject. It is a process that takes a few weeks, not a binary switch.

The full configuration (SPF + DKIM + DMARC reject) takes between 30 minutes and 1 hour for an SMB with a single email provider, plus 4 to 8 weeks of gradual ramp-up for DMARC reports.

What Google and Yahoo have required since February 2024

Since February 2024, Google and Yahoo have tightened their requirements for email senders. These rules are not optional: failing to comply means your emails get rejected outright or sent to spam.

For all senders:

  • SPF or DKIM required
  • Valid reverse DNS record (PTR)
  • Spam complaint rate below 0.3% (Gmail reports)

For senders of more than 5,000 emails per day:

  • SPF and DKIM both required
  • DMARC at least p=none
  • Domain alignment in the From header
  • One-click unsubscribe link (List-Unsubscribe)

Many SMBs discovered these requirements when their newsletters suddenly stopped reaching inboxes. The problem was not the sending platform (Brevo, Mailchimp, etc.) but the sender domain's authentication.

BIMI: the brand logo as visual proof

BIMI (Brand Indicators for Message Identification) is a newer protocol that displays your company's logo next to your emails in the recipient's inbox (Gmail, Yahoo, Apple Mail).

BIMI requires DMARC in p=quarantine or p=reject mode as a prerequisite. This is one more business case for moving to DMARC reject: your emails become visually identifiable, which strengthens recipient trust and reduces the risk of someone mistaking a fraudulent email for a real one.

Key figures

Indicator                                               | Value            | Source
Global BEC losses in 2023                               | $2.9 billion     | FBI IC3, Internet Crime Report 2023
BEC complaints filed in 2023                            | 21,489           | FBI IC3, 2023
Cyberattacks starting with an email                     | 91%              | Verizon DBIR, 2024
Phishing emails from domains without DMARC enforce      | 85%              | Sendmarc, 2024
CAC 40 companies with DMARC reject                      | 24%              | Proofpoint, September 2024
Cybermalveillance.gouv.fr assistance requests in 2024   | 280,000+         | Cybermalveillance.gouv.fr, 2024 report
Median BEC loss per French SMB                          | ~150,000 euros   | CESIN / OCLCTIC, 2024

The test takes 10 seconds

Here is what you can do right now, in under a minute:

  1. Test your domain's email security with our free tool - instant SPF, DKIM, DMARC and BIMI audit
  2. Share the result with your IT provider or technical lead
  3. Follow the configuration guide to fix what is missing

The technical layer is the foundation. But even with SPF, DKIM and DMARC set to reject, 91% of cyberattacks start with an email that filters let through (Verizon DBIR, 2024), because the email comes from a legitimate third-party domain, a compromised account, or a hijacked cloud service.

Technical protection stops spoofing of your domain. Training your teams stops the click on the phishing email that gets through anyway.

nophi.sh covers both. Realistic phishing simulations, automated micro-training, NIS2 compliance reports. Try it free.
