Is Your Company Email Easy to Spoof? SPF, DKIM & DMARC Explained
Here is an uncomfortable experiment: could someone send an email that appears to come from your company's own domain — to your customers, your suppliers, or your own accounting team? For a surprising number of small and mid-sized businesses in Toronto and the GTA, the answer is yes, because three DNS records that prevent it were never set up properly. Those records are called SPF, DKIM, and DMARC, and this guide explains them in plain English.
Why Spoofing Matters to a Small Business
Email spoofing is forging the 'From' address so a message looks like it came from someone it did not. Criminals use it for invoice fraud (a 'supplier' asks to update banking details), CEO fraud (the 'owner' asks a bookkeeper to send a wire), and phishing your customers under your brand. The damage lands on you twice: the direct fraud losses, and the hit to your reputation when customers get scammed by email that carried your name.
SPF: Who Is Allowed to Send for Your Domain
SPF (Sender Policy Framework) is a DNS record that lists which mail servers are allowed to send email on behalf of your domain — for example, Microsoft 365 and your newsletter platform. When a receiving server gets a message claiming to be from your domain, it checks whether the sending server is on your list. Common problems we see: no SPF record at all, records broken by a forgotten migration, or records that exceed the 10-DNS-lookup limit and silently fail.
DKIM: Proof the Message Wasn't Tampered With
DKIM (DomainKeys Identified Mail) adds a cryptographic signature to every message you send. The receiving server checks the signature against a public key published in your DNS. A valid signature proves the message really came from your systems and was not altered in transit. Most email platforms, including Microsoft 365 and Google Workspace, support DKIM — but it usually has to be explicitly enabled and the DNS records added, which is where many setups stop halfway.
DMARC: The Policy That Makes the First Two Count
SPF and DKIM on their own only *check* mail — they do not tell receiving servers what to *do* when a message fails. That is DMARC's job. A DMARC record publishes your policy: monitor only (p=none), send failures to spam (p=quarantine), or reject them outright (p=reject). It also sends you reports about who is sending mail as your domain, which regularly surfaces both forgotten legitimate services and active abuse.
Without DMARC, or with a permanent p=none policy, spoofed mail can still land in inboxes even if SPF and DKIM are configured. The goal for most businesses is to move deliberately from monitoring to quarantine to reject, without breaking legitimate mail along the way.
It Also Affects Whether Your Own Email Gets Delivered
This is no longer just about security. Major mailbox providers, including Google and Yahoo, now require authenticated email — and DMARC for bulk senders — as a condition of delivery. Businesses with missing or broken SPF, DKIM, or DMARC increasingly find their legitimate quotes, invoices, and newsletters landing in spam. Fixing authentication is one of the rare projects that improves security and deliverability at the same time.
How to Check Where You Stand
You can look up your domain's SPF, DKIM, and DMARC records with free online DNS lookup tools. The pattern we most often find at new clients: an SPF record that no longer matches the services actually in use, DKIM enabled for the main platform but not for third-party senders like CRMs and invoicing tools, and either no DMARC record or one stuck at p=none with nobody reading the reports.
Getting It Fixed Without Breaking Your Email
The order of operations matters: inventory every service that legitimately sends as your domain, correct SPF, enable DKIM everywhere, publish DMARC in monitoring mode, review the reports, then tighten the policy step by step. Rushing straight to p=reject without the inventory step is how companies accidentally block their own invoices.
As part of our managed security services, IT Rapid Support configures and monitors email authentication for businesses across Toronto and the GTA — alongside the anti-phishing filtering, MFA, and user awareness training that address the attacks authentication alone cannot stop. Call (289) 582-9930 and we can tell you quickly whether your domain is protected or exposed.
Share this resource
Explore IT Rapid Support

IT Rapid Support Team
Managed IT & Cybersecurity, GTA
IT Rapid Support Team is a security expert with extensive experience in creating security guidelines.
More from this authorRelated Resources
How Much Does Managed IT Support Cost in Toronto? (2026 Guide)
A clear breakdown of managed IT support pricing models for Toronto and GTA businesses, what drives the cost, and how to compare providers.
Read moreManaged IT Services vs In-House IT: Which Is Right for Your GTA Business?
Compare managed IT services and an in-house IT team on cost, coverage, security, and scalability to decide what fits your Toronto-area business.
Read moreCybersecurity for Small Businesses in the GTA: A Practical Checklist
A plain-English cybersecurity checklist for small and mid-sized GTA businesses, covering the essential protections every company should have in place.
Read moreNeed Expert Security Advice?
Our team of cybersecurity experts is ready to help you secure your organization. Schedule a free consultation today.
Get in Touch