field note · Email Authentication

DMARC: Why Your Small Business Email Is a Literal Open Window for Arsonists

Small business email without DMARC is a wide-open window any arsonist can climb through. Here's what the spoof looks like to your customer and how to close it.

Paul Ogier · founder · 08 May 2026 · 4 min read

TL;DR

If your business hasn’t deployed DMARC, anyone on the internet can send mail that looks exactly like it came from you. The receiving inbox sees you@yourcompany.co.za, not a spoofer. DMARC is the lock on the window. Here’s what happens when you leave it off.

What a spoof looks like to your customer

Your biggest client gets an email at 14:47 on a Thursday. From: accounts@yourcompany.co.za. Your logo. Your director’s signature block, scraped from a previous email thread. New banking details. Pay by Friday.

Your client pays. R150,000. Into an account drained inside 40 minutes. Then they phone to thank you for the prompt invoice.

Not a clumsy fake. A pixel-clean impersonation that arrives without a warning sign, because the from-address is, technically, yours. The receiving server saw yourcompany.co.za and waved it through.

The arsonist didn’t break in. The arsonist walked through.

Why small businesses are the easy mark

Big banks have run p=reject for years. A spoofed @standardbank.co.za message bounces before it reaches anyone. The big names are the hard mark.

SMBs are the easy mark. Most SA small businesses we audit sit at p=none or have no DMARC record at all. Receivers deliver spoofs of your domain because your policy says nothing should stop them.

A spoofer who checks your LinkedIn and “Our Clients” page knows exactly who pays you, what your invoice numbers look like, and which name signs your quotes. The targeting is cheap; the close rate is high.

The three records, briefly

SPF publishes a list of the IP addresses allowed to send mail for your domain. The receiver checks the connecting server against it: pass or fail.

DKIM is a cryptographic stamp the sending server applies to each message. The receiver verifies the signature against a public key published in your DNS.

DMARC ties them together: it requires that whichever check passes was for the domain in the From: address, and it tells the receiver what to do when neither does:

  • p=none: do nothing, send me reports. (No protection.)
  • p=quarantine: drop failing mail into spam.
  • p=reject: bounce failing mail at SMTP. The recipient never sees it.

At p=none, you get reports but no protection. The lock is hanging on the latch.

How DMARC closes the window

At p=reject, when someone tries to send as you@yourcompany.co.za from an unauthorised server, the receiving provider rejects it at the SMTP layer. Gmail, Outlook.com, and M365 (covering roughly 90% of targeted inboxes) all honour p=reject. The message never lands.

CEO-fraud variants become much harder to run. You also get reports: the RUA feed shows every IP that tried to send as your domain in the last 24 hours.

DMARC removes the cheapest, highest-volume attack on your brand from the attacker’s menu. It doesn’t stop a determined burglar with a glass cutter. It stops the person walking past with a half-formed idea.

Three common objections

“It looks complicated.” For most small businesses, DMARC is a single TXT record plus a few admin console clicks. If you run M365 or Google Workspace with one or two marketing tools, you’re not dealing with an enterprise estate.

“I’m scared it will break my mail.” The four-phase ramp (p=none → p=quarantine pct=10 → pct=100 → p=reject) exists so you find and fix every legitimate sender before enforcement kicks in. The horror stories are organisations that skipped the ramp.

“I don’t know what to do with the reports.” Use a managed reporting service or a self-serve tool. Letting reports pile up unread is the wrong answer.
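The policy tags and the four-phase ramp, worked through as an added example (not the post's own tooling): it parses a DMARC TXT record the way a receiver does and reports what happens to an unauthenticated spoof at each ramp phase, including the pct step-down. The domain and rua address are constructed placeholders.

```python
# Added example: parse a DMARC TXT record and work out what a receiver does with a
# spoof at each phase of the ramp. Domain and rua address are constructed placeholders;
# tag grammar and the pct step-down rule follow RFC 7489.

# The four-phase ramp from the post, as TXT records published at _dmarc.<domain>.
RAMP = [
    "v=DMARC1; p=none; rua=mailto:dmarc@yourcompany.co.za",
    "v=DMARC1; p=quarantine; pct=10; rua=mailto:dmarc@yourcompany.co.za",
    "v=DMARC1; p=quarantine; pct=100; rua=mailto:dmarc@yourcompany.co.za",
    "v=DMARC1; p=reject; rua=mailto:dmarc@yourcompany.co.za",
]


def parse_dmarc(txt):
    """Split 'tag=value; ...' into a dict; raise ValueError if receivers would ignore it."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    # v=DMARC1 must be the first tag and p= is mandatory; anything else is not a DMARC record.
    if list(tags)[:1] != ["v"] or tags["v"] != "DMARC1" or "p" not in tags:
        raise ValueError("not a valid DMARC record (needs v=DMARC1 first and a p= tag)")
    tags.setdefault("pct", "100")
    tags.setdefault("sp", tags["p"])  # subdomain policy defaults to the domain policy
    return tags


def disposition(tags, spf_aligned, dkim_aligned, sample):
    """Receiver decision ('deliver', 'quarantine', 'reject') for one message.
    sample is the receiver's 0-99 draw for pct sampling, passed in so runs are repeatable."""
    if spf_aligned or dkim_aligned:
        return "deliver"  # DMARC passes when either mechanism passes AND aligns with From:
    policy = tags["p"]
    if sample >= int(tags["pct"]):
        # Outside the pct sample: policy steps down one notch (reject->quarantine->none).
        policy = {"reject": "quarantine", "quarantine": "none"}.get(policy, "none")
    return policy if policy in ("reject", "quarantine") else "deliver"


def spoof_outcome_per_phase(sample=50):
    """What a spoof (SPF fail, no DKIM) gets at each ramp phase for a given pct draw."""
    return [disposition(parse_dmarc(r), False, False, sample) for r in RAMP]
```

Run `spoof_outcome_per_phase()` for a draw of 50 and the pct=10 phase still delivers the spoof; only at pct=100 and p=reject does it stop, which is why the ramp is a transition and not a resting place.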

What “do nothing” actually costs

A Cape Town engineering firm in 2024: biggest customer paid a R150,000 spoofed invoice into an attacker-controlled account. Recovery took three months, R40,000 in legal costs, and the firm covering R75,000 of the loss to preserve the relationship.

Cyber-insurance underwriters now ask what your p= is set to. p=none reads as no protection, and premiums have risen accordingly. The “do nothing” option hides the bill until the bill is overdue.

Where to go next

The bouncer’s guide to DMARC covers the mechanics. Our services are for when you want a human to look at your domain and tell you what to fix.

Don’t leave the domain at p=none. That’s the one outcome that helps no-one but the arsonist.
