Your employer signed you up for a game show. You didn't audition.
If your employer hasn't deployed DMARC, you're a contestant in a game show you never signed up for. What's at stake, and how to get yourself off the list.
Somewhere in a server room that has nothing to do with your employer, a person you have never met is preparing tonight’s episode of Will They Fall For It? You are the star. You did not audition. You are not being paid. Your employer, who could have cancelled the show at any point by publishing a three-line DNS record, has decided to keep the format running indefinitely.
This is what it looks like when a company skips DMARC.
What the show’s format actually is
DMARC is a DNS record. Your IT team publishes it on your company’s domain. It tells receiving mail servers what to do when someone tries to send email that claims to be from your domain but was not actually sent by your mail infrastructure.
Three settings. The IT world has somehow spent fifteen years debating these three settings. p=none means report on it and deliver it anyway. p=quarantine means send it to spam. p=reject means block it at the receiving server before it ever reaches an inbox.
A domain with no DMARC record, or one sitting at p=none, has published a standing invitation. Anyone with a mail server can send a message that looks exactly like it came from your CFO, your IT manager, or you personally. The receiving server checks, finds nothing prohibiting it, and delivers the message. That is the show’s format. Your employer built the set. Contestants apply daily.
How an episode runs
Tuesday. Three-fifteen. You are behind on email, still thinking about the meeting that ran long, and a message arrives from your CFO.
Right from-address. Right signature block. The subject line reads: “Urgent: please action before close of business.”
A short note: a supplier is holding stock at the port. They need payment before 16:30 or the shipment goes back. R847,000. The CFO is in a board meeting and cannot be disturbed. Please confirm by reply.
The tone matches. The amount is large but not absurd. You ping the CFO on Teams. No response, which the email predicted. You do not want to be the person who held up an emergency because you were too cautious to act.
You authorise the transfer.
At 17:30, the actual CFO calls.
Here is what the show’s producers will not mention in the credits: DMARC at p=reject means that email never arrives. Not “gets flagged as suspicious.” Not “lands in spam where maybe someone checks.” The receiving server rejects it before it touches your inbox, before you have to make a judgement call at speed, before R847,000 leaves the building. The attack is not harder. It is not possible. You cannot film an episode with no contestants.
Checking whether you’re on the cast list
You can find out in thirty seconds. Check your domain on TamingDNS.com and it will tell you whether your domain is protected.
No record at all means the domain has published nothing and any server anywhere can impersonate it. p=none means a record technically exists but carries no enforcement; unless IT is actively using its reports to inventory legitimate senders on the way to enforcement, it is, for practical purposes, identical to nothing. p=quarantine sends failing mail to spam, which is better, though plenty of people check their spam folders. p=reject means your employer has actually cancelled the show.
If your result comes back anything other than p=reject, you are still in the running.
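The record format from the earlier section and the check from this one, as an added example that is not the article's code and not TamingDNS.com's: it takes the TXT strings published at _dmarc.yourdomain and sorts them into the outcomes listed above, treating anything other than a full p=reject as still on the cast list. The DNS query itself is assumed to be done separately (for instance with dig), and the sample records are constructed.

```python
"""DMARC posture check over the TXT strings found at _dmarc.<domain>. Added
example, not code from the article or TamingDNS.com; the DNS lookup itself
(dig +short TXT _dmarc.example.com) is left out and the records are constructed."""


def parse_dmarc(record: str) -> dict[str, str]:
    """Split 'v=DMARC1; p=reject; rua=...' into a lower-cased tag -> value map."""
    tags: dict[str, str] = {}
    for part in record.split(";"):
        key, sep, value = part.partition("=")
        if sep:  # skips the empty segment left after a trailing ';'
            tags[key.strip().lower()] = value.strip()
    return tags


def dmarc_records(strings: list[str]) -> list[str]:
    """Keep only strings carrying the DMARC version tag; other TXT data is ignored."""
    return [s for s in strings if parse_dmarc(s).get("v", "").upper() == "DMARC1"]


def classify(strings: list[str]) -> str:
    """Policy a receiver would apply ('none-published', 'invalid', 'p=none',
    'p=quarantine', 'p=reject'), per RFC 7489 section 6.6.3: zero or several
    DMARC records mean no policy; a missing/unknown p tag counts as p=none
    when a rua address is present and is otherwise unusable ('invalid')."""
    found = dmarc_records(strings)
    if not found:
        return "none-published"
    if len(found) > 1:
        return "invalid"
    tags = parse_dmarc(found[0])
    policy = tags.get("p", "").lower()
    if policy in ("none", "quarantine", "reject"):
        return f"p={policy}"
    return "p=none" if tags.get("rua") else "invalid"


def is_protected(strings: list[str]) -> bool:
    """True only for p=reject applied to 100% of failing mail (pct defaults to 100)."""
    if classify(strings) != "p=reject":
        return False
    pct = parse_dmarc(dmarc_records(strings)[0]).get("pct", "100")
    return pct.isdigit() and int(pct) == 100


if __name__ == "__main__":  # constructed samples covering the article's outcomes
    for recs in ([], ["v=DMARC1; p=none; rua=mailto:dmarc@example.com"],
                 ["v=DMARC1; p=reject; pct=25"], ["v=DMARC1; p=reject"]):
        print(f"{classify(recs):15} protected={is_protected(recs)}  {recs}")
```

Note that a p=reject record with pct below 100 only rejects a fraction of failing mail, which is why the protected check insists on the default of 100.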
Getting yourself off the cast list
You cannot fix this yourself. DMARC lives in DNS, controlled by IT or whoever manages the domain. Your job is to make sure the right people know, once, with enough context that they can act on it.
Screenshot the DNS result. Forward it to your IT lead or line manager with a single sentence: “Saw this. Looks like our DMARC is at p=none. Worth checking?” One screenshot, one sentence, stop there.
This approach works because it is a fact, not an opinion. It reaches the people who can do something about it. It creates a record that you raised it. And it does not make the IT team feel accused of negligence, which is the fastest way to ensure the issue sits in an inbox for six months while new episodes keep airing.
If your IT team is small and stretched, OSH handles DMARC end-to-end: audit, sender inventory, phased ramp to p=reject, then managed reporting. Passing that link along with your screenshot saves them research time and gives them a path forward rather than just a problem to feel bad about.
While you wait for the show to be cancelled
A few things reduce your risk in the meantime.
Confirm any urgent payment request by phone before acting, regardless of how senior the sender appears to be. Phone, not Teams, not a reply email. Phone. A real CFO would rather take thirty seconds out of a board meeting than explain to the auditors why R847,000 is gone.
Check the from-address on anything unusual, character by character. DMARC only governs mail that claims to be from your exact domain; lookalike domains (think yourcompany-za.co.za instead of yourcompany.co.za) are different domains with their own records or none, so your policy never applies to them. Your eyes are the only defence there, and that is an uncomfortable amount of responsibility to carry into a busy Tuesday afternoon.
If you handle payment approvals, propose a written callback policy with your manager: anything above a threshold requires verbal confirmation, no exceptions and no overrides for urgency. Get it in writing. That document matters later.
Forward this if the result was bad
If your DMARC check came back p=none or blank, forward this article to your IT lead. The screenshot plus this link gives them enough context to start the conversation.
You shouldn’t be the last line of defence against a spoofed email from your own CFO. That’s not a reasonable ask. Authentication exists so this call doesn’t land on you at 15:15 on a Tuesday, under deadline, when you’re already behind on three other things.
Cancel the show.