field note · Email Authentication

How to Check If Your Suppliers and Clients Are DMARC Compliant

Your suppliers' weak DMARC posture turns into your fraud problem. Here is how to check any supplier or client domain in 30 seconds and what to do next.

Paul Ogier · founder · 08 May 2026 · 4 min read

TL;DR

A supplier with weak DMARC is a fraud channel pointed at your finance team. Anyone can spoof their domain, send a fake invoice with swapped banking details, and you pay it. Checking a supplier takes 30 seconds. This article covers what to look for and how to raise it without sounding preachy.

Why their posture is your problem

Take a real supplier sitting at p=none. An attacker spoofs their domain. They know your accounts clerk’s name, what the invoices look like, the rough cadence. One email from accounts@supplier.co.za with swapped banking details and a believable PDF. Your clerk sees a familiar sender and pays it. The fraud surfaces three weeks later when the actual supplier asks where their money is.

Business email compromise via spoofed supplier domains tops reported cybercrime losses year after year. You can’t fix their DNS. But you can know which ones are exposed.

How to check any domain

Query the TXT record at _dmarc.theirdomain.co.za and read the p= tag. Or use any free online DMARC checker that scans SPF, DKIM, DMARC, MX, and blacklists in a single pass. Screenshot the result. File it in your risk register. Done.

What good posture looks like

Policy at p=quarantine or p=reject. Anything else is decoration. p=none tells receivers to deliver everything, even authentication failures. A record reading v=DMARC1; p=reject; rua=mailto:reports@something.com; sp=reject; adkim=s; aspf=s; means they’ve done the work.

A working SPF record under the 10-lookup limit. Past 10, receivers return PermError and DMARC treats every message as failed, including the supplier’s own legitimate mail.

A real rua= address pointing to a sensible domain means somebody is reading the reports. That is the signal that the deployment is alive, not a record published two years ago and forgotten.

What bad posture looks like

No DMARC record at all. Anyone can send as them. Still unfortunately common.

p=none with no active reporting. The record does nothing. Someone in their org will still tell you “we have DMARC” with a straight face.

A broken SPF lookup chain. A supplier who added M365, Google Workspace, Mailchimp, SendGrid, and a payroll vendor may now need 14 lookups. Past 10, receivers return PermError and treat everything as failed, including the supplier’s own mail.

Weak or absent DKIM. 1024-bit keys in 2026 mean their email config hasn’t been touched since roughly 2017.

pct=10 left in place permanently. With p=reject; pct=10; in place, 90% of failing mail still delivers. Reads strict, behaves loose.
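As an added example (not part of the article or of any OSH tooling), the Python below applies the good/bad criteria from the two sections above to a constructed set of DMARC records: no record, p=none, a permanent pct=10, and a missing rua= all come back as bad. The zone is embedded sample data so it runs offline; against live domains you would fetch the TXT record at _dmarc.<domain> with a resolver such as dnspython and feed the string to the same function.

```python
import re

# Constructed sample zone: domain -> TXT record at _dmarc.<domain> (None = no record).
SAMPLE_ZONE = {
    "good.example": "v=DMARC1; p=reject; rua=mailto:reports@good.example; sp=reject; adkim=s; aspf=s;",
    "monitor.example": "v=DMARC1; p=none;",
    "pct.example": "v=DMARC1; p=reject; pct=10; rua=mailto:dmarc@pct.example",
    "none.example": None,
}


def parse_dmarc(record):
    """Split 'tag=value; tag=value' into a dict; None if this is not a DMARC record."""
    if not record:
        return None
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        return None
    return tags


def assess_posture(record):
    """Return (verdict, findings) for one DMARC TXT string, per the article's criteria."""
    tags = parse_dmarc(record)
    if tags is None:
        return "bad", ["no DMARC record: anyone can send as this domain"]
    findings = []
    policy = tags.get("p", "none").lower()
    if policy not in ("quarantine", "reject"):
        findings.append("p=%s: receivers deliver everything, even auth failures" % policy)
    # pct defaults to 100; a non-numeric value is treated as the default.
    pct = int(tags["pct"]) if tags.get("pct", "").isdigit() else 100
    if pct < 100 and policy != "none":
        findings.append("pct=%d: %d%% of failing mail still delivers" % (pct, 100 - pct))
    # A real rua= mailto: address is the sign that somebody reads the reports.
    if not re.search(r"mailto:[^,;\s]+@[^,;\s]+", tags.get("rua", "")):
        findings.append("no rua= address: nobody is reading aggregate reports")
    return ("good" if not findings else "bad"), findings


def check_zone(zone):
    """Map every supplier domain in the zone to its good/bad verdict."""
    return {domain: assess_posture(record)[0] for domain, record in zone.items()}
```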

What to do if a critical supplier is non-compliant

  1. Flag it in your risk register. Date, policy found, screenshot.
  2. Send a short note. Template below. Frame it as shared fraud risk.
  3. Offer to help. An introduction to your IT team goes further than a list of demands.
  4. If they’re mission-critical and ignore you: raise it at the next quarterly business review. A procurement contact moves faster than an IT contact.
  5. If they’re not mission-critical: verify any banking-change request out-of-band. Phone call to a known number, not one in the email.

Sample email template

Subject: Quick note about your domain’s email authentication

Hi [Name],

Doing a quick supplier security review and your domain came up with a finding I wanted to flag, more for your benefit than ours.

Your DMARC policy is currently p=none (or: there is no DMARC record). In practice, anyone can send email pretending to be from @yourdomain.co.za and most receivers will deliver it. Spoofed invoices and fake banking-change requests are the usual play.

No action needed from you on our side; I just thought you’d want to know. If your IT team wants a longer conversation about the fix, happy to make an introduction.

Best, [You]

Make this routine

Quarterly checks catch the regression: the supplier who was at p=reject and slipped back to p=none because someone changed DNS providers and forgot to copy the record.

OSH offers a managed supplier-risk sweep: 20 to 50 domains, checked monthly, with a single-page report flagging changes. The supplier you stop trusting blindly is the one whose fake invoice you won’t pay.
