DMARC Email Trust Baseline (SPF / DKIM / DMARC)
A plain-English checklist and rollout outline to improve email trust, reduce spoofing, and make domain protection easier to manage for NZ SMEs.
What this solves
Email spoofing, weak domain trust, finance/payment fraud exposure, and uncertainty around whether your email domain is protected properly.
1) Fast checks (do first)
| Check | What good looks like | Status / notes |
| --- | --- | --- |
| SPF published | Your domain publishes one valid SPF record and it includes only the senders you actually use. | |
| DKIM enabled | Outbound mail is signed for your main business platform(s). | |
| DMARC record published | A valid DMARC policy exists, even if it begins at monitor/report-only stage. | |
| Mail providers understood | You know all platforms sending mail as your domain. | |
| Reporting owner set | DMARC reports have a monitored mailbox or service owner. | |
2) Recommended rollout path
- Inventory senders: list every platform that sends email as your domain.
- Publish / verify SPF: remove obsolete senders and keep the record tidy.
- Enable DKIM: switch signing on for Microsoft 365 and any other major platforms.
- Publish DMARC in monitor mode: start with p=none and collect reports.
- Review failures: identify legitimate senders that are not aligned and fix them.
- Tighten policy: move gradually from monitor to quarantine/reject when evidence supports it.
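The "Review failures" step above, as an added example that is not part of this checklist: a small Python triage of a DMARC aggregate (RUA) report that separates aligned senders from legitimate-but-unaligned tools and from sources that authenticate nothing. The report XML, IP addresses and domains are constructed sample values; real reports arrive as zipped XML attachments at the rua= address and can be fed to the same function.

```python
import xml.etree.ElementTree as ET

# Constructed sample of a DMARC aggregate (RUA) report, trimmed to the elements
# used below. IPs and domains are documentation/example values, not real senders.
SAMPLE_RUA = """<?xml version="1.0"?>
<feedback>
  <policy_published><domain>example.co.nz</domain><p>none</p></policy_published>
  <record><row><source_ip>203.0.113.10</source_ip><count>120</count>
    <policy_evaluated><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row></record>
  <record><row><source_ip>198.51.100.7</source_ip><count>35</count>
    <policy_evaluated><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <auth_results><spf><domain>forms-vendor.example</domain><result>pass</result></spf></auth_results></record>
  <record><row><source_ip>192.0.2.200</source_ip><count>9</count>
    <policy_evaluated><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <auth_results><spf><domain>unknown.example</domain><result>fail</result></spf></auth_results></record>
</feedback>"""


def triage_rua(xml_text):
    """One dict per <record>. <policy_evaluated> dkim/spf are already the aligned
    results, so DMARC passes when either is 'pass'. Failing records are split into
    'misconfigured' (raw SPF/DKIM passed for an unaligned domain: a legitimate tool
    that still needs aligning) and 'unauthenticated' (nothing passed: spoof candidate)."""
    rows = []
    for rec in ET.fromstring(xml_text).iter("record"):
        auth = rec.findall("auth_results/spf") + rec.findall("auth_results/dkim")
        evaluated = (rec.findtext("row/policy_evaluated/dkim"),
                     rec.findtext("row/policy_evaluated/spf"))
        if "pass" in evaluated:
            label = "aligned"
        elif any(a.findtext("result") == "pass" for a in auth):
            label = "misconfigured"
        else:
            label = "unauthenticated"
        rows.append({"ip": rec.findtext("row/source_ip"),
                     "count": int(rec.findtext("row/count", default="0")),
                     "auth_domains": sorted({a.findtext("domain") for a in auth}),
                     "label": label})
    return rows


def action_list(rows):
    """Failing sources to chase before tightening policy, largest volume first."""
    return sorted((r for r in rows if r["label"] != "aligned"), key=lambda r: -r["count"])


if __name__ == "__main__":
    for r in action_list(triage_rua(SAMPLE_RUA)):
        print(f"{r['ip']:>14} {r['count']:>5} {r['label']:<16} {r['auth_domains']}")
```

A "misconfigured" source with a recognisable vendor domain is the webform or marketing tool to add to SPF or sign with DKIM; an "unauthenticated" source with meaningful volume is the evidence for moving towards quarantine/reject.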
3) Questions to ask your IT person / MSP
| Question | Why it matters |
| --- | --- |
| What systems send mail as our domain? | Miss one and DMARC rollout becomes noisy or breaks legitimate mail. |
| Are SPF and DKIM aligned for Microsoft 365 and website forms? | Alignment is what makes DMARC meaningful. |
| Who is reviewing DMARC reports? | Reports are only useful if someone owns them. |
| What is our target policy and by when? | You need a path from monitoring to stronger protection. |
4) Minimum baseline outcome
- SPF published and tidy
- DKIM enabled for main sending systems
- DMARC record live
- Reporting owner assigned
- A path to stronger enforcement agreed
5) Common gotchas
- Multiple marketing / webform tools sending as the same domain without being documented.
- Old SPF includes left behind after platform changes.
- DMARC published with no one reviewing reports.
- Trying to jump straight to reject before sender inventory is complete.
Note: This document is general operational guidance and does not replace legal advice. It helps you establish a practical baseline and reduce common privacy risks.
👉 Free 30-minute consultation
No hard sell - just clarity and practical next steps.
hello@virtusgroup.biz
virtusgroup.co.nz
0800 847 887 (VIRTUS)