A change to how email security works has just come into effect. If you own a business domain, here is what you need to know.
What is DMARC, and why should I care?
DMARC is a behind-the-scenes email security standard. You have probably never had to think about it, but it has been quietly protecting your business domain from being impersonated by fraudsters and making sure your emails land in the inbox rather than the spam folder.
Think of it like a passport control system for your emails. When you send an email from your business, DMARC tells the recipient’s email provider: “this message is genuinely from us, and here’s what to do if it isn’t.” Without it, anyone can fake an email that looks like it came from your company.
What Does This Update Mean For My Business?
In simple terms: the rulebook that governs how DMARC works has been updated for the first time since 2015. Some old settings have been retired and replaced with cleaner ones. The way DMARC works day to day has not changed.
But before worrying about the update, there is a more important question every business owner should ask first: does my domain actually have DMARC set up at all, and is it configured correctly?
Having an IT provider does not automatically mean your DMARC is in order. Many businesses have IT support for their computers and staff, but their domain is sitting with a web agency or hosting provider with nobody actively maintaining the security settings.
There are really three situations you could be in:
This is more common than most people realise. It means your domain has no protection against being spoofed. Anyone could send emails pretending to be your business. This needs to be set up from scratch
The record exists, but it is either now non-compliant with the new standard or is not actively enforcing any protection. The sooner this is updated and properly configured, the better protected your business will be.
You are in good shape. You just need to confirm the recent update has been applied, and your emails and domain are protected.
What Happens If I Ignore This?
If your DMARC record is out of date after 15 June and you are self-managed, you may start to see:
- Emails landing in spam folders rather than inboxes
- Delayed or rejected messages, particularly to Gmail, Outlook, and Yahoo addresses
- A weaker defence against someone spoofing your domain to send fraudulent emails
For most businesses, email is mission-critical. A broken DMARC record is a quiet problem. You might not even notice it until clients start asking why they are not hearing from you.
Why Email Authentication Matters More Than Ever
Google, Microsoft, and Yahoo have all tightened their email rules significantly over the past two years. They now require businesses sending more than 5,000 emails a day to have DMARC, SPF, and DKIM all properly configured or risk permanent delivery failures. These standards exist because email fraud and phishing are still the number one entry point for cyberattacks on businesses.
Worth knowing: PCI DSS v4.0, the compliance standard for any business that processes card payments, now formally requires DMARC as part of its anti-phishing rules. If that applies to you, this is not optional.
What Lucidica recommends
- Check whether your DMARC record is managed by your IT provider or set up directly in your DNS.
- If self-managed, update your record before 15 June to remove retired tags and align with the new standard.
- If you are not sure, reach out to us. A DMARC health check takes minutes and removes any uncertainty.
- Consider moving to a hosted DMARC solution so future updates like this are handled automatically without you having to think about it.
Not sure if your email setup is ready for the 15 June update?
We can check your DMARC record and flag anything that needs attention. No technical knowledge needed on your end.
