The threat is real and it's targeting small businesses

Business Email Compromise (BEC) — where attackers impersonate a company's email address to trick clients, vendors, or employees — cost businesses over $2.9 billion in 2023 according to the FBI's Internet Crime Report. And small businesses are increasingly the target, precisely because they're assumed to have weaker defenses than large enterprises.

The attack doesn't require hacking your email server. An attacker just needs to send an email from your domain — which anyone can do if you haven't locked it down with authentication records.

Warning: If you haven't configured SPF, DKIM, and DMARC for your domain, someone can send an email right now that appears to come from your address — to your clients, your vendors, or your employees.

SPF, DKIM, and DMARC — what they actually do

These are DNS records — small pieces of text you add to your domain's settings. Together they form a chain of trust that tells the world which mail servers are authorized to send email on your behalf, and what to do when something doesn't check out.

Record: SPF
What it does: Lists the mail servers authorized to send email from your domain.
Without it: Any server can send email claiming to be from your domain.

Record: DKIM
What it does: Adds a cryptographic signature to outgoing emails that proves they haven't been tampered with.
Without it: Emails can be modified in transit without detection.

Record: DMARC
What it does: Ties SPF and DKIM together and tells receiving mail servers what to do with emails that fail checks — monitor, quarantine, or reject.
Without it: Even with SPF and DKIM, there's no enforcement policy and no visibility into abuse.

Why DMARC is the piece most businesses skip

SPF and DKIM are now fairly common — many hosting providers configure them by default. But DMARC is where most small businesses stop short, because it requires a decision about enforcement policy and an email address to receive reports.

Starting with DMARC in monitor mode (p=none) is the right approach — it tells receiving mail servers to send you reports on who's sending email as your domain, without blocking anything yet. Once you've reviewed the data and confirmed your legitimate mail sources are passing, you move to quarantine or reject.
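An added example of that review step (not ByteNet's code or part of the original article): a short Python script that reads a DMARC aggregate (RUA) report and shows, per sending IP, how much mail passed, so you can tell a legitimate sender you forgot to authorize apart from someone sending as your domain before tightening the policy. The report XML, the IP addresses and the domain example.com are constructed sample data.

```python
import xml.etree.ElementTree as ET

# Constructed sample aggregate report (RFC 7489 layout, trimmed to the fields
# used here). IPs are documentation addresses; example.com is a placeholder.
SAMPLE_REPORT = """<feedback>
  <policy_published><domain>example.com</domain><p>none</p></policy_published>
  <record>
    <row><source_ip>203.0.113.10</source_ip><count>120</count>
      <policy_evaluated><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
  </record>
  <record>
    <row><source_ip>203.0.113.25</source_ip><count>8</count>
      <policy_evaluated><dkim>fail</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
  </record>
  <record>
    <row><source_ip>198.51.100.7</source_ip><count>42</count>
      <policy_evaluated><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
  </record>
</feedback>"""

def summarize(report_xml):
    """Per source IP: messages seen and how many passed DMARC.
    policy_evaluated/dkim and /spf are the aligned results the receiver
    computed; DMARC passes if either passes. Records can share an IP,
    so counts are accumulated rather than overwritten."""
    summary = {}
    for rec in ET.fromstring(report_xml).findall("record"):
        row = rec.find("row")
        ev = row.find("policy_evaluated")
        ip, n = row.findtext("source_ip"), int(row.findtext("count"))
        passed = "pass" in (ev.findtext("dkim"), ev.findtext("spf"))
        entry = summary.setdefault(ip, {"count": 0, "passing": 0})
        entry["count"] += n
        entry["passing"] += n if passed else 0
    return summary

def sources_to_review(summary):
    """IPs with unauthenticated mail: a legitimate sender you still need to
    add to SPF/DKIM, or someone sending as your domain. Resolve these before
    moving p=none to quarantine or reject."""
    return sorted(ip for ip, s in summary.items() if s["passing"] < s["count"])

if __name__ == "__main__":
    s = summarize(SAMPLE_REPORT)
    print(s, "\nreview before enforcing:", sources_to_review(s))
```

In the sample, 203.0.113.25 still passes DMARC because aligned SPF passed even though DKIM failed; only 198.51.100.7, which failed both, needs investigation.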

Good news: If you're on Microsoft 365, all three records can be configured through your DNS provider and the M365 admin center. ByteNet can get this done in a single session.

Email security and deliverability are connected

This isn't just about blocking attackers — it directly affects whether your legitimate emails land in inboxes or spam folders. Gmail and Yahoo now require DMARC compliance for bulk senders, and increasingly treat emails from unauthenticated domains with suspicion even at lower volumes.

Getting your email authentication right means your proposals, invoices, and follow-ups actually get read instead of buried in junk.

What a proper email security setup looks like

For most small businesses running Microsoft 365, a complete email security configuration includes SPF, DKIM, and DMARC records in DNS, Microsoft Defender for Office 365 for anti-phishing and malicious link protection, and a process for reviewing DMARC aggregate reports monthly. The whole setup typically takes two to three hours and dramatically reduces both inbound threats and outbound impersonation risk.

Bottom line: Email authentication is one of the highest-impact, lowest-cost security improvements available to a small business. There's no good reason to delay it.