DMARC, DKIM and SPF: why SME emails without this setup are increasingly rejected

By Zarioh Digital Solutions · 4 min read

Gmail, Yahoo and Microsoft have tightened email authentication rules over the past two years. What used to be nice-to-have is now a hard requirement. What are SPF, DKIM and DMARC, why are your emails landing in spam, and which steps do you take now?

More and more SMEs are suddenly getting reports that their emails are not arriving. Customers ask whether something is wrong with their mail, suppliers stop responding. The messages do reach the recipients' mail servers, but end up in the spam folder, or never reach the inbox at all. The cause is almost always the same: the sending domain has no, or incorrect, authentication setup. In 2026, this is no longer a fringe issue.

Since February 2024, Gmail and Yahoo have imposed strict requirements on anyone sending more than five thousand emails per day, with strong recommendations for lower volumes. Microsoft followed suit in early 2025, and since late 2025 lower sending volumes are actively scrutinised too. The result is that unprotected domains increasingly land in a grey zone where messages quietly disappear.

What are SPF, DKIM and DMARC?

They are three separate technical standards that together prove that an email really comes from your domain and not from someone impersonating you. They are configured in your domain's DNS zone.

SPF (Sender Policy Framework) is a list of servers allowed to send mail on behalf of your domain. A receiving mail server checks whether the sending server is on that list. If it is not, something looks suspicious.

DKIM (DomainKeys Identified Mail) is a digital signature. The sending server signs every message with a private key, and the recipient verifies that signature via the public key in your DNS. If the signature does not match, the email was modified in transit or is fake.

DMARC (Domain-based Message Authentication, Reporting and Conformance) is the policy that tells the recipient what to do when SPF or DKIM fails. You can set failing mail to not be delivered, to land in spam, or only to be reported.

Why does this matter so much more now?

Three reasons. First, the explosion of AI-generated phishing in 2024 and 2025. Attackers can send convincing emails pretending to be your bank, your supplier, or your colleague. Receiving mail servers therefore only trust domains that can prove cryptographically and verifiably that they are legitimate.

Second, marketplace pressure. Cyber insurers have required active DMARC enforcement in many policies since 2025. Tenders and large business clients ask for it in their procurement conditions.

Third, silent enforcement. Microsoft, Google and large spam filters increasingly downgrade domains without DMARC. You get no notification; you only notice when customers start complaining.

What do you see when your domain is not configured properly?

The symptoms are recognisable. Emails to @gmail.com and @hotmail.com land in spam. Customers say they receive nothing while Outlook shows Sent. Marketing emails from your newsletter system do not arrive. Responses to meeting invites disappear. Important quotes are noticed too late.

To clients and partners your business looks unreliable, even though you are not. To you it is invisible until someone calls.

How do you set it up?

Three steps, in this order. SPF first, then DKIM, then DMARC.

Step 1: SPF. Inventory which services send mail on behalf of your domain. Microsoft 365, possibly a newsletter service, a CRM, an accounting package emailing invoices. Combine all includes into a single SPF record in DNS. For a pure Microsoft 365 domain that is often just `v=spf1 include:spf.protection.outlook.com -all`. Important: one SPF record per domain, not multiple.

Step 2: DKIM. For Microsoft 365, activate DKIM in the Defender portal under Email and collaboration. Microsoft generates two CNAME records to place in DNS, after which you enable signing. For other mail sources, that service supplies its own DKIM instructions.

Step 3: DMARC. Start with monitoring. Place a DMARC record with policy `p=none` and an `rua=` address at which you receive the aggregate reports. Collect reports for one to two weeks so you know which sending sources operate on behalf of your domain. Then gradually raise to `p=quarantine` and eventually `p=reject`.
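As an added example (not from the article), here is a small Python audit of the three records from steps 1 to 3, run against DNS answers you have already fetched; the records, the domain example.com and the missing second selector are constructed, and selector1/selector2 are the DKIM selector names Microsoft 365 uses.

```python
# Added example: validate fetched DNS answers against the three-step setup above.
# The records below are constructed for a hypothetical domain; selector1/selector2
# are the DKIM selector names Microsoft 365 uses.
DNS = {
    "example.com": {"TXT": ["v=spf1 include:spf.protection.outlook.com -all"]},
    "_dmarc.example.com": {"TXT": ["v=DMARC1; p=none; rua=mailto:dmarc@example.com"]},
    "selector1._domainkey.example.com": {"CNAME": ["selector1-example-com._domainkey.example.onmicrosoft.com"]},
    "selector2._domainkey.example.com": {"CNAME": []},  # constructed: second CNAME not placed yet
}

def records(name, rtype):
    return DNS.get(name, {}).get(rtype, [])

def check_spf(txt):
    spf = [r for r in txt if r.lower().startswith("v=spf1")]
    if len(spf) != 1:  # more than one SPF record is a permanent error for receivers
        return [f"expected exactly one SPF record, found {len(spf)}"]
    last = spf[0].split()[-1]
    if last not in ("-all", "~all"):
        return [f"SPF should end with -all (or ~all), got {last!r}"]
    return []

def check_dkim(domain, selectors=("selector1", "selector2")):
    return [f"DKIM CNAME missing for {s}._domainkey.{domain}" for s in selectors
            if not records(f"{s}._domainkey.{domain}", "CNAME")]

def parse_dmarc(txt):
    recs = [r for r in txt if r.upper().startswith("V=DMARC1")]
    if len(recs) != 1:
        return None
    pairs = (p.split("=", 1) for p in recs[0].split(";") if "=" in p)
    return {k.strip().lower(): v.strip() for k, v in pairs}

def check_dmarc(txt):
    tags = parse_dmarc(txt)
    if tags is None:
        return ["expected exactly one DMARC record at _dmarc.<domain>"]
    findings = []
    if tags.get("p") not in ("none", "quarantine", "reject"):
        findings.append("p= must be none, quarantine or reject")
    elif tags["p"] == "none":
        findings.append("p=none only monitors; raise to quarantine, then reject, after review")
    if not tags.get("rua", "").startswith("mailto:"):
        findings.append("no rua=mailto: address, so no aggregate reports will arrive")
    return findings

def audit(domain):
    return {"spf": check_spf(records(domain, "TXT")),
            "dkim": check_dkim(domain),
            "dmarc": check_dmarc(records(f"_dmarc.{domain}", "TXT"))}
```

Replace the DNS dictionary with real lookups (for example the TXT and CNAME answers from `nslookup` or `dig`) to audit your own domain.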

What does it cost and how much work is it?

For a simple SME domain with Microsoft 365 and one or two external mail services, initial setup is half a day of work. The DNS changes themselves are quick; discovering all sources that send mail takes the most time. DMARC report analysis is easier with a free or low-cost dashboard such as dmarcian, Postmark or EasyDMARC.

What is the priority?

For every SME that sends business mail, this is no longer a project that can wait. Start this month with inventory and SPF, activate DKIM in M365, place a DMARC record in monitoring mode and plan a check after two weeks. Waiting means that in a few months you will not know why customers stopped responding.

Want help setting up SPF, DKIM and DMARC for your domain, or analysing reports? Zarioh helps SME organisations with focused email authentication implementation and monitoring. Contact us for a no-obligation conversation.


Zarioh Digital Solutions

IT specialists from Utrecht, the Netherlands. We help businesses with Microsoft 365, AI agents, hosting and telephony — and share what we learn in practice.
