DMARC for NZ small business in 30 minutes
What DMARC is, why every NZ small business needs it, and a step-by-step setup for the typical Microsoft 365 plus a domain registrar like Crazy Domains, GoDaddy or 1stDomains. Plain English.
If you have a domain (yourbusiness.co.nz) and email runs through Microsoft 365 or Google Workspace, attackers can almost certainly send email pretending to be you right now. The fix takes about thirty minutes and is free. It is called DMARC.
This is the no-jargon setup for the typical NZ small business: a registered domain, Microsoft 365 for email, no in-house IT.
What DMARC actually does
Three records on your DNS, working together, that tell the world's mail servers two things:
- Which servers are allowed to send mail as you.
- What to do with anything that fails the check (let through, mark as spam, or reject).
Without DMARC, anybody can send accounts@yourbusiness.co.nz to your customers asking them to change bank account details. The mail will look real, will pass most basic filters, and the recipient has no easy way to tell. With DMARC on enforcement mode, the same mail bounces.
NZ Inland Revenue, NZ Police and NZ banks have all flagged this as a top vector for the BEC (business email compromise) frauds that cost SMEs an average of $30,000 a pop.
The three records
You will add three DNS records at your registrar. SPF, DKIM and DMARC.
1. SPF (Sender Policy Framework)
Tells the world which servers can send for you. For a pure Microsoft 365 setup, the record is:
v=spf1 include:spf.protection.outlook.com -all
The -all at the end means "anything not in this list, reject". Some guides tell you to use ~all (soft fail); do not. In practice, soft fail is treated the same as no fail at all. It is hard fail or no SPF at all.
If you also send from another service (a CRM, a job-management tool, Mailchimp, Xero), each one needs its own include: added. Most have an SPF setup page in their admin. Examples:
- Xero: include:_spf.xero.com
- Mailchimp: include:servers.mcsv.net
- SendGrid: include:sendgrid.net
You combine them: v=spf1 include:spf.protection.outlook.com include:_spf.xero.com -all
Maximum 10 lookups in one SPF record (a hard limit in the SPF standard, not something you can raise). Nested includes count too: every include: inside a service's own record adds to your total. If you have more services than that, you need an SPF flattening service, but most NZ small businesses are nowhere near the limit.
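To make the lookup limit concrete, here is an added example (not code from the article or from any provider named in it) that walks an SPF record the way a receiving server does, following include: targets recursively and counting every lookup-costing term against the limit of 10. The ZONE table is a constructed stand-in for DNS answers: the top record mirrors the Microsoft 365 plus Xero setup above, but the contents of the provider records and all the *.example names are invented for the demonstration, using documentation IP ranges. A live checker would replace lookup_txt with a real TXT query.

```python
import re

# Added example (not from the article): count the DNS lookups an SPF record
# triggers, so you can see how close a record sits to the hard limit of 10
# from the SPF standard (RFC 7208). ZONE is a constructed stand-in for DNS
# answers; a live checker would issue a TXT query for each name instead.

SPF_LOOKUP_LIMIT = 10

# Constructed TXT answers using documentation IP ranges. The business record
# mirrors the article's Microsoft 365 + Xero setup; the contents of the
# provider records and the *.example names are made up for the demonstration.
ZONE = {
    "yourbusiness.co.nz": "v=spf1 include:spf.protection.outlook.com "
                          "include:_spf.xero.com include:crm.example -all",
    "spf.protection.outlook.com": "v=spf1 ip4:203.0.113.0/24 ip6:2001:db8::/32 -all",
    "_spf.xero.com": "v=spf1 ip4:198.51.100.0/24 -all",
    "crm.example": "v=spf1 include:relay.crm-vendor.example a mx ~all",
    "relay.crm-vendor.example": "v=spf1 ip4:192.0.2.0/24 ~all",
    # A record that blows the limit: eleven includes, each costing one lookup.
    "overloaded.example": "v=spf1 "
                          + " ".join(f"include:svc{i}.example" for i in range(1, 12))
                          + " -all",
}
ZONE.update({f"svc{i}.example": "v=spf1 ip4:192.0.2.1 -all" for i in range(1, 12)})

# Terms that each cost one DNS lookup against the limit (RFC 7208 section 4.6.4).
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
TERM_RE = re.compile(r"^([a-z][a-z0-9]*)(?:[:=/](.*))?$")


def lookup_txt(domain):
    """Stand-in for a DNS TXT query: return the SPF string or None."""
    return ZONE.get(domain)


def count_lookups(domain, path=()):
    """Return (lookups, problems) for the SPF record at `domain`, recursing
    into include:/redirect= targets the way a receiving server does. `path`
    is the chain of domains being evaluated, used to detect include loops."""
    if domain in path:
        return 0, [f"include loop: {' -> '.join(path + (domain,))}"]
    record = lookup_txt(domain)
    if record is None:
        return 0, [f"no SPF record for {domain}"]
    lookups, problems = 0, []
    for term in record.split()[1:]:                  # skip the leading v=spf1
        match = TERM_RE.match(term.lstrip("+-~?"))   # drop the qualifier
        if not match:
            problems.append(f"{domain}: unparseable term {term!r}")
            continue
        name, value = match.group(1), match.group(2)
        if name in LOOKUP_TERMS:
            lookups += 1
        if name in ("include", "redirect") and value:
            sub_lookups, sub_problems = count_lookups(value, path + (domain,))
            lookups += sub_lookups
            problems.extend(sub_problems)
    return lookups, problems


def check_spf(domain):
    """Summarise a domain's SPF posture: lookups used against the limit,
    and whether the record ends in the hard fail (-all) the article insists on."""
    record = lookup_txt(domain) or ""
    lookups, problems = count_lookups(domain)
    terms = record.split()
    return {
        "record": record,
        "lookups": lookups,
        "over_limit": lookups > SPF_LOOKUP_LIMIT,
        "hard_fail": bool(terms) and terms[-1] == "-all",
        "problems": problems,
    }


if __name__ == "__main__":
    for name in ("yourbusiness.co.nz", "overloaded.example"):
        result = check_spf(name)
        print(f"{name}: {result['lookups']} lookups, over limit: {result['over_limit']}, "
              f"hard fail: {result['hard_fail']}")
        for problem in result["problems"]:
            print("  -", problem)
```

The business record comes out at 6 lookups (three top-level includes, plus the include, a and mx inside the constructed CRM record), comfortably under the limit; the overloaded.example record shows how quickly eleven "harmless" includes push you over it.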
2. DKIM (DomainKeys Identified Mail)
Signs every outgoing mail with a cryptographic signature so the receiver can verify it really came from you. In Microsoft 365 you enable DKIM in the Defender portal: Email & collaboration → Policies & rules → Threat policies → Email authentication settings → DKIM. Click your domain, click Enable.
It will tell you to add two CNAME records first. Add them at your registrar (or wherever your DNS lives), wait a few minutes for propagation, then come back and click Enable.
3. DMARC (the policy)
The record that ties SPF and DKIM together and tells receivers what to do with failures. Start gentle:
v=DMARC1; p=none; rua=mailto:dmarc-reports@yourbusiness.co.nz; ruf=mailto:dmarc-reports@yourbusiness.co.nz; fo=1; pct=100
p=none means "monitor only, do not block anything yet". Crucial for the first month. rua=mailto: tells receivers where to send daily aggregate reports. pct=100 means "apply the policy to 100% of mail".
Create the dmarc-reports@ mailbox first (or forward to your normal inbox).
Add this as a TXT record at hostname _dmarc (so the full record is _dmarc.yourbusiness.co.nz).
The 30-day monitoring period
For the first month, leave DMARC at p=none and read the daily reports. These are XML, readable but a pain. Use a free aggregator like DMARC Report or Postmark's free DMARC monitoring, paste in your email, get a weekly summary. You are looking for two things:
- Legitimate mail being sent from services you forgot about (add to SPF / DKIM).
- Attackers actually trying to spoof you.
Once a fortnight has gone by clean, ramp up.
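An aggregator will do this for you, but it helps to know what the XML actually contains. The following is an added example (not from the article or from any aggregator service) that parses one aggregate report in the standard rua layout and sorts each sending source into the buckets you care about during monitoring: fully aligned, DKIM-only passes (typical of forwarded mail, which DMARC still accepts), SPF-only passes (a sender that is not DKIM signing), and outright failures (either a service you forgot or someone spoofing you). SAMPLE_REPORT is a constructed report using documentation IP ranges, not a real one from any receiver.

```python
import xml.etree.ElementTree as ET

# Added example (not from the article): summarise a DMARC aggregate (rua)
# report. SAMPLE_REPORT is constructed in the RFC 7489 Appendix C layout;
# the source IPs are documentation ranges, not real senders.
SAMPLE_REPORT = """<?xml version="1.0" encoding="UTF-8"?>
<feedback>
  <report_metadata>
    <org_name>receiver.example</org_name>
    <report_id>example-report-0001</report_id>
    <date_range><begin>1700000000</begin><end>1700086399</end></date_range>
  </report_metadata>
  <policy_published>
    <domain>yourbusiness.co.nz</domain>
    <adkim>r</adkim><aspf>r</aspf><p>none</p><pct>100</pct>
  </policy_published>
  <record>
    <row><source_ip>203.0.113.10</source_ip><count>42</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>yourbusiness.co.nz</header_from></identifiers>
  </record>
  <record>
    <row><source_ip>198.51.100.7</source_ip><count>5</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>yourbusiness.co.nz</header_from></identifiers>
  </record>
  <record>
    <row><source_ip>192.0.2.66</source_ip><count>17</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>yourbusiness.co.nz</header_from></identifiers>
  </record>
  <record>
    <row><source_ip>203.0.113.200</source_ip><count>11</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>yourbusiness.co.nz</header_from></identifiers>
  </record>
</feedback>
"""


def classify(dkim, spf):
    """Bucket one row by its aligned DKIM and SPF results.
    DMARC passes if either aligned check passes, so only 'failing' rows
    would be quarantined or rejected once the policy is tightened."""
    if dkim == "pass" and spf == "pass":
        return "aligned"
    if dkim == "pass":
        return "dkim_only"    # SPF failed but DKIM held: typical of forwarded mail
    if spf == "pass":
        return "spf_only"     # sender is not DKIM signing; fix DKIM before forwarding bites
    return "failing"          # both failed: a forgotten service or a spoof attempt


def summarise_report(xml_text):
    """Parse one aggregate report and return per-bucket message counts plus
    the source IPs whose mail would be blocked under p=reject."""
    root = ET.fromstring(xml_text)
    summary = {
        "reporter": root.findtext("report_metadata/org_name"),
        "domain": root.findtext("policy_published/domain"),
        "policy": root.findtext("policy_published/p"),
        "counts": {"aligned": 0, "dkim_only": 0, "spf_only": 0, "failing": 0},
        "failing_sources": [],
    }
    for rec in root.findall("record"):
        row = rec.find("row")
        source_ip = row.findtext("source_ip")
        count = int(row.findtext("count"))
        bucket = classify(row.findtext("policy_evaluated/dkim"),
                          row.findtext("policy_evaluated/spf"))
        summary["counts"][bucket] += count
        if bucket == "failing":
            summary["failing_sources"].append((source_ip, count))
    return summary


if __name__ == "__main__":
    result = summarise_report(SAMPLE_REPORT)
    print(f"{result['reporter']} report for {result['domain']} (p={result['policy']})")
    for bucket, count in result["counts"].items():
        print(f"  {bucket:10} {count:5}")
    for source_ip, count in result["failing_sources"]:
        print(f"  would be blocked under p=reject: {source_ip} ({count} messages)")
```

In the constructed report, 203.0.113.10 is the normal Microsoft 365 path, 198.51.100.7 looks like forwarding (SPF broken, DKIM intact, DMARC still passes), 203.0.113.200 is a listed sender that is not signing, and 192.0.2.66 is the row to investigate: 17 messages that were delivered only because the policy was still p=none.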
Moving to enforcement
After ~30 days of clean monitoring, switch:
v=DMARC1; p=quarantine; rua=mailto:dmarc-reports@yourbusiness.co.nz; pct=100
p=quarantine means "anything failing goes to the recipient's spam folder". Live for another month, watch the reports, then move to the strongest setting:
v=DMARC1; p=reject; rua=mailto:dmarc-reports@yourbusiness.co.nz; pct=100
p=reject means "anything failing the check is bounced before it reaches the recipient". This is the goal state. It is what stops your customers receiving an invoice from a fake accounts@yourbusiness.co.nz.
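The three DMARC records above are easy to mistype, and a single wrong tag makes receivers ignore the whole record. This added example (not from the article, and not any registrar's or Microsoft's validation code) parses a DMARC TXT record into its tags, checks the rules that matter for a small business record (v=DMARC1 first, a valid p=, pct in range, rua= present and using mailto:), and carries the record through the rollout stages the article describes, dropping ruf= and fo= once monitoring is over so that each step reproduces the article's own records. The sample records are the article's; the tag names are the standard DMARC ones.

```python
import re

# Added example (not from the article): parse, validate and step a DMARC
# record through the none -> quarantine -> reject rollout described above.

POLICIES = ("none", "quarantine", "reject")

# The article's monitoring record, used as the starting point.
MONITOR_RECORD = ("v=DMARC1; p=none; rua=mailto:dmarc-reports@yourbusiness.co.nz; "
                  "ruf=mailto:dmarc-reports@yourbusiness.co.nz; fo=1; pct=100")

# mailto: URI, optionally with a report-size limit such as !10m.
MAILTO_RE = re.compile(r"mailto:[^@\s,]+@[^@\s,]+(?:!\d+[kmgt]?)?", re.IGNORECASE)


def parse_dmarc(record):
    """Split a DMARC TXT record into an ordered list of (tag, value) pairs.
    Order matters because the standard requires v=DMARC1 to come first."""
    pairs = []
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        tag, value = part.split("=", 1)
        pairs.append((tag.strip(), value.strip()))
    return pairs


def validate_dmarc(record):
    """Return a list of problems; an empty list means the record is sound."""
    try:
        pairs = parse_dmarc(record)
    except ValueError as exc:
        return [str(exc)]
    tags = dict(pairs)
    problems = []
    if not pairs or pairs[0] != ("v", "DMARC1"):
        problems.append("record must start with v=DMARC1")
    if "p" not in tags:
        problems.append("missing required p= tag")
    elif tags["p"] not in POLICIES:
        problems.append(f"p must be one of {POLICIES}, got {tags['p']!r}")
    if "sp" in tags and tags["sp"] not in POLICIES:
        problems.append(f"sp must be one of {POLICIES}, got {tags['sp']!r}")
    if "pct" in tags and not (tags["pct"].isdigit() and 0 <= int(tags["pct"]) <= 100):
        problems.append("pct must be an integer from 0 to 100")
    for align in ("adkim", "aspf"):
        if align in tags and tags[align] not in ("r", "s"):
            problems.append(f"{align} must be r (relaxed) or s (strict)")
    for uri_tag in ("rua", "ruf"):
        for uri in tags.get(uri_tag, "").split(","):
            uri = uri.strip()
            if uri and not MAILTO_RE.fullmatch(uri):
                problems.append(f"{uri_tag} entry is not a mailto: address: {uri!r}")
    if "rua" not in tags:
        problems.append("no rua= address: you will never see the aggregate reports")
    return problems


def ramp_up(record):
    """Return the record for the next rollout stage (none -> quarantine -> reject).
    ruf= and fo= are dropped once past monitoring, matching the article's records;
    a record already at p=reject is returned unchanged."""
    pairs = parse_dmarc(record)
    tags = dict(pairs)
    if "p" not in tags:
        raise ValueError("record has no p= tag; validate it first")
    if tags["p"] == "reject":
        return record
    next_policy = POLICIES[POLICIES.index(tags["p"]) + 1]
    kept = [(tag, value) for tag, value in pairs if tag not in ("ruf", "fo")]
    return "; ".join(f"{tag}={next_policy if tag == 'p' else value}" for tag, value in kept)


if __name__ == "__main__":
    record = MONITOR_RECORD
    for stage in range(3):
        print(f"stage {stage}: {record}")
        print("  problems:", validate_dmarc(record) or "none")
        record = ramp_up(record)
```

Run stand-alone it prints the monitoring record, then the quarantine and reject records from the article, each validated clean; feeding it a record with the tags in the wrong order or a pct of 150 shows why the registrar's "record saved" message is not the same as a working policy.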
What it costs
Nothing in dollars. About 30 minutes for the initial setup, plus an hour over the next two months to read the reports and tighten the policy. The Postmark and DMARC Report free tiers cover a small business indefinitely.
What can go wrong
The single biggest source of pain is forgetting a service that legitimately sends as you. Common offenders:
- Your accountant sending you reports via Xero or your practice tool
- The Acuity / Calendly booking confirmations
- The marketing emails through Mailchimp / Brevo / Campaign Monitor
- The form-submission emails through your website host (Vercel, Web3Forms etc.)
The 30-day p=none monitoring catches all of these. If you go straight to p=reject without monitoring first, you will probably break something. Do not skip the monitoring.
A few things people get wrong
- They use SPF only. SPF alone breaks the moment any mail is forwarded: the forwarding server's IP is not in your SPF record, so it fails. You need DMARC with DKIM signing for forwarding to survive.
- They never move past p=none. Monitoring without enforcement is still no enforcement. Attackers still spoof you successfully. Get to p=reject.
- They use a free gmail.com or xtra.co.nz address for business email. None of this works for a free address: you do not own the domain. If you are running a business off a free email, the first IT job is moving to your own domain on Microsoft 365 or Google Workspace.
If you want it sorted in an afternoon
We run security audits that include the full SPF / DKIM / DMARC setup for a typical NZ SME, plus the 30-day monitoring window and the move to enforcement. Fixed price, usually $1,500 to $3,000 depending on how many sending services you have. Or read the whole thing above and do it yourself, that is the point of writing it down.
want this sorted
Tell us what is hurting.
A no-obligation chat, then a straight answer. Most owner-operator IT problems are smaller than they look once a real person digs in.