← back to blog
Managed Defense

Broken DMARC, SPF & DKIM: How Your Own Email Domain Becomes the Attack Vector

Hooded figure at laptop with DMARC, SPF, DKIM email authentication flow — domain spoofing risk

Here's the uncomfortable truth most SMBs never get told: your email domain can be turned against you if DMARC, SPF, and DKIM aren't configured correctly. Not hypothetically — actively.

In February 2026, Microsoft Exchange Online began flagging legitimate business emails as phishing and quarantining them. To be clear about the cause: this was a Microsoft-side filter bug — a newly deployed URL-detection rule that overcorrected and mistakenly tagged safe links as malicious, quarantining legitimate mail regardless of the sender's authentication. It was the filter working too aggressively, not a DMARC alignment failure.

But it's a preview of where every provider is heading: aggressive enforcement. And when providers get aggressive, the domains with weak DMARC, SPF, and DKIM are the first ones swept up in the dragnet — alongside the spoofed mail they should be catching. Sysadmins watching that incident even noted that senders lacking DMARC were among the patterns most likely to get quarantined.

Why SMBs are hit harder than enterprises

SMBs rely on email heavily and defend it lightly. The realities we see every week: no dedicated email or security engineer, DNS records set once and never revisited, DMARC left in monitoring mode indefinitely, and blind trust in "Microsoft defaults." Industry data is blunt: most cyberattacks begin with email, DMARC enforcement adoption remains low globally, and SMBs are disproportionately hit by Business Email Compromise — one of the highest-loss attack types, often with no malware involved. This isn't a phishing-awareness issue. It's a domain-trust failure.

How misconfigured records create real risk

SPF (Sender Policy Framework)

SPF answers one question: who is allowed to send on behalf of your domain? Risk rises when SPF is overly permissive (~all instead of -all), bloated with unmanaged third-party includes, or broken by exceeding the 10-DNS-lookup limit. Result: attackers spoof your domain and still pass basic checks.

DKIM (DomainKeys Identified Mail)

DKIM cryptographically signs messages so recipients can verify integrity. Risk rises when not all outbound systems sign with DKIM, keys are weak or expired, or forwarding and relays break signatures. Result: inbox providers lose trust in your messages.

DMARC

DMARC is the enforcement layer — it tells providers what to do when SPF or DKIM fails. Common SMB failure points: p=none left in place permanently, no reporting visibility (rua), and alignment failures causing false positives. When signals don't align, providers act conservatively: legitimate emails get quarantined, while consistent-looking malicious mail may still land. That inconsistency is where attackers thrive.

How attackers abuse this

From an offensive viewpoint the playbook is simple: enumerate domains with DMARC set to p=none, review SPF for weak includes or soft fails, clone branding and sender patterns, send high-trust lures (invoices, wire changes, login notices), and let inbox providers do the social engineering. No exploit chains, no zero-days — just DNS misconfiguration.

What SMBs should do now

  • Move DMARC to p=reject after validation.
  • Tighten SPF to only authorized senders.
  • Ensure DKIM signs all outbound email.
  • Actively review DMARC aggregate reports.
  • Test delivery behavior, not just DNS syntax.

This is foundational security, not advanced maturity.

Built by hackers, not suits

We look at email the way attackers do — we don't just validate records, we simulate real spoofing attempts, analyze DMARC telemetry like threat intelligence, fix deliverability without breaking workflows, and translate email risk into business impact. If your DMARC policy is still set to none, attackers have already noticed. The only variable left is timing.

Is your email authentication actually protecting you? We analyze your DMARC telemetry like threat intel, fix deliverability without breaking workflows, and simulate real spoofing.

References & further reading

  1. BleepingComputer — Microsoft: Exchange Online flags legitimate emails as phishing (Feb 2026).
  2. FBI Internet Crime Complaint Center (IC3) — Annual Internet Crime Report (BEC losses).
  3. Verizon — 2025 Data Breach Investigations Report.
  4. Google & Microsoft — email authentication best practices (DMARC, SPF, DKIM).
$ ./read_next
SMB Advisory

The Mid-Market Meltdown: Why SMBs Are the Real Battleground

The real cyber war isn't at the Fortune 500 — it's in the under-resourced mid-market. Why your attack surface is everything you and your vendors touch, and how to defend the full threat lifecycle.