Broken DMARC, SPF & DKIM: How Your Own Email Domain Becomes the Attack Vector
By Paul Nieto IIIFeb 12, 20268 min read
Here's the uncomfortable truth most SMBs never get told: your email domain can be turned against you if DMARC, SPF, and DKIM aren't configured correctly. Not hypothetically — actively.
In February 2026, Microsoft Exchange Online began flagging legitimate business emails as phishing and quarantining them. To be clear about the cause: this was a Microsoft-side filter bug — a newly deployed URL-detection rule that overcorrected and mistakenly tagged safe links as malicious, quarantining legitimate mail regardless of the sender's authentication. It was the filter working too aggressively, not a DMARC alignment failure.
But it's a preview of where every provider is heading: aggressive enforcement. And when providers get aggressive, the domains with weak DMARC, SPF, and DKIM are the first ones swept up in the dragnet — alongside the spoofed mail they should be catching. Sysadmins watching that incident even noted that senders lacking DMARC were among the patterns most likely to get quarantined.
Why SMBs are hit harder than enterprises
SMBs rely on email heavily and defend it lightly. The realities we see every week: no dedicated email or security engineer, DNS records set once and never revisited, DMARC left in monitoring mode indefinitely, and blind trust in "Microsoft defaults." Industry data is blunt: most cyberattacks begin with email, DMARC enforcement adoption remains low globally, and SMBs are disproportionately hit by Business Email Compromise — one of the highest-loss attack types, often with no malware involved. This isn't a phishing-awareness issue. It's a domain-trust failure.
How misconfigured records create real risk
SPF (Sender Policy Framework)
SPF answers one question: who is allowed to send on behalf of your domain? Risk rises when SPF is overly permissive (~all instead of -all), bloated with unmanaged third-party includes, or broken by exceeding the 10-DNS-lookup limit. Result: attackers spoof your domain and still pass basic checks.
DKIM (DomainKeys Identified Mail)
DKIM cryptographically signs messages so recipients can verify integrity. Risk rises when not all outbound systems sign with DKIM, keys are weak or expired, or forwarding and relays break signatures. Result: inbox providers lose trust in your messages.
DMARC
DMARC is the enforcement layer — it tells providers what to do when SPF or DKIM fails. Common SMB failure points: p=none left in place permanently, no reporting visibility (rua), and alignment failures causing false positives. When signals don't align, providers act conservatively: legitimate emails get quarantined, while consistent-looking malicious mail may still land. That inconsistency is where attackers thrive.
How attackers abuse this
From an offensive viewpoint the playbook is simple: enumerate domains with DMARC set to p=none, review SPF for weak includes or soft fails, clone branding and sender patterns, send high-trust lures (invoices, wire changes, login notices), and let inbox providers do the social engineering. No exploit chains, no zero-days — just DNS misconfiguration.
What SMBs should do now
Move DMARC to p=reject after validation.
Tighten SPF to only authorized senders.
Ensure DKIM signs all outbound email.
Actively review DMARC aggregate reports.
Test delivery behavior, not just DNS syntax.
This is foundational security, not advanced maturity.
Built by hackers, not suits
We look at email the way attackers do — we don't just validate records, we simulate real spoofing attempts, analyze DMARC telemetry like threat intelligence, fix deliverability without breaking workflows, and translate email risk into business impact. If your DMARC policy is still set to none, attackers have already noticed. The only variable left is timing.
Is your email authentication actually protecting you? We analyze your DMARC telemetry like threat intel, fix deliverability without breaking workflows, and simulate real spoofing.