Broken DMARC, SPF & DKIM: How Your Own Email Domain Becomes the Attack Vector
Your email domain can be turned against you. How broken SPF, DKIM, and DMARC let attackers spoof you with no malware — and why 'p=none' is an open invitation.

Most small businesses buy "cybersecurity" the way they buy IT support: someone patches machines, answers tickets, and keeps email flowing. That's an MSP's world. But security is a different job with a different failure mode. When IT fails, you miss a meeting. When security fails, you can lose payroll, customer data, operations, and reputation — often in a single weekend.
This isn't an "MSPs are bad" post. Many are great at IT. This is about the moment an MSP crosses the line into "security provider" without the people, process, and hands-on-keyboard capability to back it up — and SMBs pay the price.
Security tools are necessary, not sufficient. If a "security program" is EDR installed, firewall in place, email filtering on, a compliance checklist completed, and a monthly PDF report — but nobody can hunt, triage, contain, investigate, and eradicate like it's their day job — then what you have is tool coverage, not security. Attackers already assume you have tools; modern intrusions are built around getting in anyway and moving quietly until impact is unavoidable. Per Verizon's 2025 DBIR, ransomware is heavily skewed toward smaller organizations. The question isn't "do you own EDR?" It's "can you run EDR like an incident responder when it matters?"
When you outsource IT, you often grant privileged access across your environment — RMM, remote access, admin accounts, backups, M365 tenants. That access is valuable, and attackers know it. Verizon's DBIR shows third-party involvement in breaches doubling from 15% to 30% year over year. NSA and CISA have warned that malicious actors target MSPs and pivot into customer environments, especially where privileged access is involved. If your MSP sells "cybersecurity," you're also inheriting their operational maturity — or lack of it.
Certifications show exposure to concepts. But many failures happen because teams can talk about security without executing it. Real incidents look like an impossible login that "could be travel," a suspicious PowerShell chain that "might be admin tooling," a mailbox rule quietly forwarding invoices out, a backup job that "succeeds" while attackers stage encryption, and a helpdesk tech approving MFA prompts because the CEO is yelling. Sophos' State of Ransomware 2025 found 63% of victims cited a lack of people or skills as a factor. Security is an operator problem.
A true operator with red-team depth asks: how would I break in here specifically? What would I do after access? Where would I hide and persist? Which logs catch me, which don't? What's the fastest path to business impact? Modern ransomware is rarely "spray and pray" — it's access + privilege + lateral movement + domain control + exfiltration + encryption. If your provider can't see and stop that chain early, the tools become expensive spectators.
MSPs keep businesses running — that's valuable. But cybersecurity is not "IT with extra licenses." It's a specialized operations function requiring practiced responders, adversary-aware engineering, real-time decisions under pressure, and continuous validation. When an MSP sells fear and a pile of tools without operators behind it, SMBs don't get safer — they get more confident right up until impact. In 2026, the winning strategy isn't "buy more tools." It's "buy fewer illusions."
Want a provider that can actually operate security under attack? We're not a generalist MSP. Ask us for a sanitized incident timeline, our MTTR, and who's on call at 2am.