DMARC, DKIM and SPF Audit and Configuration
Your domain's three email authentication records — audited, configured correctly, and verified in DNS. A targeted engagement for organisations that need email authentication without the full email security solution.
Three DNS records stand between your domain and anyone who wants to impersonate your firm.
SPF, DKIM, and DMARC are the three email authentication standards that protect your domain from being used by attackers to send fraudulent email in your firm's name. Together they form a chain: SPF controls who is allowed to send email from your domain, DKIM proves that email from your domain has not been tampered with in transit, and DMARC tells receiving mail servers what to do with email that fails both checks.
Without all three records correctly configured and enforced, an attacker can send a convincing email to your clients, suppliers, or staff claiming to be from your domain — with no technical indicator visible to the recipient that the email is fraudulent. This is the foundation of domain spoofing, which underlies supplier impersonation fraud, conveyancing fraud, and CEO impersonation attacks.
This engagement audits your current DNS records for all three standards, identifies every gap and misconfiguration, and implements correct records — progressing DMARC from monitoring mode to an enforced policy appropriate to your mail flow.
Sender Policy Framework
Publishes a list of every server and service authorised to send email on behalf of your domain. When a receiving mail server gets an email claiming to be from your domain, it checks whether the sending server is on this list. An absent or incomplete SPF record means unauthorised servers can send email from your domain without any technical warning to the recipient.
Most common gap: incomplete — legitimate platforms such as Microsoft 365, CRM systems, and marketing tools are not all included, causing legitimate email to be rejected.
DomainKeys Identified Mail
Adds a cryptographic signature to outbound email that allows receiving servers to verify that the email genuinely came from your domain and has not been altered in transit. Without DKIM signing, email from your domain can be intercepted and modified without detection — a prerequisite for certain man-in-the-middle attacks against professional services firms.
Most common gap: absent for Exchange Online, or not configured for authorised third-party sending platforms such as marketing tools and practice management software.
Domain-based Message Authentication, Reporting and Conformance
Instructs receiving mail servers what to do with email that fails SPF and DKIM checks — monitor only, quarantine, or reject. A DMARC policy set to reject means that email failing authentication is blocked before delivery. Without an enforced DMARC policy, even with SPF and DKIM in place, spoofed email can still reach recipients. DMARC also enables aggregate reporting — a daily feed of every server attempting to send email from your domain.
Most common gap: set to monitor mode only (p=none), providing reporting but no enforcement — email that fails authentication is still delivered.
Four steps. Correct records in DNS. Mail flow verified.
This is a bounded, one-time engagement. No ongoing management. No email security solution. Just the three authentication records, correctly configured and verified.
Audit of Current Records
Review of your existing SPF, DKIM, and DMARC DNS records — identifying gaps, errors, incomplete sender lists, and policy weaknesses. Identification of all legitimate sending platforms that must be included in the SPF record, including Exchange Online and any authorised third-party platforms.
SPF Configuration
Configuration of a correct and complete SPF record incorporating all identified legitimate sending sources, within the ten DNS lookup limit. Where existing SPF records exceed the lookup limit — a common cause of SPF failures — the record is restructured to comply.
DKIM Configuration
DKIM signing configured for Exchange Online. Where technically feasible, DKIM signing configured for additional authorised sending platforms identified during the audit. Where a platform does not support custom DKIM signing, this is noted in the Configuration Document.
DMARC Configuration and Enforcement
DMARC record configured with aggregate reporting directed to a monitored address. Policy progressed from monitoring mode to quarantine or reject enforcement, appropriate to your mail flow. Where a phased approach to full enforcement is required — typically where mail flow complexity requires monitoring before enforcement — a phasing plan is included in the Configuration Document.
DNS Publication and Verification
All three records published in DNS. Mail flow verified following publication to confirm that legitimate email is passing authentication and that no legitimate sending platform has been inadvertently excluded from the SPF record.
Configuration Document
Email Authentication Configuration Document delivered in PDF on completion — confirming audit findings, all records implemented with exact values, DMARC enforcement level applied, phasing plan where applicable, and verification of correct DNS publication.
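As an added illustration of the audit checks described above (not Konve IT's tooling), the sketch below counts the DNS lookups an SPF record costs against the ten-lookup limit and flags a DMARC policy that is not enforced. The zone data, domain names and function names are constructed for the example, DKIM is not covered, and a real audit would query DNS instead of a dictionary.

```python
import re

LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}  # RFC 7208 s4.6.4

# Constructed TXT records for illustration; names and values are not real DNS data.
ZONE = {
    "example.test": "v=spf1 include:_spf.mail.example include:_spf.crm.example "
                    "include:_spf.news.example mx a -all",
    "_spf.mail.example": "v=spf1 ip4:192.0.2.0/24 -all",
    "_spf.crm.example": "v=spf1 a mx ptr ~all",
    "_spf.news.example": "v=spf1 a mx exists:%{i}.bl.example redirect=_spf.mail.example",
    "_dmarc.example.test": "v=DMARC1; p=none; rua=mailto:dmarc@example.test",
}

def spf_lookups(domain, zone, path=()):
    """Count SPF terms that cost a DNS query, following include/redirect."""
    record = zone.get(domain, "")
    if domain in path or not record.lower().startswith("v=spf1"):
        return 0  # include loop, or no SPF record at this name
    count = 0
    for term in record.split()[1:]:
        m = re.match(r"[+\-~?]?([a-z0-9]+)(?:[:=]([^/\s]+))?", term, re.I)
        if not m or m.group(1).lower() not in LOOKUP_TERMS:
            continue
        count += 1
        if m.group(1).lower() in ("include", "redirect") and m.group(2):
            count += spf_lookups(m.group(2), zone, path + (domain,))
    return count

def dmarc_findings(domain, zone):
    """Flag a missing record, a non-enforcing policy, or absent aggregate reporting."""
    record = zone.get("_dmarc." + domain, "")
    if not record.strip().startswith("v=DMARC1"):
        return ["no DMARC record"]
    pairs = (t.split("=", 1) for t in record.split(";") if "=" in t)
    tags = {k.strip().lower(): v.strip() for k, v in pairs}
    findings = []
    if tags.get("p", "").lower() not in ("quarantine", "reject"):
        findings.append("DMARC policy not enforced (p=%s)" % tags.get("p", "missing"))
    if "rua" not in tags:
        findings.append("no aggregate reporting address (rua)")
    return findings

def audit(domain, zone):
    """Return the list of authentication gaps found for one domain."""
    findings = []
    if not zone.get(domain, "").lower().startswith("v=spf1"):
        findings.append("no SPF record")
    elif spf_lookups(domain, zone) > 10:
        findings.append("SPF needs %d DNS lookups (limit 10)" % spf_lookups(domain, zone))
    return findings + dmarc_findings(domain, zone)

if __name__ == "__main__":
    print(audit("example.test", ZONE))
```

On the constructed zone the nested includes push the SPF record over the limit even though the top-level record lists only five lookup terms, which is why the count has to follow each include.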
Multiple domains? The flat fee covers your primary email domain. Additional domains — trading names, legacy domains, subsidiary domains that send or receive email — are charged at £150 per domain and confirmed in the Statement of Work before commencement.
£150 / additional domain
Three records live in DNS. One document confirming it.
Completion is the point at which all three records are correctly published and Konve IT has verified that legitimate mail flow is unaffected. The Configuration Document follows on the same day.
Email Authentication Configuration Document
Delivered in PDF on completion. Confirms the audit findings for the existing records; all legitimate sending sources identified and how they are authorised in the SPF record; the exact values of the SPF, DKIM, and DMARC DNS records implemented; the DMARC enforcement level and phasing plan where applicable; and verification of correct DNS publication and mail flow.
Enforced DMARC Policy
Not monitoring mode. Not a partial configuration. DMARC progressed to an enforced quarantine or reject policy appropriate to your mail flow — so that email failing authentication is blocked, not just flagged. Where a phased approach is required, the policy is set to the highest enforceable level at the time of completion, with a documented phasing plan for progression to full enforcement.
Verified Mail Flow
Konve IT verifies that all legitimate sending platforms are passing SPF and DKIM authentication before closing the engagement. If any legitimate platform is failing authentication following record publication, Konve IT investigates and resolves the issue within seven working days at no additional charge.
Organisations that need email authentication without a full email security solution.
This is a standalone engagement. It does not include Mimecast or Proofpoint. It is specifically for organisations that want email authentication configured correctly and enforced — either as a starting point before a full email security deployment, or as the only email security change they need to make.
Your domain has no DMARC policy or a monitoring-only policy, and clients have received spoofed emails claiming to be from your firm.
Domain spoofing attacks on your clients are the most damaging reputational consequence of absent email authentication. Once a client receives a convincing fraudulent email from what appears to be your domain, trust is damaged regardless of whether they were deceived. Enforced DMARC stops those emails from being delivered.
A Cyber Essentials assessment has identified SPF, DKIM, or DMARC as gaps that need to be addressed before certification.
Email authentication is assessed under the Cyber Essentials user access control and secure configuration controls. Where a gap assessment identifies these records as missing or misconfigured, this engagement closes those specific gaps without requiring a full tenant remediation or email security deployment.
Your legitimate email is being marked as spam or rejected by recipients because your SPF record is incomplete or incorrectly configured.
An incomplete SPF record — one that does not include all platforms authorised to send email on your behalf — causes legitimate email to fail SPF checks and be marked as spam or rejected. This is a common problem for organisations that have added marketing tools, CRM systems, or practice management software without updating their SPF record. This engagement fixes it.
You want email authentication in place before deploying a full email security solution.
SPF, DKIM, and DMARC are a prerequisite for getting the maximum value from Mimecast or Proofpoint. Where a full email security deployment is planned but not yet ready to proceed — pending budget, pending decision, or pending another engagement — this standalone configuration ensures authentication is in place in the interim. The work is not duplicated when the full deployment proceeds.
This is email authentication only. Advanced email security is a separate engagement.
- Deployment of Mimecast, Proofpoint, or any email security solution
- AI-powered inbound filtering, impersonation detection, or attachment sandboxing
- Ongoing DMARC monitoring or policy management
- Configuration for additional domains beyond those confirmed in the SoW
- DKIM configuration for platforms that do not support custom DKIM signing
- Any follow-on work arising after completion — subject to a separate engagement
One flat fee. No per-user component.
Email authentication configuration does not scale with user count. The work is the same whether you have five users or fifty — audit the records, identify the sending sources, configure and publish, verify mail flow.
DMARC, DKIM and SPF Audit and Configuration
- Audit of existing SPF, DKIM, and DMARC DNS records — identifying gaps, errors, incomplete sender lists, and policy weaknesses
- SPF record configured to include all legitimate sending sources within the ten DNS lookup limit
- DKIM signing configured for Exchange Online and authorised third-party platforms where technically feasible
- DMARC policy configured and progressed to quarantine or reject enforcement, with aggregate reporting configured
- DNS publication and mail flow verification — legitimate email confirmed passing authentication before the engagement closes
- Email Authentication Configuration Document in PDF — exact record values, enforcement level, and phasing plan where applicable
Three steps. Records live within days.
This is a fast engagement. The questionnaire is short, the Statement of Work is straightforward, and the configuration is typically complete within three to five working days of commencement, subject to DNS access being available.
Complete the onboarding form
Download and complete the Konve IT Client Onboarding Form. Captures your organisation details, contacts, and primary email domain.
Complete the service questionnaire
Download and complete the Email Security Questionnaire, selecting the DMARC, DKIM and SPF Audit variant. Captures your current record status, DNS management platform, access arrangements, all authorised sending platforms, and any additional domains in scope.
Review and sign the Statement of Work
Konve IT issues a Statement of Work within two working days. On signature and payment of the £450 + VAT fee, the audit and configuration commences. DNS changes are typically implemented within 24 hours of Konve IT providing the required records.
Email Security Deployment
DMARC, DKIM, and SPF are the foundation. The full deployment adds AI-powered phishing detection, impersonation protection, payment instruction controls, and attachment sandboxing. From £600 + VAT.
Cyber Essentials
Cyber Essentials Full Programme
Email authentication is a Cyber Essentials requirement. Where this engagement closes the email authentication gap, the Full Programme takes your entire environment to a valid certificate.
Microsoft 365
Compliance-Aligned Tenant Remediation
Where the audit identifies that your Microsoft 365 tenant has broader security gaps beyond email authentication, tenant remediation addresses them comprehensively.