How Easy Is It to Impersonate Your Business?
Let’s imagine somebody wanted to impersonate your business.
Without the correct protections in place, they may be able to send an email that appears to come from your domain.
They don’t need to hack your Microsoft 365 account.
They don’t need to compromise your laptop.
They simply send an email pretending to be you.
And to the person receiving it, it can look completely legitimate.
That’s exactly the type of fraud SPF, DKIM and DMARC were designed to prevent.
One of the most common misunderstandings we come across is this:
“We’ve got email… so we must be secure.”
In reality, that’s often not the case.
Most email systems will happily send and receive messages—but that doesn’t mean they’re protected from impersonation. And that’s where problems start.
So what are SPF, DKIM and DMARC—and why do they matter?
Start With the Real Risk
Before we get into the acronyms, it’s worth understanding the problem they’re solving.
Most email-related fraud doesn’t look suspicious.
And in many cases, it appears to come from a genuine email address.
That’s because it’s not always about hacking systems. It’s about impersonation, timing, and pressure.
SPF – Where Your Email Is Allowed to Come From
SPF stands for Sender Policy Framework.
That sounds technical—but the idea is simple.
Think of SPF like an approved supplier list for your email.
You’re publishing a record that says:
“These are the systems allowed to send email on behalf of our business.”
So if an email claims to come from your business—but didn’t come from one of those approved systems—it gets flagged.
If it’s not on the list, we stop.
DKIM – Proving the Email Hasn’t Been Changed
DKIM stands for DomainKeys Identified Mail.
Think of it as a digital seal on your email.
When an email is sent, it’s signed. When it’s received, that signature is checked.
If anything has been changed—even slightly—the seal breaks.
No seal = something’s been tampered with.
DMARC – Deciding What Happens When Things Go Wrong
DMARC is what ties everything together. It answers the question:
“What do we do if something doesn’t look right?”
With DMARC, you can:
In simple terms:
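To make the three checks concrete, here is an added example (not code from Affirm IT or from the post above) that evaluates an incoming message the way a receiving mail server would: it looks up a constructed SPF record to see whether the sending address is on the approved list, takes the DKIM result as an input, and then applies the domain’s DMARC policy. The domain names, IP addresses and DNS records are made up for illustration.

```python
import ipaddress

# Constructed DNS TXT records for a fictitious business (not real lookups).
DNS_TXT = {
    "example-business.test": "v=spf1 ip4:203.0.113.0/24 include:mail-provider.test -all",
    "mail-provider.test": "v=spf1 ip4:198.51.100.10 -all",
    "_dmarc.example-business.test": "v=DMARC1; p=reject; adkim=s; aspf=s",
}

QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_check(domain, sender_ip, depth=0):
    """SPF: is sender_ip on the domain's approved-sender list? (ip4, include, all only)"""
    record = DNS_TXT.get(domain)
    if record is None or not record.startswith("v=spf1") or depth > 10:
        return "none"  # no list published (or too many includes): nothing to check against
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIER:
            qualifier, term = term[0], term[1:]
        if term.startswith("ip4:") and ip in ipaddress.ip_network(term[4:], strict=False):
            return QUALIFIER[qualifier]
        if term.startswith("include:") and spf_check(term[8:], sender_ip, depth + 1) == "pass":
            return "pass"
        if term == "all":  # the catch-all at the end of the list: "-all" means "if not listed, stop"
            return QUALIFIER[qualifier]
    return "neutral"


def dmarc_policy(domain):
    """DMARC: what the domain owner asked receivers to do with failing mail (p= tag)."""
    record = DNS_TXT.get("_dmarc." + domain, "")
    tags = dict(t.strip().split("=", 1) for t in record.split(";") if "=" in t)
    return tags.get("p", "none") if tags.get("v") == "DMARC1" else "none"


def dmarc_disposition(from_domain, sender_ip, mail_from_domain, dkim_pass, dkim_domain):
    """A message passes DMARC if SPF or DKIM passes AND that result is aligned with the
    visible From: domain. Strict alignment (exact domain match) is assumed here, as the
    constructed record's adkim=s / aspf=s requests."""
    spf_aligned = spf_check(mail_from_domain, sender_ip) == "pass" and mail_from_domain == from_domain
    dkim_aligned = dkim_pass and dkim_domain == from_domain
    if spf_aligned or dkim_aligned:
        return "deliver"
    return {"reject": "reject", "quarantine": "quarantine"}.get(dmarc_policy(from_domain), "deliver")
```

Note that a message from a look-alike domain with no records of its own simply gets no SPF or DMARC result at all, which is why these records protect your real domain but not a misspelt copy of it.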
Why This Matters in the Real World
We regularly show businesses examples where everything looks right at first glance.
The name is correct.
The signature is correct.
The wording feels normal.
But the domain is slightly altered—sometimes just one character.
That’s incredibly difficult to spot when you’re busy.
This isn’t about people being careless.
It’s about people being busy and trying to do their job.
This Isn’t About Blaming Staff
Fraud works because people are:
Your job as a business owner isn’t to ask people to be more suspicious—it’s to put systems in place that protect them.
It’s the First Line of Defence
SPF, DKIM and DMARC aren’t optional extras. They’re the basics.
They stop bad emails getting through in the first place, before your team ever has to make a judgement call.
Final Thoughts
Email is where most invoice fraud starts.
If your email security isn’t doing its job, everything else is already under pressure.
SPF, DKIM and DMARC give you that first layer of protection.
At Affirm IT, we take a practical approach to email security. We don’t start with jargon—we start with simple questions:
From there, we put the right foundations in place so your email works the way it should.
If you’re not sure where you stand today, don’t hesitate to get in touch with us.