SPF, DKIM, DMARC: The Email Security Trio Your Accounting Firm Needs
Accounting firms are the single most targeted sector for Business Email Compromise (BEC) — a fraud where attackers send emails that appear to come from a legitimate firm to redirect payments or extract financial data.
The reason accounting firms are targeted is simple: they communicate regularly with clients about money. An email from “your accountant” asking to update a bank account for an upcoming transfer is believable. And if your email domain isn’t properly configured, that email can genuinely appear to come from your address.
Three DNS records exist specifically to prevent this: SPF, DKIM, and DMARC.
SPF — Who Is Allowed to Send Email on Your Behalf
Sender Policy Framework (SPF) is a DNS record that lists the servers authorised to send email using your domain name.
When an email arrives claiming to be from @yourfirm.pl, the receiving mail server checks your SPF record. If the sending server isn’t on the approved list, the email fails SPF.
What a basic SPF record looks like:
v=spf1 include:_spf.google.com ~all
The ~all at the end means “soft fail” — emails from unlisted servers are marked as suspicious but still delivered. Change it to -all for a hard fail (reject).
Check yours: In a terminal or online DNS lookup tool, query:
dig TXT yourdomain.pl
If you don’t see a v=spf1 record, you have no SPF protection.
DKIM — A Cryptographic Signature on Every Email
DomainKeys Identified Mail (DKIM) adds a digital signature to every email your server sends. The signature is verified against a public key published in your DNS.
This means that even if an attacker sends email from a server that somehow passes SPF, they cannot replicate the DKIM signature — because they don’t have your private key.
DKIM is typically enabled in your email platform settings (Google Workspace, Microsoft 365, or your hosting provider). Once enabled, your DNS gets a record like:
selector._domainkey.yourdomain.pl TXT v=DKIM1; k=rsa; p=MIGfMA0...
DMARC — What to Do When SPF or DKIM Fails
Domain-based Message Authentication, Reporting and Conformance (DMARC) is the policy record that tells receiving mail servers what to do when an email fails SPF or DKIM checks.
v=DMARC1; p=quarantine; rua=mailto:dmarc@yourdomain.pl
The p= value controls what happens to failing emails:
- p=none — do nothing, just report (good starting point)
- p=quarantine — send to spam folder
- p=reject — block the email entirely
DMARC also sends you aggregate reports (rua=) showing who is sending email using your domain — including attackers. This is invaluable intelligence.
The Risk of Missing Records
A domain with no DMARC record (and many with only p=none) can be spoofed by anyone. Attackers sending emails from billing@yourfirm.pl will have those emails delivered to your clients’ inboxes with no spam warnings.
In our assessments, we find that over 70% of small accounting firms are missing at least one of these three records, and virtually none have DMARC set to reject.
How to Check Your Domain Right Now
- Go to MXToolbox SPF Lookup and enter your domain
- Go to MXToolbox DMARC Lookup and enter your domain
- Check your email platform’s admin panel for DKIM status
If any of these fail or are missing, contact your IT provider or email platform support. All three records can typically be configured in under an hour.
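As an added example (not code from the original article), the checks described above can be applied offline to the three TXT records you retrieve with dig or a lookup tool. The function names and finding texts are my own; the record strings used for the run at the bottom are constructed samples, not real DNS answers.

```python
import re

def parse_spf(txt):
    """Return (present, qualifier_of_all) for an SPF TXT record; qualifier is '+', '-', '~' or '?'."""
    if not txt or not txt.lower().startswith("v=spf1"):
        return False, None
    qualifier = None
    for term in txt.split()[1:]:
        m = re.fullmatch(r"([+\-~?]?)all", term.lower())
        if m:
            qualifier = m.group(1) or "+"  # a bare "all" is "+all": everything passes
    return True, qualifier

def parse_dmarc(txt):
    """Return the DMARC tags as a dict (p, rua, ...), or {} when there is no DMARC record."""
    if not txt or not txt.lower().startswith("v=dmarc1"):
        return {}
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    return tags

def assess(spf_txt, dkim_txt, dmarc_txt):
    """List the exposure findings for a domain given its SPF, DKIM and DMARC TXT values."""
    findings = []
    spf_ok, qual = parse_spf(spf_txt)
    if not spf_ok:
        findings.append("SPF missing: any server can send as your domain")
    elif qual in (None, "+", "?"):
        findings.append("SPF does not fail unlisted servers (no ~all/-all)")
    elif qual == "~":
        findings.append("SPF soft fail (~all): spoofed mail still delivered, only flagged")
    if not (dkim_txt and "v=dkim1" in dkim_txt.lower() and "p=" in dkim_txt.lower()):
        findings.append("DKIM key not published: signatures cannot be verified")
    dmarc = parse_dmarc(dmarc_txt)
    if not dmarc:
        findings.append("DMARC missing: receivers ignore SPF/DKIM failures")
    elif dmarc.get("p", "").lower() == "none":
        findings.append("DMARC p=none: failures are reported but still delivered")
    if dmarc and "rua" not in dmarc:
        findings.append("DMARC has no rua= address: you get no aggregate reports")
    return findings

if __name__ == "__main__":
    # Constructed sample records (the article's own examples), not real lookups
    for f in assess("v=spf1 include:_spf.google.com ~all",
                    "v=DKIM1; k=rsa; p=MIGfMA0",
                    "v=DMARC1; p=quarantine; rua=mailto:dmarc@yourdomain.pl"):
        print(f)
```

Feed it the TXT value of the domain itself, of selector._domainkey.yourdomain.pl and of _dmarc.yourdomain.pl; an empty finding list means all three records are present and set to fail spoofed mail.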
Want to know if your firm’s email domain is spoofable right now? Our free pre-scan includes a full email security check — SPF, DKIM, DMARC, and lookalike domain analysis. No cost, results in 24 hours.