WHAT BUSINESSES NEED TO KNOW ABOUT EMAIL AUTHENTICATION
WRITTEN BY: THOMAS SIRON, FOUNDER, TECHSCEND
If you run a small business (which I’m sure you do if you’ve landed on the HoLT’s blog posts!) and send emails to customers, suppliers or even partners, there is an important change coming that will affect how your emails are delivered (or even if they’re delivered at all).
From May 2025, Microsoft will begin enforcing stricter rules on email authentication, including the requirement for a properly configured DMARC record.
Microsoft is a little late to the party, as Google (Gmail) and Yahoo already enforced these standards (including SPF and DKIM) in late 2024.
While these changes are initially aimed at high-volume senders, they signal a wider shift in the industry. These protocols are no longer optional extras; they are becoming the baseline for all businesses using email.
Even if you only send a handful of emails each day, poor email authentication can cause your messages to go undelivered, be marked as spam, or leave your brand and domain vulnerable to spoofing attacks.
What is DMARC?
DMARC stands for Domain-based Message Authentication, Reporting and Conformance – yes, an absolute tongue twister.
It works alongside two other important protocols, called SPF and DKIM. These protocols help email providers check whether a message claiming to come from you and your domain is legitimate.
DMARC is the protocol where you get a say in what happens to emails that fail their legitimacy checks. You can tell providers to allow them through as normal, send them to spam or reject them altogether (enter the dreaded bounce back message!).
TLDR: DMARC helps protect your domain from impersonation and ensures that your real messages hit the inbox.
What Happens Without DMARC?
Without DMARC:
Your domain is more vulnerable to phishing and impersonation attacks (people pretending to be you and/or your business),
Email services may start to block or quarantine your messages (some providers have signalled that they intend to block messages that do not have a valid DMARC policy in place within the year!),
You will not have access to reporting data (we call these aggregate reports), which shows who is sending emails from your domain (legitimately or otherwise).
Even if you are not a bulk sender, the consequences can be real.
Can your business afford for invoices to be bounced, quotes to be blocked, newsletter open rates to plummet and booking confirmations to be undelivered? All of these will affect your bottom line.
Compliance and Best Practice
Proper Email Authentication is more than just a technical recommendation. It is backed by both industry regulation and national guidance.
The UK’s National Cyber Security Centre (NCSC) officially recommends that all businesses implement DMARC. Also, one thing that most small businesses do not know: if you accept card payments, PCI DSS v4.0 applies to you. This includes requirements for securing email communications. Email authentication plays a vital role in meeting those standards.
Image credit NCSC on X.com
Why May 2025 Matters
From May 2025, Microsoft will begin enforcing email authentication across services like Outlook and Office 365. Emails sent from domains without valid SPF, DKIM and DMARC records may see deliverability issues (even if you are only sending a few emails a day!).
What You Should Do
The good news is that getting started with DMARC is easier than you might think.
Here is a simple step-by-step plan you can follow to get on the right side of Judge Dredd:
1. Understand email authentication and why it matters. Watch this quick animation that we put together, which explains SPF, DKIM and DMARC in a fun way – https://www.youtube.com/watch?v=dVdW2mMjaxw
2. Check that SPF and DKIM are set up. You can use our free Email Scanner to see the current compliance status of your domain at – https://www.techscend.uk
3. Amend or add a DMARC record in ‘monitor’ mode. This allows you to receive the aggregate reports on your email activity, without affecting your deliverability.
4. Review your aggregate reports and tighten your policy. Make sure you’re confident that your setup is correct and move from a policy of ‘none’ to ‘quarantine’, and eventually, ‘reject’.
Final Thoughts
This shift in policy is not just a change for big businesses; it is the new normal for sending email in 2025 and beyond.
Email Authentication is no longer a ‘nice to have’; it’s a basic security control that protects your brand, improves email deliverability and supports compliance with regulations like PCI DSS, ISO 27001, Cyber Essentials and much more.
Even if Microsoft’s changes do not immediately impact your business, acting now puts you ahead of the curve, whilst ensuring that you do not have problems later.
Protect your inbox, your business, your customers, and your reputation.
ABOUT THE AUTHOR
Thomas is an incredible support within The HoLT community, and has helped countless members with IT struggles and sourcing tech equipment at great prices. He’s responsive, generous, and has yet to be faced with an IT issue he doesn’t know or can’t find the answer to. His IT service desk solutions have had rave reviews, as has his dancing at our Christmas party. His headline ain’t lying… he really is Pretty Fly for an IT Guy…