Email Authentication (SPF, DKIM, DMARC) for Sydney Business

Key facts

• SPF, DKIM, and DMARC are three DNS records that together verify the sender of an email and let receiving mail servers reject forgeries.
• Gmail and Yahoo made these records mandatory for bulk senders in February 2024, and Microsoft began enforcing them for Outlook.com, Hotmail, and Live from 5 May 2025.
• The threshold for the strictest rules is 5,000 messages a day to those providers, but Microsoft, Google, and Yahoo all recommend every sender have the records in place.
• A DMARC policy of at least p=none, aligned with SPF or DKIM, is the minimum to pass; p=quarantine or p=reject is what actually blocks spoofed mail.
• Misconfigured authentication is a common cause of legitimate email going to spam, so it affects deliverability as much as security.
• 4iT configures SPF, DKIM, and DMARC, then moves the policy to enforcement once reporting confirms nothing legitimate will break.

What are SPF, DKIM, and DMARC?

SPF, DKIM, and DMARC are three separate checks that a receiving mail server runs to decide whether an email is genuine. SPF (Sender Policy Framework) lists which servers are allowed to send mail for your domain. DKIM (DomainKeys Identified Mail) adds a cryptographic signature so the receiver can confirm the message was not altered and came from you. DMARC (Domain-based Message Authentication, Reporting, and Conformance) ties the two together, tells receivers what to do when a message fails, and sends you reports on who is sending mail in your name. You need all three working in alignment, not just one.

Why does every Sydney business need DMARC now?

DMARC moved from best practice to a practical requirement in 2024 and 2025. Gmail and Yahoo began requiring SPF, DKIM, and DMARC for bulk senders in February 2024, and Microsoft started enforcing the same for its consumer Outlook, Hotmail, and Live domains from 5 May 2025, rejecting non-compliant mail outright. The strict rules target senders pushing more than 5,000 messages a day, but the practical effect is broader: if your authentication is weak or missing, your invoices, quotes, and newsletters are the ones that quietly land in spam. The security benefit is the bigger prize. Without an enforced DMARC policy, anyone can send email that looks like it came from your domain, which is exactly how fake invoice and supplier scams start.

How does 4iT set up email authentication?

We start by finding every legitimate source of email for your domain, because the fastest way to break a business is to publish a strict policy that blocks your own accounting software or marketing platform. We map your Microsoft 365 tenant, any third-party senders, and your DNS, then publish correct SPF and DKIM records and a DMARC record at p=none so reporting starts flowing. We watch the DMARC reports, fix any legitimate sender that is not aligned, and only then move the policy to quarantine and finally reject. This is the safe path to full protection, and it is the part most businesses get wrong when they try it alone. It pairs naturally with the rest of your email and spam protection and wider cyber security.

How much does email authentication setup cost?

For most Sydney SMEs the initial setup is a short project rather than an ongoing cost. We scope it against the number of sending sources and your DNS setup, charged at our IT consulting rate of AU$165 per hour ex GST, with the typical single-domain configuration completed in a few hours. Where a business wants the DMARC reports monitored over time, which is sensible while moving from p=none to reject and for catching new spoofing attempts, we offer that as a small monthly managed service. We will give you a fixed estimate before any work starts.