By Jordan Polasek · July 18, 2026

Most phishing attacks that land in your inbox aren't sophisticated. They're cheap, automated, and rely on one thing: your email system letting a stranger pretend to be someone you trust. The good news is that closing that door doesn't take a big budget or a new platform. It takes about 10 minutes and one DNS record. We at BVTech walk Austin business owners through this fix constantly, and the payoff is wildly out of proportion to the effort.

Why spoofed emails get through in the first place

When someone sends an email claiming to be from your domain — say, an "invoice" from your own accounting address or a "wire request" from the owner — your mail system has to decide whether to trust it. By default, many domains give no clear instructions on who's allowed to send mail on their behalf. So the impersonation sails right through.

Three email authentication standards fix this: SPF, DKIM, and DMARC. Think of them as the guest list, the signature, and the bouncer. Most small businesses have one or two of these half-configured and DMARC missing entirely. That gap is exactly what attackers count on.

The 10-minute quick win: turn on DMARC

If SPF and DKIM are your credentials, DMARC is the policy that tells receiving servers what to do when an email fails those checks. Without it, a failing message often gets delivered anyway. With it, you decide the outcome.

Here's the fast version of the change:

  1. Confirm SPF exists. Check your DNS for a TXT record starting with v=spf1. Microsoft 365 and Google Workspace both publish the correct values in their admin help pages.
  2. Confirm DKIM is enabled. In Microsoft 365 or Google Workspace admin, turn on DKIM signing for your domain if it isn't already. It's a checkbox and a couple of DNS entries.
  3. Add a starter DMARC record. Create a TXT record named _dmarc.yourdomain.com with a value like v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com.

That p=none setting is intentional. It doesn't block anything yet — it just tells you who is sending mail as your domain, so you can see the problem before you enforce a rule. This is the safe way to start, and it takes minutes.

Don't stop at "none" — but don't rush past it either

DMARC in monitoring mode is a gift: for a couple of weeks, those reports show you every service sending email on your behalf. Your CRM, your invoicing tool, your marketing platform — all of it. Once you've confirmed the legitimate senders are properly authenticated, you tighten the policy.

The progression looks like this:

The mistake we see most often is jumping straight to reject and accidentally blocking your own newsletter or scheduling tool. Move deliberately. The 10-minute change gets you started safely; the follow-through over a few weeks gets you protected.

Your quick-win checklist

Why this small change matters so much

Blocking domain spoofing removes the single most convincing form of phishing: an email that appears to come from your own company. When an attacker can't impersonate your CEO or your billing department, their odds of tricking an employee into a wire transfer or password reset drop sharply. It also protects your reputation — spoofed emails sent to your customers make you look responsible for the fraud.

This is the kind of foundational cybersecurity that gets overlooked because it isn't flashy. There's no dashboard to admire, no alert popping up. But it quietly shuts down a huge category of attacks, which is exactly why it belongs at the top of every small business's list.

Email authentication is one of the highest-return moves in all of small-business security, and it's a natural fit inside a broader managed IT services plan that keeps these records monitored and enforced as your tools change. If you'd like us to audit your SPF, DKIM, and DMARC setup — or take email security off your plate entirely — reach out to the BVTech team at bvtech.org/contact. We help Austin businesses close this gap every week, and we'd be glad to help you close yours.