Your business email address can be spoofed without anyone hacking your account. An attacker can send an email that appears to come from your domain, your name, to your clients and suppliers. The email can ask clients to change payment details. It can contain malware. It can impersonate your company in a deal.
You will never see those emails. The replies go to the attacker.
This happens when your domain lacks the three DNS records that tell receiving mail servers to reject or flag spoofed emails. Those records are called SPF, DKIM, and DMARC. Checking whether your domain has them takes about three minutes. Fixing them, if they are missing, is a one-time configuration change.
Here is how to check and what to do with the results.
What email spoofing is and why it matters for Durban SMEs
Email spoofing is when someone sends an email using your domain name as the sender address, without having access to your mail server. They do not need to hack you. They do not need your password. They just need your domain name, which is the part after the @ in your email address.
When your domain has no authentication records in place, receiving mail servers have no way to verify that an email claiming to come from your domain actually did. It just passes through.
For a Durban SME, this means:
An attacker can email your clients claiming to be you. The email appears to come from your address. It might announce a bank detail change, ask for an urgent payment, or introduce a "new team member" who then collects information from your client.
An attacker can email your suppliers claiming to be you. Same principle.
You never receive responses to these emails, because replies go to an attacker-controlled address. You find out when a client calls to ask why you changed your banking details.
Business email compromise fraud enabled by domain spoofing costs South African businesses hundreds of millions of rand each year. Most of it is preventable.
The three DNS records that protect your domain
Think of your domain as having a public notice board where you post instructions for mail servers. The three records below are entries on that notice board.
SPF (Sender Policy Framework) lists the mail servers that are authorised to send email on behalf of your domain. When an email arrives claiming to be from your domain, the receiving mail server checks the SPF record. If the email came from a server not on the list, SPF instructs the receiver to treat it with suspicion.
DKIM (DomainKeys Identified Mail) adds a digital signature to every email you send. The signature is generated using a private key on your mail server and verified against a public key published in your DNS. If someone sends a fake email using your domain, the DKIM signature will not match, and the receiving server knows the email is not authentic.
DMARC (Domain-based Message Authentication, Reporting and Conformance) ties SPF and DKIM together and tells receiving mail servers what to do when an email fails authentication: quarantine it, reject it, or allow it through. DMARC also sends reports back to you showing how your domain is being used and where authentication is failing.
Without DMARC, even if you have SPF and DKIM in place, spoofed emails can still get through because there is no unified instruction to receiving servers about what to do with authentication failures.
How to run the Business Trust Check to see your domain's current status
Go to /business-trust-check.html. Enter your business domain name, which is the part after the @ in your email address. The tool will check whether your domain has valid SPF, DKIM, and DMARC records configured and show you the current status.
This takes about 60 seconds. No registration is required.
The results will show one of three statuses for each record: present and valid (green), present but incorrectly configured (yellow), or missing (red).
What a red or yellow result means and what to do next
Red on DMARC means your domain has no DMARC policy. Spoofed emails from your domain will pass through most mail servers without any quarantine or rejection action. This is the highest-risk configuration. Your domain can be used to send fraudulent emails to your clients and suppliers right now.
Red on SPF means your domain has no sender policy. Mail servers cannot distinguish between emails legitimately sent by you and emails sent by an attacker using your domain name.
Yellow on either typically means the record exists but is configured too loosely or incorrectly. A DMARC record with a policy of "none" tells receiving servers to monitor but not act on authentication failures. It is better than nothing, but it provides no actual protection.
Green on all three means your domain has the foundational email authentication layer in place. This does not guarantee your email cannot be spoofed in every scenario, but it closes the most common and damaging spoofing vector.
Why DMARC alignment matters for businesses that use third-party email senders
Many South African SMEs use third-party services to send email: bulk email marketing platforms, invoice software that sends PDF invoices by email, HR systems that generate automated emails, and booking systems. If those systems send email on behalf of your domain, they need to be authorised in your SPF record and DKIM configuration.
A DMARC policy set to "reject" will cause emails from unauthorised senders to be blocked, even if those senders are legitimate platforms you are paying for. Before you set DMARC to "reject," audit which platforms send email on behalf of your domain and ensure they are correctly authorised.
This is a one-time exercise. Done correctly, it takes about an hour with your hosting provider or IT support. It is something we assist with as part of a cybersecurity assessment.
How Ubuntu Guard can fix a failing domain configuration
If your domain check returns red or yellow results, the fix involves adding or updating DNS records. Most South African businesses have their domain registered with a local registrar such as AfriHost, Xneelo, HOSTAFRICA, or a similar provider. DNS changes are made through the registrar's control panel or through your IT support.
If you have in-house IT support, forward your Business Trust Check results to them. The records they need to add or correct are shown in the results.
If you do not have in-house IT support, we can do this for you as part of a cybersecurity assessment. The process is straightforward and the configuration, once in place, is low-maintenance.
Beyond domain authentication, a full assessment covers the other technical exposures that put your business at risk: unpatched systems, remote access vulnerabilities, backup gaps, and staff security awareness.
Check your domain now at /business-trust-check.html. If you want a full assessment, book one at /services/cybersecurity-assessment/.
The check is free. The fix is quick. The cost of not doing it can be measured in rand you cannot recover.
Reach us at [email protected].
Sources: - DMARC.org: Domain-based Message Authentication, Reporting and Conformance Overview (Accessed: 2026) - Google Workspace: DMARC Setup and Configuration Guide (Accessed: 2026) - Microsoft Defender: DMARC Implementation for Office 365 (Accessed: 2026)
© 2026 Ubuntu Guard Cybersecurity | Durban, South Africa ubuntuguard.co.za