Here is a question every South African business owner should be able to answer. Can a criminal send an email that looks like it came from your company's domain, to your clients, asking them to pay an invoice into a different bank account?
If your answer is "I don't know," you need to find out today. The test takes five minutes. The fix takes thirty.
Email spoofing is the technique that fuels business email compromise (BEC). The attacker does not need to hack into your inbox. They forge the "From" address on an email so it appears to come from you, your CEO, or your finance team. The recipient sees a familiar name and email address, trusts it, and follows the instructions. Usually those instructions are to pay an invoice into an attacker-controlled account.
Three email security records, called SPF, DKIM, and DMARC, stop this. The bad news is that a startling number of South African SMEs have not set them up.
The five-minute test: check your email security now
You do not need technical skills for this. Use any of these free tools.
MXToolbox. Go to mxtoolbox.com/emailhealth and type in your domain (for example, yourcompany.co.za). It checks your SPF, DKIM, and DMARC records and tells you what is missing.
DMARC Analyzer. Go to dmarcanalyzer.com/dmarc/dmarc-record-check and enter your domain. It reports whether you have a DMARC record and whether it is configured correctly.
Mail-Tester. Send an email from your business address to the unique address shown at mail-tester.com. You will get a score out of 10 and a list of any authentication issues.
If any of these tools shows that your SPF, DKIM, or DMARC records are missing or weak, your email can be spoofed. Keep reading.
If you would prefer a guided walkthrough, we built a free domain security check guide that takes you through the whole process.
What SPF, DKIM, and DMARC do
Think of sending a business email as sending a physical letter. SPF, DKIM, and DMARC are three different ways of proving that the letter genuinely came from your office, not from someone pretending to be you.
SPF (Sender Policy Framework) is a list of authorised couriers. It tells the world which email servers are allowed to send email on behalf of your domain. If a message claiming to be from you arrives from a server not on the list, the receiving system knows something is wrong.
DKIM (DomainKeys Identified Mail) is a wax seal. It adds a digital signature to every email you send, proving it has not been tampered with in transit. The receiving server checks this signature against a public key published in your DNS records.
DMARC (Domain-based Message Authentication, Reporting, and Conformance) is the policy that ties SPF and DKIM together. It tells receiving servers what to do when an email fails authentication: deliver it anyway, send it to spam, or reject it outright. Without DMARC, even properly configured SPF and DKIM are advisory. The receiving server has no instruction for what to do when something fails.
You need all three. SPF alone is not enough. DKIM alone is not enough. DMARC is the policy that makes them work together.
How to set them up
You need access to your domain's DNS settings. This is managed through your domain registrar (Afrihost, Hetzner, 1-grid, or wherever you registered your .co.za) or through your hosting provider's control panel.
If you are not comfortable editing DNS, ask your IT person or hosting provider. Show them this article. The changes themselves are straightforward, but a mistake in DNS can affect email delivery, so it is worth being careful.
SPF
An SPF record is a TXT record in your DNS that lists the servers authorised to send email for your domain.
Google Workspace: v=spf1 include:_spf.google.com ~all
Microsoft 365: v=spf1 include:spf.protection.outlook.com ~all
Both, plus Mailchimp: v=spf1 include:_spf.google.com include:servers.mcsv.net ~all
The ~all at the end means emails from unauthorised servers should be treated as suspicious (soft fail). Once you have confirmed everything works, you can change this to -all (hard fail) for stricter enforcement.
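The three records above are easy to get subtly wrong (a stray +all, a missing all term, or too many include: entries). The following is an added example, not code from the article or from any email provider: a small offline linter that parses an SPF record string, counts the DNS-lookup terms against the 10-lookup limit from RFC 7208, and reports whether the final all qualifier is strict, soft, or spoofable. It only inspects the text you pass in; resolving nested include: targets would need live DNS, which it deliberately does not do.

```python
"""Added example: an offline linter for SPF TXT record values.

Not the article's or any provider's code. It inspects only the record text you
paste in; checking nested include: targets would need live DNS lookups.
"""

# Terms that each cost one DNS lookup. RFC 7208 limits a record, including
# everything it pulls in through include: and redirect=, to 10 in total.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
NO_LOOKUP_TERMS = {"ip4", "ip6", "exp"}


def parse_spf(record):
    """Parse one SPF record string into its terms.

    Returns a dict: valid (structurally usable), includes, lookups (top-level
    only), all_qualifier ('+', '-', '~', '?' or None), redirect, problems, warnings.
    """
    result = {"valid": False, "includes": [], "lookups": 0, "all_qualifier": None,
              "redirect": False, "problems": [], "warnings": []}
    terms = record.strip().split()
    if not terms or terms[0].lower() != "v=spf1":
        result["problems"].append("record must start with v=spf1")
        return result

    for term in terms[1:]:
        qualifier = "+"                      # SPF default when none is written
        if term and term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        # Forms seen in practice: include:domain, redirect=domain, a/24, ip4:203.0.113.0/24
        name, sep, value = term.partition(":")
        if sep == "" and "=" in name:
            name, _, value = name.partition("=")
        name = name.split("/")[0].lower()    # drop a CIDR suffix such as a/24
        if name == "all":
            result["all_qualifier"] = qualifier
        elif name in LOOKUP_TERMS:
            result["lookups"] += 1
            if name in ("include", "redirect"):
                result["includes"].append(value)
            if name == "redirect":
                result["redirect"] = True
        elif name not in NO_LOOKUP_TERMS:
            result["problems"].append(f"unknown term: {term}")

    if result["lookups"] > 10:
        result["problems"].append("more than 10 DNS lookups: receivers return permerror")
    q = result["all_qualifier"]
    if q is None and result["redirect"]:
        result["warnings"].append("verdict depends on the redirect= target record")
    elif q is None:
        result["warnings"].append("no 'all' term: unlisted senders are treated as neutral")
    elif q in ("+", "?"):
        result["warnings"].append(f"'{q}all' lets any server pass or be neutral")
    elif q == "~":
        result["warnings"].append("~all is a soft fail; move to -all once mail flow is confirmed")
    result["valid"] = not result["problems"]
    return result


def assess(record):
    """Collapse a record into one verdict: strict, soft, spoofable, unresolved or invalid."""
    r = parse_spf(record)
    if not r["valid"]:
        return "invalid"
    if r["all_qualifier"] is None and r["redirect"]:
        return "unresolved"
    return {"-": "strict", "~": "soft"}.get(r["all_qualifier"], "spoofable")


if __name__ == "__main__":
    # The three records from the article, plus one deliberately weak one (constructed).
    for rec in ("v=spf1 include:_spf.google.com ~all",
                "v=spf1 include:spf.protection.outlook.com ~all",
                "v=spf1 include:_spf.google.com include:servers.mcsv.net ~all",
                "v=spf1 ip4:203.0.113.10 +all"):
        r = parse_spf(rec)
        print(f"{assess(rec):10} {rec}")
        for msg in r["problems"] + r["warnings"]:
            print("   -", msg)
```

Paste your own record in place of the sample strings. A verdict of "spoofable" means the record is present but does nothing to stop an unlisted server, which is the situation the article warns about; "invalid" usually means a typo or too many lookups, and receivers will ignore the record entirely.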
DKIM
DKIM setup depends on your email provider. Google Workspace and Microsoft 365 both generate the DKIM keys for you. You publish them in your DNS.
In Google Workspace, go to admin.google.com, navigate to "Apps" then "Google Workspace" then "Gmail" then "Authenticate email." Google gives you a TXT record to add to your DNS.
In Microsoft 365, go to the Microsoft 365 Defender portal, navigate to "Email & Collaboration" then "Policies & Rules" then "Threat policies" then "DKIM." Select your domain and follow the instructions to publish the CNAME records.
DMARC
Once SPF and DKIM are in place, add a DMARC record. Start with a monitoring-only policy so you can see what is happening before you start rejecting anything.
Add a TXT record for _dmarc.yourdomain.co.za with the value: v=DMARC1; p=none; rua=mailto:[email protected]
This tells receiving servers to send you reports about authentication results without rejecting any emails. Monitor those reports for a few weeks. Make sure legitimate email is passing. Once you are confident, change the policy to p=quarantine (sends failures to spam) and eventually p=reject (blocks failures entirely).
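Two things are worth automating here: checking that the DMARC record you published actually says what you think it says, and reading the aggregate reports that the rua= address receives. The block below is an added example, not code from the article or from any provider. It parses a DMARC record into its tags and flags a monitoring-only policy, a missing report address, or a partial pct=, then summarises a DMARC aggregate report in the XML layout defined in RFC 7489. The report is a constructed sample (trimmed to the elements the summary reads) and the dmarc@yourdomain.co.za address is a placeholder.

```python
"""Added example: check a DMARC record's tags and summarise a DMARC aggregate
(rua) report. Not the article's or any provider's code; the report below is a
constructed sample in the RFC 7489 Appendix C layout, and the rua address is a
placeholder."""
import xml.etree.ElementTree as ET


def parse_dmarc(record):
    """Split 'v=DMARC1; p=none; rua=mailto:...' into a tag dict (RFC 7489 section 6.3)."""
    tags = {}
    for part in record.split(";"):
        key, _, value = part.strip().partition("=")
        if key:
            tags[key.strip().lower()] = value.strip()
    return tags


def check_dmarc(record):
    """Return a list of findings; an empty list means present and enforcing."""
    tags = parse_dmarc(record)
    findings = []
    if tags.get("v") != "DMARC1":
        findings.append("record must start with v=DMARC1")
    policy = tags.get("p")
    if policy is None:
        findings.append("missing required p= tag")
    elif policy == "none":
        findings.append("p=none only monitors: spoofed mail is still delivered")
    elif policy not in ("quarantine", "reject"):
        findings.append(f"unknown policy p={policy}")
    if not tags.get("rua", "").startswith("mailto:"):
        findings.append("no rua=mailto: address, so you will receive no aggregate reports")
    if tags.get("pct", "100") != "100":
        findings.append(f"pct={tags['pct']}: policy applies to only that share of failing mail")
    return findings


# Constructed sample aggregate report: one legitimate server, one forwarder that
# still passes through DKIM, and one unknown source failing both checks.
SAMPLE_REPORT = """<?xml version="1.0"?>
<feedback>
 <report_metadata><org_name>receiver.example</org_name></report_metadata>
 <policy_published><domain>yourdomain.co.za</domain><p>none</p></policy_published>
 <record>
  <row><source_ip>203.0.113.10</source_ip><count>42</count>
   <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
  <identifiers><header_from>yourdomain.co.za</header_from></identifiers>
 </record>
 <record>
  <row><source_ip>192.0.2.9</source_ip><count>120</count>
   <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>fail</spf></policy_evaluated></row>
  <identifiers><header_from>yourdomain.co.za</header_from></identifiers>
 </record>
 <record>
  <row><source_ip>198.51.100.77</source_ip><count>5</count>
   <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
  <identifiers><header_from>yourdomain.co.za</header_from></identifiers>
 </record>
</feedback>"""


def summarise_report(xml_text):
    """Count messages passing and failing DMARC and list the failing source IPs.

    DMARC passes when the receiver's aligned DKIM or aligned SPF result is pass;
    the row/policy_evaluated values already reflect alignment.
    """
    root = ET.fromstring(xml_text)
    summary = {"reporter": root.findtext("report_metadata/org_name"),
               "domain": root.findtext("policy_published/domain"),
               "policy": root.findtext("policy_published/p"),
               "passed": 0, "failed": 0, "failing_sources": []}
    for rec in root.findall("record"):
        row = rec.find("row")
        count = int(row.findtext("count"))
        evaluated = row.find("policy_evaluated")
        if evaluated.findtext("dkim") == "pass" or evaluated.findtext("spf") == "pass":
            summary["passed"] += count
        else:
            summary["failed"] += count
            summary["failing_sources"].append((row.findtext("source_ip"), count))
    return summary


if __name__ == "__main__":
    for rec in ("v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.co.za",
                "v=DMARC1; p=reject; rua=mailto:dmarc@yourdomain.co.za"):
        print(rec, "->", check_dmarc(rec) or ["enforcing"])
    print(summarise_report(SAMPLE_REPORT))
```

When you read your own reports during the p=none monitoring weeks, a source with a large failing count is usually a legitimate service (a newsletter tool, a CRM, a forwarder) that is missing from your SPF or has no DKIM key; fix those first. A handful of failures from addresses you do not recognise is the spoofing this article is about, and is the reason to move on to p=quarantine and then p=reject.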
What happens if you do not set these up
Without SPF, DKIM, and DMARC, anyone in the world can send an email that looks like it came from your domain. That means a criminal can email your clients with an invoice that has their own banking details, pretending to be your finance team. They can send phishing emails to your suppliers under your name. They can impersonate your CEO to trick an employee into transferring money. They can use your domain to send spam, getting your real email flagged and blocked by spam filters everywhere.
This is not theoretical. We covered exactly this in our case study on how a Durban accounting firm nearly lost R380,000 to a Business Email Compromise attack. The domain that was spoofed had no DMARC policy at the time.
We check this in every assessment
Email authentication is one of the first things we check in every cybersecurity assessment we run. If your SPF, DKIM, or DMARC records are missing or misconfigured, we flag it immediately and help you fix it.
Do not leave your business email unprotected. The test takes five minutes. The fix takes thirty. The cost of skipping it can be six figures.
Book a cybersecurity assessment at /services/cybersecurity-assessment/. Or reach us at [email protected].
Sources
- MXToolbox: Email Health Check (Accessed: 2026)
- DMARC Analyzer: DMARC Record Check (Accessed: 2026)
- Microsoft Learn: Email authentication in Microsoft 365 (Accessed: 2026)
- Google Workspace Admin Help: Help prevent spoofing, phishing, and spam (Accessed: 2026)
© 2026 Ubuntu Guard Cybersecurity | Durban, South Africa
ubuntuguard.co.za