DMARC Implementation for a Gulf-Based Financial Services Firm

July 16, 2025

The Problem

Clients were getting fake emails. Some looked like payment requests. Others mimicked internal notifications. A few nearly succeeded. One came close to redirecting funds from a key commercial client. The company’s name was being used to defraud customers, and there was no technical control in place to stop it.

Internally, the team believed SPF and DKIM were enough. But records were broken, unused tools still had access, and dozens of third-party platforms were sending emails on behalf of the domain. No one had full visibility. No one owned the problem.

The damage wasn’t theoretical. It was active. Clients were reporting incidents. Legal was involved. Support teams were flooded with queries. Sales was losing trust with high-value accounts.

The Objective

Regain control over the company’s email infrastructure.
Eliminate all forms of domain misuse.
Protect operations without disrupting live mail systems.
Achieve full DMARC enforcement with precision and accountability.

What We Found

Over 30 domains and subdomains in use
Nine separate tools sending transactional or marketing emails
Multiple SPF records that failed lookup limits
DKIM selectors reused across platforms and regions
No DMARC policy configured on any domain
No team assigned to email authentication

Some platforms were still authenticating with long-expired keys. Others were using generic shared configurations across different customers. The company had no idea which tools were active, which were dormant, and which were being abused.

Meanwhile, malicious senders were hitting inboxes using the company’s name with no resistance.

The Fix

Step 1: Visibility

We implemented a p=none DMARC policy and routed reports to a centralized analytics platform. Within days, we saw the problem in numbers:

Over 1,800 spoofed emails per day
At least four unauthorized senders relaying mail from offshore IPs
One legitimate internal tool misconfigured and failing authentication silently

Step 2: Triage and Repair

We rebuilt SPF records from scratch and removed excess includes. DKIM keys were regenerated and aligned per sender. Tools that failed authentication were either fixed or disconnected. Shadow IT systems were blocked at the DNS level.

We coordinated with every external vendor to validate sending domains, update configurations, and confirm compliance.

Step 3: Controlled Enforcement

After four weeks of monitoring and cleanup, we moved to p=quarantine. Spoofed messages were now diverted or flagged. Business email traffic remained stable. No delivery disruptions.

After two more weeks of clean reporting, we enforced p=reject.

Results

Spoofed emails dropped from 1,800 per day to under 10
Fraudulent messages that once reached customer inboxes were now blocked at the gateway
Internal teams reduced email-related support cases by more than half
Third-party vendors were brought under strict control, with documented accountability
IT security took formal ownership of email infrastructure for the first time

The firm avoided a serious fraud incident. One client reported they would have followed a fake payment instruction had it not failed delivery under the new DMARC policy.

What This Changed

Email security was no longer buried under infrastructure tasks. It became part of risk management. For the first time, the company had provable control over its public-facing communications.

This wasn’t just about stopping phishing. It was about restoring credibility, reducing legal exposure, and proving to clients that their trust wasn’t misplaced.

Most organizations don’t act on email abuse until something breaks. This one nearly did. DMARC wasn’t a technical upgrade. It was a correction of ownership. Without it, anyone could impersonate the business. With it, that door was shut permanently.

Post Tags :