
Cloudflare just made DMARC management free: easier protection from email spoofing

One of the most effective ways to stop criminals from sending email that looks like it came from your business has always been a pain to set up. This week Cloudflare made that job a lot easier, and free, for anyone whose domain runs on its DNS.

What Cloudflare announced

On June 16, Cloudflare made its DMARC Management tool generally available, free for every domain using Cloudflare's nameservers. DMARC is the email standard that tells the world's mail servers which senders are genuinely allowed to send as your domain, and what to do with the ones that aren't. Getting it working means collecting and reading "reports" that arrive as dense XML files, which is exactly why so many businesses start and never finish. Cloudflare's tool ingests those reports for you and shows, in plain language, which senders are passing and failing (down to the IP). It flags SPF, DKIM, DMARC, and BIMI problems with fix-it recommendations, watches the tricky SPF 10-lookup limit, and walks you from monitoring (a policy of "p=none") toward full enforcement ("p=reject") without breaking your legitimate email along the way.

Why DMARC matters for a small business

  • Without enforcement, anyone can spoof your domain. Criminals send fake invoices and "urgent" requests that appear to come from your address, to your customers and your own staff. It's a leading form of business email compromise.
  • It protects your name, not just your inbox. The damage from a spoofed email usually lands on whoever received it, such as a customer who paid a fake invoice, and on the reputation your business depends on.
  • It helps your real email get delivered. Gmail and Microsoft increasingly require proper authentication to accept mail, so getting DMARC right also keeps your genuine messages out of the spam folder.
  • The reports were always the hard part. DMARC stalls at "monitoring" because nobody reads the XML. A tool that reads it for you is the missing piece.

What to do

If your DNS is on Cloudflare, turn DMARC Management on (it costs nothing) and use it to move from monitoring to enforcement over a few weeks. If your DNS is somewhere else, you still need DMARC: use another monitoring tool, or build your records with our free SPF & DMARC Generator and check where you stand today with the Email Security Checker. Whatever the vendor, the goal is the same: reach an enforced policy (p=reject) so nobody can send email as you. One caution: don't jump straight to p=reject. Start at p=none, watch the reports, fix your legitimate senders, then tighten. Otherwise you risk blocking your own invoices and newsletters.
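To show what "reading the XML reports" and "fix your legitimate senders, then tighten" mean in practice, here is an added example (not Cloudflare's code and not part of the original article) that totals DMARC pass/fail per sending IP from one aggregate report and lists known senders that still fail. The sample report, the KNOWN_SENDERS inventory and the function names are constructed for illustration, and the report is assumed to use no XML namespace.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample in the RFC 7489 aggregate-report layout (no XML namespace assumed).
# example.com and the 192.0.2.x / 198.51.100.x / 203.0.113.x addresses are documentation values.
SAMPLE_REPORT = """<feedback>
  <policy_published><domain>example.com</domain><p>none</p></policy_published>
  <record><row><source_ip>192.0.2.10</source_ip><count>120</count>
    <policy_evaluated><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row></record>
  <record><row><source_ip>192.0.2.10</source_ip><count>5</count>
    <policy_evaluated><dkim>pass</dkim><spf>fail</spf></policy_evaluated></row></record>
  <record><row><source_ip>198.51.100.25</source_ip><count>40</count>
    <policy_evaluated><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row></record>
  <record><row><source_ip>203.0.113.77</source_ip><count>7</count>
    <policy_evaluated><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row></record>
</feedback>"""

# Assumed inventory of IPs you expect to send as your domain (hypothetical values).
KNOWN_SENDERS = ["192.0.2.10", "198.51.100.25"]


def summarize(xml_text):
    """Return (published policy, {source_ip: {"pass": n, "fail": n}})."""
    # Reports come from third parties: refuse DTDs so entity tricks never reach the parser.
    if "<!DOCTYPE" in xml_text:
        raise ValueError("DTD not allowed in aggregate report")
    root = ET.fromstring(xml_text)
    policy = root.findtext("policy_published/p", default="none")
    totals = defaultdict(lambda: {"pass": 0, "fail": 0})
    for row in root.iterfind("record/row"):
        dkim = row.findtext("policy_evaluated/dkim")
        spf = row.findtext("policy_evaluated/spf")
        # DMARC passes when either the aligned DKIM or the aligned SPF result passes.
        outcome = "pass" if "pass" in (dkim, spf) else "fail"
        totals[row.findtext("source_ip")][outcome] += int(row.findtext("count", default="0"))
    return policy, dict(totals)


def failing_known_senders(totals, known):
    """Known senders that still fail DMARC; fix these before leaving p=none."""
    return [ip for ip in known if totals.get(ip, {}).get("fail", 0) > 0]


if __name__ == "__main__":
    policy, totals = summarize(SAMPLE_REPORT)
    for ip, t in sorted(totals.items()):
        label = "known" if ip in KNOWN_SENDERS else "unknown"
        print(f"{ip:15} {label:8} pass={t['pass']:4} fail={t['fail']:4}")
    print("policy:", policy, "| fix before tightening:", failing_known_senders(totals, KNOWN_SENDERS))
```

In this sample the unknown IP failing both checks is the kind of mail p=reject is meant to block, while the known sender at 198.51.100.25 would have its mail rejected too until its SPF or DKIM is fixed.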

Source: Cloudflare, Cloudflare DMARC Management is now generally available
