The Woodard Report

Stronger Email Security for Accounting Firms

Written by Dax Wiseman | Jul 16, 2026 3:51:14 PM

I wish I could add the guitar lick that follows this a cappella intro: “Suckers walk, money talks! But it can’t touch my three-lock box” - Sammy Hagar

I see it as an analogy for Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM), and Domain-based Message Authentication, Reporting, and Conformance (DMARC).

The Red Rocker is quoted as saying the song represents a philosophical concept focused on balancing the mind, body, and spirit to unlock personal potential. I guess I see it as protecting yourself, your clients, and your business to unlock security potential.

Recently, I have been running a vulnerability tool that is both helpful as a security tool and as a prospecting tool. One of the common problems I see is the lack of a properly aligned SPF, DKIM, and DMARC. With Gmail, Microsoft 365, and a slew of advanced email scanning products on the market, it is surprisingly easier to set up than it has been in the past.

These three simple yet powerful records work together to stop criminals from sending fake emails that look like they came from you or your firm. Cybercriminals send an estimated 3.4 billion fake emails a day globally. Reports indicate that over 90% of successful cyberattacks and data breaches start with a phishing scam.

Now, let’s set up your three-lock box.

SPF (Sender Policy Framework)

An SPF is like a guest list. It is a published record that lists only the mail servers that are allowed to send email as your domain. When another mail system receives an email claiming to be from your firm, it can check the list to verify. If the sending server is not on the list, it is a red flag. I prefer to think of it as a large, angry bouncer at the end of the line to get into the happening club of the rom-com we are watching that weekend. A little insight into my exciting life.

DKIM (DomainKeys Identified Mail)

DKIM is like a tamper-proof seal on an envelope. Every email gets a hidden digital signature tied to your domain. The receiving mail system checks that signature to ensure the message was not altered in transit and that it really came from the server you authorized to send it from in the SPF record.

DMARC (Domain-based Message Authentication, Reporting & Conformance)

While it would be a great DJ Name “D-MARC in the house”, DMARC is the policy that ties the first two together and tells the receiving mail server what to do when something fails. Without DMARC, SPF and DKIM are just informational, and nothing actually enforces them.

DMARC tells the receiving mail system, if a message claiming to be from us fails SPF or DMARC, then ignore it, quarantine it (junk folder), or reject it. It also gives you a way to be alerted if someone is trying to spoof your domain. You could have a perfect SPF and DKIM, but if your DMARC is set to none, it just monitors and does nothing. This allows criminals to pretend to be you and possibly trick your clients into sending sensitive data.

How to check your domain

I have used the website MX Toolbox for years. MX Toolbox is a totally free site that does have some paid features should you choose to subscribe. Here you can check your SPF, DKIM, and DMARC and get tips on how to properly align them. You can also do a quick search or talk to your favorite flavor of AI, but be careful.

Watch out for the gotchas

An SPF record looks like this: “v=spf1 include:spf.protection.outlook.com include:_spf-us.ppe-hosted.com ~all”. This is telling the receiving system that mail should come from Office 365 or Proofpoint only. If you are using any other system to send email as if they were you, something like Mailchimp or HubSpot, those records need to be in the SPF. If they are not, your email from those services could be rejected.

The SPF can still have holes. How many people send email from Outlook.com? Everyone on Microsoft 365; I’ve gotta think that is a high number.

DKIM requires setup on your email server side with a hosted email system. This is much easier than the days of having your email server in-house. Still, if you set it wrong and have a strict DMARC, all your email could be delivered to junk or rejected.

DMARC needs to be monitored before you just jump to ‘reject’. It can be worse than setting to ‘none’. At least your email will arrive at a client even if not protected with ‘none’.

Your DMARC can be set to ‘relaxed’ as well to cover any subdomains.

You need some professional help!

DNS records can break things and must be handled with care. Never give your website provider access to it; they don’t think about email. The sad thing about all these incorrect settings is that most of the prospects are paying monthly fees for their IT support.

Currently, an IT Managed Service Provider has no licensing requirements. The government is requiring it, but not the public sector. You can’t cut hair in most countries without a license, but you can spin up a managed service provider (MSP) and have full access to a client’s data. If you find it is not set up securely, have them set it up. If they can’t do it, I know a guy.

Make your provider work and ensure they are doing their job. If you find it is set up right, maybe send a thank you with the next payment.

These three items, when properly configured, can help battle the number one threat: phishing. Take the time to ensure they are set up properly, because as the song continues, “You find the key, you got the gold!