DMARC for law firms — stop client-email spoofing and BEC

You're worried about spoofed emails impersonating your firm to clients — fake wire instructions, fake invoices, fake partner requests — using your own domain.

Check your domain first — 10 seconds, free, no signup.
See your DMARC policy, SPF lookup count and every issue explained in plain English.
Run the free check →

What this means

Email impersonation of a trusted firm is the core of Business Email Compromise, and BEC is the second-costliest cybercrime category the FBI tracks. The FBI IC3's 2024 Annual Report (the most recent) records $16.6 billion in total reported internet-crime losses — a record, up 33% on 2023 — of which BEC accounts for $2.77 billion across 21,442 complaints. Law firms are prime targets because they sit on closings, settlements and escrow. A DMARC policy at p=quarantine and then p=reject stops attackers spoofing your firm's exact domain (it can't stop a look-alike domain or a compromised third-party mailbox — pair it with call-back verification of any payment change). Source: FBI IC3 Annual Reports (2024) · verified 2026-07-18.

What to do about it

Step 1. Publish SPF, DKIM and DMARC on every domain the firm sends from — the free check below shows current gaps.
Step 2. Collect a few weeks of aggregate reports so you can see every legitimate sender before enforcing.
Step 3. Move the policy to p=quarantine, then p=reject — only enforcement actually blocks exact-domain spoofing.
Step 4. Add a human control for money: verbally confirm any change to wire or payment instructions, since DMARC can't stop a compromised outside mailbox.

Frequently asked

Does my sector legally require DMARC by name?

Usually not by name — HIPAA, most legal-sector rules and UK charity guidance don't cite DMARC specifically. But they require protecting communications and preventing impersonation, and DMARC is the standard technical control that regulators, insurers and auditors expect you to use to meet that.

Will publishing DMARC block our own staff or member email?

No, not if you start correctly. A p=none policy is monitoring only and changes nothing about delivery. You only move to quarantine or reject after aggregate reports confirm every legitimate sender already passes — so real mail is never caught by surprise.

We're small and have no IT team — is this realistic?

Yes. The DNS side is a handful of records added once. The ongoing part is reading aggregate reports, which a plain-English monitoring tool does for you instead of leaving you to parse XML. Start with the free check below to see where you stand.

Don't want to babysit DNS records?
DMARCKeeper monitors your reports, names every sender, and walks you to full p=reject protection.
Start free monitoring →