You're worried about spoofed emails impersonating your firm to clients — fake wire instructions, fake invoices, fake partner requests — using your own domain.
Email impersonation of a trusted firm is the core of Business Email Compromise, and BEC is the second-costliest cybercrime category the FBI tracks. The FBI IC3's 2024 Annual Report (the most recent) records $16.6 billion in total reported internet-crime losses — a record, up 33% on 2023 — of which BEC accounts for $2.77 billion across 21,442 complaints. Law firms are prime targets because they sit on closings, settlements and escrow. A DMARC policy at p=quarantine and then p=reject stops attackers spoofing your firm's exact domain (it can't stop a look-alike domain or a compromised third-party mailbox — pair it with call-back verification of any payment change). Source: FBI IC3 Annual Reports (2024) · verified 2026-07-18.
p=quarantine, then p=reject — only enforcement actually blocks exact-domain spoofing.Usually not by name — HIPAA, most legal-sector rules and UK charity guidance don't cite DMARC specifically. But they require protecting communications and preventing impersonation, and DMARC is the standard technical control that regulators, insurers and auditors expect you to use to meet that.
No, not if you start correctly. A p=none policy is monitoring only and changes nothing about delivery. You only move to quarantine or reject after aggregate reports confirm every legitimate sender already passes — so real mail is never caught by surprise.
Yes. The DNS side is a handful of records added once. The ongoing part is reading aggregate reports, which a plain-English monitoring tool does for you instead of leaving you to parse XML. Start with the free check below to see where you stand.