In the majority of IFA firm assessments GOIA conducts, we find the same email security gap: a DMARC record that is either absent or set to a monitoring-only policy. This is not a complex technical failure. It is a configuration that takes less than a day to address. But until it is addressed, your firm's email domain can be impersonated - and the consequences for an IFA practice are serious.
What DMARC is and why it matters to an IFA firm
DMARC stands for Domain-based Message Authentication, Reporting and Conformance. Together with SPF (Sender Policy Framework) and DKIM (DomainKeys Identified Mail), it forms the technical foundation of email authentication - the set of controls that determine whether an email claiming to come from your domain actually came from your domain.
Without a correctly configured DMARC policy, a fraudster can send an email that appears to come from your managing director's email address to one of your clients. The email will look legitimate. It will display your domain name. And it will arrive in the client's inbox without any visible indication that it did not come from you.
For an IFA firm, this creates a specific and serious risk: fraudulent payment instructions. A client receives what appears to be an email from their adviser instructing them to transfer funds to a new account. The client, trusting the apparent source, complies. The funds are transferred to a fraudster. This is Business Email Compromise (BEC), and it is one of the most financially damaging cyber attacks targeting professional services firms in the UK today.
The NCSC reports that Business Email Compromise attacks cost UK businesses hundreds of millions of pounds annually. For IFA firms specifically, the risk is amplified by the trust relationship between adviser and client and the regular occurrence of financial instructions in the course of normal business.
What DMARC "none" actually means
A DMARC record set to "none" is a monitoring-only policy. It tells receiving mail servers to collect data about emails claiming to come from your domain but to take no action against fraudulent messages. In practical terms, it means that emails impersonating your domain will still be delivered to recipients. The only thing the "none" policy does is generate reports - reports that most firms are not configured to receive or review.
A DMARC record set to "quarantine" tells receiving mail servers to treat suspicious emails as junk. A record set to "reject" tells them to block such messages entirely. Moving from "none" to "reject" is the target configuration. Getting there requires some technical work to ensure that all legitimate email sources for your domain are correctly authenticated - but for most IFA firms, this process takes days rather than weeks.
How to check your firm's current DMARC status
You do not need technical expertise to check your firm's current email authentication posture. Type your firm's email domain into any publicly available DMARC lookup tool - there are several free ones online. The result will tell you whether you have a DMARC record and what its current policy is.
If the result shows no DMARC record, or a policy of "none", your firm's email domain can currently be impersonated. That is a governance finding as well as a technical one - because the NCSC's email security guidance, which the FCA references in its operational resilience framework, specifically identifies DMARC enforcement as a baseline control that firms are expected to have in place.
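The policy meanings above ("none", "quarantine", "reject") and the check described in this section can be applied without a third-party lookup tool. The following is an added example, not GOIA's own tooling: it parses the text of a DMARC DNS record, classifies the policy, and lists the findings an assessor would raise (monitoring-only policy, no report address, partial enforcement, unprotected subdomains). The domain names and records in SAMPLE_RECORDS are constructed placeholders; the optional lookup_dmarc_record function shells out to the standard dig utility and needs network access, so it is not used by the sample run.

```python
"""Parse and assess DMARC records (added example; sample data is constructed)."""
import subprocess
from dataclasses import dataclass, field
from typing import Dict, List, Optional

VALID_POLICIES = {"none", "quarantine", "reject"}


def parse_dmarc(record: str) -> Dict[str, str]:
    """Split 'v=DMARC1; p=none; rua=mailto:...' into a tag dictionary.

    Returns an empty dict if the record does not declare v=DMARC1; receivers
    ignore such a record, which is the same as having no DMARC record at all.
    """
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        part = part.strip()
        if "=" not in part:
            continue
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        return {}
    return tags


@dataclass
class Assessment:
    policy: str                 # 'missing', 'none', 'quarantine' or 'reject'
    enforcing: bool             # True only when spoofed mail is quarantined or rejected
    findings: List[str] = field(default_factory=list)


def assess_dmarc(record: Optional[str]) -> Assessment:
    """Turn a DMARC record (or None for no record) into an assessment."""
    if record is None:
        return Assessment("missing", False, ["No DMARC record: the domain can be impersonated"])
    tags = parse_dmarc(record)
    if not tags:
        return Assessment("missing", False, ["Malformed record (no v=DMARC1): treated as absent"])
    policy = tags.get("p", "").lower()
    if policy not in VALID_POLICIES:
        return Assessment("missing", False, ["Missing or invalid p= tag: record is ignored by receivers"])

    findings: List[str] = []
    if policy == "none":
        findings.append("p=none is monitoring only: spoofed mail is still delivered")
    if "rua" not in tags:
        findings.append("No rua= address: aggregate reports are not being received by anyone")
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = 100  # an unparseable pct is treated as the default of 100
    if policy != "none" and pct < 100:
        findings.append(f"pct={pct}: the policy is applied to only {pct}% of failing mail")
    subdomain_policy = tags.get("sp", policy).lower()  # sp defaults to p
    if policy != "none" and subdomain_policy == "none":
        findings.append("sp=none: subdomains of the firm's domain remain spoofable")
    return Assessment(policy, policy in ("quarantine", "reject"), findings)


def lookup_dmarc_record(domain: str) -> Optional[str]:
    """Fetch the live record for _dmarc.<domain> with dig (needs network and dig)."""
    out = subprocess.run(["dig", "+short", "TXT", f"_dmarc.{domain}"],
                         capture_output=True, text=True, check=False).stdout
    for line in out.splitlines():
        # dig prints TXT data as one or more quoted strings; join and unquote them
        txt = line.strip().replace('" "', "").strip('"')
        if txt.upper().startswith("V=DMARC1"):
            return txt
    return None


# Constructed sample records for the four postures an assessment commonly finds
SAMPLE_RECORDS = {
    "absent.example": None,
    "monitoring.example": "v=DMARC1; p=none; rua=mailto:dmarc@monitoring.example",
    "partial.example": "v=DMARC1; p=quarantine; pct=25; rua=mailto:dmarc@partial.example",
    "enforced.example": "v=DMARC1; p=reject; sp=reject; rua=mailto:dmarc@enforced.example",
}

if __name__ == "__main__":
    for domain, record in SAMPLE_RECORDS.items():
        result = assess_dmarc(record)
        print(f"{domain}: policy={result.policy} enforcing={result.enforcing}")
        for finding in result.findings:
            print("  -", finding)
```

To assess a real domain, pass lookup_dmarc_record("yourfirm.example") into assess_dmarc; an enforcing result with an empty findings list is the target configuration described above, and any "p=none" or "No DMARC record" finding is the gap this article describes.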
Why this appears in the governance assessment, not just the technical check
DMARC configuration is assessed in Domain 3 of GOIA's Executive Review, but the findings always surface in Domain 7 as well - accountability and governance clarity. The question is not only whether the configuration is correct. It is whether any director at the firm knew the configuration was incorrect, whether the IT provider has been asked about it, and whether there is a documented plan to address it.
A firm where the managing director is unaware of the DMARC gap has a governance problem. A firm where the managing director knows about it and has taken no action has a more serious governance problem. Both create regulatory exposure under FCA operational resilience guidance and, if a client suffers a financial loss as a result of email impersonation, a potential Consumer Duty failure.
The cost of fixing it
Zero. DMARC configuration is a DNS change. It requires no new software, no new subscriptions and no significant budget. The cost is the time of a competent IT administrator - typically a few hours to audit existing email sources and a few minutes to update the DNS record. If your current IT provider cannot implement this in a week when asked, that itself is a governance finding worth noting.
