DMARC for financial services: Consumer Duty, SM&CR and your domain

The FCA does not mandate DMARC - and copy that claims otherwise should make you trust the vendor less. Here is the accurate picture: where email impersonation sits under SYSC, Consumer Duty and SM&CR, and how monitored DMARC serves as evidence of reasonable steps.


Let us start with what the rulebook does not say, because in a regulated sector accuracy is the price of admission: the FCA Handbook does not name DMARC. No rule requires it. Any vendor telling a compliance officer that "the FCA requires DMARC" is overstating - and a compliance officer should hold that against them.

What the Handbook does require is the thing DMARC addresses. This post sets out the accurate chain: the obligations, where email impersonation sits within them, and why monitored DMARC (Domain-based Message Authentication, Reporting and Conformance) is one of the cleanest pieces of "reasonable steps" evidence a small or mid-sized firm can hold.

The obligations, accurately stated

Systems and controls. The SYSC sourcebook requires firms to maintain adequate risk management systems and controls proportionate to their business. The FCA has shown it will enforce against firms whose operational and security controls fall short - its actions against major firms over inadequate systems and controls are well documented. Cyber resilience sits squarely within SYSC's scope.

Consumer Duty. Firms must act to deliver good outcomes for retail customers and avoid causing foreseeable harm. Here is the connection that matters: criminals impersonating a regulated firm's email domain to defraud its customers is a known, recurring, documented attack pattern across the sector. A harm that is well documented across your industry, that targets your customers using your name, and that has a recognised, NCSC-recommended control available, sits uncomfortably close to the definition of foreseeable. A firm that has never assessed whether its domain can be impersonated will find that question hard to answer well after an incident.

SM&CR. The Senior Managers and Certification Regime attaches personal accountability: the relevant SMF holder must be able to show they took reasonable steps within their area of responsibility. "Reasonable steps" is an evidence game - contemporaneous, documented, dated. Which is precisely the gap a monitoring record fills.

The honest framing, then, is the one SealedMail uses everywhere: implementing and monitoring DMARC is consistent with your obligations under FCA SYSC and the Consumer Duty - a recommended control addressing a documented risk, not a named regulatory requirement.

The risk in concrete terms

Email impersonation of financial firms takes a specific shape: clients receive messages "from" their adviser or broker - a portfolio update with a link, a request to confirm details, urgent instructions about a transfer or a renewal. The firm's systems are never touched; its domain does the work. If the domain has no DMARC enforcement, sending such mail costs the criminal nothing and requires no compromise of anything.

The stakes scale with the sector. The average cost of a UK data breach reached £3.4m (IBM Cost of a Data Breach Report, 2024), and for an FCA-regulated firm the direct loss is rarely the worst of it - customer harm, notification obligations, regulatory attention and the SM&CR question "what steps had been taken?" follow behind.

DMARC enforcement removes the exact-domain version of this attack: once your policy reaches p=reject, mail claiming to be from your domain that cannot authenticate is refused by receiving providers before any client sees it. We are equally clear about the boundary: DMARC does not stop look-alike domains or compromised genuine mailboxes - see Business email compromise: what UK firms need to know for the full anatomy. It eliminates one category of attack completely and gives you documented visibility of attempts. For a grounding in the mechanics, see What is DMARC?.

Why monitoring is the part regulators and insurers actually see

A DMARC record is a configuration. Monitoring is a control. The difference matters in three rooms:

The compliance file. DMARC's aggregate reports - sent daily by Google, Microsoft and other providers - show every source sending email in your name and whether it authenticated. Interpreted weekly and filed, they constitute a continuous, dated record that the firm watches for impersonation of its brand. That is evidence of an operating control, not a one-off setting.
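As an added example (not SealedMail's code), here is a small Python parser for one DMARC aggregate (RUA) report in the RFC 7489 XML format, reducing it to the per-source authenticated/unauthenticated totals and the plain-English lines a dated weekly compliance note needs; the report content, IP addresses and the domain firm.example are constructed.

```python
import xml.etree.ElementTree as ET

# Constructed sample aggregate (RUA) report in the RFC 7489 XML shape.
# All values are made up; 'firm.example' is a placeholder domain at p=none.
SAMPLE_RUA = """<feedback>
  <report_metadata><org_name>example-mailbox-provider</org_name>
    <date_range><begin>1700000000</begin><end>1700086400</end></date_range>
  </report_metadata>
  <policy_published><domain>firm.example</domain><p>none</p></policy_published>
  <record><row><source_ip>203.0.113.10</source_ip><count>480</count>
    <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated>
  </row><identifiers><header_from>firm.example</header_from></identifiers></record>
  <record><row><source_ip>198.51.100.7</source_ip><count>12</count>
    <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated>
  </row><identifiers><header_from>firm.example</header_from></identifiers></record>
</feedback>"""

def summarise_rua(xml_text):
    """Return (published policy, per-source totals) for one aggregate report."""
    root = ET.fromstring(xml_text)
    policy = root.findtext("policy_published/p")
    sources = {}
    for rec in root.findall("record"):
        row = rec.find("row")
        ip = row.findtext("source_ip")
        count = int(row.findtext("count"))
        pe = row.find("policy_evaluated")
        # DMARC passes when either the aligned DKIM or the aligned SPF check passes
        aligned = "pass" in (pe.findtext("dkim"), pe.findtext("spf"))
        entry = sources.setdefault(ip, {"authenticated": 0, "unauthenticated": 0,
                                        "disposition": pe.findtext("disposition")})
        entry["authenticated" if aligned else "unauthenticated"] += count
    return policy, sources

def plain_english(policy, sources):
    """Lines suitable for a dated weekly note in the compliance file."""
    note = " (monitoring only, nothing blocked)" if policy == "none" else ""
    lines = [f"Published policy: p={policy}{note}"]
    for ip, s in sources.items():
        if s["unauthenticated"]:
            lines.append(f"{ip}: {s['unauthenticated']} unauthenticated messages in your name, "
                         f"disposition '{s['disposition']}' - identify the sender or treat as impersonation")
        else:
            lines.append(f"{ip}: {s['authenticated']} messages, all authenticated")
    return lines
```

Real reports arrive as gzipped or zipped XML attachments to the rua address in your DMARC record; unpack them first and feed each file to summarise_rua.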

The insurance renewal. Cyber insurers' questionnaires increasingly ask about email authentication specifically. "DMARC at p=reject, independently monitored, weekly written reports" answers in a sentence what would otherwise be an awkward paragraph.

The post-incident review. If a client is defrauded by a look-alike domain - which DMARC cannot prevent - the firm that can show its actual domain was at enforcement and monitored is in a categorically different position from the firm that never looked. Reasonable steps are judged on what you did about the risks you could control.

SealedMail's weekly reports are written for exactly this use: plain English, no dashboard, formatted so they can go straight from inbox to compliance file. We interpret the data - an unexplained cluster of unauthenticated sends from overseas IPs is explained as what it is, what it means, and whether action is needed.

Scope, stated plainly

SealedMail reports and explains; it does not remediate, does not change your DNS or systems, and does not guarantee deliverability or fraud prevention. The service is monitoring and evidence - the firm (or its IT supplier) acts on findings. For a regulated buyer this division of responsibility should be a feature: one accountable UK-based specialist, a fixed £49 per domain per month with no tiers or volume traps, support during UK business hours, and a deliverable your compliance function can actually read.

A proportionate first step

Establish the current position. SealedMail's Free Domain Health Check audits your domain's SPF, DKIM, DMARC, MTA-STS, TLS-RPT, BIMI and blacklist status and emails a scored, plain-English certificate - a clean baseline document for the risk register. Free, no sign-up, no sales call. Most firms discover their domain is at p=none (monitoring mode, blocking nothing) or has reports flowing nowhere - both findings worth knowing before someone else makes the discovery for you.

Shaun Cooke

Founder of SealedMail and a UK email-security specialist in DMARC, SPF, DKIM and email authentication for regulated sectors. He personally reads the DMARC and TLS reports behind every SealedMail account and writes the company's plain-English guides.