DMARC for accountants: why your firm's name is worth stealing
An email from your accountancy practice gets acted on - that trust is exactly what criminals exploit in payroll diversion and fake-invoice fraud. Here is what DMARC protects against for an accounting firm, what it cannot do, and where ICAEW and ACCA guidance fits.
Think about what an email from your practice can make happen. "Please pay this month's PAYE to the updated account." "HMRC have queried your return - confirm your details via this link." "Final reminder: settle the attached invoice before Friday." Clients act on emails from their accountant with less scrutiny than almost any other correspondence they receive - because the relationship is built on exactly that trust.
That is why accountancy firms are disproportionately attractive targets for email impersonation. The criminal does not need your client data or access to your systems. They need one thing: an email that appears to come from your domain. And unless your domain says otherwise, email's original design lets anyone send one.
This post explains where Domain-based Message Authentication, Reporting and Conformance (DMARC) fits for an accounting practice - what it genuinely stops, what it does not, and how it sits alongside ICAEW and ACCA expectations.
The three frauds that ride on an accountant's name
Payroll diversion. Firms running client payroll are a one-stop target: an email "from the firm" to a client's finance contact, or "from an employee" to the firm, requesting a change of bank details before the next run. The money leaves in the normal payroll cycle and the loss surfaces only when an employee asks where their salary went.
HMRC and agent-account phishing. Criminals impersonate firms to clients ("we need your Government Gateway code to file") and impersonate HMRC to firms. A compromised agent account is a skeleton key to every client's tax affairs - which is why HMRC's agent guidance puts such weight on credential security. A spoofed email bearing your real domain is the most convincing possible opening move for that attack.
Fake invoices and disbursement fraud. Around year-end and tax deadlines, clients expect emails from their accountant requesting payments - fees, liabilities, disbursements. A spoofed "updated bank details" email lands in precisely the window when it looks routine.
In each case, note what the attacker used: not a hacked system, just your name. Your firm can have impeccable internal security and still have its identity borrowed freely if the domain is unprotected.
What DMARC does for a practice
DMARC is a public instruction, published in your domain's DNS, telling every receiving mail server in the world: if an email claims to come from our domain and cannot prove it (via the SPF and DKIM authentication standards), reject it. Once your policy reaches enforcement, an email spoofing yourpractice.co.uk simply never reaches your client's inbox. The cheapest, most scalable version of all three frauds above is removed outright.
DMARC also reports back. Daily, providers such as Google and Microsoft send aggregate reports listing every source sending email in your domain's name and whether it authenticated. For a practice, that answers three questions worth having on file:
- Is anyone currently impersonating us? (Many firms discover active spoofing the first month they look.)
- Is our own email healthy - are the practice management software, the payroll platform and the tax filing system all authenticating correctly, or is legitimate client mail drifting into spam?
- Can we evidence this control to an insurer, a regulator or a client's due-diligence questionnaire?
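The three questions above can be answered from the aggregate reports themselves. The following is an added example, not SealedMail's code: it parses a constructed RUA report in the RFC 7489 XML layout (the domain is the post's yourpractice.co.uk; the source IPs and counts are invented) and turns it into the per-source pass/fail picture a practice manager would want on file.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample aggregate (RUA) report in the RFC 7489 XML layout.
# The reporter, source IPs and counts are invented for this example.
SAMPLE_REPORT = """<?xml version="1.0"?>
<feedback>
  <report_metadata><org_name>receiver.example</org_name></report_metadata>
  <policy_published><domain>yourpractice.co.uk</domain><p>none</p></policy_published>
  <record><row><source_ip>203.0.113.10</source_ip><count>420</count>
    <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated>
  </row><identifiers><header_from>yourpractice.co.uk</header_from></identifiers></record>
  <record><row><source_ip>198.51.100.7</source_ip><count>35</count>
    <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated>
  </row><identifiers><header_from>yourpractice.co.uk</header_from></identifiers></record>
  <record><row><source_ip>192.0.2.55</source_ip><count>12</count>
    <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>pass</spf></policy_evaluated>
  </row><identifiers><header_from>yourpractice.co.uk</header_from></identifiers></record>
</feedback>"""


def summarise_report(xml_text):
    """Return (published policy, {source_ip: {"pass": n, "fail": n}}).
    policy_evaluated already reflects alignment: a message passes DMARC
    when either its DKIM or its SPF result there is 'pass'."""
    root = ET.fromstring(xml_text)
    policy = root.findtext("policy_published/p")
    sources = defaultdict(lambda: {"pass": 0, "fail": 0})
    for rec in root.iter("record"):
        ip = rec.findtext("row/source_ip")
        count = int(rec.findtext("row/count"))
        dkim = rec.findtext("row/policy_evaluated/dkim")
        spf = rec.findtext("row/policy_evaluated/spf")
        outcome = "pass" if "pass" in (dkim, spf) else "fail"
        sources[ip][outcome] += count
    return policy, dict(sources)


def report_findings(xml_text):
    """Answer the three questions: impersonation, own-mail health, evidence."""
    policy, sources = summarise_report(xml_text)
    failing = {ip: s["fail"] for ip, s in sources.items() if s["fail"]}
    total = sum(s["pass"] + s["fail"] for s in sources.values())
    return {
        "policy": policy,
        "enforcing": policy in ("quarantine", "reject"),
        # sources that never authenticate are the ones to investigate
        "unauthenticated_sources": failing,
        "fail_share": round(sum(failing.values()) / total, 3) if total else 0.0,
    }
```

In the sample, 192.0.2.55 fails DKIM but passes aligned SPF, so it counts as a pass; only 198.51.100.7 sends wholly unauthenticated mail in the domain's name.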
Where ICAEW and ACCA fit - stated accurately
Neither ICAEW nor ACCA mandates DMARC, and we will not pretend otherwise. What is accurate: ICAEW treats cyber security as falling squarely within members' existing ethical duties - confidentiality (Code of Ethics subsection 114) and professional competence and due care (subsection 113, which the 2025 Code update expanded to require keeping up with relevant technology developments) - and its cyber security guidance recommends baseline controls including Cyber Essentials certification. ACCA's guidance for practitioners takes a similar line.
So the honest framing is guidance-level: implementing and monitoring DMARC is consistent with the professional duties you already carry, and it is the NCSC-recommended control for the email impersonation risk specifically. When a professional indemnity insurer's renewal questionnaire asks about email authentication - and they increasingly do - "DMARC at enforcement, monitored weekly, reports on file" is a complete answer rather than a hopeful one.
What DMARC does not do
Precision is part of the service, so: DMARC stops unauthenticated use of your exact domain. It does not stop look-alike domains (yourpractlce.co.uk), does not stop a criminal who has taken over a genuine mailbox and joined a real thread, and does not by itself guarantee your email's deliverability. Verification procedures for payment changes - a phone call to a known number - remain non-negotiable, and mailbox security (strong, unique passwords and multi-factor authentication) covers the takeover risk. DMARC removes one entire category of attack and gives you visibility of attempts; that is its job, and it does it completely.
For the wider anatomy of these frauds, see Business email compromise: what UK firms need to know.
The state most practice domains are in
When we health-check accountancy domains, the usual findings are: no DMARC record; a record at p=none (monitoring mode - blocks nothing); or reports going to an address nobody reads. All three look fine from inside the practice. All three leave the firm's name available to anyone.
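The three findings can be checked mechanically from the domain's _dmarc TXT record. This is an added example, not SealedMail's health-check code: it takes the record string (or None when no record exists) plus a constructed list of report mailboxes someone actually reads, and goes one step beyond the post by also flagging a pct tag below 100, which waters down an otherwise enforcing policy.

```python
def parse_dmarc_record(txt):
    """Parse a DMARC TXT record into a tag dict; None if it is not one.

    RFC 7489 requires the record to start with v=DMARC1."""
    if txt is None:
        return None
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags if tags.get("v", "").upper() == "DMARC1" else None


def health_check(txt, monitored_mailboxes=()):
    """Return the findings from the post as a list of strings.

    txt: the domain's _dmarc TXT record (None when no record exists).
    monitored_mailboxes: constructed list of rua addresses someone reads."""
    tags = parse_dmarc_record(txt)
    if tags is None:
        return ["no DMARC record: anyone can send as this domain"]
    findings = []
    # a missing p tag is invalid; treat it as p=none for the check
    policy = tags.get("p", "none")
    if policy == "none":
        findings.append("p=none: monitoring only, nothing is blocked")
    # pct below 100 (not covered in the post) weakens an enforcing policy
    pct = int(tags.get("pct", "100"))
    if policy != "none" and pct < 100:
        findings.append(f"pct={pct}: policy applies to only {pct}% of mail")
    rua = [a.strip() for a in tags.get("rua", "").split(",") if a.strip()]
    if not rua:
        findings.append("no rua: aggregate reports are not being collected")
    elif not any(a in monitored_mailboxes for a in rua):
        findings.append("rua goes to an address nobody reads")
    return findings
```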
If any of that sounds plausibly like your domain - and for most firms it is - the first step costs nothing. SealedMail's Free Domain Health Check audits your SPF, DKIM, DMARC, MTA-STS, TLS-RPT, BIMI and blacklist status and emails you a scored, plain-English certificate for the practice's compliance file. No sign-up, no obligation.
If you then want the monitoring handled - reports received, interpreted and explained in a weekly email written for a practice manager rather than an IT department - that is SealedMail's core service: £49 per domain per month, monthly rolling, UK-based. Start with What is DMARC? if you would like the full plain-English grounding first.