Your Clients Can Receive Phishing Emails That Look Like They Came From You
Someone could send your client a wire transfer instruction from your domain right now. Not a lookalike domain. Not a Gmail address with your name on it. Your actual domain. And unless your client calls your office to verify, they have no way to know it is not real.
83% of RIA domains are unprotected
We scanned 8,802 SEC-registered investment adviser websites. Of those, 83% had no DMARC record at all. That means there is nothing stopping an attacker from sending emails that appear to originate from those firms' domains.
No spoofed lookalike domain. No clever misspelling. The actual domain your clients recognize and trust, showing up in their inbox with a message that says "Please wire $47,000 to the following account for the closing on your new property."
If your firm is in that 83%, this is not a hypothetical risk. It is a capability that exists today and costs an attacker almost nothing to exploit.
What DMARC, SPF, and DKIM actually do
Email was built in the 1980s without any authentication. By default, anyone can send an email claiming to be from any address. Three protocols were created to fix this, and they work together:
- SPF (Sender Policy Framework) publishes a list of servers authorized to send email on behalf of your domain. When a receiving server gets an email claiming to be from your domain, it checks whether the sending server is on your list.
- DKIM (DomainKeys Identified Mail) attaches a cryptographic signature to outgoing emails. The receiving server can verify this signature against a public key published in your DNS records, proving the email was not altered in transit and was sent by an authorized system.
- DMARC (Domain-based Message Authentication, Reporting and Conformance) ties SPF and DKIM together and tells receiving servers what to do when an email fails both checks: deliver it anyway, quarantine it, or reject it outright. Without DMARC, a failed SPF or DKIM check usually results in nothing — the email gets delivered.
Think of it this way: SPF is the guest list. DKIM is the wristband. DMARC is the bouncer who actually turns people away at the door. Without all three, you have a guest list that nobody enforces.
How wire fraud actually happens
Here is how this plays out in practice. These are not contrived scenarios — each pattern has appeared in FBI IC3 complaints and SEC enforcement actions:
The wire redirect
An attacker sends your client an email from your domain informing them that the firm has updated its banking details. The email includes new wire instructions for an upcoming transfer. The client has no reason to question it — the email is from the domain they always get emails from. They wire the money. It is gone.
The account update
An email from your domain asks the client to "verify their account information" by clicking a link and logging in. The link goes to a convincing replica of your client portal. The client enters their credentials. The attacker now has access to the real portal.
The tax document request
During tax season, an email from your domain asks the client to upload their tax documents to a "secure portal" for the firm's records. The client uploads W-2s, Social Security numbers, and bank statements. The attacker has everything they need for identity theft.
In each case, the client did nothing wrong. They received an email from a domain they trust and acted on it. The firm, by failing to implement email authentication, left the door open.
What SEC examiners are looking for
The SEC has made cybersecurity a priority examination topic every year since 2020. Under the amended Regulation S-P, investment advisers are required to adopt written policies and procedures that address administrative, technical, and physical safeguards for customer records and information.
Email authentication falls squarely within the "technical safeguards" requirement. During examinations, SEC staff have asked for:
- Documentation of email security controls, including SPF, DKIM, and DMARC configurations
- Evidence that the firm monitors for unauthorized use of its domain
- Incident response procedures specific to email-based attacks
- Client communication policies for sensitive transactions like wire transfers
If you have no DMARC record, you have no documentation to provide. If an examiner checks your domain's DNS records — which takes about 10 seconds — and finds no DMARC, that is a finding. And it is one that calls your entire cybersecurity posture into question.
The fiduciary angle
As a registered investment adviser, you owe your clients a fiduciary duty. That duty extends to protecting their assets, and in 2026, their assets are inseparable from their data.
If a client loses money because someone spoofed your domain and you had done nothing to prevent domain spoofing — no SPF, no DKIM, no DMARC — you will face hard questions. From the client. From their attorney. From the SEC. And from your E&O carrier, who may question whether the loss was preventable.
Implementing email authentication is not optional cybersecurity hygiene. It is part of the same responsibility that requires you to safeguard client account credentials, verify wire instructions by phone, and maintain written information security policies under Reg S-P.
Why this is not just an IT problem
Many RIAs assume their email provider — Microsoft 365, Google Workspace — handles this automatically. They do not. Microsoft and Google configure SPF and DKIM for emails sent through their servers, but DMARC requires you to publish a DNS record for your domain. Your email provider cannot do this for you because they do not control your DNS.
If you use a managed service provider (MSP), they may or may not have configured DMARC for you. Based on our analysis of MSP-managed RIA domains, the gap is significant. Many MSPs focus on endpoint protection and patching and overlook email authentication entirely.
How to check your domain right now
You can check whether your domain has DMARC, SPF, and DKIM records in about 30 seconds:
- Go to BlackSheep's free domain scan.
- Enter your firm's domain.
- The scan checks your DNS records for SPF, DKIM, and DMARC configuration and tells you whether your domain is protected, partially protected, or exposed.
If the scan shows no DMARC record, your domain is currently spoofable. If it shows a DMARC record with a policy of p=none, you are monitoring but not enforcing — emails that fail authentication still get delivered to your clients.
What "good" looks like
A properly configured email authentication setup includes:
- SPF record that lists all authorized sending services (your email provider, your CRM, your marketing platform) and ends with `-all` to hard-fail unauthorized senders
- DKIM signing enabled for every service that sends email on your behalf
- DMARC record with a policy of `p=reject` or at minimum `p=quarantine`, with reporting enabled so you can see who is sending email as your domain
- Ongoing monitoring of DMARC reports to catch misconfigurations, new sending services that need to be authorized, and spoofing attempts
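The check described above and the "what good looks like" criteria, as an added example that is not BlackSheep's scanner code: it parses the SPF and DMARC TXT records for a domain and rates the posture. The sample TXT records and the rating labels (exposed, monitoring, partial, protected) are constructed for illustration; a real check would fetch the records from DNS instead of the inline dictionary.

```python
import re

# Constructed sample TXT records for illustration, not real scan data.
SAMPLE_TXT = {
    "_dmarc.good.example":     "v=DMARC1; p=reject; rua=mailto:dmarc@good.example",
    "_dmarc.monitor.example":  "v=DMARC1; p=none; rua=mailto:dmarc@monitor.example",
    "_dmarc.noreport.example": "v=DMARC1; p=quarantine",
    "good.example":    "v=spf1 include:spf.protection.outlook.com -all",
    "monitor.example": "v=spf1 include:_spf.google.com ~all",
}

def parse_dmarc(txt):
    """Return DMARC tags as a dict, or None if txt is not a DMARC record."""
    if not txt or not txt.strip().lower().startswith("v=dmarc1"):
        return None
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def spf_all_qualifier(txt):
    """Return the qualifier on the SPF 'all' mechanism ('-', '~', '?', '+'), or None."""
    if not txt or not txt.strip().lower().startswith("v=spf1"):
        return None
    match = re.search(r"(?:^|\s)([-~?+]?)all(?:\s|$)", txt.strip(), re.IGNORECASE)
    return (match.group(1) or "+") if match else None

def assess(domain, txt_lookup):
    """Rate a domain from its SPF and DMARC TXT records (assumed labels):
    exposed = no DMARC; monitoring = p=none; partial = p=quarantine; protected = p=reject.
    Returns (rating, list of findings)."""
    findings = []
    dmarc = parse_dmarc(txt_lookup.get("_dmarc." + domain))
    if dmarc is None:
        return "exposed", ["no DMARC record at _dmarc." + domain]
    policy = dmarc.get("p", "none").lower()
    rating = {"reject": "protected", "quarantine": "partial"}.get(policy, "monitoring")
    if "rua" not in dmarc:
        findings.append("no rua= tag: aggregate reports are not being collected")
    qualifier = spf_all_qualifier(txt_lookup.get(domain))
    if qualifier is None:
        findings.append("no SPF record")
    elif qualifier != "-":
        findings.append(f"SPF ends with {qualifier}all, not -all (soft fail)")
    return rating, findings
```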
How BlackSheep monitors this for you
BlackSheep's RIA compliance platform continuously monitors your domain's email authentication configuration. If your DMARC, SPF, or DKIM records change, break, or get removed, you get an alert. If someone attempts to spoof your domain and your DMARC policy is set to report, we surface that in your dashboard.
This is part of the broader Reg S-P compliance framework that also covers your written information security policies, incident response plan, and annual risk assessment — everything an SEC examiner expects to see documented.
Find out if your domain is exposed in 30 seconds.
Run a free domain scan