Email is how most attacks against a small contractor start — a phishing message, or a spoofed email pretending to be you. You shut both down with three DNS records: SPF (who's allowed to send as your domain), DKIM (a signature that proves the message wasn't tampered with), and DMARC (the policy that tells receivers to reject the fakes and reports who's impersonating you). It's some of the highest-leverage work in the whole System & Communications Protection family, and it's cheap.
Ask any incident responder how the bad guys got in, and the answer is boringly consistent: email. Not some zero-day, not a genius exploit — a convincing message that a busy person clicked. For a small defense contractor, that's the front door to controlled data, and it's standing wide open until you authenticate your mail.
CMMC Level 2 is built on the 110 controls in NIST SP 800-171, spread across 14 families. Email authentication doesn't get its own headline in the framework, but it lands squarely in the System & Communications Protection (SC) family — protecting the integrity and authenticity of what moves in and out of your systems — and it braces the awareness-training and identification controls that surround phishing defense. An assessor knows email is the top attack vector. Showing that you've hardened it is exactly the kind of thing they want to see.
The good news: this is one of the few controls you can genuinely knock out in an afternoon of setup plus a few weeks of watching reports. No new hardware, no per-seat license required to start. Just three records, done in the right order. Here's how it works and how to get it right.
Every other layer you build — the firewall, the backups, the MFA — assumes the attacker has to break in. Phishing skips all of it. A well-crafted email convinces someone on your team to hand over a password, wire a payment, or open a document that runs code, and now the attacker is inside with legitimate credentials. No alarm goes off, because from the system's point of view, nothing was broken.
That's what makes email authentication such a good dollar. It attacks the problem from two sides at once. Outbound, it stops criminals from spoofing your domain to phish your customers, your prime contractors, and your own people. Inbound, it helps your mail system spot and drop the spoofed messages aimed at you. And unlike a lot of security work, it produces clean, gradeable evidence — DNS records and reports an assessor can look at and check off.
These three get lumped together, but they do different jobs. You want all three, and DMARC only works when the first two are already in place.
Here's the scenario email authentication is built to stop. A criminal doesn't need to hack your mail server to send email that says it's from your company. They just craft a message with your domain in the "From" line and send it. Without DMARC at enforcement, most receiving servers will deliver it — because nothing told them your domain rejects mail that isn't really yours.
Now picture who that forged email targets. It goes to your prime contractor's accounts-payable clerk asking to change bank details. It goes to your own employee, appearing to come from the owner, asking for a gift card or a document. It goes to a government point of contact. Every one of those is your reputation and your contract relationship on the line, and none of it touched your network — so none of your other controls even saw it happen.
DMARC at p=reject ends it. When your policy says reject, receiving servers throw away any message claiming to be from your domain that can't prove it. The spoofed email never reaches the inbox. That's the payoff: you're not just protecting yourself, you're protecting everyone who trusts an email with your name on it.
The one mistake that scares people off DMARC is turning on reject too fast and blocking your own legitimate mail — the payroll system, the CRM, the newsletter tool that sends on your behalf. Don't. DMARC is designed to be rolled out in stages, and if you follow the stages you never break a thing.
p=none. This monitors and reports without affecting delivery. You publish the record, then read the reports to find every legitimate service sending as your domain — there are always more than you think.p=quarantine. Now failing mail goes to spam instead of the inbox. You keep watching reports to confirm nothing legitimate is getting caught.p=reject. Once you're confident, tighten to reject. Spoofed mail is now blocked outright. This is the enforcement posture that actually protects you and your domain.The whole progression usually takes a few weeks, most of it just waiting and watching reports. The work is small. The discipline is in not skipping straight to reject before you know your real mail passes.
Here's the honest friction: DMARC reports arrive as raw XML, sent by every mail receiver on the internet that handled your messages. Reading those by hand to figure out which senders are legitimate and which are forgers is miserable and easy to get wrong — and getting it wrong is exactly how you end up blocking your own invoices or, worse, staying stuck at p=none forever because you never felt safe tightening.
EasyDMARC is the platform I point small contractors to for this. It ingests those raw DMARC reports and turns them into a plain-English dashboard — every source sending as your domain, what's passing, what's failing, and why — so you can actually see your mail flow instead of squinting at XML. It walks you from p=none monitoring to p=reject enforcement without blocking legitimate senders, and its SPF and DKIM tooling helps you keep those records correct as you add and drop services. For a shop that wants email authentication done right and documented for an assessor — without hiring an email admin — it's the straightest line to enforcement. Genuinely one of the better-value tools in this whole stack.
Could you do this by hand in DNS? For a tiny, single-sender setup, sure. But the moment you've got a mail tenant plus a CRM plus an invoicing tool plus a newsletter — which is most shops — the reports are the hard part, and a tool that reads them for you is the difference between reaching p=reject in a few weeks and giving up at monitoring.
Authentication stops spoofed mail. It does not stop a real message from a real (compromised) account, or a slick phishing page hosted somewhere your DMARC policy has no say. Technology closes most of the door; your people close the rest.
So pair the email work with two things. First, train your team to slow down on anything asking for credentials, payments, or urgency — that awareness is itself a control family. Second, back it with phishing-resistant hardware MFA, so that even when someone does get fooled into typing a password, the attacker still can't get in without the physical key. Authentication, training, and MFA together are what actually close the channel attackers use most.
Not sure where email security sits against everything else you owe? Run the free SPRS score estimator — it shows you where you stand across the 110 controls in about two minutes, so you can knock out the quick wins like this one first.
Authenticating your email is a clean win — but it's one line on a long checklist. Passing the assessment means documenting the whole thing: a System Security Plan written to your environment, the 20 required policies, a POA&M template, and the per-control SPRS scorer. The CMMC Level 2 DIY Compliance Kit is that entire paperwork layer, editable, built for a small shop doing this itself.
They're the three DNS-based standards that prove an email really came from your domain. SPF lists which servers are allowed to send mail for you. DKIM adds a cryptographic signature so a message can't be tampered with in transit. DMARC ties the two together, tells receiving servers what to do with mail that fails (quarantine or reject), and sends you reports on who's sending as your domain. Together they stop attackers from spoofing your address.
CMMC Level 2 doesn't name DMARC in a single line item, but it's built on the 110 NIST 800-171 controls, and email authentication maps directly to the System & Communications Protection family and the awareness and identification controls that surround phishing defense. Since email is the number-one way attackers reach controlled data, an assessor expects to see that you've hardened it. SPF, DKIM, and DMARC are the standard, gradeable way to show that work.
The DMARC policy tag tells receiving mail servers what to do with messages that claim to be from your domain but fail authentication. p=none only monitors and reports. p=quarantine sends failing mail to spam. p=reject blocks it outright, so a spoofed email pretending to be your company never lands in anyone's inbox. Reject is the goal — but you get there in stages, starting at none to watch reports, then tightening once you're sure legitimate mail passes.
It works two ways. Outbound, DMARC at enforcement stops criminals from spoofing your domain to phish your customers, primes, and teammates — protecting your reputation and your contract relationships. Inbound, the same authentication checks help your mail system flag or block spoofed messages pretending to be a vendor or your own leadership. Pair that with user training and phishing-resistant MFA and you've closed the door attackers use most.
You can publish SPF, DKIM, and DMARC records by hand in DNS, and small setups do. The hard part is the DMARC reports: they arrive as raw XML from every mail receiver on the internet, and reading them to confirm your legitimate mail passes before you turn on enforcement is tedious and error-prone. A DMARC platform parses those reports into plain English, shows you who's sending as your domain, and walks you from monitoring to reject without blocking your own invoices. For most small shops the tool pays for itself in saved hours.
No — and no single tool will. SPF, DKIM, and DMARC are a strong, gradeable piece of the System & Communications Protection and anti-phishing story, but CMMC Level 2 is 110 controls across 14 families. Email authentication is one important layer; you still need boundary protection, access control, media protection, an SSP, and the rest. Treat DMARC as one clean win on a longer checklist, document it, and move to the next control.