DMARC explained: why someone is sending emails as your business

February 8, 2026

Your client just called. They received an invoice from your email address – except it was for a project you never worked on, with banking details that definitely are not yours. But the email looks completely legitimate. It has your company name, your domain, even your usual email signature.

You did not send it. Someone else did. And they are pretending to be you.

This is happening to businesses across South Africa every single day. We have seen it in our support tickets (“Phishing email” appears repeatedly), and we have built a platform specifically to solve it. Here is how it works, why it happens, and what you can do about it.

Anyone can send email “from” any address

Email was designed in the 1970s. Back then, the internet was a small network of universities and research labs where everyone trusted everyone else. Authentication was not part of the design.

That decision is still with us today. The way email works, anyone can tell a mail server “this email is from steve@yourcompany.co.za” and the mail server will accept it. There is no built-in verification. No ID check. No proof required.

It is like the postal system if you could write any return address you wanted on an envelope, and the recipient had no way to verify if it was real. Most of the time that works fine. But when someone decides to abuse it, there is nothing stopping them.

This is called email spoofing. And it is not a hack. It is not a security breach. It is just how email works by default.

Invoice fraud is a real problem in South Africa

The most common scenario we see is invoice fraud. Someone sends a fake invoice that looks like it came from a legitimate supplier, with their banking details swapped for the scammer’s account. The recipient pays the invoice. The money disappears. And by the time anyone realises what happened, it is too late.

This works because email looks authoritative. If an invoice arrives from accounts@supplier.co.za, most people assume it is real. They do not check. They just pay it.

But it is not just invoices. We have seen:

  • Fake password reset emails that look like they came from your bank
  • Phishing emails that appear to come from your own IT department
  • Scam emails sent “from” the CEO asking someone to transfer money urgently
  • Fake contract amendments sent to clients mid-negotiation

The common thread: they all pretend to be from a trusted email address. And without email authentication in place, there is nothing stopping them.

How email authentication actually works

Email authentication has three layers. Think of them like a security system with multiple checks, not just one lock on the door.

SPF: The list of approved senders

SPF stands for Sender Policy Framework. It is a text record in your domain’s DNS that lists the mail servers (by IP address, or by reference to a provider’s own list) allowed to send email for your domain.

When a mail server receives a message, it takes the domain from the envelope sender (the bounce address, which is not always the From: address your client sees), fetches that domain’s SPF record, and checks whether the IP address of the server that connected is on the list. If it is, SPF passes. If it is not, SPF fails. Because SPF only looks at the connecting server’s IP, it also fails for legitimate mail that has been forwarded through someone else’s server.

The analogy: SPF is like a guest list at a building entrance. If your name is on the list, you get in. If it is not, you do not.
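To make the guest-list check concrete, here is a simplified SPF evaluator, added as an example (it is not BEACON’s code or part of the original post). It takes the connecting server’s IP and the SPF record fetched for the envelope-sender domain and returns the SPF result. Only the ip4/ip6 mechanisms and the final “all” are evaluated; include, a, mx and redirect need live DNS, so this example reports them as needs_dns (an assumption for the example; a real evaluator resolves them, within the ten-lookup limit). The records and addresses are constructed, using documentation IP ranges.

```python
"""Simplified SPF evaluation (added example, not BEACON's code).

Evaluates ip4/ip6 mechanisms and the final 'all' qualifier against the
connecting IP.  Mechanisms that need DNS (include, a, mx, exists, redirect)
are reported as 'needs_dns' - an assumption for this offline example.
"""
import ipaddress

RESULT_FOR_QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

# Constructed records for a placeholder domain.  STRICT_RECORD is the shape you
# want once every legitimate source is listed; SOFT_RECORD is the common
# "not sure yet" record that lets mail from unknown servers through as softfail.
STRICT_RECORD = "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8:10::/48 -all"
SOFT_RECORD = "v=spf1 ip4:192.0.2.10 ~all"
PROVIDER_RECORD = "v=spf1 ip4:192.0.2.10 include:spf.mailprovider.example -all"


def spf_check(client_ip: str, spf_txt: str) -> str:
    """Return the SPF result for client_ip under the given record text."""
    terms = spf_txt.split()
    if terms[:1] != ["v=spf1"]:
        return "none"            # no usable SPF record: the domain makes no claim
    ip = ipaddress.ip_address(client_ip)
    for term in terms[1:]:
        qualifier = "+"          # a mechanism without a qualifier means 'pass'
        if term[0] in RESULT_FOR_QUALIFIER:
            qualifier, term = term[0], term[1:]
        if term == "all":        # 'all' always matches, so it ends evaluation
            return RESULT_FOR_QUALIFIER[qualifier]
        mech, _, arg = term.partition(":")
        if mech in ("ip4", "ip6"):
            # A bare address such as 192.0.2.10 is treated as a /32 (or /128).
            # An IPv4 address is never inside an IPv6 network, and vice versa.
            if ip in ipaddress.ip_network(arg, strict=False):
                return RESULT_FOR_QUALIFIER[qualifier]
        elif mech in ("include", "a", "mx", "exists") or term.startswith("redirect="):
            return "needs_dns"   # cannot be evaluated without DNS lookups
        # Any other term (for example exp=) is ignored; move to the next one.
    return "neutral"             # record ended without 'all': the RFC 7208 default


if __name__ == "__main__":
    for ip in ("192.0.2.10", "2001:db8:10::25", "203.0.113.77"):
        print(ip, "strict:", spf_check(ip, STRICT_RECORD), "soft:", spf_check(ip, SOFT_RECORD))
```

The difference between -all and ~all is the one to notice: with ~all, a message from an unknown server only softfails, and most receivers still deliver it unless DMARC tells them otherwise.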

DKIM: The digital signature

DKIM stands for DomainKeys Identified Mail. It is a cryptographic signature that your mail server adds to every email it sends. The signature proves two things: the email was sent by a server holding your domain’s private key, and the signed parts of the message (selected headers and the body) have not been altered in transit.

When your mail server sends an email, it signs those headers and the body with a private key. The recipient’s mail server looks up the matching public key in your DNS (under a selector name carried in the signature) and checks the signature. If it is valid, the message is authentic. If not, it was either forged or modified after signing, which also happens to legitimate mail when a mailing list or forwarder rewrites the body on the way through.

The analogy: DKIM is like a tamper-evident seal on a package. If the seal is intact, you know the contents have not been altered since they left the sender.

DMARC: The policy that ties it all together

DMARC stands for Domain-based Message Authentication, Reporting and Conformance. It ties SPF and DKIM to the From: address the recipient actually sees: a message passes DMARC only if SPF or DKIM passes for a domain that matches (“aligns with”) the From: domain. That closes the gap a spoofer would otherwise use, sending from their own server with SPF and DKIM set up for their own domain while putting your address in the From: line. The DMARC record then tells receiving mail servers what to do with a message that fails.

The policy tag (p=) in your DMARC record has three possible values:

  1. p=none – Monitor mode. “If an email fails authentication, deliver it anyway, but send me a report so I can see what is happening.” This is where most businesses start. You can see the problem, but you are not stopping it yet.
  2. p=quarantine – Suspicious folder. “If an email fails authentication, put it in the spam or junk folder instead of the inbox.” This catches most spoofed emails but still lets the recipient dig them out if needed.
  3. p=reject – Block completely. “If an email fails authentication, do not deliver it at all.” This is the goal. Spoofed emails never reach the recipient.

DMARC also gives you something SPF and DKIM cannot provide on their own: reporting. Your DMARC record names an address (the rua tag), and receiving mail providers send aggregate reports there, typically once a day, listing each IP address that sent email using your domain, how many messages it sent, and whether they passed or failed SPF, DKIM and alignment.

The analogy: DMARC is like the building security manager who checks the guest list (SPF), verifies the ID (DKIM), and decides what to do with people who fail the checks. And then sends you a report at the end of every day.
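The security manager’s decision, written out as code: the following is an added example (not BEACON’s code and not part of the original post) of how a receiving mail server combines the SPF and DKIM results with alignment and then applies the p= policy. It also carries the DMARC record at each stage of the staged rollout the post describes later (none, quarantine, reject), plus a strict-alignment variant. All records and messages are constructed; yourcompany.co.za is a placeholder domain, and org_domain() uses a tiny hard-coded suffix list as a stand-in for the Public Suffix List a real implementation would consult.

```python
"""DMARC alignment and policy evaluation (added example, not BEACON's code).

Mirrors what a receiving mail server does once it has the SPF and DKIM
results: check that the domain each check verified aligns with the From:
domain the recipient sees, then apply p= from the DMARC record.
"""
from dataclasses import dataclass
from typing import Optional

# Constructed records for each rollout stage (rua= is where reports are sent),
# plus a strict-alignment variant to show what adkim=s / aspf=s change.
RECORDS = {
    "none": "v=DMARC1; p=none; rua=mailto:dmarc@yourcompany.co.za",
    "quarantine": "v=DMARC1; p=quarantine; rua=mailto:dmarc@yourcompany.co.za",
    "reject": "v=DMARC1; p=reject; rua=mailto:dmarc@yourcompany.co.za",
    "reject_strict": "v=DMARC1; p=reject; adkim=s; aspf=s; rua=mailto:dmarc@yourcompany.co.za",
}


def parse_dmarc(txt: str) -> dict:
    """Split 'tag=value; tag=value' into a dict and validate the tags that matter."""
    tags = {}
    for part in txt.split(";"):
        key, _, value = part.strip().partition("=")
        if key:
            tags[key.lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    if tags.get("p") not in ("none", "quarantine", "reject"):
        raise ValueError("p= must be none, quarantine or reject")
    tags.setdefault("adkim", "r")   # relaxed alignment is the default for both
    tags.setdefault("aspf", "r")
    return tags


def org_domain(domain: str) -> str:
    """Organisational domain.  Assumption: a four-entry stand-in for the Public Suffix List."""
    labels = domain.lower().rstrip(".").split(".")
    two_level_suffixes = {"co.za", "org.za", "co.uk", "com.au"}
    if len(labels) >= 3 and ".".join(labels[-2:]) in two_level_suffixes:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def aligned(from_domain: str, auth_domain: Optional[str], mode: str) -> bool:
    """Strict ('s') needs an exact match; relaxed ('r') accepts the same organisational domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


@dataclass
class Message:
    from_domain: str            # domain in the From: header the recipient sees
    spf_domain: Optional[str]   # envelope-sender domain SPF was evaluated for
    spf_result: str             # 'pass' or anything else
    dkim_domain: Optional[str]  # d= of the DKIM signature that was checked
    dkim_result: str            # 'pass' or anything else


def evaluate(msg: Message, dmarc_txt: str) -> str:
    """Return 'pass', or the p= value to apply to a message that fails DMARC."""
    policy = parse_dmarc(dmarc_txt)
    spf_ok = msg.spf_result == "pass" and aligned(msg.from_domain, msg.spf_domain, policy["aspf"])
    dkim_ok = msg.dkim_result == "pass" and aligned(msg.from_domain, msg.dkim_domain, policy["adkim"])
    return "pass" if (spf_ok or dkim_ok) else policy["p"]


# Constructed messages covering the cases that matter in practice.
LEGIT = Message("yourcompany.co.za", "yourcompany.co.za", "pass", "yourcompany.co.za", "pass")
# Spoofer: SPF passes for the attacker's own bounce domain, but nothing aligns with From:.
SPOOF = Message("yourcompany.co.za", "attacker.example", "pass", None, "fail")
# Forwarded mail: SPF breaks because the forwarder's IP is not yours; DKIM survives.
FORWARDED = Message("yourcompany.co.za", "forwarder.example", "fail", "yourcompany.co.za", "pass")
# Subdomain bounce address: fine under relaxed alignment, fails under strict.
SUBDOMAIN = Message("yourcompany.co.za", "mail.yourcompany.co.za", "pass", None, "fail")

if __name__ == "__main__":
    for name, msg in [("legit", LEGIT), ("spoof", SPOOF), ("forwarded", FORWARDED), ("subdomain", SUBDOMAIN)]:
        print(name, {stage: evaluate(msg, rec) for stage, rec in RECORDS.items()})
```

The SPOOF case is the whole point of the post: the attacker’s mail passes SPF, but for their domain, not yours, so with p=reject it is dropped. The FORWARDED case is why DKIM matters alongside SPF: forwarding breaks SPF, and without a valid DKIM signature your own legitimate mail would be rejected too.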

DMARC sounds simple – until you try to set it up

If DMARC is this important, why does almost no one have it configured properly?

Three reasons:

1. DNS records are intimidating

SPF, DKIM and DMARC all live in your domain’s DNS settings. For most business owners, DNS is something their web developer set up years ago and they have not touched since. The idea of editing DNS records – where one typo can break your email completely – is enough to make people walk away.

2. Getting it wrong breaks your email

If you set your DMARC policy to p=reject before your SPF and DKIM records are configured correctly, legitimate emails stop getting delivered. Your invoices do not reach clients. Your quotes disappear. Your support emails vanish.

This is not theoretical. We have seen businesses accidentally block their own email because they skipped a step or misconfigured a record.

3. The reports are unreadable

Receiving mail providers send you daily XML aggregate reports listing each IP address that sent email using your domain, with message counts and authentication results. These reports are technically complete, but they are formatted for machines, not humans. A single day’s worth of reports can run to thousands of lines of XML listing IP addresses, authentication results and message counts.

Most business owners look at one DMARC report, realise they have no idea what it is telling them, and give up.

This is why most businesses never move past p=none. They can see the monitoring reports, but they do not know how to interpret them or what to do next.
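To show what is actually inside one of those XML reports, and the kind of per-source summary a dashboard builds from it, here is an added example (not BEACON’s code and not part of the original post). The report is constructed in the RFC 7489 aggregate-report format with three sources: the business’s own mail server, a newsletter platform that passes SPF for its own bounce domain but has no DKIM set up for the business’s domain, and an unknown host sending hundreds of failing messages. The IP addresses are from the documentation ranges and yourcompany.co.za is a placeholder.

```python
"""Summarise a DMARC aggregate (rua) report (added example, not BEACON's code).

Aggregate reports are XML: one <record> per (source IP, authentication
outcome) with a message count.  This groups records by source IP and reports
how much mail each source sent and how much of it passed DMARC.
"""
import xml.etree.ElementTree as ET
from collections import defaultdict
from datetime import datetime, timezone

# Constructed report for a placeholder domain; the period is one day in UTC.
SAMPLE_REPORT = """<feedback>
  <report_metadata>
    <org_name>bigmailbox.example</org_name>
    <email>dmarc-reports@bigmailbox.example</email>
    <report_id>2026-02-08-yourcompany.co.za</report_id>
    <date_range><begin>1770508800</begin><end>1770595200</end></date_range>
  </report_metadata>
  <policy_published>
    <domain>yourcompany.co.za</domain>
    <adkim>r</adkim><aspf>r</aspf><p>none</p><sp>none</sp><pct>100</pct>
  </policy_published>
  <record>
    <row><source_ip>192.0.2.10</source_ip><count>42</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>yourcompany.co.za</header_from></identifiers>
    <auth_results>
      <dkim><domain>yourcompany.co.za</domain><result>pass</result></dkim>
      <spf><domain>yourcompany.co.za</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <record>
    <row><source_ip>198.51.100.25</source_ip><count>15</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>yourcompany.co.za</header_from></identifiers>
    <auth_results>
      <spf><domain>bounce.newsletters.example</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <record>
    <row><source_ip>203.0.113.77</source_ip><count>380</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>yourcompany.co.za</header_from></identifiers>
    <auth_results>
      <spf><domain>203-0-113-77.cheaphost.example</domain><result>fail</result></spf>
    </auth_results>
  </record>
</feedback>
"""


def parse_report(xml_text: str) -> dict:
    """Turn one aggregate report into a per-source summary, largest sender first."""
    root = ET.fromstring(xml_text)
    meta, pub = root.find("report_metadata"), root.find("policy_published")
    to_date = lambda s: datetime.fromtimestamp(int(s), timezone.utc).date().isoformat()
    by_ip = defaultdict(lambda: {"total": 0, "passed": 0, "failed": 0,
                                 "spf_domains": set(), "dkim_domains": set()})
    for rec in root.findall("record"):
        row = rec.find("row")
        ev = row.find("policy_evaluated")
        n = int(row.findtext("count"))
        # <policy_evaluated> holds the *aligned* SPF/DKIM outcomes; a message
        # passes DMARC when either one is 'pass'.
        passed = ev.findtext("spf") == "pass" or ev.findtext("dkim") == "pass"
        src = by_ip[row.findtext("source_ip")]
        src["total"] += n
        src["passed" if passed else "failed"] += n
        # The raw <auth_results> domains explain *why* alignment failed, e.g. a
        # newsletter platform passing SPF for its own bounce domain.
        for tag in ("spf", "dkim"):
            for d in rec.findall(f"auth_results/{tag}/domain"):
                src[f"{tag}_domains"].add(d.text)
    sources = [{"ip": ip, "total": v["total"], "passed": v["passed"], "failed": v["failed"],
                "spf_domains": sorted(v["spf_domains"]), "dkim_domains": sorted(v["dkim_domains"])}
               for ip, v in by_ip.items()]
    sources.sort(key=lambda s: s["total"], reverse=True)
    return {"reporter": meta.findtext("org_name"), "domain": pub.findtext("domain"),
            "policy": pub.findtext("p"),
            "period": (to_date(meta.findtext("date_range/begin")), to_date(meta.findtext("date_range/end"))),
            "sources": sources}


def failing_sources(summary: dict) -> list:
    """Sources where nothing passed: either a spoofer, or a legitimate service
    that still needs SPF/DKIM configured for your domain.  Deciding which is
    the 'identify and fix' work before the policy can be tightened."""
    return [s for s in summary["sources"] if s["passed"] == 0]


if __name__ == "__main__":
    s = parse_report(SAMPLE_REPORT)
    print(f"{s['domain']} p={s['policy']} {s['period'][0]} to {s['period'][1]} reported by {s['reporter']}")
    for src in s["sources"]:
        print(f"{src['ip']:>15} total={src['total']:4d} pass={src['passed']:4d} fail={src['failed']:4d}"
              f" spf={src['spf_domains']} dkim={src['dkim_domains']}")
```

Two things the raw XML hides but the summary makes obvious: the unknown host is the largest sender of mail “from” the domain, and the newsletter platform is not a spoofer but a legitimate source that will be blocked at p=reject unless DKIM is set up for it. Real providers send one such report each per day, so a dashboard merges them across reporters before showing totals.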

DMARC management without the technical headache

We built BEACON because even technical people struggle with DMARC. We have seen businesses sit on p=none for years because no one has the time or expertise to move forward safely.

BEACON is our DMARC management platform. Here is what it does:

1. Shows you who is sending as your domain

BEACON takes those unreadable XML reports and turns them into a dashboard. You can see at a glance: every source sending email using your domain, how many messages each source sent, and whether they passed or failed authentication.

If someone in another country is sending hundreds of fake emails pretending to be you, you will see it immediately.

2. Manages the journey from monitoring to blocking

You do not go straight from p=none to p=reject. That is how you break things. BEACON monitors your authentication for weeks, identifies all your legitimate email sources (your mail server, your marketing platform, your CRM, whatever else sends email on your behalf), and makes sure SPF and DKIM are configured correctly for every one of them.

Only when everything is passing authentication do we recommend moving to p=quarantine, and then eventually to p=reject. The whole process is managed. You do not touch DNS records unless you want to.

3. Alerts you when something changes

New email source appears? BEACON alerts you. Authentication suddenly starts failing? You get notified. Someone tries to send email as your domain and gets blocked? You see it in your dashboard.

This is not set-and-forget. Email infrastructure changes. People add new services. BEACON keeps monitoring so you stay protected even as things change.

4. Works anywhere in the world

DMARC is DNS records and email reports. There is no geographic limitation. A business in Cape Town has the same DMARC implementation as a business in New York. BEACON works worldwide because DMARC itself works worldwide.

Email authentication is part of your compliance obligations

POPIA (Protection of Personal Information Act) Condition 7 requires businesses to implement “appropriate, reasonable technical and organisational measures” to prevent data breaches.

If someone sends a fake email as your business and tricks a client into sharing personal information or making a fraudulent payment, you have a problem. If that breach involves personal information (and invoice fraud often does – payment details, contact information, transaction records), you may have a notification obligation under POPIA Section 22.

Email authentication does not prevent every breach. But it prevents the kind of breach where someone impersonates your business to extract information or money from your clients. That is a reasonable technical measure. And it is one of the few POPIA requirements that is completely within your control.

Not every business needs advanced cybersecurity. But every business that sends email from its own domain should have DMARC at p=reject.

Why BEACON exists: the market gap

Managed DMARC services exist. They charge R700+ per month. That pricing works fine for large enterprises. It does not work for a 5-person accounting firm or a one-person consultancy.

But here is the thing: a one-person business with its own domain needs DMARC just as much as a 500-person company. Invoice fraud does not care how big your business is. Neither does email spoofing.

We built BEACON to fill that gap. It is not enterprise software with bells and whistles you will never use. It is DMARC done properly, at a price that makes sense for small businesses.

BEACON starts at R150 per month. You can add it to any of our managed plans, or run it standalone if you just need email authentication and nothing else.

What happens when you sign up for BEACON

Here is the process:

Week 1: Setup and monitoring

We configure your DMARC record at p=none (monitoring mode), set up SPF and DKIM if they are not already in place, and start collecting authentication reports. You get access to the BEACON dashboard so you can see what is being sent using your domain.

Weeks 2-4: Identify and fix

We review the reports together. Every legitimate email source gets added to your SPF record and configured with DKIM signing. Anything that is not supposed to be sending as your domain gets flagged. You decide what to keep and what to block.

Week 5: Move to quarantine

Once everything legitimate is passing authentication, we move your DMARC policy to p=quarantine. Spoofed emails start getting sent to spam folders instead of inboxes. Monitoring continues.

Week 6+: Move to reject

After quarantine has been running cleanly for a week or two with no false positives, we move to p=reject. Spoofed emails stop being delivered entirely. You stay protected, and BEACON keeps monitoring in case anything changes.

The whole process takes 4-8 weeks depending on how complex your email setup is. We do not rush it. Breaking your email to save a week is not worth it.

Stop someone from sending emails as your business

If you have ever wondered why you are getting bounce messages for emails you did not send, or why clients are receiving invoices you never issued, DMARC is the answer.

We have been managing email security for Cape Town businesses for years. BEACON is the tool we built because the existing options were too expensive or too complicated for most of the businesses we work with.

Learn more about BEACON – see pricing, features, and how it works.

Not sure if you need it? Call us and we will check your current DMARC configuration for free. 087 820 5005 or WhatsApp 081 526 1626.
