Phishing attacks in Singapore surged 49% in 2024, with more than 6,100 cases reported – up from 4,100 the year before. Notably, 12% of those phishing emails contained AI-generated content, according to the Cyber Security Agency of Singapore’s (CSA) Singapore Cyber Landscape 2024/2025 report. Banking and financial services, government agencies, and e-commerce platforms were the most frequently spoofed industries.
For Singapore’s SMEs – which account for 99% of all businesses in the country and employ around 70% of the workforce, according to Singapore’s Ministry of Manpower – the consequences of a successful email-based attack can be devastating: misdirected payments, stolen customer data, and reputational damage that can take years to repair.
What makes this especially urgent is that the threat is not just external. Without proper email authentication, criminals can send emails whose visible From address is your domain – your company name, your address – to any inbox in the world, and the receiving mail server has no published basis on which to reject them. Fake invoices, fraudulent payment instructions, impersonation of your CEO or finance director. This is Business Email Compromise (BEC), and Singapore, as one of Asia’s primary financial hubs, is a prime and persistent target.
The solution is DMARC – Domain-based Message Authentication, Reporting, and Conformance. And in 2026, it is no longer just a security best practice. It is a baseline requirement, mandated by both Singapore’s own regulators and global inbox providers.
Singapore Has Made This Official
The CSA now includes DMARC as a core control under the Cyber Essentials Mark, the government-backed certification framework designed specifically to help local SMEs demonstrate a baseline cybersecurity posture. Businesses pursuing this certification – or those whose clients, partners, or government counterparts increasingly require it – need DMARC operating at enforcement level.
At the same time, Google and Yahoo have tightened their global sender requirements. Businesses sending more than 5,000 emails per day that fail to meet SPF, DKIM, and DMARC alignment standards now risk having their messages silently filtered to spam or rejected outright. For Singapore SMEs relying on email for invoicing, customer communications, and marketing outreach, that is a direct and measurable business risk.
The message from CSA and global inbox providers is consistent: get your email authentication in order, and do it before a problem forces your hand.
What DMARC Does – and Why SPF and DKIM Alone Fall Short
Most Singapore businesses that have taken some steps already have SPF and DKIM in place. SPF (Sender Policy Framework) publishes, as a DNS TXT record, the list of servers authorised to send email on behalf of your domain; receivers check the connecting server’s IP address against it. DKIM (DomainKeys Identified Mail) attaches a cryptographic signature to outgoing messages, allowing receiving servers to verify that a named domain took responsibility for the message and that the signed headers and body were not altered in transit.
But neither protocol alone tells receiving servers what to do when a message fails for the domain the recipient actually sees. SPF evaluates the envelope sender (MAIL FROM), not the From header, and its -all qualifier is only advisory; DKIM carries no policy at all. That is precisely what DMARC adds.
A DMARC record sits in your DNS as a TXT record at _dmarc.yourdomain and performs two functions. First, it publishes a policy telling every receiving mail server how to handle messages that fail authentication for your domain: let them through (p=none), route them to spam (p=quarantine), or block them (p=reject). Second, it requests aggregate reports, sent to the address in its rua tag, showing who is sending email on behalf of your domain, giving you visibility into both your legitimate sending sources and any unauthorised parties attempting to impersonate you.
There is also a critical concept that trips up many businesses: alignment. DMARC does not simply check whether SPF or DKIM passes – it checks whether they pass for the correct domain. The domain in your visible “From” header must match either the domain SPF verified (the envelope sender) or the domain in the DKIM signature (its d= tag). In the default relaxed mode, a subdomain such as mail.yourbusiness.sg counts as a match for yourbusiness.sg; in strict mode (adkim=s or aspf=s) the domains must be identical. This distinction matters enormously for any business using third-party platforms.
The Mailchimp, HubSpot and Xero Problem
Singapore SMEs typically operate across a stack of cloud tools – Mailchimp or Klaviyo for marketing, HubSpot or Salesforce for CRM, Xero for accounting, Zendesk for customer support. Each of these platforms sends email on your behalf, and each introduces two potential authentication problems.
The first is alignment. If you use Mailchimp without configuring a custom sending domain, your marketing emails may display as coming from yourbusiness.sg while the underlying SPF and DKIM authentication points to a domain the platform controls. To DMARC, that is a failure – regardless of whether SPF and DKIM individually pass. The fix is to configure a custom sending domain within each platform (typically by publishing the DNS records the platform gives you for DKIM and, where offered, a custom bounce domain for SPF), aligning the authentication back to your own domain.
The second is the SPF 10-lookup limit. Every include:, a, mx, ptr, exists or redirect= term in your SPF record costs a DNS lookup, and includes are counted recursively, so a single provider’s include can consume three or four on its own. SPF has a hard ceiling of ten. Exceeding it makes receivers return permerror for SPF on every message from the domain, including legitimate mail, and any of that mail without an aligned DKIM signature then fails DMARC. Many Singapore businesses running multiple cloud services are already over this limit without being aware of it.
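To see how quickly a typical SME stack blows through the limit, the following script counts the DNS-querying terms reached from a domain’s SPF record the way a receiver would. This is an added example, not code from the article or from PowerDMARC; the DNS table is constructed so it runs offline (a real checker would resolve TXT records with a DNS library), and every hostname in it is a placeholder.

```python
"""Count DNS lookups triggered by an SPF record (RFC 7208 section 4.6.4).

Added example, not code from the page's author. The DNS table below is
constructed so the script runs offline; a real checker would resolve TXT
records with a DNS library instead.
"""
import re
from typing import Dict, FrozenSet

SPF_LOOKUP_LIMIT = 10
# Terms that cost a DNS query. ip4, ip6 and all cost nothing.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}

# Constructed TXT records standing in for DNS (all names are placeholders).
FAKE_DNS: Dict[str, str] = {
    # Typical SME: mail provider, CRM, helpdesk, plus the domain's own a and mx.
    "yourbusiness.sg": (
        "v=spf1 include:_spf.mailprovider.example include:spf.crm.example "
        "include:spf.helpdesk.example a mx ip4:203.0.113.10 -all"
    ),
    "_spf.mailprovider.example": (
        "v=spf1 include:_nb1.mailprovider.example include:_nb2.mailprovider.example "
        "include:_nb3.mailprovider.example ~all"
    ),
    "_nb1.mailprovider.example": "v=spf1 ip4:198.51.100.0/24 ~all",
    "_nb2.mailprovider.example": "v=spf1 ip4:198.51.100.0/24 ~all",
    "_nb3.mailprovider.example": "v=spf1 ip6:2001:db8::/32 ~all",
    "spf.crm.example": "v=spf1 include:a.crm.example include:b.crm.example ~all",
    "a.crm.example": "v=spf1 ip4:192.0.2.0/24 ~all",
    "b.crm.example": "v=spf1 ip4:192.0.2.0/24 ~all",
    "spf.helpdesk.example": "v=spf1 mx a:outbound.helpdesk.example ~all",
    # A leaner domain that relies on one provider only.
    "lean.example": "v=spf1 include:_spf.mailprovider.example -all",
}

# Optional qualifier, mechanism/modifier name, optional argument after : = or /.
TERM_RE = re.compile(r"^[+\-~?]?([a-z0-9]+)(?:[:=/](.*))?$", re.IGNORECASE)


class SpfPermError(Exception):
    """What a receiver returns when the record cannot be evaluated."""


def count_lookups(domain: str, dns: Dict[str, str],
                  path: FrozenSet[str] = frozenset()) -> int:
    """Return the total DNS-querying terms reached from domain's SPF record."""
    if domain in path:
        raise SpfPermError(f"include loop via {domain}")
    record = dns.get(domain)
    if record is None:
        raise SpfPermError(f"no SPF record for {domain}")
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise SpfPermError(f"{domain}: not an SPF record")
    total = 0
    for term in terms[1:]:
        m = TERM_RE.match(term)
        if not m:
            raise SpfPermError(f"{domain}: unparseable term {term!r}")
        name, arg = m.group(1).lower(), m.group(2)
        if name not in LOOKUP_TERMS:
            continue  # ip4 / ip6 / all are free
        total += 1
        if name in ("include", "redirect"):
            # The include itself costs one lookup, plus everything it pulls in.
            total += count_lookups(arg, dns, path | {domain})
    return total


def check_spf(domain: str, dns: Dict[str, str]) -> Dict[str, object]:
    """Report the lookup count and whether receivers would accept the record."""
    try:
        lookups = count_lookups(domain, dns)
    except SpfPermError as exc:
        return {"domain": domain, "lookups": None, "result": "permerror", "detail": str(exc)}
    result = "ok" if lookups <= SPF_LOOKUP_LIMIT else "permerror"
    return {"domain": domain, "lookups": lookups, "result": result,
            "detail": f"{lookups} of {SPF_LOOKUP_LIMIT} permitted lookups"}


if __name__ == "__main__":
    for name in ("yourbusiness.sg", "lean.example"):
        print(check_spf(name, FAKE_DNS))
```

Three provider includes plus the domain’s own a and mx already come to 12 lookups in the constructed table, so the whole record returns permerror even though every individual entry is legitimate. Removing the a and mx terms (the domain’s own servers are usually covered by the mail provider’s include anyway) is often the cheapest way back under the limit.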
The Three Policy Stages – and How to Progress Through Them
DMARC operates across three enforcement levels. The right approach is to move through them methodically rather than jumping immediately to the strictest setting.
p=none – Start here, with a rua=mailto: address in the record so that receivers have somewhere to send reports. Email delivery is completely unaffected. You simply begin receiving aggregate reports revealing every source sending mail on behalf of your domain. This is how businesses discover that the HR team signed up for a new onboarding tool that is failing authentication, or that a threat actor is actively spoofing their domain from overseas. Run at p=none for at least 30 days before advancing.
p=quarantine – The intermediate step. Emails failing DMARC alignment are routed to the recipient’s spam or junk folder. Move to this stage once aggregate reports confirm that the clear majority of legitimate mail is passing cleanly.
p=reject – The goal. Failing messages are blocked before reaching any inbox at every receiver that honours DMARC, which includes the major inbox providers. This is the level required for CSA Cyber Essentials, and the level that actually stops domain spoofing cold. With p=reject in place, a criminal cannot send a convincing fake invoice under your domain name – receiving servers are instructed to reject anything that does not carry an aligned SPF pass or DKIM signature for your domain.
The progression from p=none to p=reject should always be data-driven. Move only when aggregate reports confirm all legitimate sending sources are properly authenticated. Two things to watch for in the reports before enforcing: forwarded mail and mailing lists, which routinely break SPF (and sometimes DKIM) for genuine messages, and subdomains, which inherit the policy unless you publish a separate sp= tag.
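The alignment rules and the three policy levels come together in the check a receiving server performs on every message. The script below is an added example (not code from the article or from PowerDMARC) that parses a DMARC record, tests relaxed and strict alignment, and returns the disposition for four constructed scenarios drawn from the article: a marketing platform with and without a custom sending domain, a spoofed invoice, and an unaligned tool sending from a subdomain. The record, domain names and authentication results are constructed, and the organisational-domain logic is simplified to the last two labels (a real implementation consults the Public Suffix List so that names under .com.sg are handled correctly).

```python
"""Evaluate DMARC for a message from the receiver's side: parse the published
record, check identifier alignment, and pick the disposition.

Added example, not code from the page's author. The record, domains and
authentication results below are constructed. Organisational-domain
detection is simplified to the last two labels (assumption: a real
implementation consults the Public Suffix List).
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


def org_domain(domain: str) -> str:
    """Simplified organisational domain: the last two labels (see note above)."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def parse_dmarc(record: str) -> Dict[str, str]:
    """Parse a DMARC TXT record into tags, applying RFC 7489 defaults."""
    tags: Dict[str, str] = {"adkim": "r", "aspf": "r", "pct": "100"}
    for pair in record.split(";"):
        if "=" in pair:
            key, value = pair.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or tags.get("p") not in ("none", "quarantine", "reject"):
        raise ValueError("invalid DMARC record")
    tags.setdefault("sp", tags["p"])  # subdomain policy defaults to p
    return tags


def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """Strict mode needs an exact match; relaxed needs the same organisational domain."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


@dataclass
class AuthResults:
    """What the receiver has computed before DMARC runs."""
    from_domain: str                      # RFC5322.From domain, what the user sees
    spf_result: str                       # pass / fail / softfail / permerror ...
    spf_domain: str                       # MAIL FROM domain SPF was checked against
    dkim_sigs: List[Tuple[str, str]] = field(default_factory=list)  # (d= domain, result)


def evaluate(record: str, auth: AuthResults) -> Dict[str, object]:
    """Return aligned-SPF/DKIM flags, the DMARC result and the disposition."""
    tags = parse_dmarc(record)
    spf_aligned = auth.spf_result == "pass" and aligned(auth.spf_domain, auth.from_domain, tags["aspf"])
    dkim_aligned = any(res == "pass" and aligned(d, auth.from_domain, tags["adkim"])
                       for d, res in auth.dkim_sigs)
    passed = spf_aligned or dkim_aligned
    # The record is taken to be published at the organisational domain; a From
    # domain below it falls under sp= rather than p=.
    is_org = auth.from_domain.lower() == org_domain(auth.from_domain)
    policy = tags["p"] if is_org else tags["sp"]
    # pct= sampling is not applied here; with pct=100 every failing message gets the policy.
    return {
        "spf_aligned": spf_aligned,
        "dkim_aligned": dkim_aligned,
        "dmarc": "pass" if passed else "fail",
        "disposition": "none" if passed else policy,
    }


# Constructed record: enforcement on the main domain, quarantine on subdomains.
RECORD = "v=DMARC1; p=reject; sp=quarantine; adkim=r; aspf=r; rua=mailto:dmarc-reports@yourbusiness.sg"

# Constructed scenarios; every domain here is a placeholder.
SCENARIOS = {
    "platform, no custom domain": AuthResults(
        "yourbusiness.sg", "pass", "bounce.mailplatform.example",
        [("mailplatform.example", "pass")]),
    "platform, custom domain": AuthResults(
        "yourbusiness.sg", "pass", "bounce.mailplatform.example",
        [("mail.yourbusiness.sg", "pass")]),
    "spoofed invoice": AuthResults(
        "yourbusiness.sg", "fail", "yourbusiness.sg", []),
    "subdomain, unaligned tool": AuthResults(
        "hr.yourbusiness.sg", "pass", "bounce.onboarding-tool.example",
        [("onboarding-tool.example", "pass")]),
}

if __name__ == "__main__":
    for name, auth in SCENARIOS.items():
        print(f"{name:28} {evaluate(RECORD, auth)}")
```

The first scenario is the Mailchimp problem in miniature: SPF and DKIM both pass, but for the platform’s domain, so DMARC fails and a p=reject record has the message dropped. Switching the same record to adkim=s turns the custom-domain scenario into a failure too, which is why strict alignment is rarely worth enabling unless every sender signs with exactly the From domain.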
Two Additional Requirements Singapore Businesses Often Miss
Spam complaint rate monitoring. Google and Yahoo track complaint rates, and Google’s published guidance for Postmaster Tools is to keep the spam rate below 0.1% and never let it reach 0.3% – that is three complaints per 1,000 delivered emails. A degraded domain reputation can take months to recover and directly undermines the deliverability of all future email campaigns. Monitoring this metric alongside your DMARC reports gives you a complete picture of email health.
One-click unsubscribe. Google and Yahoo now mandate that bulk marketing email includes a functional one-click unsubscribe mechanism, signalled with the List-Unsubscribe and List-Unsubscribe-Post headers defined in RFC 8058, and that requests are honoured within two days. Recipients must be able to remove themselves from your list immediately, without logging in, completing a form, or waiting for a confirmation email. This is a compliance requirement for any bulk marketing mail, and non-compliance feeds directly into elevated complaint rates, which in turn damage your domain’s reputation with inbox providers. Complaint rates do not affect DMARC itself, but a domain that passes DMARC and still lands in spam has not solved its deliverability problem.
Making It Manageable for a Lean Singapore Team
Reading raw DMARC aggregate reports is not practical for most businesses without a dedicated security team. The reports arrive as XML files and can contain thousands of rows of data per day once send volumes are meaningful.
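Before reaching for a platform, it helps to know what those XML files contain, because the raw auth_results block is what lets you tell an unaligned but legitimate tool from an outright spoofer. The following script is an added example, not PowerDMARC’s code: it parses a constructed aggregate report in the RFC 7489 Appendix C format (embedded inline so it runs offline; real reports arrive as gzip or zip attachments to the rua mailbox) and sorts the failing source IPs into the two categories. All IPs and domain names in the sample are placeholders.

```python
"""Summarise a DMARC aggregate (rua) report so the failing sources stand out.

Added example, not PowerDMARC's code. The XML below is a constructed report
in the RFC 7489 Appendix C format, embedded so the script runs offline.
"""
import xml.etree.ElementTree as ET
from typing import Dict, List

SAMPLE_REPORT = """<feedback>
  <report_metadata>
    <org_name>receiver.example</org_name>
    <report_id>constructed-0001</report_id>
    <date_range><begin>1735689600</begin><end>1735775999</end></date_range>
  </report_metadata>
  <policy_published>
    <domain>yourbusiness.sg</domain>
    <adkim>r</adkim><aspf>r</aspf><p>none</p><sp>none</sp><pct>100</pct>
  </policy_published>
  <record>
    <row>
      <source_ip>203.0.113.10</source_ip><count>420</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated>
    </row>
    <identifiers><header_from>yourbusiness.sg</header_from></identifiers>
    <auth_results>
      <dkim><domain>yourbusiness.sg</domain><selector>s1</selector><result>pass</result></dkim>
      <spf><domain>yourbusiness.sg</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <record>
    <row>
      <source_ip>198.51.100.7</source_ip><count>35</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated>
    </row>
    <identifiers><header_from>yourbusiness.sg</header_from></identifiers>
    <auth_results>
      <dkim><domain>onboarding-tool.example</domain><selector>k1</selector><result>pass</result></dkim>
      <spf><domain>bounce.onboarding-tool.example</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <record>
    <row>
      <source_ip>192.0.2.99</source_ip><count>1200</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated>
    </row>
    <identifiers><header_from>yourbusiness.sg</header_from></identifiers>
    <auth_results>
      <spf><domain>yourbusiness.sg</domain><result>fail</result></spf>
    </auth_results>
  </record>
</feedback>
"""


def summarise(xml_text: str) -> Dict[str, object]:
    """Totals plus a per-source breakdown of aligned results and raw auth results."""
    root = ET.fromstring(xml_text)
    summary: Dict[str, object] = {
        "domain": root.findtext("policy_published/domain"),
        "policy": root.findtext("policy_published/p"),
        "total": 0, "passed": 0, "sources": [],
    }
    for rec in root.findall("record"):
        count = int(rec.findtext("row/count"))
        # policy_evaluated holds the *aligned* results DMARC actually used.
        dkim = rec.findtext("row/policy_evaluated/dkim")
        spf = rec.findtext("row/policy_evaluated/spf")
        passed = dkim == "pass" or spf == "pass"
        # auth_results holds the raw results: which domain authenticated, if any.
        raw = [f"{a.tag}:{a.findtext('domain')}={a.findtext('result')}"
               for a in rec.find("auth_results")]
        summary["total"] += count
        summary["passed"] += count if passed else 0
        summary["sources"].append({"ip": rec.findtext("row/source_ip"), "count": count,
                                   "dmarc": "pass" if passed else "fail", "raw": raw})
    return summary


def classify_failures(summary: Dict[str, object]) -> Dict[str, List[str]]:
    """Split failing IPs into likely unaligned tools and likely spoofers."""
    out: Dict[str, List[str]] = {"unaligned_tool": [], "likely_spoof": []}
    for src in summary["sources"]:
        if src["dmarc"] == "pass":
            continue
        # Something authenticated, just not for our domain: a real sender that
        # needs a custom sending domain. Nothing authenticated at all: spoofing.
        if any(r.endswith("=pass") for r in src["raw"]):
            out["unaligned_tool"].append(src["ip"])
        else:
            out["likely_spoof"].append(src["ip"])
    return out


if __name__ == "__main__":
    s = summarise(SAMPLE_REPORT)
    print(f"{s['domain']} p={s['policy']}: {s['passed']}/{s['total']} messages passed")
    print(classify_failures(s))
```

In the constructed report only a quarter of the volume passes, but the two failing sources need opposite responses: the onboarding tool has valid SPF and DKIM for its own domain and just needs a custom sending domain configured, while the 1,200 messages from the third IP authenticated as nothing at all and are exactly what p=reject exists to stop.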
This is where a purpose-built platform makes the difference. PowerDMARC translates aggregate report data into readable dashboards showing which sending sources are passing, which are failing, and where unauthorised senders are located – including a geographic map of spoofing attempts. For businesses working toward CSA Cyber Essentials certification, the platform’s automated reporting also generates the audit evidence required by the assessment process.
PowerDMARC also handles SPF flattening automatically – resolving nested includes from multiple cloud tools into a single record of IP ranges that stays within the 10-lookup limit as your stack evolves. Flattening only stays correct if it is redone whenever a provider changes its IP ranges, which is why it is better automated than maintained by hand.
Where to Begin
Publish a DMARC record at p=none and let the reports run for several weeks. You will quickly develop a clear view of your entire sending landscape – authorised platforms, misconfigured senders, and any third parties attempting to impersonate your domain.
From there, the process is methodical: close authentication gaps, bring all legitimate senders into alignment, and advance the policy toward p=reject. For most Singapore SMEs with straightforward setups, this does not require outside technical expertise. For businesses with more complex environments – multiple subdomains, numerous third-party senders, or compliance timelines – a management platform that automates analysis and tracks progress significantly reduces the burden.
Given the scale of phishing activity targeting Singapore businesses – a 49% increase in reported cases in 2024 alone, per CSA’s Singapore Cyber Landscape 2024/2025 report – and the tightening requirements of both local regulators and global inbox providers, DMARC is a 2026 priority that cannot be deferred. The question for most SMEs is no longer whether to implement it, but how quickly they can get to enforcement.
Frequently Asked Questions
I send fewer than 5,000 emails a day. Does this still apply to me? The 5,000-email threshold triggers Google and Yahoo’s hard enforcement for bulk senders, but both providers are applying increasing scrutiny to all unauthenticated domains regardless of volume. More importantly, DMARC protects your domain from spoofing whether you send 50 emails or 50,000. An SME sending only a few hundred emails a month can still have its domain impersonated by criminals – DMARC is the mechanism that prevents that.
Will implementing DMARC break my existing email? Not if you start at p=none. Nothing changes for your recipients – you simply begin receiving reports. The risk of disruption only arises if you move directly to p=reject without first auditing your sending sources, which is precisely why the staged approach exists.
Is DMARC relevant for CSA Cyber Essentials certification? Yes. The CSA includes DMARC at enforcement level as a core control under the Cyber Essentials Mark framework. If your business is pursuing this certification, or if clients or government counterparts are beginning to require it as a condition of engagement, DMARC at p=reject is a prerequisite.
Featured image by PowerDMARC