123-Reg and DMARC: A Helpful Start… But Is It Enough?

So, you’ve had a lightbulb moment – new business, new domain! Where do you go? Most folks land on 123-Reg. After all, those “79p for a domain” offers are hard to resist.

Skip past the upsells for a second, the real goal is to get into your DNS settings and make sure your email works properly and securely.

And these days, that means sorting your DMARC settings.

Quick Recap: What’s DMARC?

DMARC (Domain-based Message Authentication, Reporting, and Conformance) is your email bodyguard.

At its most basic, it tells the internet:
“Yes, I’m aware people might try to spoof my domain, and I have a policy about that.”

At its best, it stops spoofers dead in their tracks, protecting your domain from being impersonated in dodgy phishing emails.

Spoofing, in case you haven’t had the misfortune yet, is when someone sends an email pretending to be you. With no protection in place, your contacts could receive emails that look like they came from you, and fall for scams that damage your reputation, or worse.

Enter 123-Reg: A Really Good Start!

123-Reg actually does something pretty forward-thinking, they automatically add a DMARC record for you when you register a domain.

It looks like this:

v=DMARC1; p=reject; rua=mailto:dmarc_rua@onsecureserver.net

They set the DMARC policy to reject, which is the strictest setting, and even include an email address to send the reports to. Great! Except…

…Who Gets the Reports?

Well, not you.

The reports are sent to dmarc_rua@onsecureserver.net an inbox you can’t access. That address belongs to 123-Reg. So while the reports are technically being collected, there’s no way for you to see what’s going on, unless you update the record yourself to use your own email or monitoring tool.

We asked their support about it and… the answer wasn’t exactly confidence-inspiring.

You Can Change It, But Only If You Know To

Let’s say you do decide to update the DMARC record to send reports to an email you own (something we highly recommend). What you’ll get is… this:

An XML report. Thousands of lines of data. Every email you send, listed, evaluated, and logged.

It’s powerful, but completely unreadable unless you’re using a tool or service that can translate it into something human-friendly.

So What Was Their Final Advice?

If it’s not working for you, just delete the record.

Let’s be real: that’s not terrible advice if you know what you’re doing. But for someone who thinks 123-Reg has “set up the security for them,” that’s a risky move. Without DMARC, your domain is open to being spoofed.

Email Security Isn’t Plug-and-Play

Here’s the thing, DNS and email authentication (SPF, DKIM, and DMARC) are not one-size-fits-all. Many businesses use multiple services: Microsoft 365 or Google Workspace for email, Mailchimp or High Level for marketing, and maybe a CRM or support tool thrown in too.

Each of those needs to be accounted for in your DNS records.

Do it wrong? You’ll either let spoofers through, or block your own emails entirely.

What Does Good DMARC Look Like?

It looks like this:

Instead of a mystery inbox and unreadable XML files, you (or your IT partner) get clear reports showing:

• Who’s sending email on your behalf

• Whether your legitimate emails are getting through

• And whether scammers are being successfully blocked

More importantly, if something breaks, someone’s watching and ready to fix it.

🧹 Final Thought: Not Every Lion Is Noble

Trademarking your business name is smart.
But being bullied into it by a stranger on email? Not so much.

Scammers are evolving. They’re dressing their nonsense up with logos, fake legal speak, and a false sense of urgency.
But at the end of the day, if you strip away the formatting, it’s just another predator in a pinstripe suit.

So next time someone claims they’re the legal cavalry and only you can stop the IP apocalypse… remember:

• They’re not your solicitor.

• They’re not your friend.

• They’re not even very good at lying.

Stay sharp. Stay cheeky. And if in doubt? Send it to us.