DMARC for Nonprofits: Protect Your Organisation's Email on Any Budget
How nonprofits can implement DMARC to prevent email spoofing and protect donor trust — even with limited IT resources and budget.
Last updated: 2026-05-15
Nonprofits depend on email more than almost any other type of organisation. Donor appeals, volunteer coordination, event invitations, grant communications, board updates -- email is the backbone of how nonprofits operate. That reliance makes them a target. Attackers know that a spoofed email from a charity carries a unique kind of trust, and they exploit it to steal money, harvest credentials, and damage reputations that took years to build.
The good news is that protecting your nonprofit's email does not require a budget line item or an IT department. DMARC is a free, open standard that tells email providers how to verify messages sent from your domain -- and what to do when someone tries to fake one. This guide walks you through why it matters for your organisation and exactly how to set it up.
Why Nonprofits Are Targeted
Attackers do not just go after banks and tech companies. Nonprofits are attractive targets for specific reasons.
Donor trust is high. When a supporter receives an email that appears to come from a charity they have given to before, their guard is down. A spoofed email asking them to update their payment details or contribute to an "emergency campaign" is far more likely to succeed when it carries the name and domain of an organisation they already trust.
Donation scams are lucrative. Charity impersonation is one of the fastest-growing categories of phishing. Attackers send spoofed emails during natural disasters, year-end giving seasons, and crisis events -- exactly the times when donors are most willing to act quickly and ask fewer questions. If your domain has no DMARC protection, anyone can send emails that look like they come from your organisation.
IT resources are thin. Most nonprofits do not have a dedicated IT team. Email security is rarely on the radar because there are always more pressing priorities -- programmes to run, grants to write, events to organise. Attackers count on this. They actively look for domains without DMARC records because those are the easiest to impersonate.
Volunteers and staff are vulnerable. Nonprofit teams often include a mix of full-time staff, part-time employees, and volunteers with varying levels of technical awareness. An internal phishing email that appears to come from the executive director asking for a wire transfer or login credentials has a higher chance of succeeding in an environment where people are busy, trusting, and not trained to spot forgeries.
The Cost of Doing Nothing
Ignoring email authentication does not just leave your domain open to impersonation. It has practical consequences that directly affect your mission.
Spoofed emails erode donor trust. If a supporter receives a fraudulent email from what appears to be your organisation, they may lose confidence in your communications entirely. Even if they realise it was a scam, the association sticks. Some donors will stop opening your real emails. Others will stop giving altogether.
Your legitimate emails land in spam. Email providers like Gmail, Yahoo, and Outlook increasingly penalise domains that lack DMARC. Without it, your fundraising campaigns, newsletters, and event invitations are more likely to be flagged or filtered. Google and Yahoo now require DMARC for bulk senders, which means that if your nonprofit sends more than a few thousand emails, you may already be affected.
You may never know you have been spoofed. Spoofed emails are sent from the attacker's servers, not yours. They do not appear in your outbox. The first sign of a problem is usually an angry donor, a fraud report, or a sudden drop in engagement that nobody can explain.
DMARC prevents all of this by giving email providers a way to verify that messages from your domain are genuine -- and instructions to block the ones that are not.
DMARC Is Free
This is worth saying clearly: DMARC is not a product, a subscription, or a paid service. It is an open internet standard. Implementing it means adding a short text record to your domain's DNS settings, which costs nothing with any domain registrar or DNS provider.
The tools you need to create and check DMARC records are free too. You can generate a record right here on dmarccreator.com, check your current setup at dmarcrecordchecker.com, and create the supporting SPF and DKIM records at spfcreator.com and dkimcreator.com.
DMARC, SPF, and DKIM are all free, open standards. You do not need to buy anything to protect your nonprofit's email. The only requirement is access to your domain's DNS settings.
How to Set Up DMARC for Your Nonprofit
You do not need to be technical to do this. If you can log in to your domain registrar and copy and paste a line of text, you can set up DMARC. Follow these five steps.
1. Check your current email authentication
Start by finding out where you stand. Go to dmarcrecordchecker.com and enter your nonprofit's domain. This will tell you whether you already have a DMARC record, whether SPF and DKIM are configured, and what needs attention. Many organisations are surprised to find they have partial protection already -- especially if they use Google Workspace or Microsoft 365, which configure some records automatically.
2. Generate a DMARC record
Use the free generator below to build a DMARC record for your domain. Start with the policy set to none. This is monitoring mode -- it collects information about who is sending email as your domain without blocking anything. Include an email address for reports so you can see what is happening.
3. Add the record to your DNS
Log in to wherever you manage your domain's DNS. This could be your domain registrar (GoDaddy, Namecheap, Google Domains) or a DNS service like Cloudflare. Create a new TXT record with the name _dmarc and paste in the value you generated. If you need step-by-step instructions for your specific provider, we have guides for GoDaddy, Namecheap, Cloudflare, and many others.
4. Monitor your reports
Within a few days, you will start receiving DMARC reports. These XML files show every server that sent email using your domain and whether those messages passed authentication checks. Review these to make sure your legitimate sources -- your inbox provider, your email marketing tool, your donation platform -- are all passing. Our guide on how to read DMARC reports explains what to look for.
5. Move to enforcement
Once you are confident that all your legitimate email is passing, change your policy from none to quarantine (sends failures to spam) and eventually to reject (blocks them outright). This is the step that actually stops spoofing. Take your time -- most organisations spend two to four weeks in monitoring mode before tightening the policy. See our DMARC policy levels guide for more detail on when to move up.
Create your DMARC record
Use our free DMARC generator to build a valid record for your domain.
Common Nonprofit Email Setups
Most nonprofits use one of a handful of platforms for email. Here is where to find specific guidance for yours.
Google Workspace for Nonprofits. Google offers free or discounted Workspace licenses to eligible nonprofits through Google for Nonprofits. Google configures SPF and DKIM largely out of the box, but you still need to publish your own DMARC record. See our DMARC for Google Workspace guide.
Microsoft 365 for Nonprofits. Microsoft provides discounted or donated Office 365 licences to qualifying nonprofits. DKIM is configured by Microsoft for your domain, but DMARC is your responsibility. See our DMARC for Office 365 guide.
Mailchimp. Widely used by nonprofits for newsletters and donor communications. Mailchimp sends email on your behalf, so it needs to be included in your SPF record and configured for DKIM. See our DMARC for Mailchimp guide.
Constant Contact. Another popular choice for nonprofit email marketing. Like Mailchimp, it sends from your domain and needs to be part of your authentication setup. See our DMARC for Constant Contact guide.
Using multiple email services?
It is common for nonprofits to use one platform for day-to-day email (like Google Workspace) and another for marketing campaigns (like Mailchimp or Constant Contact). That is fine -- your SPF record just needs to include all of them, and each service should have DKIM configured. Start with p=none and review your DMARC reports to confirm everything is aligned before moving to enforcement.
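A common mistake when adding a second service is publishing a second SPF record; a domain may have only one, and two make SPF evaluation return an error. The added example below (not code from this site) merges separate records into one and counts the top-level terms that cost a DNS lookup, which RFC 7208 caps at 10 in total. The include hostnames are constructed placeholders, so use the values your providers document, and the default ~all ending is an assumption.

```python
# Mechanisms that trigger a DNS lookup when the record is evaluated.
LOOKUP_MECHS = {"include", "a", "mx", "ptr", "exists"}

# Constructed input: two records a domain might end up with after adding a newsletter tool.
EXISTING = [
    "v=spf1 include:spf.mailbox-provider.example ~all",
    "v=spf1 include:spf.newsletter-tool.example -all",
]

def merge_spf(records, all_qualifier="~"):
    """Combine several v=spf1 strings into one record ending in a single 'all'."""
    merged = []
    for rec in records:
        parts = rec.split()
        if not parts or parts[0].lower() != "v=spf1":
            raise ValueError(f"not an SPF record: {rec!r}")
        for term in parts[1:]:
            bare = term.lstrip("+-~?").lower()
            if bare == "all":
                continue  # each input's own 'all' is dropped; one is appended below
            if bare.startswith("redirect="):
                raise ValueError("redirect= needs a manual decision, not a merge")
            if term not in merged:
                merged.append(term)
    return " ".join(["v=spf1", *merged, f"{all_qualifier}all"])

def lookup_terms(record):
    """Count top-level lookup terms; nested includes add more, so this is a lower bound."""
    names = (t.lstrip("+-~?").split(":")[0].split("/")[0].lower()
             for t in record.split()[1:])
    return sum(name in LOOKUP_MECHS for name in names)

if __name__ == "__main__":
    record = merge_spf(EXISTING)
    print(record)
    print("top-level DNS lookups:", lookup_terms(record))
```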
Working With Limited IT Resources
Not every nonprofit has someone on staff who manages DNS records, and that is okay. Here is how to think about getting DMARC set up with the resources you have.
If you have a tech-comfortable staff member or volunteer, this guide and the tools linked above are all they need. The entire process -- checking your current state, generating a record, adding it to DNS, and reviewing reports -- can be done in under an hour. It does not require coding skills or security expertise, just the ability to log in to your domain registrar and follow instructions.
If you have a volunteer with IT skills, ask them to help. Many technology professionals volunteer with nonprofits and would be happy to spend an hour setting up email authentication. Frame it as a one-time task with a clear scope: check SPF, DKIM, and DMARC, generate any missing records, add them to DNS, and review the first round of reports.
If you use a managed service provider or IT consultant, ask them whether DMARC is configured for your domain. If it is not, ask them to set it up. This is a standard task that any competent IT provider should be able to handle quickly. If they are unfamiliar with DMARC, point them to our complete guide to DMARC.
If none of the above apply, start with the basics. Even publishing a simple DMARC record at p=none with a reporting address gives you visibility and signals to email providers that you are taking authentication seriously. You can always tighten the policy later when you have more support. The important thing is not to wait for the perfect moment -- start now, even if you start small.
A DMARC record at p=none does not block any email. It is a safe first step that gives you data without any risk of disrupting your existing email. There is no reason not to publish one today.
Your donors trust your organisation. Your email should be worthy of that trust. DMARC makes sure that when someone receives a message from your domain, it really came from you -- and that is something every nonprofit deserves, regardless of budget.