
M&S Cyber Attack and Why DMARC Matters | Dmarclytics

Tips and Tricks

May 21, 2025

In a world where businesses are increasingly dependent on digital systems and external vendors, the recent cyber attack on Marks & Spencer couldn't have come at a worse time—or been a clearer warning. Over the Easter bank holiday, M&S—one of Britain's most trusted high street names—was hit by hackers who exploited weaknesses in a third-party supplier's systems. The result? Online shopping was brought to a standstill for over three weeks. Personal details of customers were exposed. And the financial hit? Over £40 million a week in lost revenue, according to reports.

At Dmarclytics, we've always said that cybersecurity isn't just your responsibility—it's a shared one. This incident is a textbook case of why that matters.

What Actually Happened?

A hacking group calling itself "DragonForce" gained access to M&S systems via a supplier. It wasn't just a one-off, either. They went on to target Co-op and even attempted a breach on Harrods.

The M&S fallout included:

  • A complete freeze on online orders

  • Customer data exposure – including names, dates of birth, contact numbers, and previous order details

  • A knock to customer trust, which is much harder to rebuild than websites

It just goes to show: even if you've got decent internal protections, if a partner in your supply chain slips up, you're still exposed.

This Is Where DMARC Comes In

Email remains one of the most common entry points for cyber attackers. Often, criminals impersonate trusted brands or suppliers to trick people into handing over sensitive data. That's where DMARC comes into play. DMARC (Domain-based Message Authentication, Reporting & Conformance) is a simple yet powerful protocol that helps:

Put simply, if your suppliers and partners had DMARC properly set up, the window for impersonation gets slammed shut.

Key Lessons from the M&S Attack

  1. Don’t Just Trust — Verify:

    Vet supplier security just like internal systems.

  2. Make DMARC Mandatory:

    Suppliers should meet your email security standards.

  3. Review Regularly:

    Security posture changes over time.

Think of it this way: even the strongest front door is useless if someone leaves the side gate wide open.

It’s Not Just Technology — It’s People

At Dmarclytics, we believe good email security isn't just about clever software. It's about culture.

That means:
  • Training staff—your team and your suppliers—to spot dodgy emails

  • Having open, honest conversations with vendors about expectations

  • Making it everyone's responsibility, not just the IT department's

Because the truth is, when something goes wrong, customers don't care whose fault it was. They just know it was your name on the email.

Final Thoughts: Don't Wait Until It's Too Late

The M&S attack isn't just a headline—it's a warning. If it can happen to them, it can happen to anyone.

We recommend:
  • Get DMARC set up for your own domain

  • Speak to your vendors—are they protected too?

  • Start making security a conversation, not an afterthought

At Dmarclytics, we're here to help businesses take back control of their email security—before the worst happens. Let's turn this wake-up call into a plan of action. Book a free DMARC assessment, and we'll help you spot the gaps—yours and your partners'.

Because in this game, prevention isn't just cheaper. It's everything.
