Why email trust matters as much as the email message
Link Group was Highly Commended in the Cyber Security category at the Housing Technology Awards 2026.
In a sector where trust and communication are paramount, Link Group improved its email security by going beyond compliance. Through a strategic DMARC (domain-based message authentication, reporting & conformance) implementation, the housing provider has not only mitigated phishing and impersonation threats but has also matured its core cyber-security baseline requirements.
This initiative not only aligned with ISO 27001 and Cyber Essentials but also significantly reduced phishing risks, improved email deliverability and elevated our cyber-security posture.
This wasn’t a compliance exercise triggered by audit findings; our DMARC implementation not only protects our digital ecosystem but also demonstrates our commitment to continual cyber-security improvements.
Governance and leadership
We approved the business case to achieve DMARC enforcement focusing on:
- Enhanced brand trust and compliance posture;
- Combating spoofing and phishing attacks targeting internal and external recipients;
- Enhancing email deliverability and domain reputation.
Our senior leaders were engaged early, ensuring that DMARC was treated as a business risk decision rather than a purely technical one. The platform SendMarc was selected for several reasons:
- Operational simplicity and safe enforcement;
- Visibility and risk reduction;
- Blocking impersonation;
- Improvement of brand trust and compliance posture.
Phishing remains a primary attack vector against housing providers. Many organisations don’t enforce DMARC, yet without DMARC enforcement, tenants can’t distinguish real emails from fraudulent ones. Our experience demonstrates that full enforcement is achievable, even in complex, multi-domain environments, and delivers measurable risk reductions.
From theory to enforcement
Centralised DMARC reporting against 15 domains used across six companies in the group gave us our first reliable view of legitimate and illegitimate domain use, enabling confident enforcement and sustained governance oversight.
The success of this project relied on working with a wide range of stakeholders inside and outside Link. The implementation required clear ownership across technical, governance and service delivery teams to ensure that legitimate business communications weren’t disrupted.
The programme focused on getting the fundamentals right – ensuring that every legitimate sender could be authenticated and every illegitimate one blocked.
Monitoring and reporting
Within our monitoring toolset, we tracked our authorised senders’ DMARC compliance during implementation and as we configured DKIM and SPF for each authorised sender, our metrics improved. These metrics were used to provided assurance to the business that all legitimate emails issued using Link domains were authorised and that unauthorised emails were being blocked.
Email security for governance
This implementation provides a practical blueprint for housing providers seeking to mature their cyber-security posture without introducing tenant-facing frictions or service disruptions. Enforcing DMARC is an excellent way to demonstrate how strategic cyber-security can improve operational excellence and public trust. Our actions included validation of SPF flattening, DKIM key rotation and alignment checks.
“Our DMARC implementation with Sendmarc is a testament to Link Group’s commitment to proactive risk management and governance. By aligning our email security controls with ISO 27001 and Cyber Essentials, we’ve not only protected our colleagues, customers and partners, but also demonstrated what mature, enforceable email trust looks like in practice.”
Ken Fox, Group Director of Digital Services, Link Group
Treating email authentication as a standing governance control, rather than a completed technical project, ensures that we can sustain the benefits.
Making trust visible to tenants
Brand indicators for message identification (BIMI) in email clients have also been implemented to further engender trust and visibility. For our tenants, BIMI provides a simple, visual cue that an email can be trusted, without them needing to understand authentication protocols or security warnings.
BIMI works with DKIM, SPF and DMARC protocols to protect our domains from being used by malicious actors to send fraudulent emails. In the illustration below from bimiradar.com, which tracks almost 75 million domains, we can see that on 15 April 2026, only 12 per cent of domains have DMARC reporting enabled and of those, fewer than 0.1 per cent have BIMI with VMC implemented.
Our logo appears right next to our messages (where supported by recipient’s email provider) so that our tenants know that these emails are legitimately from Link Group.
Key measurable outcomes
Deliverability and reputation were improved, with metrics demonstrating that legitimate email delivery improved substantially due to universal DMARC enforcement while spoofing attempts fell significantly. Link has now achieved full DMARC enforcement across all domains as well as implemented BIMI for brand authentication.
Analysis of the primary domains of 130 housing providers in Scotland (excl. Link Group) shows that 28 per cent have no DMARC record, of those with DMARC records 28 per cent were set to ‘none’, 22 per cent to ‘quarantine’, and only 22 per cent were set to the fully-compliant configuration of ‘reject’. No BIMI records were identified within the 130 domains assessed.
For housing providers seeking to balance cyber-security uplift with improved tenant experience, DMARC enforcement along with BIMI represents a rare control that strengthens both.
Continuous improvement
Our DMARC journey exemplifies how strategic cyber-security can drive operational excellence and public trust. This project isn’t just about technology, it’s about protecting people and strengthening the integrity of communications in social housing.
In the future we plan to continue our quarterly reviews of DMARC reports to detect anomalies and maintain our DKIM key-rotation schedule (2048-bit keys) and SPF record optimisation.
Link Group has already engaged with other housing providers to share what we’ve learned and help with practical pathways to DMARC enforcement. As phishing attacks continue to target the sector, collaborative uplift, rather than isolated progress, may ultimately prove to be the most effective defence.
Gareth Renaud is the senior cyber security officer for digital services at Link Group. The housing provider was Highly Commended in the Cyber Security category at the Housing Technology Awards 2026.
