DMARC Alignment Gaps

DMARC requires SPF or DKIM to align with the From header, but implementation gaps allow attackers to exploit subdomain policies, relaxed alignment, and organizational misconfigurations.

MITRE ATT&CK: T1566.002

Timeline: The Cat and Mouse

2012: DMARC deployed → 2015: Gaps discovered → 2021: Exploitation continues → Present

The Evolution

Phase | Period | What Happened
CONTEXT | 2012 | DMARC deployed but p=none common; no enforcement
GAPS | 2015-2017 | Subdomain handling gaps discovered; relaxed alignment exploited
RESPONSE | 2017 | Subdomain policy (sp=) added to close inheritance gaps
 | 2018 | DMARC aggregate reporting enables visibility
EXPLOITATION | 2019+ | Subdomain takeover + relaxed alignment becomes attack vector
CURRENT | Present | ~40% of domains still at p=none; gaps remain exploitable

Key Events with Sources

Date | Event | Significance | Source
2012 | DMARC published | Initial specification with alignment requirements | DMARC.org
2015 | RFC 7489 | DMARC becomes IETF standard | RFC 7489
2017 | Subdomain exploitation documented | Researchers show relaxed alignment enables spoofing | USENIX Security
2019 | Subdomain takeover attacks | Dangling DNS + DMARC gaps combine for impersonation | Detectify
2024 | p=none still common | Many organizations never move beyond monitoring | DMARC Report

Overview

DMARC (Domain-based Message Authentication, Reporting & Conformance) ties SPF and DKIM together, requiring at least one to "align" with the From header domain. However, implementation gaps in subdomain handling, relaxed vs strict alignment, and organizational misconfigurations create exploitable weaknesses.

The Attack

DMARC Alignment Explained

DMARC requires either:

  • SPF alignment: The MAIL FROM domain matches the From: header domain
  • DKIM alignment: The d= domain in the DKIM signature matches the From: header domain
From: security@bigbank.com              ← What user sees
MAIL FROM: bounce@bigbank.com           ← SPF checks this
DKIM d=bigbank.com                      ← DKIM signs with this

If either SPF or DKIM aligns with "bigbank.com" → DMARC passes

Alignment Modes

Mode | Requirement | Exploitability
Strict | Exact domain match | Harder to exploit
Relaxed | Organizational domain match | Subdomain abuse possible

Relaxed alignment example:

From: security@bigbank.com
DKIM d=mail.bigbank.com                 ← Subdomain

Relaxed: mail.bigbank.com ≈ bigbank.com → PASS
Strict:  mail.bigbank.com ≠ bigbank.com → FAIL

Subdomain Policy Gaps

The sp= Tag Problem:

DMARC records can specify subdomain policy with sp=:

_dmarc.bigbank.com: v=DMARC1; p=reject; sp=none

This says:

  • p=reject: Reject spoofed mail from bigbank.com
  • sp=none: Do nothing for subdomains like mail.bigbank.com

Attackers exploit this:

From: security@anything.bigbank.com     ← Spoofed subdomain
                                        ← sp=none means no enforcement!

Missing sp= Tag:

If sp= is not specified, subdomains inherit the parent policy. But many admins don’t realize this and leave subdomains unprotected during DMARC rollout.

Subdomain Takeover + DMARC

If an organization has:

  1. Dangling DNS records pointing to unclaimed resources
  2. DMARC with relaxed alignment

Attackers can:

  1. Claim the abandoned subdomain (e.g., old-campaign.bigbank.com)
  2. Set up mail server with valid SPF/DKIM for that subdomain
  3. Send mail that passes DMARC due to relaxed alignment
From: security@bigbank.com
DKIM d=old-campaign.bigbank.com         ← Attacker controls this subdomain

Relaxed alignment: old-campaign.bigbank.com β‰ˆ bigbank.com β†’ PASS
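The alignment and subdomain-policy rules from the three sections above, written out as a small receiver-side evaluator. This is an added example, not code from the original page; it substitutes a constructed four-entry suffix list for the real Public Suffix List that determines the organizational domain.

```python
PUBLIC_SUFFIXES = {"com", "net", "org", "co.uk"}  # constructed sample, not the real PSL


def org_domain(domain):
    """Organizational domain: one label left of the longest matching public suffix."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(1, len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[i - 1:])
    return domain.lower()


def parse_dmarc(record):
    """'v=DMARC1; p=reject; sp=none' -> {'v': 'dmarc1', 'p': 'reject', 'sp': 'none'}."""
    pairs = (p.split("=", 1) for p in record.split(";") if "=" in p)
    return {k.strip().lower(): v.strip().lower() for k, v in pairs}


def aligned(from_domain, auth_domain, mode):
    """Strict ('s') needs an exact match; relaxed ('r') only needs the same org domain."""
    f, a = from_domain.lower(), auth_domain.lower()
    return f == a if mode == "s" else org_domain(f) == org_domain(a)


def applicable_policy(tags, record_domain, from_domain):
    """p= covers the domain the record was published at; sp=, when present, covers
    its subdomains; without sp= a subdomain inherits p=."""
    if from_domain.lower() != record_domain.lower() and "sp" in tags:
        return tags["sp"]
    return tags.get("p", "none")


def evaluate(record, record_domain, from_domain, spf_domain=None, dkim_domain=None):
    """spf_domain / dkim_domain are the identifiers that already passed SPF / DKIM
    (None if that check failed). Returns (dmarc_result, policy_to_apply)."""
    tags = parse_dmarc(record)
    spf_ok = spf_domain is not None and aligned(from_domain, spf_domain, tags.get("aspf", "r"))
    dkim_ok = dkim_domain is not None and aligned(from_domain, dkim_domain, tags.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return "pass", "none"  # an aligned pass means the policy is never applied
    return "fail", applicable_policy(tags, record_domain, from_domain)


if __name__ == "__main__":
    # The takeover scenario above: the attacker-held subdomain signs, From: is the parent.
    # Relaxed alignment (the default when adkim= is absent) passes; adkim=s fails.
    print(evaluate("v=DMARC1; p=reject", "bigbank.com", "bigbank.com", dkim_domain="old-campaign.bigbank.com"))
    print(evaluate("v=DMARC1; p=reject; adkim=s", "bigbank.com", "bigbank.com", dkim_domain="old-campaign.bigbank.com"))
```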

DMARC Record Misconfigurations

Common Mistakes:

# p=none: monitoring only, no enforcement
v=DMARC1; p=none; rua=mailto:dmarc@company.com

# pct=0: policy applies to 0% of mail
v=DMARC1; p=reject; pct=0

# Missing record entirely
# (No _dmarc.domain.com TXT record)

Exploitation:

  • p=none: Attackers spoof freely, org just gets reports
  • pct=0: Policy never enforced despite appearing strong
  • No record: No DMARC protection at all

Raw Email Headers (DMARC Gap Exploitation)

Exploiting relaxed alignment with a subdomain the attacker controls:

Return-Path: <bounce@compromised-sub.bigbank.com>
Received: from mail.attacker.com (mail.attacker.com [198.51.100.99])
        by mx.victim.com (Postfix) with ESMTPS id DMARC01
        for <target@victim.com>; Tue, 28 Jan 2025 09:30:15 -0500 (EST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=compromised-sub.bigbank.com; s=attacker;
        h=from:to:subject:date;
        bh=subdomain123...;
        b=attackersig456...
Authentication-Results: mx.victim.com;
        dkim=pass header.d=compromised-sub.bigbank.com;
        spf=pass smtp.mailfrom=bounce@compromised-sub.bigbank.com;
        dmarc=pass (p=REJECT) header.from=bigbank.com
From: "BigBank Security" <security@bigbank.com>
To: target@victim.com
Subject: Urgent: Verify Your Account
Date: Tue, 28 Jan 2025 09:30:10 -0500
Message-ID: <gap-exploit-001@attacker.com>
MIME-Version: 1.0
Content-Type: text/html; charset=UTF-8

Please click here to verify your account...

Key observations:

  • dkim=pass for compromised-sub.bigbank.com (attacker controls)
  • dmarc=pass because relaxed alignment matches organizational domain
  • From: header shows security@bigbank.com (what user sees)
  • Attacker only needed control of one subdomain to spoof the parent

Defenses

Strict Alignment

Configure DMARC for strict alignment:

v=DMARC1; p=reject; aspf=s; adkim=s

  • aspf=s: Strict SPF alignment
  • adkim=s: Strict DKIM alignment

Explicit Subdomain Policy

Always specify subdomain policy:

v=DMARC1; p=reject; sp=reject

Subdomain Inventory

Maintain inventory of all subdomains:

  • Monitor for dangling DNS records
  • Remove unused subdomain entries
  • Audit third-party services using subdomains

DMARC Reporting Analysis

Analyze aggregate reports (RUA) for:

  • Authentication failures from unexpected sources
  • Subdomain usage you don’t recognize
  • Gradual policy violations indicating testing

Current State

Status: Active

DMARC alignment gaps remain exploitable:

Gap | Prevalence | Impact
Relaxed alignment | Very common | Subdomain abuse
sp=none | Common during rollout | Subdomain spoofing
p=none stuck | ~40% of domains | No enforcement
Subdomain takeover | Increasing | Full domain impersonation

Detection Guidance

DMARC Record Audit

# Check DMARC record
dig +short TXT _dmarc.domain.com

# Look for:
# - p=none (no enforcement)
# - Missing sp= (subdomain gap)
# - pct<100 (partial enforcement)
# - aspf=r or adkim=r (relaxed alignment)
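The checklist above as an audit function, added here as an example rather than taken from the original page. It takes the TXT value returned by `dig +short TXT _dmarc.<domain>` (quotes stripped) and does no DNS lookup itself; the sample records in the main block are constructed.

```python
def parse_dmarc(record):
    """'v=DMARC1; p=reject; pct=0' -> {'v': 'dmarc1', 'p': 'reject', 'pct': '0'}."""
    pairs = (p.split("=", 1) for p in record.split(";") if "=" in p)
    return {k.strip().lower(): v.strip().lower() for k, v in pairs}


def audit_dmarc(record):
    """Return the list of gaps found in one DMARC TXT record (empty list: none found)."""
    if not record or not record.strip():
        return ["no _dmarc record: no DMARC protection at all"]
    tags = parse_dmarc(record)
    findings = []
    if tags.get("v") != "dmarc1":
        findings.append("missing or wrong v= tag: receivers will ignore this record")
    policy = tags.get("p", "none")
    if policy == "none":
        findings.append("p=none: monitoring only, no enforcement")
    if "sp" not in tags:
        findings.append("no sp= tag: subdomains silently inherit p=%s; set it explicitly" % policy)
    elif tags["sp"] == "none":
        findings.append("sp=none: subdomains unprotected although p=%s" % policy)
    pct = tags.get("pct", "100")  # an absent pct= means 100
    if not pct.isdigit() or int(pct) < 100:
        findings.append("pct=%s: policy applied to only part of the mail stream" % pct)
    for tag, name in (("aspf", "SPF"), ("adkim", "DKIM")):
        if tags.get(tag, "r") == "r":  # relaxed is the default when the tag is absent
            findings.append("%s alignment is relaxed (%s=r or absent): subdomain abuse possible" % (name, tag))
    return findings


if __name__ == "__main__":
    # Constructed sample records matching the common mistakes listed on this page.
    for rec in ("v=DMARC1; p=none; rua=mailto:dmarc@company.com",
                "v=DMARC1; p=reject; pct=0",
                "v=DMARC1; p=reject; sp=reject; aspf=s; adkim=s",
                ""):
        print(repr(rec), "->", audit_dmarc(rec))
```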

Email Header Analysis

Flag emails where:

dmarc.header.from.domain != dkim.domain
AND dmarc.result = pass
AND dkim.domain MATCHES subdomain pattern
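The flagging rule above run over Authentication-Results header values, extended to the SPF identifier (smtp.mailfrom) as well as DKIM. This is an added example, not code from the original page; the header values are constructed, the first one reproducing the headers shown earlier on this page.

```python
import re

# Constructed Authentication-Results values; the first reproduces the headers above.
SAMPLE_AUTH_RESULTS = [
    "mx.victim.com; dkim=pass header.d=compromised-sub.bigbank.com; "
    "spf=pass smtp.mailfrom=bounce@compromised-sub.bigbank.com; "
    "dmarc=pass (p=REJECT) header.from=bigbank.com",
    "mx.victim.com; dkim=pass header.d=bigbank.com; "
    "spf=pass smtp.mailfrom=bounce@bigbank.com; dmarc=pass header.from=bigbank.com",
    "mx.victim.com; dkim=fail header.d=mail.bigbank.com; "
    "spf=none; dmarc=fail (p=REJECT) header.from=bigbank.com",
]


def _grab(value, method, prop):
    """Return (result, property value) for one method, e.g. ('pass', 'bigbank.com')."""
    m = re.search(r"\b%s=(\w+)[^;]*?\b%s=([^\s;]+)" % (method, re.escape(prop)), value)
    return (m.group(1).lower(), m.group(2).lower()) if m else (None, None)


def parse_auth_results(value):
    """Extract the identifiers DMARC compared: dkim header.d, spf smtp.mailfrom, dmarc header.from."""
    spf_res, mailfrom = _grab(value, "spf", "smtp.mailfrom")
    return {
        "dkim": _grab(value, "dkim", "header.d"),
        "spf": (spf_res, mailfrom.rsplit("@", 1)[-1] if mailfrom else None),
        "dmarc": _grab(value, "dmarc", "header.from"),
    }


def subdomain_alignment_flags(value):
    """Flag identifiers that passed and aligned only because they are a subdomain of header.from."""
    results = parse_auth_results(value)
    dmarc_res, from_domain = results["dmarc"]
    if dmarc_res != "pass" or not from_domain:
        return []
    flags = []
    for method in ("dkim", "spf"):
        res, domain = results[method]
        if res == "pass" and domain and domain != from_domain and domain.endswith("." + from_domain):
            flags.append("%s=pass for %s, a subdomain of header.from=%s" % (method, domain, from_domain))
    return flags


if __name__ == "__main__":
    for ar in SAMPLE_AUTH_RESULTS:
        print(subdomain_alignment_flags(ar) or "no subdomain-alignment flag")
```

A hit is not proof of abuse; legitimate bulk senders often sign with a subdomain, so the flag belongs in a triage queue alongside the subdomain inventory, not on a block rule.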

Subdomain Monitoring

  • Alert on new subdomains sending mail
  • Monitor for subdomain takeover indicators
  • Track third-party services claiming subdomains

What Killed It (or Weakened It)

Defense | Introduced | Impact
DMARC Enforcement (p=reject) | 2015 | Organizations move from monitoring to enforcement mode
Subdomain Policy (sp=reject) | 2017 | Explicit subdomain policies close inheritance gaps
DMARC Aggregate Reporting | 2018 | Visibility into authentication failures enables tuning

Attacker Adaptation