Email Domain Spoofing & DMARC
SPF and DKIM had gapsβno alignment requirement, no policy enforcement. DMARC ties them together, requiring the visible From domain to match and telling receivers what to do on failure.
MITRE ATT&CK: T1566.001Timeline: The Cat and Mouse
2007 β Attack emerges β 2012 β Industry responds β 2015 β Attackers adapt β Present
The Evolution
| Phase | Period | What Happened |
|---|---|---|
| ATTACK | 2007-2011 | SPF/DKIM deployed but attackers exploit alignment gaps and no policy |
| Β | 2010 | PayPal, Google, Microsoft see massive spoofing despite SPF/DKIM |
| RESPONSE | 2012 | DMARC consortium formed; specification published |
| Β | 2015 | DMARC becomes RFC 7489 |
| ADOPTION | 2018 | Government mandates (UK, US .gov) drive adoption |
| Β | 2024 | Gmail/Yahoo require DMARC for bulk senders |
| ADAPTATION | Present | Attackers pivot to cousin domains, display name abuse |
Key Events with Sources
| Date | Event | Significance | Source |
|---|---|---|---|
| 2012 | DMARC specification published | PayPal, Google, Microsoft, Yahoo consortium releases DMARC | DMARC.org |
| 2015 | RFC 7489 published | DMARC becomes IETF standard | RFC 7489 |
| 2017 | UK government mandate | All .gov.uk domains must have DMARC p=reject | NCSC Guidance |
| 2018 | US BOD 18-01 | DHS requires DMARC for federal agencies | CISA BOD 18-01 |
| Feb 2024 | Gmail/Yahoo requirements | Bulk senders must have DMARC; accelerates adoption | Google Requirements |
| 2024 | BIMI adoption grows | Brand logos for DMARC-passing domains | BIMI Group |
Overview
SPF validated envelope senders. DKIM validated message integrity. But neither required the authenticated domain to match what users see in the From: header, and neither told receivers what to do on failure. DMARC closes these gaps by requiring alignment between authenticated domains and the visible sender, plus specifying a policy for handling failures.
The Attack
The Alignment Gap
Before DMARC, this email would pass both SPF and DKIM:
MAIL FROM: <bounce@attacker.com> β SPF passes (attacker's domain)
DKIM-Signature: d=attacker.com; ... β DKIM passes (attacker's signature)
From: ceo@bigbank.com β User sees this (spoofed!)
Both authentication mechanisms pass, but neither validates that the visible From: header is legitimate. The user sees ceo@bigbank.com and trusts it.
The Policy Gap
Even when SPF or DKIM failed, receivers had no guidance:
- Should I reject the message?
- Should I quarantine it?
- Should I accept it and hope for the best?
Without policy, most receivers accepted failures to avoid blocking legitimate mail. Attackers exploited this permissiveness.
Real-World Attack Patterns
CEO Fraud / BEC:
Envelope: bounce@randomdomain.com (SPF pass)
DKIM: d=randomdomain.com (DKIM pass)
From: CEO Name <ceo@yourcompany.com> (Spoofed)
Subject: Urgent - Wire Transfer Needed
Vendor Impersonation:
Envelope: notification@attacker.com
From: accounts@trustedvendor.com
Subject: Invoice #12345 - Payment Required
Attachment: invoice.pdf (malware)
Internal Phishing:
Envelope: alerts@evilsite.com
From: IT Support <support@yourcompany.com>
Subject: Password Expires in 24 Hours
Body: Click here to reset...
How DMARC Works
The Defense Mechanism
DMARC adds three critical components:
- Alignment β Authenticated domain must match
From:header domain - Policy β Domain owner specifies what to do on failure
- Reporting β Receivers send reports back to domain owner
DMARC Record Anatomy
Published as DNS TXT record at _dmarc.example.com:
v=DMARC1; p=reject; rua=mailto:dmarc@example.com; ruf=mailto:forensics@example.com; adkim=s; aspf=r
| Tag | Meaning |
|---|---|
v=DMARC1 |
DMARC version |
p=reject |
Policy: reject failures |
rua= |
Aggregate report destination |
ruf= |
Forensic report destination |
adkim=s |
DKIM alignment: strict (exact domain match) |
aspf=r |
SPF alignment: relaxed (subdomain allowed) |
Policy Options
| Policy | Action | Use Case |
|---|---|---|
p=none |
Monitor only, donβt enforce | Initial deployment, learning |
p=quarantine |
Send to spam/junk | Transitional enforcement |
p=reject |
Block the message | Full protection |
Alignment Explained
Relaxed Alignment (default):
From: user@mail.example.com- SPF/DKIM domain:
example.com - Result: Pass (organizational domain matches)
Strict Alignment:
From: user@mail.example.com- SPF/DKIM domain:
example.com - Result: Fail (exact domain doesnβt match)
The Full Authentication Flow
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
β Incoming Email β
β Envelope: bounce@mail.example.com β
β DKIM: d=example.com β
β From: user@example.com β
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
β
βΌ
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
β 1. SPF Check β
β Domain: mail.example.com β
β Result: PASS β
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
β
βΌ
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
β 2. DKIM Check β
β Signing Domain: example.com β
β Result: PASS β
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
β
βΌ
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
β 3. DMARC Alignment Check β
β From Domain: example.com β
β SPF Aligned? mail.example.com β example.com (YES) β
β DKIM Aligned? example.com β example.com (YES) β
β Result: PASS β
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
β
βΌ
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
β 4. Apply Policy β
β DMARC Result: PASS β
β Action: DELIVER β
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
DMARC Failure Example
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
β Spoofed Email β
β Envelope: attacker@evil.com β
β DKIM: d=evil.com β
β From: ceo@bigbank.com β
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
β
βΌ
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
β 1. SPF Check: evil.com β PASS β
β 2. DKIM Check: d=evil.com β PASS β
β 3. DMARC Alignment: β
β From: bigbank.com β
β SPF domain: evil.com β NOT ALIGNED β
β DKIM domain: evil.com β NOT ALIGNED β
β Result: FAIL β
β 4. Policy (bigbank.com): p=reject β
β Action: REJECT β
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
Attacker Adaptation
Post-DMARC Attack Vectors
1. Cousin Domains (Lookalikes)
DMARC protects bigbank.com but not similar domains:
bigb4nk.comβ Character substitutionbigbank-secure.comβ Added wordsbigbank.coβ Different TLDbΓgbank.comβ Homograph (Unicode)
Attackers register these, set up their own SPF/DKIM/DMARC, and send authenticated spoofs.
2. Display Name Abuse
DMARC doesnβt validate display names:
From: "ceo@bigbank.com" <random@attacker.com>
The actual address is attacker.com (passes DMARC for attackerβs domain), but users see βceo@bigbank.comβ in some email clients.
3. Subdomain Exploitation
If bigbank.com has p=reject but doesnβt have records for subdomains:
From: ceo@mail.bigbank.com
May not be covered if subdomain policy (sp=) isnβt set.
4. Compromised Third Parties
If your domain authorizes a third-party sender (newsletter service, CRM) and that service is compromised, attackers can send authenticated email as you.
5. p=none Exploitation
Many domains deploy DMARC with p=none for monitoring and never upgrade to enforcement. Attackers check DMARC records before spoofing:
dig +short TXT _dmarc.target.com
# v=DMARC1; p=none; ... β No enforcement, safe to spoof
Current State
Status: Active Defense (but not complete)
DMARC at p=reject effectively prevents direct domain spoofing. However:
| Protected | Not Protected |
|---|---|
| Direct spoofing of your domain | Cousin/lookalike domains |
| Email claiming to be from you | Display name abuse |
| Unauthorized use of your domain | Compromised authorized senders |
| Β | Domains with p=none |
2024 Gmail/Yahoo Requirements
Major providers now require DMARC for bulk senders:
- Must have DMARC record (at minimum
p=none) - SPF and DKIM must pass
- From header must align
- Easy unsubscribe required
This has accelerated DMARC adoption significantly.
Detection Guidance
DMARC Report Analysis
Aggregate reports (RUA) show authentication results for your domain:
<record>
<source_ip>198.51.100.5</source_ip>
<count>1000</count>
<policy_evaluated>
<disposition>reject</disposition>
<dkim>fail</dkim>
<spf>fail</spf>
</policy_evaluated>
<identifiers>
<header_from>yourdomain.com</header_from>
</identifiers>
</record>
This shows someone trying to spoof your domain from IP 198.51.100.5βinvestigate.
What to Monitor
- Legitimate failures β Your own systems failing DMARC (misconfiguration)
- Spoofing attempts β External IPs failing DMARC for your domain
- Volume spikes β Sudden increase in failures may indicate active campaign
- New sources β Unknown IPs attempting to send as you
DMARC Record Auditing
Check your DMARC configuration:
dig +short TXT _dmarc.yourdomain.com
Common issues:
p=nonedeployed and never upgraded- Missing subdomain policy (
sp=) - Report addresses that donβt exist or arenβt monitored
- Overly relaxed alignment (
adkim=r; aspf=r) when strict would work
Recommended Implementation Path
1. Deploy p=none
β
2. Monitor reports for 2-4 weeks
β
3. Fix legitimate authentication failures
β
4. Move to p=quarantine
β
5. Monitor for false positives
β
6. Move to p=reject
β
7. Maintain and monitor ongoing
Defense in Depth
DMARC is essential but should be combined with:
- User training β Recognize cousin domains and display name tricks
- Lookalike domain monitoring β Alert on registration of similar domains
- Email security gateways β Additional content/behavioral analysis
- BIMI β Visual verification for authenticated senders
What Killed It (or Weakened It)
| Defense | Introduced | Impact |
|---|---|---|
| DMARC (RFC 7489) | 2015 | Unifies SPF/DKIM with alignment requirements and policy enforcement |
| Gmail/Yahoo DMARC Requirements | 2024 | Bulk senders must have DMARC; accelerates adoption |
| BIMI (Brand Indicators) | 2021+ | Verified logos for DMARC-passing domains; visual trust indicator |