Tech Insight : DMARC Diligence (Part 2) : The Forgotten Domains : A Hidden Vulnerability

Written by: Paul

In this second article of the “DMARC Diligence” series, we shift our focus towards securing non-sending or “forgotten” domains and outline a strategy for their protection through DMARC implementation. 

Recap Of Part 1 

You may remember that in part one of this DMARC Due Diligence series of articles we laid the groundwork by exploring the essentials of the email authentication protocols SPF, DKIM, and DMARC. We learned how these mechanisms work in tandem to validate email sources, ensuring that only authenticated emails reach their intended destinations. The primary takeaway was the importance of implementing these protocols to shield email communications from the prevalent threats of phishing and spoofing attacks. 

Here, in Part Two of the three-part series, we take a look at some key issues around securing non-sending or “forgotten” domains. 

The Risk Of Non-Sending Domains 

Businesses often accumulate multiple domain names, yet routinely only a select few are actively used for email. This leaves a number of domains essentially dormant, with no emails being sent from them. These can be referred to as non-sending or “forgotten” domains. 

However, because these domains are still registered and still resolve in DNS, they remain viable for exploitation even while dormant or forgotten. Unless SPF and DMARC records tell receiving mail servers that no mail is legitimately sent from them, nothing stops a cybercriminal from conducting spoofing and phishing attacks under the guise of your reputable name. 

How Big Is The Problem? 

The problem of dormant or forgotten domains and their exploitation for email spoofing is significant and aligns with broader issues of email server misconfiguration and domain spoofing that impact businesses globally. For example, a KnowBe4 study (which used a domain spoof test) discovered that 82 per cent of email servers are misconfigured, thereby potentially enabling domain spoofing. Domain spoofing extends beyond email to include website spoofing, where fraudsters profit from the reputation of reputable domains, costing advertisers up to $1 million in lost revenue per month.  

Recent Examples  

Examples of non-sending or “forgotten” domains being exploited by cyber-criminals include: 

– As reported by Krebs back in 2020, attackers exploited an authentication weakness at GoDaddy (the world’s largest domain name registrar) by using legitimate but inactive domains to distribute malware, including a potent strain of ransomware named GandCrab. Despite efforts to fix the vulnerability and clean up affected domains, new campaigns exploiting these dormant domains emerged, thereby highlighting the ongoing challenge of securing unused domains against cyber exploitation. 

– Just this month, the cyber security company Guardio Labs reported uncovering what they referred to as a major “SubdoMailing” campaign, which involved the hijacking of 8,000+ trusted domains to send millions of spam and malicious phishing emails daily. The big brands whose subdomains they reported were being exploited in the campaign included MSN, VMware, McAfee, The Economist, Cornell University, CBS, Marvel, and eBay.  

The DMARC Solution For Non-Sending/Forgotten Domains 

As highlighted in the previous article in this series, DMARC offers a way to authenticate mail and specify how unauthenticated emails should be treated. However, its real power lies in its ability to be applied to all your domains, active or dormant. This means that by configuring DMARC records for your non-sending domains, you can effectively seal off a potential backdoor for attackers, preventing them from masquerading as your business in malicious campaigns. 

Step-by-Step DMARC Implementation For Non-Sending Domains 

With this in mind, here’s an example of a step-by-step strategy that businesses with multiple domains can use to close the backdoor vulnerability that non-sending/forgotten domains provide:

– Conduct a comprehensive domain audit to identify all the domains your business owns. Next, distinguish between those used for sending emails and those that are not.

– For your non-sending domains, establish DMARC records in the DNS with an initial policy of p=none. This monitoring mode allows you to collect data on how these domains might be exploited without impacting legitimate email traffic. 

– Analyse DMARC reports. Regularly reviewing the DMARC reports to identify unauthorised usage of your non-sending domains can provide insights to guide you in tightening the DMARC policy to more restrictive settings (p=quarantine or p=reject), effectively blocking malicious emails. 

– Ongoing vigilance. With the cyber threat landscape perpetually evolving, getting into the habit of continually monitoring your DMARC reports and adjusting your policies as needed can help maintain robust protection against emerging threats. 
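The following Python script is an added example, not code from the article or its author, covering steps 2 and 3 above for one non-sending domain: it produces the DMARC record to publish (starting at p=none, and applying the same policy to subdomains via sp=, given the subdomain hijacking described earlier), then parses a DMARC aggregate report and recommends when to tighten the policy. It goes slightly beyond the article’s DMARC-only step by also emitting an SPF record of “v=spf1 -all”, the usual companion record for a domain that sends no mail. The domain example.com, the reporting mailbox, the source IPs and the whole report are constructed sample data, and the report follows the aggregate-report layout from RFC 7489.

```python
"""Added example (not from the article): publish DMARC/SPF records for a
non-sending domain, then analyse a DMARC aggregate (rua) report for it.
All domains, IPs and report contents below are constructed sample data."""
import xml.etree.ElementTree as ET
from collections import defaultdict


def dns_records_for_non_sending(domain, rua_mailbox, policy="none"):
    """Return the TXT records to publish for a domain that sends no mail.

    policy starts at "none" (monitoring only, as in step 2 of the article),
    then is tightened to "quarantine" or "reject" once reports show only
    abuse.  sp= applies the same policy to every subdomain, so a forgotten
    subdomain cannot be borrowed either.  The SPF record is an addition
    beyond the article's DMARC-only step: "v=spf1 -all" lists no permitted
    senders, so any SPF check for this domain fails.
    """
    if policy not in ("none", "quarantine", "reject"):
        raise ValueError(f"invalid DMARC policy: {policy}")
    return {
        f"_dmarc.{domain}": f"v=DMARC1; p={policy}; sp={policy}; rua=mailto:{rua_mailbox}",
        domain: "v=spf1 -all",
    }


# Constructed aggregate report in the RFC 7489 Appendix C layout, as a
# receiver would mail it to the rua= address for our non-sending domain.
SAMPLE_REPORT = """<?xml version="1.0"?>
<feedback>
  <report_metadata>
    <org_name>receiver.example</org_name>
    <report_id>constructed-0001</report_id>
  </report_metadata>
  <policy_published>
    <domain>example.com</domain>
    <p>none</p><sp>none</sp><pct>100</pct>
  </policy_published>
  <record>
    <row>
      <source_ip>198.51.100.7</source_ip>
      <count>120</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated>
    </row>
    <identifiers><header_from>example.com</header_from></identifiers>
  </record>
  <record>
    <row>
      <source_ip>203.0.113.9</source_ip>
      <count>35</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated>
    </row>
    <identifiers><header_from>example.com</header_from></identifiers>
  </record>
</feedback>
"""


def parse_aggregate_report(xml_text):
    """Extract the published policy and one row per (source IP, result)."""
    root = ET.fromstring(xml_text)
    rows = []
    for rec in root.findall("record"):
        pe = rec.find("row/policy_evaluated")
        rows.append({
            "source_ip": rec.findtext("row/source_ip"),
            "count": int(rec.findtext("row/count")),
            "disposition": pe.findtext("disposition"),
            "dkim": pe.findtext("dkim"),  # aligned DKIM result
            "spf": pe.findtext("spf"),    # aligned SPF result
            "header_from": rec.findtext("identifiers/header_from"),
        })
    return {
        "reporter": root.findtext("report_metadata/org_name"),
        "domain": root.findtext("policy_published/domain"),
        "policy": root.findtext("policy_published/p"),
        "rows": rows,
    }


def summarise(report):
    """Count traffic per source IP and decide whether to tighten the policy.

    DMARC passes when either aligned result is "pass"; for a domain that
    sends no mail, any message at all is unauthorised use, so the advice is
    driven by total volume, with the failing volume reported for reference.
    """
    by_ip = defaultdict(int)
    total = failed = 0
    for r in report["rows"]:
        total += r["count"]
        by_ip[r["source_ip"]] += r["count"]
        if r["dkim"] != "pass" and r["spf"] != "pass":
            failed += r["count"]
    if report["policy"] != "none":
        advice = "policy already enforcing; keep reviewing reports"
    elif total:
        advice = "unauthorised senders seen: move to p=quarantine, then p=reject"
    else:
        advice = "no traffic seen; safe to move directly to p=reject"
    return {"total": total, "failed": failed, "by_ip": dict(by_ip), "recommendation": advice}


if __name__ == "__main__":
    for name, txt in dns_records_for_non_sending("example.com", "dmarc-reports@example.com").items():
        print(f'{name} TXT "{txt}"')
    print(summarise(parse_aggregate_report(SAMPLE_REPORT)))
```

Run against a real rua mailbox, the same summary per domain and per week is what step 4’s “ongoing vigilance” amounts to: a non-sending domain whose reports keep showing traffic is one being spoofed, and the counts per source IP tell you how much gets blocked once the policy moves to p=reject.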

What Does This Mean For Your Business? 

Acknowledging and securing your non-sending/forgotten domains with DMARC is not just a technical safeguard but an essential strategy in fortifying your business’s cybersecurity posture. With email fraud now rampant, overlooking these domains could leave your business susceptible to cyberattacks, compromising your integrity and the trust you’ve built with your clients and partners. 

Also, as regulations around data protection become increasingly stringent, ensuring that all your domains are shielded with DMARC demonstrates a proactive stance on cybersecurity. This not only helps compliance with laws like GDPR but also positions your business as a trustworthy and secure entity in the digital marketplace. 

The protection of non-sending domains via DMARC implementation, therefore, is a crucial step in closing the security gaps within your business’s digital domain strategy.

Next Week…

Next week, in the last of this three-article series, we’ll be focusing on a detailed step-by-step guide for DMARC implementation, the crucial role of monitoring and reporting for effective DMARC management, strategies for optimising DMARC policies, and preparing for future email security challenges. The hope is that this series will provide UK businesses with insights into maximising email security, enhancing brand protection, and ensuring compliance with evolving regulations.