Subdomailing: The DMARC risk you might be ignoring
In 2024, Guardio’s email protection systems identified unusual patterns in email metadata, related explicitly to SMTP servers and their authentication as legitimate senders. Upon investigation, it was discovered that this campaign has been ongoing since at least 2022 and involves over 8,000 domains and 13,000 subdomains owned by legitimate companies, including those belonging to MSN, McAfee, eBay, and VMware, which were compromised due to subdomain hijacking. This research led to the coining of a new term—subdomailing.
Subdomailing, which is short for subdomain emailing, is a sophisticated attack technique that works by exploiting security gaps in DMARC. This tactic enables threat actors to send fraudulent, impersonated emails in the name of reputable organizations. These emails are sent by compromising unprotected subdomains that pass SPF and DKIM checks (ultimately passing DMARC as well) and appear legitimate to receiving mailboxes.
How does subdomain hijacking lead to subdomailing attacks?
In subdomain hijacking, a cybercriminal takes control of a subdomain linked to a real, trusted domain. Once they have control, they are empowered to do anything malicious they want, such as sending phishing emails, spreading malware, tricking recipients into sharing sensitive details, etc.
Usually, this happens because some subdomains are inactive or forgotten for a long time. These often have dangling DNS records (basically, broken links to servers), which provide hackers with an easy entry point. Once they hijack the subdomain, they can cause a lot of trouble without being noticed. Such unprotected subdomains allow threat actors to attempt subdomailing and other forms of subdomain abuse.
Security gaps that give way to subdomailing attacks
To this point, we know that subdomailing attacks involve exploiting and hijacking unprotected subdomains to send fraudulent emails. Now, let’s see how this hijacking is actually done.
Takeover of a branded domain
In this technique, threat actors look for brand domains that have expired. This usually happens when a third-party service provider or an ad network sets up CNAME records pointing to a brand’s domain during some campaign and then later forgets to remove the CNAME reference. In such a situation, a dangling DNS record is left behind.
A bad actor detects this security gap and re-registers the expired branded domain to set up mail servers and add SPF, DKIM, and DMARC records for it. They also create a subdomain that is set to inherit the DMARC configurations set up by the attacker for the main domain.
As a result, emails sent through the hijacked subdomain pass DMARC checks and appear legitimate—making them ideal for phishing, spam, or malware campaigns.
This is the essence of SubdoMailing: abusing subdomain configurations tied to trusted domains to send malicious emails that pass authentication.
Takeover of a domain used in SPF
Domain owners include the sending sources of third-party services in their SPF record. However, at times, they part ways with the third party, but the third party's domain is not removed from their SPF record. This leaves behind a dangling SPF include. A threat actor recognizes this security gap and registers the abandoned third-party domain.
Because the original domain still authorizes the abandoned third-party domain, the emails sent by attackers pass the SPF checks.
Registering the domain mentioned in the documentation
Often, when explaining steps in technical guides, writers use examples of unregistered domains, such as yourdomain.com. Some users with limited technical knowledge misinterpret this and add such a domain to their SPF record. So, if an attacker registers the example domain (here, yourdomain.com), they can configure it to send phishing emails, leading to subdomailing.
Preventing subdomailing in 2025
Subdomailing attacks are possible because of overlooked vulnerabilities and user unawareness. But if you follow these suggestions, you can surely steer clear of them:
Timely renewal
Don’t let your domains expire because attackers can buy them to send phishing emails on your behalf. Also, the expense of registration and maintenance is much less than that of cleaning up all references.
Proper relinquishing
By properly relinquishing the domains, you prevent threat actors from impersonating you or your brand. Here’s how you can do it:
- Remove A, MX, TXT, SPF, DKIM, DMARC, and CNAME entries.
- Ensure that no services (such as email or hosting) are still linked.
- Especially remove any email authentication records to break any legacy trust.
- Check SPF and DKIM records in any other domains that may have included this domain (e.g., via include:). Remove it from any third-party tools, ESPs, or integrations.
- If you were using this domain to collect DMARC reports for other domains, make sure those other domains no longer send reports to it.
- If feasible, keep the domain but configure it to reject all connections, or use it as a “sinkhole” to safely absorb misdirected traffic. This is especially useful for high-profile domains.
- For high-risk domains, monitor after relinquishing by using relevant tools to check if the expired domain is re-registered and misused. If you detect suspicious activity, report it.
Monitor domains used by services you rely on
SubdoMailing attacks often target old domains from vendors like payment providers. Regularly check the main domains of your third-party services—especially ones listed in your SPF record—and act quickly if those domains get re-registered or become active again.
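As an added example (not code from the original article or from DuoCircle), the Python script below audits the two dangling conditions described above: an SPF include:/redirect= chain that ends at a name nobody owns (a lapsed vendor domain or a placeholder like yourdomain.com copied from documentation), and a subdomain CNAME pointing at a host that no longer resolves. The DNS table and all names in it are constructed for the example; to audit a live domain, replace the table lookups with real DNS queries.

```python
from typing import Dict, List, Optional, Set

# Constructed offline stand-in for DNS; None marks a name that returns NXDOMAIN, i.e. anyone could register it.
DNS: Dict[str, Optional[dict]] = {
    "brand.example": {"TXT": ["v=spf1 include:_spf.esp.example "
                              "include:old-vendor.example include:yourdomain.com -all"]},
    "_spf.esp.example": {"TXT": ["v=spf1 ip4:192.0.2.0/24 include:_net.esp.example ~all"]},
    "_net.esp.example": {"TXT": ["v=spf1 ip4:198.51.100.0/24 -all"]},
    "old-vendor.example": None,       # vendor relationship ended and its domain lapsed
    "yourdomain.com": None,           # placeholder copied from a how-to guide into SPF
    "promo.brand.example": {"CNAME": "campaign.adnet.example"},
    "campaign.adnet.example": None,   # ad network tore down the campaign host
}

def spf_record(name: str) -> Optional[str]:
    """Return the v=spf1 TXT record published at name, or None if there is none."""
    rrset = DNS.get(name) or {}
    return next((t for t in rrset.get("TXT", []) if t.startswith("v=spf1")), None)

def audit_spf(domain: str, seen: Optional[Set[str]] = None) -> List[str]:
    """Walk include:/redirect= targets and report any that an attacker could claim."""
    seen = set() if seen is None else seen
    if domain in seen:                # guard against include loops
        return []
    seen.add(domain)
    if DNS.get(domain) is None:
        return [f"{domain}: NXDOMAIN, dangling include that anyone can register"]
    rec = spf_record(domain)
    if rec is None:
        return [f"{domain}: resolves but publishes no SPF record"]
    findings: List[str] = []
    for tok in rec.split():
        for prefix in ("include:", "redirect="):
            if tok.startswith(prefix):
                findings += audit_spf(tok[len(prefix):], seen)
    return findings

def audit_cname(name: str, max_hops: int = 8) -> Optional[str]:
    """Follow a CNAME chain; report it if it ends at a name that no longer exists."""
    for _ in range(max_hops):
        rrset = DNS.get(name)
        if rrset is None:
            return f"{name}: does not resolve (dangling CNAME target)"
        target = rrset.get("CNAME")
        if target is None:
            return None               # chain ends at a live record, nothing to claim
        name = str(target)
    return f"{name}: CNAME chain exceeds {max_hops} hops"
```

Running audit_spf("brand.example") flags old-vendor.example and yourdomain.com as registrable includes, and audit_cname("promo.brand.example") flags the dangling ad-network host.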
How can DuoCircle help?
DuoCircle comes to the rescue by continuously monitoring your email attack surface and taking care of dangling SPF, DKIM, and DMARC records. We protect your domain and corresponding subdomains by discovering and inspecting their DNS, email, and web configurations. Our experts check for active services, identify dangling records, and monitor domain expiration to help prevent its abuse. With real-time asset discovery and monitoring, we ensure that you receive timely alerts and insights, allowing you to resolve issues before attackers can exploit them.
We also regularly monitor your DMARC reports to gain insights into how your emails are behaving at the recipient’s end and whether someone is sending unsolicited, spoofed messages from your domain. Contact us to re-evaluate all your sending sources and maintain the optimal health of your DNS records.