---
title: "Subdomailing: The DMARC risk you might be ignoring | DuoCircle"
description: "Subdomailing: The DMARC risk you might be ignoring."
image: "https://www.duocircle.com/images/og-default.png"
canonical: "https://www.duocircle.com/blog/dmarc/subdomailing-the-dmarc-risk-you-might-be-ignoring/"
---

Quick Answer

Subdomailing is subdomain-based email abuse where attackers send authenticated phishing from real, trusted brands. Guardio identified the technique in 2024 across more than 8,000 domains and 13,000 subdomains belonging to companies like MSN, McAfee, eBay, and VMware, with activity dating to 2022. The attack works by exploiting dangling DNS, abandoned subdomains, expired branded domains referenced by CNAME, or third-party domains still listed in SPF after the vendor relationship ended. Attackers re-register the abandoned name, set up SPF, DKIM, and DMARC for it, and send mail that passes authentication because the parent domain still trusts the orphaned reference. Defenses: audit SPF includes for vendors you no longer use, monitor DNS for dangling CNAMEs and stale records, decommission unused subdomains, and watch DMARC aggregate reports for unfamiliar source IPs aligned to your domain.

# Subdomailing: The DMARC risk you might be ignoring


![DMARC](https://media.mailhop.org/duocircle/images/2025/04/smtp-service-3789.jpg) 

In 2024, Guardio’s **email protection systems** identified unusual patterns in email metadata, specifically related to SMTP servers and their authentication as legitimate senders. Investigation showed that the campaign had been ongoing since at least 2022 and involved over [8,000 domains](https://labs.guard.io/subdomailing-thousands-of-hijacked-major-brand-subdomains-found-bombarding-users-with-millions-a5e5fb892935) and 13,000 subdomains owned by legitimate companies, including MSN, McAfee, eBay, and VMware, which were compromised through subdomain hijacking. This research led to the coining of a new term, subdomailing.

_Subdomailing, which is short for subdomain emailing, is a sophisticated attack technique that works by exploiting security gaps in DMARC_. This tactic enables [threat actors](https://www.cybersecuritydive.com/news/threat-actors-abuse-valid-accounts-crowdstrike/690170/) to send fraudulent, impersonated emails in the **name of reputable organizations**. These emails are sent by compromising unprotected subdomains that pass SPF and DKIM checks (ultimately passing DMARC as well) and appear legitimate to receiving mailboxes. 

## How does subdomain hijacking lead to subdomailing attacks?

In [subdomain hijacking](https://www.bleepingcomputer.com/news/security/hijacked-subdomains-of-major-brands-used-in-massive-spam-campaign/), a cybercriminal takes control of a subdomain linked to a real, trusted domain. Once they have control, they can use it for malicious purposes such as sending phishing emails, spreading malware, or tricking recipients into sharing [sensitive details](https://www.ibm.com/think/news/national-public-data-breach-publishes-private-data-billions-us-citizens).

[![phishing emails](https://media.mailhop.org/duocircle/images/2025/04/spf-record-9987.jpg)](https://media.mailhop.org/duocircle/images/2025/04/spf-record-9987.jpg)

_Usually, this happens because some subdomains are inactive or forgotten for a long time_. These often have dangling [DNS records](https://www.cloudflare.com/learning/dns/dns-records/) (basically, broken links to servers), which provide hackers with an easy entry point. Once they hijack the subdomain, they can cause a lot of trouble without being noticed. Such unprotected subdomains allow threat actors to attempt subdomailing and other **forms of subdomain abuse**. 

## Security gaps that give way to subdomailing attacks

So far, we know that subdomailing attacks involve exploiting and hijacking unprotected subdomains to send fraudulent emails. Now, let’s see how this hijacking is actually done.

### Takeover of a branded domain

In this technique, threat actors look for brand domains that have expired. This usually happens when a [third-party service provider](https://termly.io/legal-dictionary/third-party-service-provider/) or an ad network sets up [CNAME records](https://support.dnsimple.com/articles/cname-record/) pointing to a brand’s domain during some campaign and then later forgets to remove the **CNAME reference**. In such a situation, a dangling DNS record is left behind. 

A bad actor detects this **security gap and re-registers** the expired branded domain to set up [mail servers](https://whatismyipaddress.com/mail-server) and add SPF, [DKIM](/resources/what-is-dkim), and DMARC records for it. They also create a subdomain that is set to inherit the DMARC configurations set up by the attacker for the main domain. 

As a result, emails sent through the hijacked subdomain **bypass DMARC checks** and appear legitimate, making them ideal for phishing, spam, or [malware campaigns](https://thehackernews.com/2025/02/5-active-malware-campaigns-in-q1-2025.html). 

This is the essence of SubdoMailing: abusing subdomain configurations tied to trusted domains to send malicious emails that **pass authentication**.
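The dangling CNAME described above can be found from the defender's side by walking every CNAME in your zone to the end of its chain. The following is an added example, not code from the original article or from Guardio; the zone data, `brand.example` names, and the use of NXDOMAIN on the registrable domain as a proxy for "unregistered" are assumptions (confirm with RDAP or WHOIS before acting).

```python
# Added example: dangling-CNAME audit over constructed DNS data (no network access).

def base_domain(name):
    """Naive registrable domain (last two labels); use the Public Suffix List in production."""
    return ".".join(name.lower().rstrip(".").split(".")[-2:])

def resolve_chain(name, lookup, limit=8):
    """Follow CNAMEs from `name`; return (chain, final record type or status)."""
    chain = [name.lower().rstrip(".")]
    for _ in range(limit):
        rtype, value = lookup(chain[-1])
        if rtype != "CNAME":
            return chain, rtype
        chain.append(value.lower().rstrip("."))
    return chain, "LOOP"

def audit_cnames(names, lookup, owned):
    """Return sorted (severity, record name, dead target) for CNAMEs that end in NXDOMAIN."""
    findings = []
    for name in names:
        chain, status = resolve_chain(name, lookup)
        if len(chain) == 1 or status != "NXDOMAIN":
            continue                      # not a CNAME, or the chain still resolves
        dead = chain[-1]
        base = base_domain(dead)
        if base in owned:
            severity = "stale-internal"   # points at a name we deleted ourselves
        elif lookup(base)[0] == "NXDOMAIN":
            # The whole domain is gone: whoever registers it answers every query for
            # our subdomain, including the TXT lookup that returns its SPF policy.
            severity = "registrable"
        else:
            severity = "dangling-host"    # domain exists, but the host or tenant was removed
        findings.append((severity, name, dead))
    return sorted(findings)

# Constructed zone data; any name missing from the dict answers NXDOMAIN.
SAMPLE_DNS = {
    "mail.brand.example":      ("A", "192.0.2.10"),
    "www.brand.example":       ("CNAME", "brand.cdnvendor.example"),
    "brand.cdnvendor.example": ("A", "192.0.2.20"),
    "promo.brand.example":     ("CNAME", "track.brandpromo2019.example"),    # campaign domain lapsed
    "news.brand.example":      ("CNAME", "lists.brand.example"),
    "lists.brand.example":     ("CNAME", "mta.brandpromo2019.example"),
    "shop.brand.example":      ("CNAME", "brand-store.shopvendor.example"),  # tenant deleted
    "shopvendor.example":      ("A", "192.0.2.30"),
    "old.brand.example":       ("CNAME", "gone.brand.example"),
}

def sample_lookup(name):
    """Dict-backed stand-in for a resolver; swap in real DNS queries for live use."""
    return SAMPLE_DNS.get(name, ("NXDOMAIN", None))

OWNED = {"brand.example"}
ZONE_NAMES = [n for n in SAMPLE_DNS if base_domain(n) in OWNED]

if __name__ == "__main__":
    for finding in audit_cnames(ZONE_NAMES, sample_lookup, OWNED):
        print(*finding, sep="\t")
```

Findings marked `registrable` are the case this section describes and should be removed from the zone first.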

### Takeover of a domain used in SPF

_Domain owners include the sending sources of third-party services in their SPF record_. However, at times, they end the relationship with the third party, but the third party’s domain is not removed from their SPF record. This leaves behind a dangling SPF record. A threat actor recognizes this [security gap](https://www.linkedin.com/advice/0/how-do-you-identify-security-gaps-skills-information-security) and registers the abandoned **third-party domain**.

Because the original domain still authorizes the abandoned third-party domain, the emails sent by attackers pass the [SPF](/resources/what-is-spf) checks. 

[![spam](https://media.mailhop.org/duocircle/images/2025/04/spf-record-check-2133.jpg)](https://media.mailhop.org/duocircle/images/2025/04/spf-record-check-2133.jpg)

### Registering the domain mentioned in the documentation

Often, when **explaining steps in technical guides**, writers use examples of unregistered domains, such as yourdomain.com. Some users with limited technical knowledge misinterpret this and add such a domain to their [SPF record](/resources/spf-records). So, if an attacker registers the example domain (here, yourdomain.com), they can configure it to send phishing emails, leading to subdomailing.
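Both SPF problems above (a dangling include left from a former vendor, and a placeholder domain copied from documentation) show up when you walk the record's `include` and `redirect` delegations. This audit is an added example, not code from the original article; the TXT data, the approved-vendor set, and the placeholder list are constructed assumptions.

```python
import re

PLACEHOLDERS = {"yourdomain.com", "domain.com"}   # assumption: names copied from how-to guides

def base_domain(name):
    """Naive registrable domain (last two labels); use the Public Suffix List in production."""
    return ".".join(name.lower().rstrip(".").split(".")[-2:])

def spf_targets(record):
    """Yield (mechanism, domain) for SPF terms that name another domain."""
    for term in record.split()[1:]:
        m = (re.fullmatch(r"[+\-~?]?(include|a|mx|exists):([^/\s]+)(?:/\S*)?", term, re.I)
             or re.fullmatch(r"(redirect)=(\S+)", term, re.I))
        if m:
            yield m.group(1).lower(), m.group(2).lower().rstrip(".")

def audit_spf(domain, get_txt, approved, chain=(), seen=None):
    """Walk include/redirect delegations from `domain`; return sorted (issue, name, via)."""
    seen = set() if seen is None else seen
    domain = domain.lower().rstrip(".")
    if domain in seen:                     # protects against include loops
        return []
    seen.add(domain)
    record = get_txt(domain)
    if not record or not record.lower().startswith("v=spf1"):
        # A delegated name with no SPF policy: whoever controls that name next
        # decides which servers may send as the domain that still includes it.
        return [("dangling", domain, " > ".join(chain))] if chain else []
    findings = []
    via = " > ".join(chain + (domain,))
    for mech, target in spf_targets(record):
        base = base_domain(target)
        if base in PLACEHOLDERS:
            findings.append(("placeholder", target, via))
        elif base not in approved:
            findings.append(("unapproved", target, via))
        if mech in ("include", "redirect"):
            findings += audit_spf(target, get_txt, approved, chain + (domain,), seen)
    return sorted(findings)

# Constructed SPF TXT data; a missing name stands for NXDOMAIN or no SPF record.
SAMPLE_TXT = {
    "brand.example": "v=spf1 a:mail.brand.example include:_spf.mailvendor.example "
                     "include:spf.oldpay.example include:yourdomain.com -all",
    "_spf.mailvendor.example": "v=spf1 ip4:192.0.2.0/24 redirect=_spf2.mailvendor.example",
    "_spf2.mailvendor.example": "v=spf1 ip4:198.51.100.0/24 -all",
    "yourdomain.com": "v=spf1 ip4:203.0.113.7 -all",
}
APPROVED = {"brand.example", "mailvendor.example"}   # vendors still under contract

if __name__ == "__main__":
    for issue, name, via in audit_spf("brand.example", SAMPLE_TXT.get, APPROVED):
        print(f"{issue:12} {name:28} via {via}")
```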

## Preventing subdomailing in 2025

_Subdomailing attacks are possible because of overlooked vulnerabilities and a lack of user awareness_. Following these suggestions will help you steer clear of them:

### Timely renewal

Don’t let your domains expire because attackers can buy them to send phishing emails on your behalf. Also, the expense of registration and maintenance is much less than that of **cleaning up all references**.

[![attacker ](https://media.mailhop.org/duocircle/images/2025/04/spf-record-check-9987.jpg)](https://media.mailhop.org/duocircle/images/2025/04/spf-record-check-9987.jpg)

### Proper relinquishing

By properly relinquishing the domains, you prevent threat actors from impersonating you or your brand. Here’s how you can do it:

- Remove A, MX, TXT, SPF, DKIM, DMARC, and CNAME entries.
- _Ensure that no services (such as email or hosting) are still linked_.
- Especially remove any email authentication records to break any legacy trust.
- Check SPF and DKIM records in any other domains that may have included this domain (e.g., via include:). Remove it from any **third-party tools**, [ESPs](https://www.activecampaign.com/glossary/email-service-provider), or integrations.
- If you were using this domain to collect DMARC reports for other domains, make sure those other domains no longer send reports to it.
- If feasible, keep the domain but **configure it** to reject all connections, or use it as a “sinkhole” to safely absorb misdirected traffic. This is especially useful for high-profile domains.
- For high-risk domains, monitor after relinquishing by using relevant tools to check if the expired domain is re-registered and misused. If you detect [suspicious activity](https://www.securitymagazine.com/articles/96590-godaddy-breach-up-to-12-million-user-records-compromised), report it.
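Before letting a domain go, the checklist above calls for finding every record in your other zones that still points at it. This sweep is an added example, not code from the original article; `brandpromo.example` as the retiring domain and all records are constructed, and the records are assumed to come from your own zone exports as (name, type, value) tuples.

```python
import re

def refers_to(host, retiring):
    """True if host is the retiring domain or any name beneath it."""
    host = host.lower().rstrip(".")
    return host == retiring or host.endswith("." + retiring)

def spf_refs(value, retiring):
    for term in value.split()[1:]:
        # "include:x", "redirect=x", "a:x/24" -> x; other terms never match a hostname
        target = re.split(r"[:=]", term, maxsplit=1)[-1].split("/")[0]
        if refers_to(target, retiring):
            yield "spf " + term

def dmarc_refs(value, retiring):
    tags = {k.strip().lower(): v.strip()
            for k, v in (t.split("=", 1) for t in value.split(";") if "=" in t)}
    for tag in ("rua", "ruf"):
        for uri in tags.get(tag, "").split(","):
            domain = uri.strip().rpartition("@")[2].split("!")[0]   # drop "!10m" size limit
            if refers_to(domain, retiring):
                yield f"dmarc {tag}={uri.strip()}"

def find_references(records, retiring):
    """Return (name, type, detail) for records outside the retiring zone that point into it."""
    retiring = retiring.lower().rstrip(".")
    hits = []
    for name, rtype, value in records:
        if refers_to(name, retiring):
            continue                        # lives in the retiring zone; deleted with it
        low = value.lower()
        if rtype in ("CNAME", "MX", "NS"):
            target = value.split()[-1]      # MX data is "<preference> <host>"
            details = ["target " + target.rstrip(".")] if refers_to(target, retiring) else []
        elif rtype == "TXT" and low.startswith("v=spf1"):
            details = list(spf_refs(value, retiring))
        elif rtype == "TXT" and low.startswith("v=dmarc1"):
            details = list(dmarc_refs(value, retiring))
        else:
            details = []
        hits += [(name, rtype, d) for d in details]
    return hits

RETIRING = "brandpromo.example"
RECORDS = [  # constructed export of the zones that stay in service
    ("brand.example", "TXT", "v=spf1 include:_spf.brandpromo.example ip4:192.0.2.0/24 -all"),
    ("_dmarc.brand.example", "TXT",
     "v=DMARC1; p=reject; rua=mailto:agg@brand.example,mailto:dmarc@brandpromo.example!10m"),
    ("promo.brand.example", "CNAME", "landing.brandpromo.example."),
    ("shop.brand.example", "MX", "10 mx1.brandpromo.example."),
    ("s1._domainkey.brand.example", "CNAME", "s1.dkim.mailvendor.example."),
    ("help.brand.example", "CNAME", "docs.notbrandpromo.example."),   # similar name, no match
    ("www.brandpromo.example", "A", "192.0.2.9"),
]

if __name__ == "__main__":
    for hit in find_references(RECORDS, RETIRING):
        print(*hit, sep="\t")
```

The domain is safe to release only when the sweep returns nothing.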

[![High-Risk Domains](https://media.mailhop.org/duocircle/images/2025/04/365-to-365-migration-4746.jpg)](https://media.mailhop.org/duocircle/images/2025/04/365-to-365-migration-4746.jpg)

### Monitor domains used by services you rely on

_SubdoMailing attacks often target old domains from vendors like payment providers_. Regularly check the main domains of your **third-party services**, especially ones listed in your SPF record, and act quickly if those domains get re-registered or become active again.

## How can DuoCircle help?

[DuoCircle](/) comes to the rescue by continuously monitoring your email attack surface and taking care of dangling SPF, DKIM, and [DMARC records](https://dmarcreport.com/dmarc-record/). We protect your domain and corresponding subdomains by discovering and inspecting their DNS, email, and web configurations. **Our experts check** for active services, identify dangling records, and monitor domain expiration to help prevent its abuse. With real-time asset discovery and monitoring, we ensure that you receive timely alerts and insights, allowing you to resolve issues before attackers can exploit them.

We also regularly monitor your [DMARC reports](/content/dmarc-report) to gain insights into how your emails are behaving at the recipient’s end and whether someone is sending unsolicited, spoofed messages from your domain. Contact us to **re-evaluate all your sending sources** and maintain the optimal health of your DNS records.


Brad Slavin 

General Manager

General Manager at DuoCircle. Product strategy and commercial lead across the email security portfolio.

