Are your domains protected from spoofing and phishing attacks?

24 August 2022
3 min Read
Naz Markuta

The UK National Cyber Security Centre recently published a comprehensive guide on tips to protect government domains that don’t send emails from being used to conduct spoofing or phishing attacks. However, as good as the information is, there is always room for improvement…

Protecting Subdomains

The advice does provide a great summary of how to address a spoofing issue that many IT security staff may not have previously thought about. However, in the latter section, it says:

if you want to protect subdomains that send email, you must:

  • use sp=none instead of sp=reject.

We think this bit of advice can be improved upon. The problem is that having sp=none set on your root domain re-enables email spoofing on vulnerable subdomains that do not have a DMARC policy. All the attacker needs to do is setup their own mail server and domain name, find a vulnerable subdomain, and then send a spoofed email by changing the return-path header to that of the vulnerable subdomain.

Example Records

Take the domain for example. It contains the following DMARC and SPF DNS records:

~ dig +short txt

~ dig +short txt
"v=spf1 -all"

This domain does a really good job at preventing spoofed emails using non-existent subdomains, using the np=reject record. For example, contains a DNS record:

~ dig +short txt

However, a genuine subdomain in use, like does not have a DMARC DNS record, which means it is vulnerable to email spoofing, because the domain contains a sp=none policy and this subdomain doesn’t have its own record, as shown by a quick DNS lookup:

~ dig +short txt

Abusing Subdomains

The example below shows a spoofed message from, sent to a Google Mail account. Google displays a via text next to the from address when the domain in the Return-Path address and From address do not match.

That’s a good thing to look out for in general, to help spot suspicious emails.

Taking a closer look at the email headers:

Google mail gives us a PASS for both SPF and DKIM check, since we’ve applied legitimate DNS records for our own domain. But notice that the From address is different to the DKIM (our domain custom ending with .re).


When using the sp=none policy on the root domain, it’s important that subdomains must also have their own DMARC record. Otherwise, it may be vulnerable to direct email spoofing attacks by abusing the return-path header.

Instead of sp=none, use sp=quarantine policy on the root domains to protect subdomains (that exist) that do not have a DMARC record. This way emails are automatically moved to the spam/junk folders when DKIM/SPF checks fail.

Related Blogs
About Naz Markuta
Naz is an OSCP-certified technical cyber security professional with experience in security and penetration testing, and vulnerability research. Naz has found credited vulnerabilities in hardware devices, mobile and web applications. At Red Maple he helped to deliver our cyber security consulting services, until his departure in April 2024. He still blogs on his personal blog.