What action do I take on bogus subdomains?
There is only one top level domain that sends mail for our organization (mydomain). Each week I see a bunch of bogus subdomains appear in my source viewer list, such as:
ffvcssaq.mydomain.com
z8s4qqa.mydomain.com
et cetera
Is the correct action to delete them as they appear?
If you’re confident these mails are not legitimate, then never mind. Whoever sends them will probably stop as you move to p=reject; or sp=reject;
If you’re not, then investigate and instruct the responsible sysadmin(s) to use your company’s authorized mail services, or to document and seek approval of sending on their own. When their mail flow is properly documented, it can be authorized using SPF and/or DKIM.
Thanks - our SPF, DKIM and DMARC policies are all on-point, rejecting 100% of mail not authorized by the SPF record, and we already utilize the sp=reject switch. However, I recently received an email authentication deployment change notification…
"The following new issues have been detected:
No DMARC reports received in last 7 days which confirm DKIM signing:
IMO, if traffic is legit you should make sure it passes DMARC properly: Identify the source, and make sure the sender is always using the correct return-path.
If the traffic is NOT legit, then someone is spoofing/abusing your domain, and you can see their appearance in the domain overview as testimony that your DMARC efforts are paying off.
Forensic reports (ruf=) can sometimes help identify sender and recipient, but they may contain sensitive/confidential information that must be handled with caution.
The purpose of seeing them was unclear to me; thank you, now I understand that non-legit traffic demonstrates a successful DMARC deployment. Yes, DMARC is working well - I am happy I took the time to set it all up.
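The triage described in the replies above, as an added example that is not part of the original thread: it reads a DMARC aggregate (rua) report and labels each row by From domain, so unknown subdomains that were rejected are separated from real names that fail and need their source and return-path checked. The sample report, the IP addresses, `bounce.example.net`, the `triage` function and its verdict names are constructed for illustration.

```python
import xml.etree.ElementTree as ET  # for real inbound reports, prefer defusedxml

# Constructed sample aggregate (rua) report; IPs and domains are placeholders.
SAMPLE = """<feedback>
<policy_published><domain>mydomain.com</domain><p>reject</p><sp>reject</sp></policy_published>
<record><row><source_ip>192.0.2.10</source_ip><count>40</count><policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
 <identifiers><envelope_from>mydomain.com</envelope_from><header_from>mydomain.com</header_from></identifiers></record>
<record><row><source_ip>203.0.113.7</source_ip><count>3</count><policy_evaluated><disposition>reject</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
 <identifiers><envelope_from>ffvcssaq.mydomain.com</envelope_from><header_from>ffvcssaq.mydomain.com</header_from></identifiers></record>
<record><row><source_ip>198.51.100.23</source_ip><count>1</count><policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
 <identifiers><envelope_from>z8s4qqa.mydomain.com</envelope_from><header_from>z8s4qqa.mydomain.com</header_from></identifiers></record>
<record><row><source_ip>198.51.100.50</source_ip><count>5</count><policy_evaluated><disposition>reject</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
 <identifiers><envelope_from>bounce.example.net</envelope_from><header_from>mydomain.com</header_from></identifiers></record>
</feedback>"""


def triage(report_xml, org_domain, known_names=()):
    """Return one dict per report row whose From domain is org_domain or below it."""
    known = {org_domain, *known_names}  # names that legitimately send mail
    rows = []
    for rec in ET.fromstring(report_xml).iter("record"):
        name = rec.findtext("identifiers/header_from", "").strip().lower()
        if name != org_domain and not name.endswith("." + org_domain):
            continue  # row is about some other domain
        ev = "row/policy_evaluated/"
        # policy_evaluated holds the aligned results; either one passing is a DMARC pass
        passed = "pass" in (rec.findtext(ev + "dkim"), rec.findtext(ev + "spf"))
        rejected = rec.findtext(ev + "disposition") == "reject"
        if passed:
            verdict = "authorized"
        elif name in known:
            verdict = "check-source"   # real name failing: identify source and return-path
        elif rejected:
            verdict = "spoof-blocked"  # unknown subdomain, rejected by the receiver
        else:
            verdict = "not-rejected"   # unknown subdomain, receiver did not reject
        rows.append({
            "header_from": name,
            "source_ip": rec.findtext("row/source_ip"),
            "return_path": rec.findtext("identifiers/envelope_from"),
            "count": int(rec.findtext("row/count", "0")),
            "verdict": verdict,
        })
    return rows


if __name__ == "__main__":
    for row in triage(SAMPLE, "mydomain.com"):
        print(row)
```

Rows labelled `spoof-blocked` need no action; `check-source` rows are the ones to trace to a sender and its return-path.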