Subdomains have been discovered! Should I do anything about it?

The Dmarcian Domain Overview is reporting a few subdomains in the wild that were clearly created by bad actors. Pretty cool! The Domain Overview does not, however, give me any guidance on what can or should be done about it. Should something be done about it? My policy is at R100 for all my domains.

You could delete them if you want, but there really is nothing that you need to do based on the policy that you described. Your REJECT policy already did the heavy lifting for you.

1 Like

Make sure you are not inviting abuse by having a weak subdomain policy, e.g. sp=none. IMO sp should never be weaker than your main or general policy (p).
If you wish to allow a weak policy for a subdomain then you should create a separate DMARC record for that.

2 Likes
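To make the sp=/p= advice above concrete, here is an added example (not code from the thread or from dmarcian) that resolves which DMARC policy applies to a given subdomain and flags any organizational domain whose subdomain policy is weaker than its main policy. The `ZONE` dictionary is constructed sample data standing in for DNS, and `organizational_domain` is a deliberate simplification (last two labels) where a real implementation would consult the Public Suffix List.

```python
"""Added example: resolve the DMARC policy that applies to a (sub)domain
and flag a subdomain policy (sp=) weaker than the main policy (p=).
Constructed zone data, not real DNS; not code from dmarcian or the thread."""

# Ordering used to compare policy strength: none < quarantine < reject.
STRENGTH = {"none": 0, "quarantine": 1, "reject": 2}


def parse_dmarc(record: str) -> dict:
    """Parse a DMARC TXT record ("v=DMARC1; p=reject; sp=none; ...") into tags."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed DMARC tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1" or "p" not in tags:
        raise ValueError("not a usable DMARC record (needs v=DMARC1 and p=)")
    return tags


def subdomain_policy(tags: dict) -> str:
    """Policy applied to subdomains: sp= if present, otherwise p= (RFC 7489)."""
    return tags.get("sp", tags["p"]).lower()


def sp_weaker_than_p(tags: dict) -> bool:
    """True when the explicit or inherited subdomain policy is weaker than p=."""
    return STRENGTH[subdomain_policy(tags)] < STRENGTH[tags["p"].lower()]


def organizational_domain(domain: str) -> str:
    """Simplification (assumption): take the last two labels. Real
    implementations must consult the Public Suffix List (e.g. example.co.uk)."""
    return ".".join(domain.split(".")[-2:])


def policy_for(domain: str, zone: dict) -> tuple:
    """Return (policy, record_owner) for mail claiming to be From: `domain`.

    Mirrors the RFC 7489 lookup order: try _dmarc.<domain>; if absent, fall
    back to _dmarc.<organizational domain> and apply its sp= (or p=).
    `zone` is a constructed {name: TXT value} dict standing in for DNS.
    """
    own = zone.get(f"_dmarc.{domain}")
    if own is not None:
        return parse_dmarc(own)["p"].lower(), domain
    org = organizational_domain(domain)
    if org == domain:
        return "none", None  # no record at all: DMARC does not apply
    org_record = zone.get(f"_dmarc.{org}")
    if org_record is None:
        return "none", None
    return subdomain_policy(parse_dmarc(org_record)), org


# Constructed zone: one domain with a strong p= but a weak sp=, one subdomain
# carrying its own (weaker) record, and one domain relying on p= alone.
ZONE = {
    "_dmarc.example.com": "v=DMARC1; p=reject; sp=none; rua=mailto:dmarc@example.com",
    "_dmarc.newsletter.example.com": "v=DMARC1; p=quarantine",
    "_dmarc.example.net": "v=DMARC1; p=reject",
}


def audit(zone: dict) -> list:
    """List organizational-domain records whose sp= is weaker than p=."""
    weak = []
    for name, record in zone.items():
        domain = name[len("_dmarc."):]
        if organizational_domain(domain) == domain and sp_weaker_than_p(parse_dmarc(record)):
            weak.append(domain)
    return weak


if __name__ == "__main__":
    for d in ("nonexistent.example.com", "newsletter.example.com", "anything.example.net"):
        print(d, "->", policy_for(d, ZONE))
    print("weak sp:", audit(ZONE))
```

Running it shows that a forged `nonexistent.example.com` sender inherits `sp=none` and sails through even though `p=reject` is set, while `newsletter.example.com` is governed by its own explicit record, which is the pattern recommended above for subdomains that genuinely need a different policy.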

Using wildcard DNS, you can set up SPF and DKIM policies that indicate the nonexistent subdomains will never be used in any legitimate email.

https://www.cloudflare.com/learning/dns/dns-records/protect-domains-without-email/

1 Like

Well, while the Cloudflare link contains good advice for signalling that a domain is not used for mail at all it does nothing specifically to prevent non-existing subdomains from abuse. Please correct me if I’m wrong.

Do you know how to create wildcard DNS records? Those will cover any nonexistent subdomain. Existing subdomains will need explicit records as they cannot be covered by the wildcard records.

I do.
Cloudflare does not touch on it, though. While there could be a use case for a wildcard SPF record for invalidating the domain’s normal mail servers for subdomains, wildcards cannot be used with DKIM records as the ‘*’ for the unused subdomain would not be the first character of the DKIM DNS record ([selector]._domainkey.[sub].domain.TLD).

You are correct in your observation that not every one of those protections is applicable to nonexistent subdomains. How much does it matter, though? With no DKIM records available in a nonexistent subdomain, any attempt to validate a forged DKIM signature will fail in the absence of a public key.

Unfortunately, I don’t think it’s that cool. I get 1000s of reports from existing and non-existing subdomains which count towards my usage volume. Over 8000 nxdomain alone :frowning:
I also have 100% reject, but my subdomains are still used for spoofing.
I don’t even send 10 emails/month and use my domain mainly just to receive log mail.

Hi for-privacy.net

Domains for which traffic is not deemed DMARC capable would not be considered towards your account usage. We at dmarcian would never intend to bill for unauthorized use of your domain. If you believe this somehow occurred, please contact billing@dmarcian.com. We will be happy to review your account and ensure you are being billed according to legitimate usage.

2 Likes

OK, thanks.
I see now that it is explained in the info at: Active Domains and Inactive Domains. :sweat_smile:

An additional DMARC flag instead of sp=reject
sp=reject, rua=0, ruf=0; would be good.