Subdomains have been discovered! Should I do anything about it?

The Dmarcian Domain Overview is reporting a few subdomains in the wild that were clearly created by bad actors. Pretty cool! The Domain Overview does not, however, give me any guidance on what can or should be done about it. Should something be done about it? My policy is at R100 for all my domains.

You could delete them if you want, but there really is nothing that you need to do based on the policy that you described. Your REJECT policy already did the heavy lifting for you.

1 Like

Make sure you are not inviting abuse by having a weak subdomain policy, e.g. sp=none. IMO sp should never be weaker than your main or general policy (p).
If you wish to allow a weak policy for a subdomain then you should create a separate DMARC record for that.

2 Likes

Using wildcard DNS, you can set up SPF and DKIM policies that indicate the nonexistent subdomains will never be used in any legitimate email.

https://www.cloudflare.com/learning/dns/dns-records/protect-domains-without-email/

1 Like

Well, while the Cloudflare link contains good advice for signalling that a domain is not used for mail at all it does nothing specifically to prevent non-existing subdomains from abuse. Please correct me if I’m wrong.

Do you know how to create wildcard DNS records? Those will cover any nonexistent subdomain. Existing subdomains will need explicit records as they cannot be covered by the wildcard records.

I do.
Cloudflare does not touch on it, though. While there could be a use case for a wildcard SPF record for invalidating the domain’s normal mail servers for subdomains, wildcards cannot be used with DKIM records as the ‘*’ for the unused subdomain would not be the first character of the DKIM DNS record ([selector]._domainkey.[sub].domain.TLD).

You are correct in your observation that not every one of those protections is applicable to nonexistent subdomains. How much does it matter, though? With no DKIM records available in a nonexistent subdomain, any attempt to validate a forged DKIM signature will fail in the absence of a public key.
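The two practical points in this thread, that a subdomain policy (sp) should not be weaker than p and that a wildcard covers only nonexistent names while existing subdomains need their own records, can be checked in code. The following is an added example and not code from dmarcian or from any poster above. It simulates DMARC policy discovery per RFC 7489 section 6.6.3 against a constructed in-memory zone for the hypothetical domain example.com, using RFC 4592 wildcard synthesis instead of real DNS, and reduces the organizational-domain step to "last two labels", which real code must replace with a Public Suffix List lookup.

```python
"""Added example: DMARC policy discovery and an sp-vs-p lint over a
constructed zone.  No real DNS is queried; example.com is hypothetical."""

POLICY_RANK = {"none": 0, "quarantine": 1, "reject": 2}

# Constructed zone.  The apex has p=reject and sp=reject; newsletter.example.com
# is an existing subdomain that needs a weaker policy, so it gets its own
# _dmarc record; *.example.com carries a "-all" SPF for nonexistent names.
ZONE = {
    "_dmarc.example.com": "v=DMARC1; p=reject; sp=reject; rua=mailto:dmarc@example.com",
    "_dmarc.newsletter.example.com": "v=DMARC1; p=none; rua=mailto:dmarc@example.com",
    "example.com": "v=spf1 include:_spf.example.com -all",
    "newsletter.example.com": "v=spf1 include:_spf.mailer.example -all",
    "*.example.com": "v=spf1 -all",
}


def _exists(name, zone):
    """A name exists if it owns data or is an ancestor of an owner (empty non-terminal)."""
    return any(owner == name or owner.endswith("." + name) for owner in zone)


def lookup_txt(name, zone=ZONE):
    """Exact owner first; otherwise synthesise from the wildcard directly below the
    closest encloser (longest existing ancestor), as RFC 4592 specifies.  Returns
    None for NXDOMAIN.  Note the wildcard also answers deeper names such as
    _dmarc.<nonexistent>.example.com with the SPF text."""
    if name in zone:
        return zone[name]
    labels = name.split(".")
    for i in range(1, len(labels)):
        ancestor = ".".join(labels[i:])
        if _exists(ancestor, zone):
            return zone.get("*." + ancestor)
    return None


def parse_dmarc(txt):
    """Return a tag dict, or None if the TXT is absent or not a DMARC record."""
    if txt is None or not txt.lower().startswith("v=dmarc1"):
        return None
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def organizational_domain(domain):
    # Assumption: last two labels.  Real code must consult the Public Suffix List.
    return ".".join(domain.split(".")[-2:])


def effective_policy(from_domain, zone=ZONE):
    """Policy a receiver applies to mail whose From: domain is from_domain.
    Returns (policy, source_record) or (None, None) when no DMARC applies."""
    own = "_dmarc." + from_domain
    rec = parse_dmarc(lookup_txt(own, zone))
    if rec:
        return rec.get("p", "none"), own
    org = organizational_domain(from_domain)
    if org == from_domain:
        return None, None
    org_name = "_dmarc." + org
    rec = parse_dmarc(lookup_txt(org_name, zone))
    if not rec:
        return None, None
    if "sp" in rec:
        return rec["sp"], org_name + " (sp)"
    return rec.get("p", "none"), org_name + " (p)"


def sp_not_weaker_than_p(record_txt):
    """True when the subdomain policy is at least as strict as the main policy."""
    rec = parse_dmarc(record_txt)
    if rec is None:
        return False
    p = rec.get("p", "none")
    sp = rec.get("sp", p)  # sp defaults to p when absent
    return POLICY_RANK[sp] >= POLICY_RANK[p]


if __name__ == "__main__":
    for d in ("example.com", "phish.example.com", "newsletter.example.com"):
        print(d, "->", effective_policy(d))
    print("selector._domainkey.newsletter.example.com ->",
          lookup_txt("selector._domainkey.newsletter.example.com"))
    print("sp=none under p=reject ok?",
          sp_not_weaker_than_p("v=DMARC1; p=reject; sp=none"))
```

Running it shows the forged phish.example.com falling through to the apex sp=reject, the existing newsletter subdomain being governed by its own explicit record rather than the wildcard, and a DKIM selector name under an existing subdomain resolving to nothing because the apex wildcard does not reach beneath an existing name.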