Blog
DMARC, deeply.
Vulnerability research, enforcement realities, and the things receivers don't tell you. From the team behind dmarc.cc.
The New DMARC Standard (RFC 9989): What Changed and What You Need to Update
RFC 9989 is the first DMARC update since 2015. Here's every change to the spec, an old-vs-new record comparison, and what to update in your DMARC record.
When DMARC Documentation Becomes a Vulnerability: The Cloudflare third-party-example.com Finding
Cloudflare's DMARC documentation referenced an unregistered domain as the RUA address. Real organizations copy-pasted it into production. We registered it and started receiving their aggregate reports.
The Unregistered RUA Domain: A Class of DMARC Vulnerability Hiding in Plain Sight
A subsidiary of a Belgian hosting provider had a DMARC record pointing aggregate reports to a domain that didn't exist. We registered it, and the reports started flowing.
When DMARC Passes and the Email Is Still a Scam: The Gmail API Spoof
A scam message arrived in a victim's inbox from `simrannnnnn@google.com`. DMARC passed. DKIM was valid, signed by Google. SPF authenticated. The message was sent through the Gmail API from a Google Cloud project. Every authentication layer worked exactly as designed.
DMARC p=reject Is a Request, Not a Command: Why Receiver Compliance Is Voluntary
A spoofed email targeting a Japanese recipient passed through So-Net — owned by Sony — even though the sender domain was published at p=reject. The bounce came back, but not for the reason you'd expect.
Subdomain Takeovers and Your DMARC Policy: When Dangling CNAMEs Become Email Spoofing Vectors
A coordinated campaign hijacked subdomains at MIT, Harvard, Stanford, and 30+ other US universities. The same dangling DNS records that let attackers serve spam content can let them bypass your enforced DMARC policy.
Microsoft 365 Groups Bypass DMARC at p=reject: How compauth=none reason=451 Works
Your domain is at p=reject. Defender is honoring DMARC. A spoofed message addressed to a Microsoft 365 Group still lands in your users' inboxes — and Microsoft generates no DMARC report for the event.
When Your Registrar Edits Your DMARC: The GoDaddy DMARC Injection Pattern
GoDaddy began silently publishing DMARC records — with their own RUA address — on customer domains, with no notification and no opt-out at signup. Some customers later found additional records they hadn't authorized.
Why Mailchimp's SPF Include Is a Spoofing Liability: The ESP Authentication Pattern
Your root domain SPF authorizes `servers.mcsv.net`. Your root domain has never sent mail through Mailchimp. If any IP in that include range is compromised, attackers can spoof you — and your DMARC at p=reject will pass.
When DMARC Enforcement Breaks the Business: The Change Management Lessons of a p=reject Rollout
A parent company enforced p=reject overnight to reduce spoofing. The next day, hundreds of subsidiary teams couldn't send mail, and millions of dollars in active marketing spend were locked into platforms that no longer worked.
Reading DMARC Reports Without Going Broke: A Practical Guide for Small Teams
A volunteer org admin told us their DMARC reports were "gobbledygook" and they couldn't afford a paid analyzer. We pointed them at URIports at $1 per domain per month. This is the longer answer for everyone in the same position.