How Can Spoofing Emails Pass SPF and DMARC with a ‘Reject’ Policy in Place?

Email spoofing can occasionally bypass DMARC protections, even when a reject policy is in place. Let’s explore how this happens and some of the reasons behind it.
Your DNS settings play a pivotal role in securing your email infrastructure. Neglecting DNS maintenance can expose your organization to serious vulnerabilities, even if you have robust authentication policies like DMARC in place. Outdated or misconfigured DNS records can become a gateway for attackers, allowing them to bypass security measures and compromise your domain.
In the realm of email security, regular DNS maintenance is an often-overlooked yet critical task.

Here are the reasons email spoofing can bypass DMARC protections, even with a reject policy in place:

  • Outdated or Misconfigured DNS Records: If DNS records, such as CNAME or SPF, are outdated or incorrectly configured, attackers can exploit these vulnerabilities to bypass security measures.
  • Third-Party Domain Compromise: Attackers who acquire a third-party domain referenced by your DNS records (for example, as a CNAME target) can publish an SPF record on it that whitelists their own servers. This allows them to send spoofed emails that pass SPF checks, even though they’re not legitimate.
  • Lack of Monitoring of DMARC Reports: Without regularly reviewing DMARC Aggregate reports, suspicious activities, like spoofing attempts, may go unnoticed. This delay can allow spoofed emails to be delivered until the issue is identified and corrected.

Let's examine an example of a spoofing attempt that was successfully delivered to the intended recipients, despite the domain having a "reject" policy in place:

A subdomain, servicelayer.theirdomain.com, still had an old CNAME record pointing to a third-party domain. Unfortunately, that domain had since been acquired by an attacker, who cleverly updated its SPF record to whitelist their own servers. Because an SPF lookup for the subdomain follows the CNAME to the attacker-controlled domain, the attacker’s record was treated as the subdomain’s own SPF record. As a result, the attacker was able to send spoofed emails that appeared to come from the customer’s subdomain, and the emails passed SPF authentication checks.

After the vulnerability was identified through DMARC Aggregate reports, the outdated CNAME record for the subdomain was located and removed. With the CNAME gone, the subdomain no longer resolves to any SPF record, so such emails fail authentication and are rejected under the "reject" DMARC policy.
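The following Python script is an added illustration, not code from the original article or from EasyDMARC. It models the incident above with a constructed DNS snapshot (every name, address and record value is made up): a resolver that follows CNAMEs, a deliberately simplified SPF evaluator (only `ip4`, `include` and `all`; no DKIM), a DMARC decision using relaxed alignment and the `p=`/`sp=` rules for subdomains, and a small audit helper that lists CNAMEs pointing outside the domains you control. Running it shows the subdomain passing SPF and DMARC while the stale CNAME exists and being rejected once it is removed.

```python
import ipaddress
from copy import deepcopy

# Constructed DNS snapshot (name -> list of (type, value)); every name and address is made up.
ZONE_BEFORE = {
    "theirdomain.com": [("TXT", "v=spf1 ip4:198.51.100.10 -all")],
    "_dmarc.theirdomain.com": [("TXT", "v=DMARC1; p=reject; rua=mailto:dmarc@theirdomain.com")],
    # Stale CNAME left behind after a vendor integration was retired.
    "servicelayer.theirdomain.com": [("CNAME", "app.retired-vendor.example")],
    # The vendor's domain was later registered by someone else, who published their own SPF record.
    "app.retired-vendor.example": [("TXT", "v=spf1 ip4:203.0.113.0/24 -all")],
}

# The same zone after the audit: the stale CNAME has been deleted.
ZONE_AFTER = deepcopy(ZONE_BEFORE)
del ZONE_AFTER["servicelayer.theirdomain.com"]


def lookup(zone, name, rtype, depth=0):
    """Return records of type rtype for name, following CNAMEs the way a resolver does."""
    if depth > 8:
        raise RuntimeError("CNAME chain too long")
    rrs = zone.get(name, [])
    cnames = [v for t, v in rrs if t == "CNAME"]
    if cnames and rtype != "CNAME":
        # A CNAME owner name carries no other data; the query restarts at the target name.
        return lookup(zone, cnames[0], rtype, depth + 1)
    return [v for t, v in rrs if t == rtype]


def spf_check(zone, domain, ip, depth=0):
    """Simplified SPF evaluation (ip4, include, all only). Returns pass/fail/softfail/neutral/none."""
    if depth > 10:
        return "permerror"
    records = [r for r in lookup(zone, domain, "TXT") if r.startswith("v=spf1")]
    if len(records) != 1:
        return "none" if not records else "permerror"
    addr = ipaddress.ip_address(ip)
    results = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
    for term in records[0].split()[1:]:
        qualifier = "+"
        if term[0] in results:
            qualifier, term = term[0], term[1:]
        if term.startswith("ip4:"):
            matched = addr in ipaddress.ip_network(term[4:], strict=False)
        elif term.startswith("include:"):
            matched = spf_check(zone, term[8:], ip, depth + 1) == "pass"
        elif term == "all":
            matched = True
        else:
            continue  # mechanisms not modelled here (a, mx, ptr, exists)
        if matched:
            return results[qualifier]
    return "neutral"


def org_domain(name):
    """Organizational domain, simplified to the last two labels (no public suffix list)."""
    return ".".join(name.split(".")[-2:])


def dmarc_disposition(zone, mail_from_domain, header_from_domain, ip):
    """DMARC with relaxed SPF alignment; DKIM is left out for brevity. Returns pass/none/quarantine/reject."""
    org = org_domain(header_from_domain)
    if spf_check(zone, mail_from_domain, ip) == "pass" and org_domain(mail_from_domain) == org:
        return "pass"
    policy = [r for r in lookup(zone, "_dmarc." + org, "TXT") if r.startswith("v=DMARC1")]
    if not policy:
        return "none"
    tags = dict(kv.strip().split("=", 1) for kv in policy[0].split(";") if "=" in kv)
    # Subdomains fall under sp= when it is present, otherwise under p= (RFC 7489 section 6.3).
    if header_from_domain != org and "sp" in tags:
        return tags["sp"]
    return tags.get("p", "none")


def dangling_cnames(zone, trusted_suffixes):
    """Audit helper: CNAMEs whose target lies outside the domains you still control or trust."""
    return sorted(
        (name, target)
        for name, rrs in zone.items()
        for rtype, target in rrs
        if rtype == "CNAME"
        and not any(target == s or target.endswith("." + s) for s in trusted_suffixes)
    )


if __name__ == "__main__":
    sender_ip = "203.0.113.5"  # constructed; inside the range the re-registered domain authorizes
    sub = "servicelayer.theirdomain.com"
    for label, zone in (("before cleanup", ZONE_BEFORE), ("after cleanup", ZONE_AFTER)):
        print(label, "SPF:", spf_check(zone, sub, sender_ip),
              "DMARC:", dmarc_disposition(zone, sub, sub, sender_ip))
    print("CNAMEs to audit:", dangling_cnames(ZONE_BEFORE, ["theirdomain.com"]))
```

The `dangling_cnames` helper is the check to run periodically: any CNAME under your domain whose target you no longer control is a candidate for exactly this failure mode, whether or not the target has already been re-registered.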

This underscores the importance of the following practices:

1. Regularly Auditing DNS Records

Outdated or unnecessary DNS records, especially CNAMEs, can create significant vulnerabilities. Conduct periodic audits of your DNS settings to identify and remove records that are no longer relevant or that point to untrusted third parties.

2. Monitoring DMARC Reports

DMARC reports provide invaluable insights into your email traffic. They can help you identify suspicious activity, such as spoofing attempts, and take corrective action promptly. Without DMARC monitoring, critical issues might go unnoticed, allowing attackers to exploit them.
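As an added example (not part of the original article and not EasyDMARC's tooling), here is a small reader for DMARC aggregate (RUA) reports in the XML layout of RFC 7489 Appendix C. The embedded report and the allow-list of sending networks are constructed; the second record mirrors the incident above: mail from an unknown IP was delivered (`disposition` none) for the subdomain on the strength of an SPF pass alone. The function flags any delivered row whose source is outside the networks you actually send from, which is the row a reviewer should investigate first.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed aggregate report (RFC 7489 Appendix C layout); org name, IPs, counts and report id are made up.
SAMPLE_REPORT = """<?xml version="1.0"?>
<feedback>
  <report_metadata>
    <org_name>receiver.example</org_name>
    <report_id>constructed-0001</report_id>
    <date_range><begin>1700000000</begin><end>1700086399</end></date_range>
  </report_metadata>
  <policy_published>
    <domain>theirdomain.com</domain><adkim>r</adkim><aspf>r</aspf><p>reject</p><pct>100</pct>
  </policy_published>
  <record>
    <row>
      <source_ip>198.51.100.10</source_ip><count>120</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated>
    </row>
    <identifiers><header_from>theirdomain.com</header_from></identifiers>
    <auth_results>
      <dkim><domain>theirdomain.com</domain><result>pass</result></dkim>
      <spf><domain>theirdomain.com</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <record>
    <row>
      <source_ip>203.0.113.5</source_ip><count>42</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>pass</spf></policy_evaluated>
    </row>
    <identifiers><header_from>servicelayer.theirdomain.com</header_from></identifiers>
    <auth_results>
      <spf><domain>servicelayer.theirdomain.com</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <record>
    <row>
      <source_ip>192.0.2.77</source_ip><count>9</count>
      <policy_evaluated><disposition>reject</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated>
    </row>
    <identifiers><header_from>theirdomain.com</header_from></identifiers>
    <auth_results><spf><domain>theirdomain.com</domain><result>fail</result></spf></auth_results>
  </record>
</feedback>
"""

# Constructed allow-list of the networks this organization really sends mail from.
KNOWN_SENDERS = [ipaddress.ip_network("198.51.100.0/24")]


def parse_records(xml_text):
    """Flatten each <record> of an aggregate report into a plain dict."""
    root = ET.fromstring(xml_text)
    out = []
    for rec in root.iter("record"):
        row = rec.find("row")
        evaluated = row.find("policy_evaluated")
        out.append({
            "source_ip": row.findtext("source_ip"),
            "count": int(row.findtext("count")),
            "disposition": evaluated.findtext("disposition"),
            "dkim": evaluated.findtext("dkim"),
            "spf": evaluated.findtext("spf"),
            "header_from": rec.findtext("identifiers/header_from"),
            "spf_domains": [d.text for d in rec.findall("auth_results/spf/domain")],
        })
    return out


def delivered_from_unknown_sources(xml_text, known_senders):
    """Rows that were delivered (disposition 'none') from an IP outside the known sending networks.

    A pass from an unknown source means some other infrastructure is currently
    authorized to send as your domain; rows already rejected are not returned.
    """
    flagged = []
    for rec in parse_records(xml_text):
        ip = ipaddress.ip_address(rec["source_ip"])
        if rec["disposition"] == "none" and not any(ip in net for net in known_senders):
            flagged.append(rec)
    return flagged


if __name__ == "__main__":
    for rec in delivered_from_unknown_sources(SAMPLE_REPORT, KNOWN_SENDERS):
        print(f"{rec['source_ip']} sent {rec['count']} messages as {rec['header_from']} "
              f"(spf={rec['spf']}, dkim={rec['dkim']}, spf domains={rec['spf_domains']})")
```

In practice the report arrives gzipped or zipped in the mailbox named by `rua=`; once unpacked, the same function runs over its XML. Sorting flagged rows by `count` and grouping by `header_from` makes a subdomain that suddenly starts passing SPF from an unfamiliar network stand out.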

If you need any assistance, feel free to contact the EasyDMARC support team at support@easydmarc.com.