Beyond DMARC: How Red Sift OnDMARC supports comprehensive DNS hygiene

Registrable domains and DNS play a crucial role in establishing online identity and trust, but their importance is often taken for granted. During new service setups, record updates are often overlooked, accumulating outdated entries. As infrastructure teams become increasingly overstretched,  services may be incorrectly shut down without proper cleanup, leaving behind a sprawl of records. These orphaned entries continue to delegate trust on behalf of your company, often necessarily and sometimes at a heightened risk to security

This results in DNS configuration drift—referring to the gradual changes or inconsistencies in DNS settings that occur over time due to manual updates, neglected maintenance, or misconfigurations—leading to significant cybersecurity and wider business risks. Earlier this year, we published our guide to the SubdoMailing campaign, where threat actors were abusing SPF records to authorize the sending of millions of emails disguised as legitimate domains and subdomains. 

In addition to allowing attackers to impersonate your legitimate domains, leftover DNS records can leave you vulnerable to domain takeovers that can be weaponized for a range of attacks including credential theft, phishing, defacement, and malware distribution—all under the guise of your company’s trusted domains.

In this blog, we’ll discuss one particular type of threat arising from unmanaged DNS records: cookie harvesting.

How a single dangling DNS record could lead to major issues

Example.com is a platform made up of several products and features under subdomains that all share the same logged-in cookie—a common yet insecure practice unintentionally facilitated by browser settings.

An attacker notices a subdomain is no longer in use but still has a dangling CNAME pointing to the previously used hosted service. Since this service has yet to implement ownership verification – a common oversight even from the biggest providers –  the attacker reclaims it,  effectively taking over the subdomain.

The attacker then initiates a campaign on social media targeting the platform’s followers, luring them to the compromised subdomain to harvest their logged cookies. Users who are not already logged in are directed to the legitimate login portal. With those cookies, the attacker can now impersonate users on the platform.

Among the affected users is an admin of the platform, granting the attacker full access to all data. The attacker can then sell the data to illegitimate and bad actors, extort the company to keep the breach hidden, or blackmail individual users with kompromat found in the exfiltrated data.

While this may seem like an extreme example, it’s a real threat that happens due to poor domain estate and DNS record management, an often challenging but critical cybersecurity task.

Domain management: A complex process

Before joining Red Sift as a Customer Engineer, Antony served as an Information Security Manager at a company that had accumulated hundreds of domains over years of mergers and acquisitions. Each acquisition brought with it its own unique collection of corporate, product, brand, and marketing domains. Like most companies, all domains were set to auto-renew, but with no regular process to review which domains were still required, the inventory continued to expand unchecked.

One project Antony led was inventorying all of the organization’s domains and DNS records, identifying all assets still in use under those domains, and cleaning up records and domains that were no longer needed.

This process took countless hours of work over six months and involved: 

  • Finding all domains across several registrars,
  • Collecting all DNS zones, 
  • Reviewing each record,
  • Categorizing and prioritizing records,
  • Identifying  responsible contacts as over the years many of the original requestors had since left the company, and
  • Coordinating with stakeholders to confirm which assets could be safely cleaned up or migrated.

How OnDMARC supports DNS and domain management

To streamline the challenge ahead, Antony introduced Red Sift OnDMARC into the company. OnDMARC simplifies the management of DMARC, SPF, and DKIM records,  ensuring email deliverability across the organization. With OnDMARC, Antony was able to easily identify which domains were still being actively used for sending emails, detect the systems used to send those emails, and clean up outdated sources that were no longer needed, rapidly achieving ‘p=reject’ for most of the organization’s domains.

Since then, Red Sift OnDMARC has introduced DNS Guardian which uses Certificate Transparency logs (CT logs) and other proprietary sources to automatically and continuously identify dangling DNS records and hijacked subdomains.

With DNS Guardian, Antony would have been made aware of the highest risk issues immediately, allowing him to focus on remediating critical vulnerabilities as soon as possible, minimizing the risk or impact of potential exploits.

Sign up today to learn more about Red Sift OnDMARC, now with DNS Guardian!

PUBLISHED BY

Red Sift

14 Nov. 2024

SHARE ARTICLE:

Categories

Recent Posts

VIEW ALL
Certificates

TLS certificates are changing: What you need to know

Red Sift

Executive summary: TLS certificates are about to get significantly shorter-lived. Starting 15 March 2026, newly issued public-trust certificates will max out at 200 days—and just three years later, that lifespan drops to 47 days. Backed by Google, Apple, and Mozilla, this shift aims to make the web safer through fresher data, faster failover, and…

Read more
DKIM

The hidden threat: How misconfigured DKIM enables replay attacks

Red Sift

Email authentication isn’t just an IT concern. It protects your brand and customers. A single misstep can let attackers spoof your domain, send phishing emails, and destroy customer trust. One of the most dangerous methods? The DKIM replay attack. In this post, we’ll break down how undersigned DKIM keys and related misconfigurations open your…

Read more
BIMI

Why DMARC and BIMI are a business priority

Jack Lilley

Email threats aren’t slowing down, and neither should your authentication strategy. In our recent joint webinar with Marigold, “From DMARC to BIMI: Navigating the New Email Authorization Landscape,” we broke down what today’s evolving standards mean for both security and marketing teams—and how to take action now with our free Red Sift Investigate tool.…

Read more
ASM

Zoom stops zooming: Why active monitoring is essential

Billy McDiarmid

​On April 16, 2025, Zoom experienced a significant global outage that disrupted video conferencing services and access to its website for thousands of users, as well as their corporate email for all their employees. It was quickly identified as a domain name registration status problem. Despite being a critical name for Zoom, somehow, the…

Read more