DNS is the foundation for DMARC: Understanding the overlap

When the threat of SubdoMailing was newly discovered, we wrote a comprehensive guide and worked to get our impacted customers remediated within 72 hours of the discovery being published by Guardio Labs.

We are proud of what we accomplished, but through the process, we also discovered that many people don’t fully understand the overlap of DMARC and DNS. Because of the widespread nature of SubdoMailing, it is critical that security teams understand how these two protocols are related to make sure their domain is protected.

Here, we aim to give a non-technical overview of DNS and DMARC to better illustrate the interdependencies of these core pillars of email security using a castle metaphor.

DNS is the foundation for DMARC

Domains, subdomains, DNS and DMARC are all deeply interconnected. Let’s first discuss each one of these topics independently, and then cover the overlap.

Domains and Subdomains

Imagine your company website is a castle, and your domain name is the main gate. The smaller buildings and courtyards outside the main gate are your subdomains. These subdomains are like side entrances, tunnels, and even hidden entrances to your castle. 

To help you visualize our castle metaphor, we asked DALL-E for some assistance

What’s DNS?

Now imagine the DNS (Domain Name System) as the castle’s map system. It helps visitors find the main entrance (domain) and other entrances (subdomains).

When someone asks, “Where is example.com?” the DNS translates this request into a specific location (IP address). This would be equivalent to guiding the visitor to the right place inside the castle.

Similarly, if someone asks for blog.example.com, the DNS provides the exact directions to the side entrance – in this case, the blog section.

When DNS works correctly, users effortlessly reach the desired website, just like finding the right entrance on a well-maintained castle map.

What’s DMARC? 

At Red Sift, we are big fans of DMARC (Domain-based Message Authentication, Reporting, and Conformance). Building on our metaphor of a castle and map, think of DMARC as the diligent guards who protect the castle from the wrong people entering and exiting.

How DMARC works

  • Verification: Just as the guards verify the identity of messengers claiming to represent the castle, DMARC verifies emails claiming to come from the domain. It ensures that the emails are genuinely from authorized senders and not from malicious imposters.
  • Policies for Action: The guards have specific policies for dealing with messengers based on the verification requirements the organization has set:
    • None: They let the messenger pass without any special action but note down their details for review.
    • Quarantine: They detain the messenger in a secure area for further inspection, ensuring no immediate harm is done.
    • Reject: They outright refuse entry to the messenger, ensuring no fake or malicious messages reach the castle.
  • Security: The guards protect the castle from receiving harmful or unwanted packages. In the digital world, DMARC adds a layer of security by preventing phishing attacks and email spoofing, ensuring that only verified emails reach their intended recipients.

The Overlap of DNS and DMARC

DMARC policies live in the DNS. DMARC checks DNS to verify the policy, sees if a given domain is allowed to send emails on your behalf (through SPF) and if it’s been tampered with (through DKIM).

Said another way – the castle map (DNS) guides the emails to the correct domain, while the diligent guards (DMARC) ensure that only legitimate emails gain access to the inbox.


Confused about DMARC? Check out our email security guide.

Exploiting Poor DNS Hygiene to Bypass DMARC

In the case of SubdoMailing, bad actors proved that even organizations with the highest levels of DMARC enforcement (p=reject) can still be victims to bad actors sending fraudulent mail from their domain if their DNS hygiene is poor.

Revisiting our metaphor one last time – what happens if the map is up to date but the guards have forgotten about one of the secret entrances and left it unlocked and unprotected? This is akin to poor DNS hygiene, where DNS records are not properly maintained, allowing cybercriminals to take control of these secret entrances and get past the guards undetected.

Poor DNS hygiene enables bad actors to bypass security measures and deliver malicious emails to unsuspecting recipients because it looks legitimate.

Introducing DNS Guardian – Now in Red Sift OnDMARC

We know with the SubdoMailing attack being widespread, bad actors are capitalizing on poor DNS hygiene. We are compelled to give our customers the tools they need to protect their domains from takeover, abuse, and supply chain attacks.

That’s why today, we are pleased to announce DNS Guardian – a new feature available in OnDMARC that helps users continuously monitor and manage DNS hygiene.

Get all the details on DNS Guardian here.

PUBLISHED BY

Rebecca Warren

25 Jun. 2024

SHARE ARTICLE:

Categories

Recent Posts

VIEW ALL
Thought Leadership

How the EU can mandate for stronger email security

Antony Seedhouse

Executive summary: The article examines how the EU can proactively close email security gaps by leveraging the NIS2 Directive to mandate robust, harmonized standards like DMARC, DKIM, and SPF across all member states. By acting now, the EU not only protects its digital ecosystem but also sets a global benchmark for cybersecurity best practices.…

Read more
News

Europe’s #1 for DMARC: Red Sift OnDMARC does it again

Francesca Rünger-Field

G2’s Summer 2025 Report has landed, and we’re proud to share that Red Sift OnDMARC remains the #1-rated DMARC solution in Europe. This marks another strong season for OnDMARC, with continued recognition across G2’s category reports. We were featured in 18 reports this quarter, taking top spots in the Mid-Market Results Index and Mid-Market…

Read more
Cybersecurity

Healthcare and cybersecurity: 73% of breaches lack DMARC enforcement

Faisal Misle

The healthcare sector has become a target for both low-level and occasionally spectacularly successful cyberattacks. Hospitals, insurers, medical supply chains, service and medical providers are prime targets for threat actors, with email phishing attacks, ransomware, and data breaches on the rise. In 2024, 94% of U.S. healthcare organizations experienced a cyberattack, with the average…

Read more
BIMI

VMC and CMC: What are the new requirements?

Jack Lilley

Executive Summary: Staying updated on Verified Mark Certificates (VMCs) and Certified Mark Certificates (CMCs) is crucial for organizations aiming to authenticate their logos and enhance brand trust in email communications. Discover the key changes in the latest security requirements and compare the differences between VMCs and CMCs.​ This article: Introduction Verified Mark Certificates (VMCs) and…

Read more