DNS is the foundation for DMARC: Understanding the overlap

When the threat of SubdoMailing was newly discovered, we wrote a comprehensive guide and worked to get our impacted customers remediated within 72 hours of the discovery being published by Guardio Labs.

We are proud of what we accomplished, but through the process, we also discovered that many people don’t fully understand the overlap of DMARC and DNS. Because of the widespread nature of SubdoMailing, it is critical that security teams understand how these two protocols are related to make sure their domain is protected.

Here, we aim to give a non-technical overview of DNS and DMARC to better illustrate the interdependencies of these core pillars of email security using a castle metaphor.

DNS is the foundation for DMARC

Domains, subdomains, DNS and DMARC are all deeply interconnected. Let’s first discuss each one of these topics independently, and then cover the overlap.

Domains and Subdomains

Imagine your company website is a castle, and your domain name is the main gate. The smaller buildings and courtyards outside the main gate are your subdomains. These subdomains are like side entrances, tunnels, and even hidden entrances to your castle. 

To help you visualize our castle metaphor, we asked DALL-E for some assistance

What’s DNS?

Now imagine the DNS (Domain Name System) as the castle’s map system. It helps visitors find the main entrance (domain) and other entrances (subdomains).

When someone asks, “Where is example.com?” the DNS translates this request into a specific location (IP address). This would be equivalent to guiding the visitor to the right place inside the castle.

Similarly, if someone asks for blog.example.com, the DNS provides the exact directions to the side entrance – in this case, the blog section.

When DNS works correctly, users effortlessly reach the desired website, just like finding the right entrance on a well-maintained castle map.

What’s DMARC? 

At Red Sift, we are big fans of DMARC (Domain-based Message Authentication, Reporting, and Conformance). Building on our metaphor of a castle and map, think of DMARC as the diligent guards who protect the castle from the wrong people entering and exiting.

How DMARC works

  • Verification: Just as the guards verify the identity of messengers claiming to represent the castle, DMARC verifies emails claiming to come from the domain. It ensures that the emails are genuinely from authorized senders and not from malicious imposters.
  • Policies for Action: The guards have specific policies for dealing with messengers based on the verification requirements the organization has set:
    • None: They let the messenger pass without any special action but note down their details for review.
    • Quarantine: They detain the messenger in a secure area for further inspection, ensuring no immediate harm is done.
    • Reject: They outright refuse entry to the messenger, ensuring no fake or malicious messages reach the castle.
  • Security: The guards protect the castle from receiving harmful or unwanted packages. In the digital world, DMARC adds a layer of security by preventing phishing attacks and email spoofing, ensuring that only verified emails reach their intended recipients.

The Overlap of DNS and DMARC

DMARC policies live in the DNS. DMARC checks DNS to verify the policy, sees if a given domain is allowed to send emails on your behalf (through SPF) and if it’s been tampered with (through DKIM).

Said another way – the castle map (DNS) guides the emails to the correct domain, while the diligent guards (DMARC) ensure that only legitimate emails gain access to the inbox.

Confused about DMARC? Check out our email security guide.

Exploiting Poor DNS Hygiene to Bypass DMARC

In the case of SubdoMailing, bad actors proved that even organizations with the highest levels of DMARC enforcement (p=reject) can still be victims to bad actors sending fraudulent mail from their domain if their DNS hygiene is poor.

Revisiting our metaphor one last time – what happens if the map is up to date but the guards have forgotten about one of the secret entrances and left it unlocked and unprotected? This is akin to poor DNS hygiene, where DNS records are not properly maintained, allowing cybercriminals to take control of these secret entrances and get past the guards undetected.

Poor DNS hygiene enables bad actors to bypass security measures and deliver malicious emails to unsuspecting recipients because it looks legitimate.

Introducing DNS Guardian – Now in Red Sift OnDMARC

We know with the SubdoMailing attack being widespread, bad actors are capitalizing on poor DNS hygiene. We are compelled to give our customers the tools they need to protect their domains from takeover, abuse, and supply chain attacks.

That’s why today, we are pleased to announce DNS Guardian – a new feature available in OnDMARC that helps users continuously monitor and manage DNS hygiene.

Get all the details on DNS Guardian here.


Rebecca Warren

25 Jun. 2024



Recent Posts


Introducing DNS Guardian: Stop impersonation and spam caused by domain takeovers 

Rahul Powar

tl;dr: We’re thrilled to announce DNS Guardian — a new feature in Red Sift OnDMARC that can swiftly identify and stop domain takeovers that lead to malicious mail. Back in February, we shared updates with the community about SubdoMailing – an attack discovered by Guardio Labs. The attack was a form of subdomain takeover,…

Read more

Navigating the Information Security Landscape: ISO 27001 vs. SOC 2

Red Sift

As cyber threats evolve, so do the standards and frameworks designed to combat them. Two of the most recognized standards in information security are ISO 27001 and SOC 2. What sets them apart, and which one is right for your organization? Let’s delve into the key differences. Purpose and Scope: Global Framework vs. Client-Centric…

Read more

G2 Summer 2024 Report: Red Sift OnDMARC’s Winning Streak Continues

Francesca Rünger-Field

We’re delighted to announce that Red Sift OnDMARC has again been named a Leader in G2’s DMARC category for Summer 2024. This recognition is based on our high Customer Satisfaction scores and strong market presence. Red Sift appeared in 11 reports – 5 new ones since Spring 2024! – earning 5 badges: A few…

Read more

Google will no longer trust Entrust certificates from October 2024

Red Sift

Tl;dr: Google has announced that as of October 31, 2024, Chrome will no longer trust certificates signed by Entrust root certificates. While there is no immediate impact on existing certificates or those issued before 31st October 2024, organizations should start reviewing their estate now. On Thursday 27th June 2024, Google announced that it had…

Read more

Understanding the polyfill.io domain attack

Francesca Rünger-Field

tl;dr: The recent compromise of the polyfill.io domain has triggered a broad-reaching web supply chain attack, impacting over 100,000 websites across various sectors including finance, healthcare, non-profits, academia, and more. To ensure the security of your website, we strongly advise you immediately remove any reference to polyfill.io. Latest update: 27th June 2024 Sansec, a…

Read more