What are the issues with DMARC service companies and cousin domains?
Michael Ko
Co-founder & CEO, Suped
Published 31 May 2025
Updated 16 Aug 2025
10 min read
Email security is a constant battle, and DMARC (Domain-based Message Authentication, Reporting, and Conformance) has emerged as a crucial tool in this fight. It helps organizations protect their domains from unauthorized use, such as spoofing and phishing, by specifying how recipient mail servers should handle unauthenticated emails purporting to come from their domain. However, even with robust DMARC policies in place, challenges remain, particularly when dealing with the nuanced world of DMARC service companies and the persistent threat of cousin domains.
Many organizations turn to DMARC service providers to navigate the complexities of implementation, monitoring, and reporting. These services promise to simplify the process, offering tools for DMARC record generation, aggregate report analysis, and forensic report (RUF) management. While invaluable, reliance on these services can introduce its own set of considerations, especially if not managed transparently or if the provider's own practices are questionable. The goal is to enhance security, not inadvertently create new vulnerabilities or compliance headaches.
One of the most insidious threats that DMARC, even with the aid of a service provider, struggles to fully mitigate is the use of 'cousin domains' (also known as lookalike domains). These are domains intentionally registered by malicious actors to closely resemble legitimate brands, often by substituting characters (e.g., 'example.com' becoming 'exampl3.com' or 'example-co.com'). Because these are technically distinct domains, DMARC policies set on your primary domain do not directly apply to them, leaving a significant gap in your email security posture.
Understanding these intertwined issues is critical for any organization serious about protecting its brand, its employees, and its customers from email-borne threats. It’s not just about setting up a DMARC record, but about a holistic approach to email security that accounts for both the capabilities and limitations of existing protocols and services.
DMARC service companies primarily aim to simplify the deployment and ongoing management of DMARC for organizations. They collect and process the aggregate (RUA) and forensic (RUF) reports generated by recipient mail servers, transforming complex XML data into user-friendly dashboards and actionable insights. This reporting is essential for identifying legitimate email streams that might be failing authentication and, conversely, detecting fraudulent attempts to spoof your domain. Without a service, manually parsing these reports is incredibly challenging, especially for domains with high email volumes. These services often provide assistance with DMARC implementation, helping to achieve a p=reject policy.
However, the landscape of DMARC service providers isn't without its issues. Some companies, despite promoting email security, might engage in less-than-ideal practices themselves. I’ve personally observed instances where DMARC service companies use questionable tactics, such as scraping websites for contact information and then sending unsolicited emails from cousin domains. This behavior is ironic, as it directly undermines the very principles of trust and authentication that DMARC is designed to uphold. Such practices can damage the reputation of the sending domain and contribute to broader spam problems, despite potentially having a p=reject policy on their legitimate domains.
The core issue here isn't DMARC itself, but the ethical and operational standards of some providers. If a company that advises on email security resorts to tactics like sending marketing emails from cousin domains or without proper unsubscribe mechanisms, it signals a deeper misunderstanding or disregard for email best practices. This can lead to your legitimate emails being mistakenly blocklisted (or blacklisted), despite your best efforts to maintain good sender reputation. This further complicates the already challenging process of troubleshooting DMARC failures.
Choosing a DMARC partner
When evaluating a DMARC service company, look beyond just their technical capabilities. Investigate their own email sending practices and ensure they align with the principles of ethical email marketing and security. A reputable provider should be a role model for the standards they advocate.
Understanding cousin domains
Cousin domains are a significant blind spot for DMARC. While DMARC is highly effective at preventing direct domain spoofing, where an attacker sends email directly from your actual domain, it provides no protection against emails sent from a visually similar, but technically distinct, domain. Cybercriminals exploit this by registering domains that are subtly different from your legitimate one, such as 'micros0ft.com' instead of microsoft.com, or 'appl-e.com' instead of apple.com. Recipients, especially on mobile devices, often overlook these minor discrepancies.
The reason DMARC falls short here is fundamental. DMARC works by verifying the 'From' domain in an email against the domain used in the SPF (Sender Policy Framework) and DKIM (DomainKeys Identified Mail) authentication checks. If an email from a cousin domain like 'exampl3.com' successfully authenticates via SPF and DKIM for 'exampl3.com', DMARC passes for that domain. It doesn't, and can't, know that 'exampl3.com' is trying to impersonate 'example.com'. This means that an email from a cousin domain, even if it's clearly a phishing attempt, can still land in an inbox without triggering a DMARC failure on your legitimate domain. As one source puts it, DMARC "cannot block all types of phishing, such as cousin domains." This blog post from CISecurity.org explains more.
This gap highlights a critical area where organizations must go beyond standard DMARC implementation. While DMARC is foundational for direct domain protection, a separate strategy is needed to combat cousin domain abuse. This can involve proactive monitoring for new registrations of similar domains, registering them yourself to prevent malicious use, or employing advanced threat intelligence solutions that specifically track and flag such lookalike attempts. Fraudmarc.com elaborates on what DMARC can't do regarding this issue.
Direct domain spoofing
Threat: Attacker attempts to send emails using your exact domain (e.g., mail@yourdomain.com).
DMARC effectiveness: Highly effective. DMARC policies (quarantine, reject) tell recipients how to handle unauthenticated emails.
Protection: Ensures only authorized senders can use your domain's email identity.
Cousin domain attacks
Threat: Attacker registers a similar-looking domain (e.g., yourd0main.com) to trick recipients.
DMARC effectiveness: Minimal. DMARC policies on your primary domain do not apply to these separate domains.
Protection: Requires proactive monitoring and protection of lookalike domains.
The intersection of DMARC services and cousin domains
The intersection of DMARC service companies and cousin domains creates a peculiar dilemma. While DMARC services are invaluable for gaining visibility into your domain's email ecosystem and enforcing authentication, their utility is largely confined to your *owned* domains. They excel at processing reports for your legitimate domains, helping you improve deliverability and combat direct spoofing. However, they typically don't offer built-in solutions for actively tracking or shutting down cousin domains, as these are often outside your direct control or ownership.
Moreover, the concern arises when, as mentioned earlier, DMARC service companies themselves might employ cousin domains for their own marketing activities. This can be problematic if their sending practices on these lookalike domains are not up to par. For example, if they send unsolicited emails from a domain like 'suped-security.com' to prospects without clear consent, even if 'suped.com' has a strong DMARC policy, it tarnishes the overall reputation and trustworthiness of a company promoting email security. It creates a confusing double standard.
This highlights a fundamental misunderstanding, or perhaps a calculated risk, on the part of some service providers. While a p=reject policy on a legitimate domain is crucial, it doesn't excuse sending spam or using deceptive practices on any domain, cousin or otherwise. Such actions can lead to the DMARC service provider's own IPs or domains ending up on a blocklist (or blacklist), impacting their own deliverability and potentially the trust of their clients.
Beware of questionable practices
If a DMARC service provider engages in email practices that contradict the very security principles they advocate, such as sending unsolicited emails from cousin domains or omitting required unsubscribe links, it's a major red flag. This undermines their credibility and could inadvertently impact your own email reputation through association or by setting a poor example.
Beyond DMARC: comprehensive domain protection
Given DMARC's limitations with cousin domains, a truly comprehensive email security strategy must extend beyond traditional DMARC deployment. It requires a multi-layered approach that combines strong authentication with proactive brand protection and ongoing vigilance. Simply relying on a DMARC service, while beneficial for your primary domains, won't fully protect you from the evolving tactics of cybercriminals.
One key step is to proactively monitor for and, if feasible, register common misspellings or typographical variations of your own domain name. This practice, known as defensive domain registration, can prevent bad actors from acquiring these lookalike domains in the first place. For domains that are already registered by others, you may need to explore legal avenues or specialized brand protection services to address blatant impersonation. Investing in understanding your domain reputation is also crucial.
Furthermore, educate your employees and customers about phishing threats, especially those involving cousin domains. Training should emphasize checking email sender addresses carefully, looking for subtle inconsistencies, and never clicking on suspicious links. Technology solutions like email security gateways with advanced threat detection capabilities can also help identify and block emails from known or suspected cousin domains, even if they pass basic DMARC checks for their own domain. These combined efforts are essential to combatting phishing attacks.
Still foundational. Reinforced by consistent sender authentication.
Cousin domain attacks
No direct protection as they are separate domains.
Requires proactive monitoring, defensive registration, and user education.
Email deliverability
Improved by proper DMARC alignment.
Enhanced by DMARC, clean email lists, relevant content, and monitoring domain reputation.
Brand reputation
Protected from direct spoofing attacks.
Protected by DMARC, anti-phishing measures, and vigilant brand monitoring.
Views from the trenches
Best practices
Regularly audit your DMARC aggregate reports to identify legitimate email sources failing authentication, ensuring all senders are properly configured.
Proactively register common misspellings and typographical variations of your brand's domain to prevent malicious actors from acquiring them for phishing.
Implement strong internal policies and employee training programs to educate staff on identifying and reporting phishing emails, especially those from cousin domains.
Use a combination of email authentication (SPF, DKIM, DMARC) with advanced email security gateways that can detect and filter emails from suspicious lookalike domains.
Common pitfalls
Over-relying on DMARC service companies without scrutinizing their own email sending practices; some may use less-than-ideal methods.
Assuming DMARC alone will protect against all forms of email impersonation; it does not inherently cover cousin domains or display name spoofing.
Neglecting to monitor for new cousin domain registrations, leaving a significant vulnerability for phishing campaigns.
Failing to educate users on the subtle differences between legitimate domains and lookalike domains, making them susceptible to social engineering attacks.
Expert tips
For large organizations with many domains, consider automating DMARC record management and cousin domain monitoring to scale your protection efforts efficiently.
Beyond technology, foster a security-aware culture where employees feel empowered to question suspicious emails and report them immediately.
Collaborate with your DMARC service provider to understand how they handle their own marketing and outreach, ensuring their practices align with your security standards.
Regularly review your DMARC policy for each domain, starting with `p=none` for monitoring, then progressing to `p=quarantine` or `p=reject` only after thorough analysis.
Marketer view
Marketer from Email Geeks says they were frustrated by a DMARC service company scraping websites for email addresses and spamming them without proper unsubscribe links or postal addresses. They noted the irony of an email security company failing to adhere to basic email best practices.
2022-03-02 - Email Geeks
Marketer view
Marketer from Email Geeks says they hope the marketing domains used by such companies are at least implementing DMARC for their own sending practices.
2022-03-02 - Email Geeks
Strengthening your email security
While DMARC provides a powerful defense against email spoofing and phishing for your owned domains, it’s not a silver bullet against all threats, especially those involving cousin domains. DMARC service companies are crucial partners in managing and interpreting your DMARC reports, helping you maintain a healthy email ecosystem and enforce strong authentication policies. However, it’s important to select a partner whose own practices align with the highest standards of email security and deliverability.
To truly protect your brand and users, you must complement DMARC with strategies to combat cousin domains. This includes proactive monitoring, defensive domain registration, and robust user education. By taking a holistic approach, organizations can build a resilient email security posture that defends against both direct domain abuse and the deceptive tactics of lookalike domains, ensuring your messages reach the inbox and your brand remains trusted.
microsoft.com, or 'appl-e.com' instead of 
apple.com. Recipients, especially on mobile devices, often overlook these minor discrepancies.
