Why do security teams sometimes prefer cousin domains over subdomains for marketing emails?

Security teams might suggest cousin domains to isolate the potential negative impact of marketing emails (e.g., high spam complaints, blocklisting) from the primary corporate domain. The idea is to contain any reputational damage to a less critical, separate domain.

Are subdomains or cousin domains better for email marketing deliverability?

Subdomains are generally the recommended approach for email marketing. They allow you to maintain a consistent brand identity while still segmenting your email traffic and managing reputation for different sending purposes. Proper authentication with DMARC provides effective protection.

What are the primary risks of using cousin domains for legitimate email marketing?

Cousin domains can confuse recipients, leading to lower engagement and higher spam complaints because they might appear to be phishing attempts. They also undermine brand trust and consistency, as recipients might not immediately recognize the sender as legitimate. Additionally, they can still be linked back to the main brand by mailbox providers, impacting overall reputation.

How can security and marketing teams align on email domain strategy?

Collaboration is key. Security and marketing teams should work together to understand the technical aspects of email deliverability, implement strong email authentication protocols (SPF, DKIM, DMARC) on branded subdomains, and establish clear guidelines for email sending practices. This protects the brand while allowing marketing to operate effectively.

Why do security teams allow cousin domains for email marketing instead of subdomains? - Technical - Email deliverability - Knowledge base

It's a common scenario. Marketing teams want to send emails that look like they're directly from the company, using the brand's primary domain or a direct subdomain. Security teams, however, often push back, sometimes suggesting an alternative: a cousin domain. This can be perplexing, especially when the company's security mandate includes brand protection. Why would security, which aims to protect the brand, seemingly allow a less intuitive, potentially riskier option for email marketing?

The core of this paradox lies in differing priorities and, at times, a misunderstanding of how email deliverability and reputation truly function. While marketing prioritizes reach and brand consistency, security often focuses on minimizing attack surface and containing potential damage. Let's delve into why this approach to email domains sometimes takes root within organizations and what the real implications are.

The security team's reluctance

Security teams are inherently cautious. They are tasked with protecting the organization's most critical assets, including its primary domain reputation and infrastructure. When it comes to email, the main concern is preventing abuse like phishing, spoofing, and malware distribution, which could directly impact employees, customers, and partners. Using the main domain, yourcompany.com, or a close subdomain like marketing.yourcompany.com, for mass marketing can introduce perceived risks.

Email marketing, by its nature, involves sending large volumes of mail, which can be prone to higher spam complaint rates or engagement issues. If these campaigns perform poorly, the associated domain's sender reputation can suffer. A damaged reputation can lead to emails landing in spam folders or being blocklisted (blacklisted), not just for marketing emails, but potentially for critical transactional or internal communications as well. For security, this risk to the core business communication is a significant concern. To mitigate this, some security teams prefer to isolate marketing email sending to a completely separate, less critical domain.

There's also a perception that giving marketing teams control over DNS records or sending from subdomains of the main corporate domain introduces potential attack vectors. While subdomains are a standard best practice for reputation isolation, some security teams might view any connection to the main domain as a vulnerability. They might lack a deep understanding of email authentication protocols like SPF, DKIM, and DMARC which, when properly configured, provide robust protection even for subdomains.

The appeal of cousin domains

A cousin domain, also known as a lookalike or typo-squatted domain, is a domain that is visually similar to a legitimate brand's domain, often differing by a single character or a common misspelling. For example, if your company is yourcompany.com, a cousin domain might be your-company.com or yourrcompany.com. While typically associated with malicious activities like phishing, some security teams mistakenly see them as a way to completely detach marketing email risk from the primary brand. The idea is that if something goes wrong with marketing emails, it only impacts the cousin domain, not the main corporate one.

This approach, while seemingly logical from a pure risk isolation standpoint, often stems from an incomplete understanding of email deliverability and brand reputation. It's an out of sight, out of mind mentality. By pushing marketing to a cousin domain, security teams might feel they are offloading potential deliverability headaches and blocklisting incidents to a non-critical asset. This also means they don't have to deal with the complexities of managing DNS records for a subdomain within their tightly controlled infrastructure. They simply say, Here's a new domain, do what you need with it.

Example cousin domain

Common cousin domain examplesplaintext

your-company.com
company.net
yourcornpany.com (using 'rn' instead of 'm')

The perceived benefit is a clean separation of concerns and a clear line of responsibility. If marketing-messages.yourcompany.com is blocklisted, it impacts only marketing emails. If your-c0mpany.com (a cousin domain) gets blocklisted, it's still not the primary domain. This reasoning, however, overlooks critical aspects of brand security and user trust, which we'll explore next.

The hidden costs of 'risk isolation'

While cousin domains might seem like a simple solution for isolating risk, they introduce a host of new problems that often outweigh the perceived benefits. Firstly, cousin domains are inherently problematic for brand protection. They are the very tool that spammers and phishers use to trick recipients into believing an email is legitimate. By using a cousin domain, the company itself is adopting a tactic commonly associated with malicious actors. This can sow confusion among recipients and erode trust, even if the emails are legitimate marketing communications. Instead of enhancing brand credibility, it can inadvertently diminish it.

Secondly, using a cousin domain for marketing emails makes it harder for recipients to immediately recognize your brand. A clear subdomain, like newsletter.yourcompany.com, reinforces brand identity and builds sender trust over time. A slightly off-brand cousin domain, however, can trigger suspicion. Users might be hesitant to open, click, or even mark the email as spam, believing it to be a phishing attempt. This directly undermines marketing's goal of engagement and deliverability. M3AAWG strongly discourages the use of cousin domains for these very reasons.

Furthermore, relying on cousin domains doesn't eliminate the need for proper email authentication and reputation management. A poorly managed cousin domain can still get blocklisted, which can then be associated with your main brand by email service providers (ESPs) and recipients. In fact, it might even be scrutinized more heavily by spam filters precisely because it resembles a phishing domain. It creates a false sense of security while potentially making deliverability challenges more complex to diagnose and resolve.

Subdomains

Security control: Managed by IT, ensuring proper authentication setup.
Brand perception: Clearly linked to the main brand, fostering trust.
Reputation: Can be isolated through careful management and proper sub-domain practices.

Cousin domains

Security control: Often outside IT's direct oversight, increasing risk.
Brand perception: Can look suspicious, eroding recipient trust.
Reputation: Higher risk of being flagged as spam or blocklisted, impacting overall brand.

The idea of using cousin domains for marketing is a classic example of a security measure that, while well-intentioned, can create more problems than it solves. It sacrifices brand consistency and trust for a perceived, but often illusionary, isolation of risk. A more constructive approach involves collaboration between marketing and security to implement robust email authentication and best practices on a brand-aligned subdomain.

Achieving security and marketing alignment

Instead of resorting to cousin domains, organizations should foster better communication and shared understanding between security and marketing teams. The best practice, widely adopted by email deliverability experts, is to use purpose-specific subdomains for different email streams (e.g., marketing, transactional, operational). This allows for reputation isolation while maintaining brand consistency. With proper DMARC policies in place, even if a marketing subdomain faces deliverability issues, the impact on the main domain's reputation can be effectively mitigated. The basics of email subdomains show how they work to segment email traffic.

Security teams should focus on implementing robust email authentication for all sending domains and subdomains, ensuring that SPF, DKIM, and DMARC are correctly configured. This includes setting up DMARC policies at quarantine or reject to actively protect against spoofing and phishing attempts, regardless of whether a subdomain or cousin domain is used. By doing so, they can protect the brand while still allowing marketing to maintain a consistent identity.

The path to unified email security and deliverability

Educate security teams: Explain the nuances of email deliverability and how subdomains, combined with strong authentication, offer effective risk segmentation without sacrificing brand trust.
Implement DMARC properly: Ensure that all legitimate sending domains and subdomains have robust DMARC policies in place.
Monitor blocklists (blacklists): Regularly check all sending domains (including subdomains) for blocklist appearances using a blocklist checker.

Ultimately, the goal for both security and marketing should be to ensure legitimate emails reach their intended recipients while protecting the brand from abuse. This is best achieved through transparent communication, adherence to email best practices, and leveraging the power of subdomains with strong authentication, rather than retreating to the false security of cousin domains.

Views from the trenches

Best practices

Ensure that marketing and security teams collaborate closely on email sending strategy.

Implement strong DMARC policies on all corporate domains and subdomains.

Use clear, branded subdomains for different email types (e.g., marketing, transactional).

Common pitfalls

Allowing marketing to use cousin domains, which can erode brand trust and increase phishing risk.

Security teams not understanding the nuances of email deliverability and authentication.

Lack of consistent monitoring for domain reputation across all sending assets.

Expert tips

Implement a DMARC policy with a quarantine or reject action for your main domain to protect against spoofing.

Regularly review DMARC reports to identify potential abuse of your brand's domains, including cousin domains.

Conduct periodic training for both marketing and security on email authentication and deliverability best practices.

Marketer view

Marketer from Email Geeks says that security people often suggest cousin domains because they believe marketing teams will not adhere to security guidelines regarding email sending.

2021-09-29 - Email Geeks

Marketer view

Marketer from Email Geeks says that this strategy allows security to keep potential deliverability and blocklisting issues outside their immediate area of responsibility.

2021-09-29 - Email Geeks

Finding common ground

The choice between cousin domains and subdomains for email marketing highlights a crucial area where security and marketing goals can appear to conflict. While security teams may see cousin domains as a way to compartmentalize risk, this approach can inadvertently undermine brand trust and create deliverability challenges.

Ultimately, a more informed and collaborative strategy, one that leverages the power of subdomains with robust email authentication, offers a path to both strong security posture and effective, on-brand email marketing. It's about finding common ground and working together to protect the brand's reputation comprehensively.