What should I do if I see bad reputation foreign IPs associated with my domain in Google Postmaster Tools but no other issues?
Michael Ko
Co-founder & CEO, Suped
Published 12 Jul 2025
Updated 17 Aug 2025
6 min read
Discovering bad reputation foreign IPs associated with your domain in Google Postmaster Tools (GPT) can be perplexing, especially when other indicators, like DMARC reports, show everything is in order and your email deliverability seems unaffected. It's a scenario that often raises more questions than answers: if DMARC is passing and my emails are landing, what's causing these alarming reports in GPT?
This situation points to a specific, often stealthy, type of email abuse that leverages your domain's credibility without directly compromising your primary sending infrastructure. While it might seem like a phantom problem, it's crucial to understand the underlying cause to safeguard your sender reputation and prevent potential future deliverability issues. Let's explore why this happens and what steps you can take.
The GPT paradox: bad IPs, good DMARC
Google Postmaster Tools provides valuable insights into your email performance, your sender reputation, and your compliance with Google's email sending guidelines. It typically reports on traffic that successfully authenticates against your domain's SPF or DKIM records. This is why seeing foreign IP addresses with a poor (bad) reputation associated with your domain in GPT, especially when your DMARC reports show proper authentication, is so confusing.
One would generally expect that if these IPs were genuinely impacting your domain, your DMARC reports would flag unauthenticated mail, or your primary domain reputation would plummet. When your main email flow remains healthy and DMARC shows passing results, however, it suggests that the foreign IPs are exploiting a subtle weakness that GPT detects but that your DMARC policy (especially if set to p=none) is not actively blocking.
It's important to remember that Google Postmaster Tools provides specific insights into how Google views your domain's email traffic. If GPT shows IPs that are not part of your sending infrastructure, it signals that some traffic claiming to be from your domain is indeed reaching Google's mail servers, even though it isn't coming from your usual senders.
The hidden threat: understanding subdomailing
The most probable explanation for this anomaly is what's known as subdomailing, also referred to as subdomain squatting or subdomain hijacking. This attack vector involves malicious actors finding and exploiting vulnerable subdomains of your main domain. Often, these are older, forgotten, or misconfigured subdomains with CNAME records pointing to a service that is no longer active or has been taken over by spammers.
When a CNAME points to a domain under a spammer's control, they can then configure that domain to send emails as your subdomain, complete with valid SPF and DKIM authentication for that specific subdomain. This allows them to effectively piggyback on your root domain's reputation for initial inbox placement, even if the content is spammy, leading to the bad IP reputation showing up in GPT.
What is subdomailing?
Subdomailing is a technique where attackers exploit a misconfigured or forgotten CNAME record of a subdomain. This record points to an external service, which the attacker then gains control over. They can then send emails using your subdomain, often with valid authentication, making it difficult for standard DMARC policies to detect if they are not explicitly configured for subdomain monitoring. This sophisticated form of spoofing allows bad actors to bypass initial email filters by leveraging your domain's trust.
The first step is to identify which subdomain, if any, might be compromised. While the specific tool mentioned in the user's scenario (Guardio's Subdomailing Checker Tool) is external, the principle involves looking for unusual CNAME records that point to external, potentially untrusted, services. You'll need to review your Domain Name System (DNS) records thoroughly for any CNAME entries that shouldn't be there or point to unfamiliar destinations.
If you find such a CNAME, the immediate action is to remove it. This breaks the link that the attacker is using to send mail under your subdomain's authority. This type of incident underscores the importance of rigorous DNS record management. Even if your domain's reputation appears stable, prolonged abuse of a subdomain could eventually impact your overall sender trust.
Resolving a subdomailing compromise
Problem
Misconfigured CNAME: A subdomain's CNAME record points to an old or compromised service.
Unauthorized sending: Spammers exploit this CNAME to send DMARC-passing email.
GPT reputation hit: Google Postmaster Tools reports bad IPs, indicating spam traffic.
Solution
DNS audit: Identify any suspicious CNAME records in your DNS configuration.
Remove CNAME: Immediately delete or correct the malicious CNAME entry.
Monitor GPT: Observe GPT for resolution of bad IP reports related to those foreign IPs.
To identify these CNAME records, you can use a simple DNS lookup tool. Here's an example command you might use on a Unix-like system:
Example DNS CNAME lookup (bash):
dig CNAME yoursubdomain.yourdomain.com
Replace yoursubdomain.yourdomain.com with the subdomain you want to check. Look for any unexpected CNAME entries pointing to domains or services you don't recognize or no longer use.
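To make that lookup systematic across a whole zone, here is an added Python example (not from the article or from Suped) that audits a DNS zone export for CNAMEs pointing at targets you have not explicitly approved and, through an injectable resolver, separates targets that no longer resolve from live third parties that still need review. The domain names, the zone export and the resolver stub are all constructed.

```python
"""Added example (not from the Suped article): audit a DNS zone export for
CNAME records that point at third-party targets and flag the ones whose target
no longer resolves (the dangling CNAME that subdomailing abuses)."""
import re

# Constructed zone export in BIND presentation format (hypothetical domain).
ZONE_EXPORT = """
www.example-corp.test.       300 IN CNAME example-corp.test.
blog.example-corp.test.      300 IN CNAME blogplatform.example-host.test.
promo2019.example-corp.test. 300 IN CNAME promo2019.old-saas-provider.test.
mail.example-corp.test.      300 IN A     192.0.2.10
"""

# CNAME targets we own or still have a live contract with (constructed list).
APPROVED_TARGETS = {"example-corp.test", "blogplatform.example-host.test"}

CNAME_RE = re.compile(r"^(\S+)\s+\d+\s+IN\s+CNAME\s+(\S+)$", re.IGNORECASE)


def parse_cnames(zone_text):
    """Return (owner, target) pairs for every CNAME line, lowercased, no trailing dot."""
    pairs = []
    for line in zone_text.splitlines():
        m = CNAME_RE.match(line.strip())
        if m:
            pairs.append((m.group(1).rstrip(".").lower(), m.group(2).rstrip(".").lower()))
    return pairs


def audit_cnames(zone_text, approved, resolves):
    """Classify each CNAME as ok / dangling / review.
    `resolves(name)` is injected so the audit can use a real lookup (for example
    socket.gethostbyname in a try/except) or an offline stub. A target that a
    spammer has re-registered still resolves, so 'review' entries matter too."""
    findings = []
    for owner, target in parse_cnames(zone_text):
        if target in approved:
            status = "ok"
        elif not resolves(target):
            status = "dangling"   # nobody answers for it: claimable by anyone
        else:
            status = "review"     # live third party that nobody approved
        findings.append((owner, target, status))
    return findings


def demo_resolver(name):
    """Constructed stand-in for DNS: the old SaaS host no longer exists."""
    return not name.endswith("old-saas-provider.test")


if __name__ == "__main__":
    for owner, target, status in audit_cnames(ZONE_EXPORT, APPROVED_TARGETS, demo_resolver):
        print(status, owner, "->", target)
```

Against the constructed export, `promo2019` is reported as dangling; a target re-registered by a spammer would instead show as `review`, which is why unapproved live targets deserve the same scrutiny.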
Preventing future subdomailing attacks
Preventing subdomain hijacking requires ongoing vigilance. Regular audits of your DNS records are crucial, ensuring that all entries are current and legitimate. Pay close attention to any CNAME records, especially those pointing to external services. If a service is decommissioned, make sure to remove or update any associated DNS entries for subdomains.
Implementing a strict DMARC policy, moving beyond p=none to p=quarantine or p=reject, is also a powerful defense. This ensures that even if a subdomain is compromised, emails failing DMARC authentication (which they would if not properly set up by the attacker) are either moved to spam or rejected, preventing them from reaching recipients' inboxes and impacting your overall domain reputation. Regular blocklist (or blacklist) monitoring can also alert you to potential issues.
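As an added example (not part of the article), the following Python checks a _dmarc TXT record for whether mail from subdomains is actually enforced. It relies on the DMARC sp tag from RFC 7489, which sets a separate policy for subdomains and falls back to p when absent; both records below are constructed.

```python
"""Added example (not from the Suped article): evaluate a _dmarc TXT record
for how it treats subdomain mail. Caveat: mail carrying valid SPF/DKIM for a
hijacked subdomain passes DMARC whatever the policy, so this complements the
CNAME audit rather than replacing it."""

# Constructed records: the weak one only monitors; the hardened one enforces.
WEAK_RECORD = "v=DMARC1; p=none; rua=mailto:dmarc-reports@example-corp.test"
HARDENED_RECORD = ("v=DMARC1; p=quarantine; sp=reject; "
                   "rua=mailto:dmarc-reports@example-corp.test; ri=86400")

ENFORCING = {"quarantine", "reject"}


def parse_dmarc(txt):
    """Split 'tag=value; tag=value' into a dict; the record must start v=DMARC1."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    if tags.get("v", "").upper() != "DMARC1":
        raise ValueError("not a DMARC record")
    return tags


def subdomain_policy(tags):
    """Effective policy for mail from subdomains: sp if set, otherwise p."""
    return tags.get("sp", tags.get("p", "none")).lower()


def assess(txt):
    """Return (effective subdomain policy, list of weaknesses found)."""
    tags = parse_dmarc(txt)
    sp = subdomain_policy(tags)
    findings = []
    if tags.get("p", "none").lower() not in ENFORCING:
        findings.append("p=none only monitors; failing mail is still delivered")
    if sp not in ENFORCING:
        findings.append("subdomain mail is not enforced (sp/p is not quarantine or reject)")
    if "rua" not in tags:
        findings.append("no rua: aggregate reports will not reveal subdomain senders")
    return sp, findings


if __name__ == "__main__":
    for rec in (WEAK_RECORD, HARDENED_RECORD):
        print(rec, "->", assess(rec))
```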
Best practices for DNS hygiene
Conduct regular audits: Periodically review all DNS records for your domain.
Remove stale records: Delete any CNAMEs or other DNS entries that are no longer in use.
Subdomain monitoring: Keep track of all active subdomains and their configurations.
Conclusion
The appearance of unexpected, bad reputation foreign IPs in Google Postmaster Tools, despite seemingly healthy DMARC reports and unaffected deliverability, is a strong indicator of a sophisticated subdomain hijacking (subdomailing) attack. While your core email program may not be immediately harmed, it's a critical vulnerability that needs addressing.
By proactively auditing your DNS records, removing any compromised CNAME entries, and strengthening your DMARC policy, you can mitigate the risk posed by such attacks. Staying vigilant with your DNS hygiene and continuously monitoring your email authentication and reputation signals will help ensure the long-term integrity of your domain and email program.
Views from the trenches
Best practices
Regularly audit your DNS records, especially CNAMEs, to identify and remove any outdated or suspicious entries that could be exploited.
Enforce stricter DMARC policies (moving from p=none to p=quarantine or p=reject) to ensure unauthenticated mail is handled correctly.
Actively monitor Google Postmaster Tools for unusual IP activity, even if other metrics appear normal.
Common pitfalls
Ignoring foreign IP warnings in GPT if DMARC reports look clean, which can mask a deeper subdomain compromise.
Neglecting old or unused subdomains, leaving them vulnerable to hijacking.
Assuming DMARC will catch all spoofing attempts if the policy is set to p=none, as it only monitors but does not enforce action.
Expert tips
Use a DMARC aggregate report analyzer to gain deeper visibility into all email traffic claiming to be from your domain, including subdomains.
Educate your team on DNS security best practices to prevent accidental creation of vulnerable records.
Consider a comprehensive domain monitoring service that can alert you to new or changed DNS records.
Expert view
Expert from Email Geeks says those foreign IP addresses likely belong to a spam organization with cookie-cutter content, indicating snowshoe spam tactics.
2024-03-04 - Email Geeks
Expert view
Expert from Email Geeks says spammers likely used the domain for a specific period and have since moved on, suggesting no further immediate action is required if the activity has ceased.