What are the issues with DMARC service companies and cousin domains?

Key findings

• Unethical practices: Some DMARC service companies are accused of scraping websites for email addresses and sending unsolicited commercial emails without proper unsubscribe links or postal addresses, a clear violation of anti-spam regulations.
• Cousin domain misuse: A concerning practice involves using a 'cousin domain' (a visually similar domain, e.g., exampl3.com instead of example.com) for spamming activities. This tactic attempts to evade blocklists and blacklists while maintaining a perceived connection to the legitimate brand.
• DMARC irony: Despite advocating for email security and DMARC implementation, some DMARC companies use cousin domains with p=reject policies on those domains. This creates an ironic situation where they might technically pass DMARC checks on their spamming domain while engaging in unethical sending practices.
• Brand reputation risk: The use of cousin domains, especially for illicit activities, can severely damage a brand's reputation and lead to its legitimate domains being added to email blocklists, impacting overall email deliverability.
• DMARC limitations: DMARC primarily protects against direct domain spoofing, meaning it checks if an email claiming to be from example.com actually originated from example.com. It does not inherently prevent abuse from visually similar, but distinct, cousin domains. For more on this, consult resources like Agari's article on lookalike domains.

Key considerations

• Vendor vetting: When choosing DMARC service providers, it is crucial to thoroughly vet their own email sending practices and ethical standards to ensure they align with legitimate email marketing principles.
• Beyond DMARC: While DMARC is a critical email authentication standard, it is not a silver bullet against all forms of email abuse, particularly those involving visually deceptive domain names. Businesses need comprehensive security strategies. You can learn more about DMARC implementation challenges here.
• Proactive monitoring: Organizations should actively monitor for the registration and use of cousin domains that could be used for malicious purposes, even if DMARC policies are in place for their primary domains.
• Legal and compliance: Ensure all email marketing activities, whether internal or outsourced, comply with relevant anti-spam laws like CAN-SPAM, GDPR, and CASL, which require clear identification of the sender and a straightforward unsubscribe mechanism.

Key opinions

• Double standards: There's a strong sentiment that DMARC service companies, which promote email security and proper sending practices, should adhere to the highest ethical standards themselves. Engaging in spamming or using deceptive domains is seen as hypocritical.
• Reputational damage: Marketers understand the fragile nature of domain reputation and are wary of any practices, including the use of cousin domains by third parties, that could inadvertently harm their brand's standing with ISPs and recipients.
• Trust and transparency: Email marketers often emphasize the importance of building trust with their audience. Practices like website scraping for email addresses or sending without clear opt-out options erode this trust and make it harder for legitimate senders to operate.
• The long view: While short-term gains might be perceived from aggressive marketing tactics, marketers recognize that these often lead to long-term deliverability issues, including being placed on a blacklist or blocklist.

Key considerations

• Ethical sending paramount: Marketers should always prioritize ethical data acquisition and permission-based email marketing, regardless of the tools or services they use. This includes ensuring proper consent, clear unsubscribe mechanisms, and transparent sender identification.
• Vigilance over vendors: It is important for marketers to scrutinize the practices of any vendor, including DMARC service companies, that they partner with. Their actions can reflect directly on your brand's reputation. Look for partners who demonstrate a deep understanding of, and respect for, email best practices, as highlighted by resources like Spamtacular's insights on cousin domains.
• Understanding DMARC limits: While implementing DMARC is crucial for domain protection, marketers should understand its specific capabilities and limitations, especially concerning lookalike or cousin domain attacks.
• Internal alignment: Ensure that internal sales and marketing teams are aligned on acceptable email outreach methods and do not engage in tactics that could harm the company's legitimate email programs.

Key opinions

• DMARC's scope: Experts reiterate that DMARC is designed to protect against direct domain spoofing, but it does not inherently address the issue of visually similar domains (cousin domains) being used for nefarious purposes, making it crucial to understand DMARC's benefits and limitations.
• Snowshoe spamming: Some experts observe that large services, even those with good intentions, can inadvertently (or deliberately) facilitate 'snowshoe' spamming, where email is sent across a wide range of IPs and domains to avoid detection and blacklisting.
• Ethical responsibility: There's a strong consensus among experts that DMARC service providers should lead by example and strictly adhere to ethical sending practices, making the use of scraping or deceptive cousin domains particularly egregious.
• Beyond authentication: While authentication via SPF, DKIM, and DMARC is fundamental, it is not a complete solution for email security. Social engineering and visual deception tactics, like cousin domains, require additional layers of defense and vigilance. Dive deeper into DMARC, SPF, and DKIM basics.

Key considerations

• Comprehensive security strategies: Organizations should deploy a multi-layered email security approach that combines strong authentication protocols with content filtering, user education, and proactive monitoring for brand impersonation, including cousin domains.
• Due diligence for service providers: It's essential to perform thorough due diligence on any email-related service provider, including DMARC solutions, to ensure their practices align with industry best standards and legal requirements.
• Public policy implications: The widespread adoption of DMARC means more robust authentication. However, the existence of DMARC service companies engaging in spamming via cousin domains points to a need for vigilance in the broader email ecosystem to maintain trust and combat abuse, as discussed by Global Cyber Alliance.
• Ongoing education: Staying informed about evolving spam tactics, such as the sophisticated use of cousin domains, is crucial for maintaining effective email security and deliverability.

Key findings

• DMARC's primary function: Documentation confirms DMARC's role in verifying the source of emails and authenticating content to protect domains from cybercrimes like direct spoofing, as outlined by organizations such as Fortinet.
• Limitations regarding cousin domains: Official security insights (e.g., from CIS Security) explicitly state that DMARC policies protect against direct domain spoofing but cannot block all types of phishing, such as those employing cousin domains.
• Policy application: DMARC allows domain owners to set policies that instruct receiving mail servers on how to handle emails that fail authentication (e.g., none, quarantine, reject). This policy mechanism applies to the domain in the From header.
• Implementation challenges: Documentation often highlights common issues in DMARC implementation, such as incorrect record syntax or alignment problems, which can lead to legitimate emails failing authentication. This is explored further in resources detailing DMARC troubleshooting.

Key considerations

• Holistic security: Official guidance consistently recommends DMARC as part of a broader email security framework that includes user awareness and other technical controls to mitigate threats not directly addressed by DMARC.
• Domain protection expansion: While DMARC focuses on your primary domains, documentation encourages protecting all domains associated with your brand, including inactive or cousin domains, by implementing DMARC policies on them to prevent their misuse, as suggested by the Global Cyber Alliance.
• Policy enforcement: Progressing to stronger DMARC policies like p=quarantine or p=reject is advised after careful monitoring and analysis of DMARC reports to avoid blocking legitimate mail, as covered in guides on safely transitioning DMARC policies.
• Continuous monitoring: Receiving and analyzing DMARC aggregate and forensic reports is vital for understanding email flows, identifying potential threats, and fine-tuning authentication configurations.