A low DMARC success rate, especially when accompanied by nxdomain server names and random subdomains in your DMARC aggregate reports, typically indicates that someone else is using your domain for spam or malicious purposes. A drop in your DMARC success rate is alarming to see, particularly when it comes from what appears to be a large volume of unauthenticated mail, but it is often not a direct threat to your legitimate email deliverability if your own sending practices are sound. The DMARC system is designed to identify and help mitigate this type of unauthorized use of your domain.
Key findings
DMARC failure meaning: A DMARC failure indicates that an email claiming to be from your domain did not pass SPF or DKIM authentication checks, or that the domain in the From header did not align with the authenticated domain.
Nxdomain in reports: The term nxdomain in a DMARC report, specifically for the server name (or reverse DNS), means that the sending IP address lacks a valid reverse DNS record. This is a common characteristic of spam or spoofed email traffic.
Random subdomains: Randomly generated subdomains, such as b7wvnjse.yourdomain.com, are often used by spammers or phishers who are attempting to spoof your primary domain. They typically do not directly impact the reputation of your legitimate sending domains.
Not a DDoS attack: While the volume might seem high, this activity is generally not a malicious DDoS attack targeting your infrastructure, but rather a routine spam campaign leveraging various domains, including yours.
Deliverability impact: If your legitimate email streams are properly authenticated with SPF, DKIM, and DMARC alignment, these spoofed messages should not negatively affect your own email deliverability or domain reputation, as receivers will largely ignore them based on your DMARC policy. More information on how DMARC works can be found on DuoCircle's guide to DMARC failures.
Key considerations
Monitor legitimate sending: The primary use of DMARC reports is to verify that all of your legitimate email is correctly authenticated and aligned. Focus on ensuring your authorized email sources are 100% compliant.
Review DMARC policy: If you have not already done so, consider implementing a p=reject or p=quarantine policy to instruct receiving mail servers on how to handle unauthenticated mail from your domain. This will ensure that the spoofed emails are rejected or quarantined. For a comprehensive guide, see our article on how to safely transition your DMARC policy.
Subdomain policies: If you have legitimate subdomains that send mail, ensure they are also properly authenticated. A p=reject policy at the organizational domain usually inherits down to subdomains, but an explicit sp=reject tag can be used for specific subdomain policies.
Leverage DMARC reports: While background noise exists, DMARC reports are invaluable for visibility. They allow you to understand and troubleshoot DMARC reports from major ISPs like Google and Yahoo, helping you ensure your own emails are always authenticated correctly.
Perspective: A low DMARC success rate due to external spoofing is a sign that your DMARC policy is working to detect unauthorized use, rather than an indication of a problem with your own email infrastructure.
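The p and sp behaviour described in the considerations above can be checked offline. The following is an added example, not code from the original page or from any DMARC library: it follows the RFC 7489 policy discovery order against a constructed table of TXT records. The record contents, the news.yourdomain.com subdomain, and the function names are assumptions, and the organizational domain is passed in by the caller rather than derived from the Public Suffix List.

```python
# Added example: offline DMARC policy discovery in the style of RFC 7489.
# The TXT records below are constructed; no DNS queries are made.
DNS_TXT = {
    "_dmarc.yourdomain.com": "v=DMARC1; p=none; sp=reject; rua=mailto:dmarc@yourdomain.com",
    "_dmarc.news.yourdomain.com": "v=DMARC1; p=quarantine",
}


def parse_dmarc(txt):
    """Split a DMARC TXT record into a {tag: value} dict; None if not DMARC."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        return None
    return tags


def effective_policy(from_domain, org_domain, dns=DNS_TXT):
    """Return (policy, record name) that applies to mail using from_domain.

    org_domain is supplied by the caller (assumption); a real receiver
    derives it from the Public Suffix List.
    """
    from_domain = from_domain.lower().rstrip(".")
    org_domain = org_domain.lower().rstrip(".")
    # 1. A record published at the exact From domain wins; its p= applies.
    own = parse_dmarc(dns.get("_dmarc." + from_domain, ""))
    if own:
        return own["p"].lower(), "_dmarc." + from_domain
    # 2. Otherwise fall back to the organizational domain's record.
    org = parse_dmarc(dns.get("_dmarc." + org_domain, ""))
    if not org:
        return "none", None  # no policy published anywhere
    # 3. For a subdomain, sp= overrides p= when present; else p= is inherited.
    if from_domain != org_domain and "sp" in org:
        return org["sp"].lower(), "_dmarc." + org_domain
    return org["p"].lower(), "_dmarc." + org_domain
```

With the constructed records, a random subdomain such as b7wvnjse.yourdomain.com has no record of its own and picks up sp=reject from the organizational domain, while mail using yourdomain.com itself is still evaluated under p=none.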
Email marketers often encounter unexpected DMARC report anomalies and can be quite concerned when they see a sudden drop in their DMARC success rate, especially if it involves unfamiliar sending sources or odd domain names. Their primary concern is typically how these anomalies might affect their legitimate email campaigns and overall deliverability. While the initial reaction might be to investigate deeply for potential threats or configuration errors, experienced marketers often learn to distinguish between genuine issues with their own sending and the background noise of internet spam.
Key opinions
Initial alarm: Many marketers are immediately worried by a low DMARC success rate and the presence of nxdomain or random subdomains, often suspecting a DDoS attack or a direct threat to their brand.
Focus on legitimate mail: The main takeaway for marketers is that DMARC reports are most useful for confirming that their *own* email streams are properly authenticated, rather than obsessing over external spoofing attempts. We have a guide on why your DMARC success rate might be dropping.
Seeking external analysis: It's common for marketers to share suspicious DMARC reports with their Email Service Provider (ESP) or a deliverability consultant for a second opinion, prioritizing caution.
Reassurance after review: Once it's confirmed that their own sending domains are 100% DMARC compliant, the initial concerns often subside, as marketers realize these failures are merely reports of external abuse.
Understanding spoofing: Marketers learn that random subdomains combined with nxdomain are hallmarks of typical spam operations trying to exploit domains without proper DMARC policies in place.
Key considerations
Access to raw data: Marketers should ideally have access to raw DMARC aggregate data or use a robust dashboard to thoroughly analyze reports, rather than relying solely on summarized views.
Implement DMARC at enforcement: For domains with consistent, authenticated legitimate sending, marketers should consider moving their DMARC policy to p=quarantine or p=reject to actively block spoofed emails or send them to spam. This is a critical step in fixing DMARC fail errors.
Subdomain protection: Even if not actively sending from subdomains, applying an sp=reject tag within their DMARC record can help reduce the visible abuse of random subdomains.
Proactive monitoring: Regularly reviewing DMARC reports helps marketers stay informed about domain usage and quickly identify any legitimate email streams that might unexpectedly fail authentication. See our article on how to troubleshoot DMARC failures.
Marketer view
Email marketer from Email Geeks observes a significant drop in DMARC success rate, with numerous emails being sent via an nxdomain server name and using random subdomains prefixed to their domain, leading to a suspicion of a malicious DDoS attack.
09 Mar 2021 - Email Geeks
Marketer view
Email marketer from Email Geeks asks for clarification on whether the user has access to raw DMARC aggregate data or is viewing a dashboard, as this impacts the level of detail and analysis possible.
09 Mar 2021 - Email Geeks
What the experts say
From an expert perspective, the presence of low DMARC success rates, nxdomain entries, and random subdomains in DMARC aggregate reports is a routine observation rather than an indicator of a critical problem for the legitimate domain owner. Experts emphasize that DMARC's primary value lies in identifying improperly authenticated *legitimate* mail, not in dwelling on the constant background noise of internet spam and spoofing.
Key opinions
Normal spam activity: Experts confirm that DMARC failures, especially with random subdomains, are typically due to routine spam campaigns using harvested email addresses and spoofed domains. This is common internet background noise.
No reverse DNS: The term nxdomain (non-existent domain) when referring to a server name simply indicates that the sending IP address does not have a properly configured reverse DNS record, a frequent characteristic of illegitimate senders.
Low impact on deliverability: These types of failures, while numerically significant in reports, generally do not affect the deliverability of legitimate mail, particularly if the domain has a DMARC policy set to p=quarantine or p=reject. Learn more about why DMARC authentication can fail.
Actionable insights: The true utility of DMARC reporting for experts is to identify legitimate sending sources that may not be properly authenticating their emails, allowing for necessary adjustments.
Policy inheritance: Experts highlight that a strong DMARC policy at the organizational domain level often extends protection to subdomains, whether used legitimately or for spoofing.
Key considerations
Don't overreact: Experts advise against spending too much effort on the background noise of DMARC failures from external spoofing. It's an expected part of the email ecosystem and signifies DMARC is working.
Enforce policies: Once confident in their legitimate sending authentication, organizations should move their DMARC policy to a stronger enforcement posture (quarantine or reject) to effectively deal with spoofed messages. This helps in getting DMARC right.
Subdomain configuration: For domains that utilize subdomains for legitimate sending, ensure each is properly authenticated. If subdomains are not used, an sp=reject tag is good practice. Read more about DMARC policy application with subdomains.
DMARC report interpretation: Understanding what DMARC aggregate reports truly signify, beyond raw numbers, is key to leveraging them effectively for email authentication strategy.
Expert view
Deliverability expert from Email Geeks explains that any DMARC failure fundamentally means an entity other than the legitimate domain owner has used their domain in an email, and that randomly generated subdomains are strong indicators of a standard spam operation.
09 Mar 2021 - Email Geeks
Expert view
Deliverability expert from Email Geeks asserts that the reported DMARC failures, caused by unauthorized usage, are not something the domain owner can directly prevent or should be overly concerned about, as they represent external abuse rather than an internal issue.
09 Mar 2021 - Email Geeks
What the documentation says
Official documentation and technical specifications for DMARC (RFC 7489) outline how DMARC reports (RUA and RUF) provide domain owners with visibility into how their domains are being used across the internet, both legitimately and illegitimately. These documents clarify the meaning of various report entries, including authentication failure reasons and source information. The core purpose of DMARC is to enable domain owners to publish policies that receiving mail servers can use to protect against domain spoofing and phishing.
Key findings
RFC 7489 specifies: The DMARC specification (RFC 7489) details how receiving Mail Transfer Agents (MTAs) generate and send aggregate reports (RUA records) that include data on emails failing DMARC authentication, providing visibility into domain usage.
Reverse DNS failures: While nxdomain directly refers to a DNS lookup failure for a domain, in the context of reverse DNS (PTR records), it means the IP address from which an email originated does not resolve to a valid hostname, a common indicator of untrusted senders.
Subdomain handling: DMARC policies, through the sp (subdomain policy) tag, allow domain owners to define specific handling instructions for mail originating from subdomains, separate from the organizational domain's p (policy) tag.
Authentication alignment: DMARC specifically requires alignment between the From header domain and the domains authenticated by SPF and DKIM. Failures indicate non-compliance or spoofing.
Reporting unauthorized use: A primary benefit of DMARC is to provide domain owners with reports on who is sending email using their domain, including unauthorized parties, which assists in brand protection and anti-phishing efforts.
Key considerations
Policy enforcement: Documentation encourages domain owners to gradually move towards stronger DMARC policies (e.g., p=quarantine, then p=reject) once they are confident that all their legitimate email sources are DMARC compliant. This is crucial for taking action against unauthenticated mail. For more detail, refer to RFC 7489.
Domain and subdomain policies: Careful consideration of both the organizational domain policy (p tag) and the subdomain policy (sp tag) is necessary for comprehensive domain protection. Our guide on best practices for DMARC setup covers these in detail.
Report analysis: While DMARC reports provide raw data, effective analysis often requires specialized tools to parse the XML files into actionable insights, helping to distinguish legitimate issues from background noise.
Understanding failures: Distinguishing between failures due to misconfigurations of legitimate sending sources and failures due to spoofing is critical for proper troubleshooting and policy adjustments.
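The report analysis described above can be sketched as follows. This is an added example, not a tool from the original page: it parses a constructed RFC 7489 aggregate report and separates failures from your own sending IPs (misconfiguration to fix) from failures at unknown IPs (spoofing noise). The sample report, the IP addresses, and the KNOWN_SENDER_IPS allowlist are assumptions.

```python
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sample report (RFC 7489 aggregate format, trimmed to the fields used).
# Reports arrive from third parties; in production use a hardened XML parser.
SAMPLE_REPORT = """<feedback>
  <policy_published><domain>yourdomain.com</domain><p>none</p></policy_published>
  <record>
    <row><source_ip>192.0.2.10</source_ip><count>400</count><policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>yourdomain.com</header_from></identifiers>
  </record>
  <record>
    <row><source_ip>192.0.2.25</source_ip><count>30</count><policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>yourdomain.com</header_from></identifiers>
  </record>
  <record>
    <row><source_ip>203.0.113.77</source_ip><count>900</count><policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>b7wvnjse.yourdomain.com</header_from></identifiers>
  </record>
</feedback>"""

KNOWN_SENDER_IPS = {"192.0.2.10", "192.0.2.25"}  # assumption: your own / ESP sending IPs


def triage(report_xml, known_ips=KNOWN_SENDER_IPS):
    """Sum message counts into pass / legit_fail / spoof_fail buckets."""
    buckets, spoofed_from = Counter(), Counter()
    for rec in ET.fromstring(report_xml).iter("record"):
        ip = rec.findtext("row/source_ip", "").strip()
        count = int(rec.findtext("row/count", "0"))
        ev = rec.find("row/policy_evaluated")
        results = {(ev.findtext(k) or "").strip().lower() for k in ("dkim", "spf")} if ev is not None else set()
        # policy_evaluated holds aligned results: DMARC passes if either one passed.
        if "pass" in results:
            buckets["pass"] += count
        elif ip in known_ips:
            buckets["legit_fail"] += count   # your own stream needs fixing
        else:
            buckets["spoof_fail"] += count   # external abuse / background noise
            spoofed_from[rec.findtext("identifiers/header_from", "").strip().lower()] += count
    return buckets, spoofed_from


def success_rates(buckets):
    """Return (overall pass rate, pass rate for your own mail only) as fractions."""
    total, own = sum(buckets.values()), buckets["pass"] + buckets["legit_fail"]
    return (buckets["pass"] / total if total else 0.0, buckets["pass"] / own if own else 0.0)
```

On the constructed sample the overall rate is about 30% while the rate for known senders is about 93%, so the figure to act on is the 30 failing messages from 192.0.2.25, not the 900 spoofed ones.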
Technical article
RFC 7489, the DMARC specification, defines aggregate reports as XML documents containing statistical data about DMARC authentication results, including the source IP addresses, message counts, and disposition (pass/fail) for emails claiming to be from a domain.
01 Mar 2015 - RFC 7489
Technical article
The Internet Engineering Task Force (IETF) explains that an 'nxdomain' response from a DNS query means that the domain name specified does not exist in the DNS. In DMARC reports, this may correlate to sending IPs that lack proper reverse DNS entries, suggesting untrustworthy sources.