What does a low DMARC success rate, nxdomain, and random subdomains mean and how can I fix it?

Matthew Whittaker
Co-founder & CTO, Suped
Published 13 Jun 2025
Updated 15 Aug 2025
Recently, I came across a DMARC report that showed a surprisingly low DMARC success rate of 56%. Upon closer inspection, the report for a specific day from Google indicated a significant volume of emails, around 1,380, were sent via an 'nxdomain' server name. What was particularly concerning was that the 'From' domain for these emails included a random string, like 'b7wvnjse. + our domain.' My immediate thought was, could this be a malicious DDoS attack, and how worried should I be?
This situation highlights a common area of confusion when interpreting DMARC aggregate reports. While a low DMARC success rate can be alarming, it is crucial to understand the underlying causes before jumping to conclusions about direct threats to your infrastructure. Often, these anomalies point to email spoofing attempts, which DMARC is designed to help you identify and manage. It's not always an attack on your network, but rather unauthorized use of your domain.
The key is to correctly diagnose what 'nxdomain' and 'random subdomains' signify within these reports and how they relate to your legitimate email sending and overall email deliverability. This guide aims to clarify these terms, explain their implications, and provide actionable steps to ensure your domain's email integrity and reputation remain intact.

Deciphering nxdomain and random subdomains

DMARC (Domain-based Message Authentication, Reporting, and Conformance) is an email authentication protocol that builds on SPF (Sender Policy Framework) and DKIM (DomainKeys Identified Mail). Its primary role is to give domain owners control over what happens to emails that fail authentication checks, thereby protecting against email spoofing and phishing. A low DMARC success rate, typically viewed in aggregate reports, means a significant percentage of emails purporting to be from your domain are not passing these authentication checks.
When you receive DMARC aggregate reports, they provide an overview of all email traffic seen using your domain, categorized by pass or fail status for SPF, DKIM, and DMARC alignment. For more details on these reports, you can explore guides on understanding and troubleshooting DMARC reports. A low success rate suggests that either legitimate emails are not configured correctly for DMARC (failing authentication), or, more commonly, that unauthorized third parties are using your domain to send emails.
The concern arises when you see a low success rate alongside identifiers like 'nxdomain' and 'random subdomains.' These are specific indicators within the DMARC reports that help pinpoint the nature of the unauthenticated traffic. While the percentage might seem alarming, the details within the report are key to understanding whether it's an issue requiring your immediate intervention for your own sending, or merely background noise from ongoing email abuse.

Understanding nxdomain

When a DMARC report indicates an email came from an 'nxdomain' server name, it means that the sending IP address did not have a valid reverse DNS (rDNS) entry. In essence, the mail server that sent the email cannot be resolved to a domain name via a reverse DNS lookup. This is a common characteristic of spam and phishing attempts because legitimate email servers almost always have correctly configured rDNS records.

Random subdomains

The random string before your domain, like 'b7wvnjse.yourdomain.com,' indicates that the sender is attempting to spoof your domain by generating arbitrary subdomains. This tactic is frequently employed by spammers and phishers to evade simple blocklists and make their illicit emails appear more credible. They aren't actually using a subdomain you control, but rather faking it in the 'From' address.

Is it a malicious attack?

While it can feel like a direct attack, especially given the volume, these instances are typically part of a broader spam campaign rather than a targeted DDoS (Distributed Denial of Service) attack on your specific infrastructure. The goal is usually to leverage your domain's reputation for their malicious purposes, not to overwhelm your servers. The DMARC reports simply expose this activity.

Impact on deliverability and domain reputation

The presence of 'nxdomain' and randomly generated subdomains in your DMARC reports, while indicating unauthenticated mail, generally does not directly affect the deliverability of your legitimate emails, provided your authenticated emails are consistently passing SPF and DKIM checks with DMARC alignment. Mail servers primarily look at the authentication results of the actual sending domain.
However, ignoring these signals entirely could have a subtle, long-term impact on your domain's reputation. If a large volume of spoofed emails using your domain goes unchecked, recipient mail servers might begin to associate your domain with suspicious activity. This could potentially lead to your legitimate emails being filtered into spam folders or, in severe cases, your domain ending up on an email blocklist or blacklist. Understanding what happens when your domain is on an email blacklist is important for proactive management.
Your DMARC policy plays a critical role here. If your policy is set to p=none, these unauthenticated emails will likely still be delivered, albeit potentially to the spam folder. With p=quarantine or p=reject, recipient servers are instructed to treat such emails as suspicious or outright reject them, which mitigates the impact on your reputation. Review the DMARC record and policy examples for clarification.

Fixing a low DMARC success rate

Addressing these DMARC failures and the appearance of 'nxdomain' or random subdomains in your reports involves a few key steps. The primary goal is to ensure that all your legitimate email traffic is properly authenticated and aligned with DMARC, while simultaneously giving recipient mail servers clear instructions on how to handle unauthenticated mail.
  1. Verify legitimate sending sources: The first step is to confirm that all legitimate email senders using your domain are correctly configured with SPF and DKIM. This includes your own mail servers, marketing platforms, transactional email services, and any third-party applications. Regularly monitor your DMARC reports to identify any legitimate sources that might be failing authentication. If your DMARC success rate is dropping unexpectedly, this is your starting point.
  2. Analyze DMARC reports: Use a DMARC reporting tool to analyze your aggregate reports. Pay close attention to the `source_ip` and `header_from` fields associated with 'nxdomain' and random subdomain entries. These insights help distinguish between legitimate misconfigurations and spoofing attempts. For comprehensive analysis, understand how to interpret DMARC reports for unrecognized sources.
  3. Implement or tighten your DMARC policy: If you're on a p=none policy, consider moving to p=quarantine or p=reject. This instructs recipient servers to quarantine (send to spam) or reject emails that fail DMARC. This is the most effective way to combat spoofing using your domain. For guidance, learn how to safely transition your DMARC policy. A key DMARC tag to consider is sp, which defines policy for subdomains specifically. More details can be found on what the DMARC 'sp' tag is.
Below is an example of a DMARC record with an `sp` tag set to reject all unauthenticated emails from subdomains:
Example DMARC record with 'sp' tag (DNS TXT record):
v=DMARC1; p=quarantine; sp=reject; rua=mailto:dmarcreports@yourdomain.com;
This record tells receiving servers that if an email from your main domain fails DMARC, it should be quarantined. However, if an email from any subdomain fails, it should be rejected outright. This is particularly useful for dealing with the random subdomain spoofing seen in the reports.
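The policy selection described above, as an added example that is not from the original article or Suped's tooling: it models how a receiver picks `p` or `sp` for a given From domain, including the fallback to the organizational domain when a made-up subdomain has no record of its own. The `zone` dictionaries stand in for DNS lookups, and `policy_for`, `parse_dmarc` and the two variant records are assumptions for illustration.

```python
def parse_dmarc(record):
    """Parse a DMARC TXT value into a dict of lower-cased tag -> value."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            name, value = part.split("=", 1)
            tags[name.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a usable DMARC policy record")
    return tags


def policy_for(from_domain, org_domain, zone):
    """Disposition requested for mail that fails DMARC with this From domain.

    zone is a dict of DNS name -> TXT value standing in for live lookups;
    org_domain is supplied by the caller (assumption: no public-suffix lookup).
    """
    own = zone.get("_dmarc." + from_domain.lower())
    if own is not None:  # the From domain publishes its own record: use its p=
        return parse_dmarc(own)["p"].lower()
    # Made-up names such as b7wvnjse.yourdomain.com have no record of their own,
    # so the receiver falls back to the organizational domain's record, where
    # sp= governs subdomains and p= is inherited when sp= is absent.
    org = zone.get("_dmarc." + org_domain.lower())
    if org is None:
        return None  # no DMARC policy published at all
    tags = parse_dmarc(org)
    return tags.get("sp", tags["p"]).lower()


# The article's record, plus two constructed variants for comparison.
WITH_SP = {"_dmarc.yourdomain.com":
           "v=DMARC1; p=quarantine; sp=reject; rua=mailto:dmarcreports@yourdomain.com;"}
NO_SP = {"_dmarc.yourdomain.com": "v=DMARC1; p=quarantine;"}
MONITOR_ONLY = {"_dmarc.yourdomain.com": "v=DMARC1; p=none;"}

if __name__ == "__main__":
    for name, zone in (("sp=reject", WITH_SP), ("no sp", NO_SP), ("p=none", MONITOR_ONLY)):
        for sender in ("yourdomain.com", "b7wvnjse.yourdomain.com"):
            print(name, sender, "->", policy_for(sender, "yourdomain.com", zone))
```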

Monitoring and continuous improvement

The problem

  1. Low DMARC success rate: Unauthenticated emails from your domain are being reported, leading to concerns about brand reputation and potential deliverability issues.
  2. Nxdomain errors: Emails originating from IPs with no reverse DNS, often indicative of spam sources trying to impersonate your domain.
  3. Random subdomains: Spoofers using arbitrary subdomains to bypass basic filters and leverage your domain's credibility.

The solution

  1. Comprehensive DMARC monitoring: Continuously analyze DMARC reports to identify all legitimate sending sources and ensure their proper authentication. This includes regular checks on what a DMARC record is and how to set it up.
  2. Enforce DMARC policy: Progress from a p=none policy to p=quarantine or p=reject to instruct recipient servers how to handle unauthorized emails. For issues with subdomains, explicitly use the sp tag.
  3. Continuous vigilance: Email authentication is an ongoing process. Regular review of reports helps adapt to new threats and maintain optimal email deliverability. Further assistance can be found on DMARC email security.
The details within your DMARC reports are essential for distinguishing between mere background noise (spoofing attempts that are likely already being rejected by your DMARC policy) and actual issues with your legitimate email sending. A low DMARC success rate is not always a sign of a critical problem if the failures are consistently attributed to unauthorized sources with poor authentication practices like 'nxdomain' or random subdomains. The most effective way to troubleshoot is to know your legitimate senders and their authentication status.
Therefore, if your primary sending domains and subdomains are already configured correctly with SPF, DKIM, and DMARC, and show 100% compliance for your own traffic, then these 'nxdomain' and random subdomain entries can be largely ignored from a direct impact perspective. They are simply evidence that DMARC is working as intended, showing you the extent of unauthorized use of your domain. You can learn more about how to troubleshoot DMARC failures for more insights.
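One way to separate the two cases described above, as an added example that is not from the original article or Suped's tooling: it parses a constructed aggregate report in the RFC 7489 XML layout and reports the pass rate for the From domains you actually send with apart from unrecognized names such as the random subdomain. `KNOWN_FROM_DOMAINS`, the IP addresses and the message counts are assumptions chosen for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the RFC 7489 aggregate-report layout (not real data).
SAMPLE_REPORT = """<feedback>
 <record><row><source_ip>192.0.2.10</source_ip><count>1756</count>
  <policy_evaluated><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
  <identifiers><header_from>yourdomain.com</header_from></identifiers></record>
 <record><row><source_ip>198.51.100.5</source_ip><count>40</count>
  <policy_evaluated><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
  <identifiers><header_from>yourdomain.com</header_from></identifiers></record>
 <record><row><source_ip>203.0.113.77</source_ip><count>1380</count>
  <policy_evaluated><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
  <identifiers><header_from>b7wvnjse.yourdomain.com</header_from></identifiers></record>
</feedback>"""

# Assumption: the From domains you actually send mail with.
KNOWN_FROM_DOMAINS = {"yourdomain.com"}


def triage(xml_text, known_domains):
    """Separate failures on your real From domains from unrecognized names."""
    passed = total = known_passed = known_total = 0
    known_failures, unknown_sources = [], []
    for rec in ET.fromstring(xml_text).iter("record"):
        count = int(rec.findtext("row/count"))
        ip = rec.findtext("row/source_ip")
        header_from = rec.findtext("identifiers/header_from").strip().lower()
        evaluated = rec.find("row/policy_evaluated")
        # DMARC passes if aligned DKIM or aligned SPF passed.
        ok = "pass" in (evaluated.findtext("dkim"), evaluated.findtext("spf"))
        total += count
        passed += count if ok else 0
        if header_from in known_domains:
            known_total += count
            known_passed += count if ok else 0
            if not ok:  # possibly a misconfigured legitimate sender: investigate
                known_failures.append((header_from, ip, count))
        else:  # From name not on your sender list: unrecognized source to review
            unknown_sources.append((header_from, ip, count))
    return {"overall_rate": passed / total if total else None,
            "known_rate": known_passed / known_total if known_total else None,
            "known_failures": known_failures,
            "unknown_sources": unknown_sources}


if __name__ == "__main__":
    for key, value in triage(SAMPLE_REPORT, KNOWN_FROM_DOMAINS).items():
        print(key, value)
```

In the constructed data the overall rate is about 55% while the known-domain rate is about 98%; the 40 failures from 198.51.100.5 are the entries worth investigating, not the 1,380 from the random subdomain.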

Views from the trenches

Best practices
Ensure all legitimate email sending services are properly authenticated with SPF and DKIM and aligned with DMARC.
Start DMARC with a 'p=none' policy to gather reports and identify all legitimate email sources before enforcement.
Use a DMARC reporting tool to analyze aggregate reports, focusing on identifying legitimate failures rather than just overall volume.
Regularly review your DMARC aggregate reports to detect new sending sources or changes in authentication status.
Common pitfalls
Panicking over low DMARC success rates without analyzing the details of the failures (e.g., nxdomain, random subdomains).
Failing to monitor DMARC reports, leading to undetected legitimate email authentication issues.
Not progressing DMARC policy from 'p=none' to 'p=quarantine' or 'p=reject', leaving your domain vulnerable.
Overlooking third-party senders (CRMs, marketing platforms) that might not be properly authenticating.
Expert tips
Leverage DMARC forensic reports (RUA) for deeper insights into specific email failures, if available and configured.
Automate DMARC report processing to quickly identify anomalies and authentication issues.
Collaborate with your ESP or mail platform support to ensure their DMARC compliance for emails sent on your behalf.
Educate your team on DMARC basics to foster a shared understanding of email security practices.
Expert view
Expert from Email Geeks says DMARC failure simply indicates that someone unauthorized used your domain for email. Randomly generated subdomains usually point to regular spam runs, not targeted malicious attacks.
2021-03-10 - Email Geeks
Expert view
Expert from Email Geeks says 'nxdomain' in a DMARC report means the sending IP address lacks reverse DNS, a common characteristic of unauthenticated spam.
2021-03-10 - Email Geeks

Maintaining a strong email perimeter

A low DMARC success rate due to 'nxdomain' and random subdomains often indicates pervasive email spoofing attempts, which is exactly what DMARC is designed to detect. While it can seem alarming, these instances are typically the background noise of spam, not a direct DDoS attack on your infrastructure. The key takeaway is that these reports validate DMARC's effectiveness in revealing unauthorized use of your domain.
Your priority should always be to ensure that your legitimate email traffic is perfectly authenticated with SPF, DKIM, and DMARC. If your authorized emails are passing these checks consistently, then the 'nxdomain' and random subdomain entries are simply proof that your DMARC policy is successfully identifying and, if configured, blocking illegitimate traffic. This proactive stance is essential for maintaining strong email deliverability.
By understanding your DMARC reports and progressively moving towards a stricter policy like p=quarantine or p=reject, particularly with the sp tag, you can effectively mitigate the impact of spoofing attempts. This ensures that only authorized emails from your domain reach inboxes, safeguarding your brand and recipient trust.
