VulWall Team April 1, 2026 4 min read

Email Domain Not Protected Against Impersonation

Your domain has a DMARC record, but it's set to 'monitor only' — meaning it watches for suspicious email activity but takes no action to stop it. Anyone can currently send emails that appear to come from your domain, and those emails will land in recipients' inboxes unchallenged. Think of it like having a security camera but no lock on the door.

OWASP A05 Effort: small Exploitable
dmarc email-spoofing dns phishing misconfiguration compliance pci-dss

Business Impact And Actions

medium urgency

Business Impact

Criminals can send phishing or scam emails that look like they're from your company — targeting your customers, partners, or employees. This can damage your brand reputation and erode customer trust if recipients receive fraudulent emails appearing to be from you. There are also compliance implications: PCI DSS v4.0 now requires DMARC enforcement for businesses handling payments, and major email providers like Google and Yahoo have mandated DMARC policies for bulk senders. Failing to upgrade your policy could also affect your email deliverability over time.

What To Do

  1. Ask your developer or IT person to review your DMARC reports (you should already be receiving them if 'rua=' is set in your record) to identify all legitimate email senders using your domain.
  2. Once legitimate senders are confirmed, ask your developer to upgrade the DMARC policy from 'p=none' to 'p=quarantine' — this is a small DNS change that takes under 30 minutes.
  3. Plan to move to 'p=reject' within 30–90 days once you've confirmed no legitimate emails are being caught — this gives you the strongest protection.
  4. If you use email marketing tools like Mailchimp, Salesforce, or HubSpot, ask your developer to verify those services are properly authenticated under your domain before tightening the policy.

DMARC Policy Set to p=none — No Enforcement Against Domain Spoofing

medium severity CVSS 5.3-6.5

Vulnerability Explanation

The domain's DMARC record uses p=none, which instructs receiving mail servers to take no action on emails that fail SPF and DKIM authentication checks. While aggregate reports are generated (if rua= is configured), unauthenticated emails claiming to originate from this domain are delivered normally to recipients' inboxes. This means the DMARC record provides visibility but zero enforcement — a spoofed email using this domain will pass through to the inbox of any recipient whose mail server honors the p=none policy.

Root Cause

DMARC's p=none mode is intentionally designed as a monitoring-only phase for initial deployment. The root cause of this finding is that the policy was never graduated to an enforcement mode (p=quarantine or p=reject) after the monitoring phase. This is extremely common — as of 2024, the majority of domains with DMARC records remain stuck at p=none.

Technical Impact

An attacker can send emails with a forged From: header using this domain. With p=none, receiving mail servers will deliver these messages to the inbox without any DMARC-triggered filtering. This enables phishing attacks against customers, partners, and employees; Business Email Compromise (BEC) fraud; and brand impersonation campaigns. The attacker requires no access to the target's infrastructure — only a mail server and a spoofed From: address.

Severity Justification

Network-accessible, no authentication required, and no user interaction needed by the attacker. However, exploitability depends on recipient mail server behavior and the presence of other anti-spam controls. Many modern mail providers apply heuristic spam filtering that may catch some spoofed emails even without DMARC enforcement, reducing real-world impact somewhat. Rated medium rather than high due to these mitigating factors.

Affected Components

  • DMARC DNS TXT record — all versions with p=none

Remediation Steps

  1. Confirm your DMARC aggregate reports (rua=) are being received and review them to identify all legitimate sending sources (your ESP, CRM, marketing tools, etc.). Tools like MXToolbox, dmarcian, or Google Postmaster Tools can help parse these reports.
  2. Verify that all legitimate senders are correctly configured with SPF and DKIM alignment for your domain. Third-party senders like Mailchimp, HubSpot, or Salesforce must authenticate using your domain, not their own.
  3. Update your DMARC DNS TXT record to p=quarantine with a low percentage (pct=10) to begin enforcement gradually: v=DMARC1; p=quarantine; pct=10; rua=mailto:dmarc@yourdomain.com; ruf=mailto:dmarc@yourdomain.com; sp=quarantine
  4. Monitor reports for 2–4 weeks. If no legitimate mail is being quarantined, increase pct to 50, then 100.
  5. Once pct=100 with p=quarantine is stable, upgrade to p=reject for maximum enforcement: v=DMARC1; p=reject; rua=mailto:dmarc@yourdomain.com; sp=reject

Verification Steps

  1. Run a DNS lookup to confirm the updated record: dig TXT _dmarc.yourdomain.com or use https://mxtoolbox.com/dmarc.aspx
  2. Use an online DMARC validator (e.g., https://dmarcian.com/dmarc-inspector/) to confirm the policy value is quarantine or reject
  3. Send a test email from an unauthorized source and verify it is quarantined or rejected by the receiving server
  4. Check DMARC aggregate reports 24–48 hours after the change to confirm the new policy is being applied and no legitimate mail streams are failing

Code Examples (dns)

Vulnerable
v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com
Fixed
# Step 1 — Gradual enforcement (start here)
v=DMARC1; p=quarantine; pct=10; rua=mailto:dmarc@yourdomain.com; sp=quarantine

# Step 2 — Full quarantine (after 2-4 weeks of monitoring)
v=DMARC1; p=quarantine; pct=100; rua=mailto:dmarc@yourdomain.com; sp=quarantine

# Step 3 — Maximum enforcement (target state)
v=DMARC1; p=reject; rua=mailto:dmarc@yourdomain.com; sp=reject

Best Practices

  • Always configure the rua= tag to receive aggregate reports — you cannot safely enforce DMARC without visibility into your sending sources.
  • Set the sp= (subdomain policy) tag explicitly to match your main policy, otherwise subdomains may default to p=none and remain unprotected.
  • Use the pct= tag to roll out enforcement gradually — this reduces the risk of blocking legitimate mail during the transition.
  • Rotate DKIM keys periodically and audit your SPF record to remove stale or unused sending sources.

References

Found this in your infrastructure?

VulWall scans for this and dozens of other issues automatically.

Scan Your Domain Free
Back to Knowledge Base