Email Security

Why Some Domains Are Heavily Spoofed While Others Are Safe

Alex Shakhov

March 24, 2025

Just realized I never raised a question about how bad actors decide which domain names to spoof.

I review DMARC reports quite often, and sometimes I see companies with 300-400 employees having no spoofing attempts, even with p=none and no reporting implemented.

At the same time, I see smaller companies with teams of just 1-5 people experiencing 100+ spoofed emails being distributed every day.

The first thing that comes to mind is that they might register on various websites / leave their emails on shady blogs, leading to email leaks.

But is there any correct answer? Anyone?

Get the free Email Deliverability Guide

15 rules for reaching the inbox. Used by 450+ organizations.

Download the Guide

More from the Blog

DNS query output for _dmarc.sh.consulting showing v=DMARC1; p=reject; np=reject; rua=mailto:sh@dmarc.sh; ruf=mailto:sh@dmarc.sh; fo=1:d:s with the new np=reject tag highlighted in purple. SH Consulting's production DMARC record deployed against the new RFC

Email Security

The New DMARC Standard (RFC 9989): What Changed and What to Update

May 27, 2026

DMARC just received its first major update since 2015. RFC 9989 replaces RFC 7489 with a new tag for non-existent subdomains, a DNS-based replacement for the Public Suffix List, and the removal of pct, rf, and ri. Most existing records still work — but one change is worth making this week.

Binary breakdown of 135.84.68.123/28 showing the /28 network's base IP is 135.84.68.112, not 135.84.68.123, illustrating why the host address is invalid as a CIDR network specifier in SPF records

Email Security

SPF permerror Under p=reject: The CIDR Bug Your Validator Won't Catch

May 20, 2026

Your SPF validates green. Your DMARC is at p=reject. And legitimate mail is bouncing inconsistently across receivers. The bug isn't in your DMARC — it's a single digit in your SPF that every public validator says is fine.

Cloudflare DNS management dashboard showing a CNAME record and a TXT record both at _dmarc, with the TXT containing v=DMARC1; p=none and the CNAME pointing to dmarc-r.dmarc.cc

Email Security

How Cloudflare DNS Silently Breaks DMARC When ESPs Auto-Deploy Through Entri

May 5, 2026

A specific combination of Cloudflare DNS, a CNAME-based DMARC delegation, and an ESP onboarding through Entri can silently bypass p=reject — leaving domains spoofable while every dashboard reports green. Here's how the conflict happens, how to detect it with dig, and how to fix it.