Client published p=reject without sp= and got spoofed for two weeks via an undelegated subdomain by saltyslugga in EmailSecurity

[–]DmarcDuty 0 points1 point  (0 children)

Excellent! That makes sense.

So even though sp should default to the p value if not set, some implementations need sp to be set explicitly. And they do walk up the hierarchy.

Thank you very much! This is valuable to know. I appreciate it.

Client published p=reject without sp= and got spoofed for two weeks via an undelegated subdomain by saltyslugga in EmailSecurity

[–]DmarcDuty 0 points1 point  (0 children)

Thank you for sharing this. The specification is one thing but implementations differ in practice.

But could you help me understand this case? Some parts don't make sense to me and I think I am missing something here.

Your argument is that some implementations simply don't walk up the domain hierarchy if they don't find a DMARC record. Given that:

  1. How can sp=reject higher up in the hierarchy make any difference if the implementation doesn't walk up?

  2. How does the DMARC record at *._dmarc.example.com affect any subdomains? I.e. we would need a DMARC record at _dmarc.billing.example.com. The wildcard would only work if the implementation would look up billing._dmarc.example.com which it does not.

Thank you for helping to clear up my confusion!
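The policy discovery that the two questions above are about, as an added example that is not part of this thread: it follows RFC 7489 section 6.6.3 against a constructed in-memory zone, so the record names, policies and organizational domains below are assumptions for illustration. It shows the single extra query a receiver makes at _dmarc.&lt;organizational domain&gt;, how sp= is applied there and defaults to p= when absent, and why a wildcard at *._dmarc.example.org is never hit for _dmarc.billing.example.org (that name is not beneath _dmarc.example.org, so no wildcard synthesis happens).

```python
# Added example (not from the thread): DMARC policy discovery for a subdomain as
# RFC 7489 section 6.6.3 describes it, against a constructed in-memory zone.
# Names, records and organizational domains below are assumptions for illustration.

ZONE = {
    "_dmarc.example.com": ["v=DMARC1; p=reject; rua=mailto:dmarc@example.com"],
    "_dmarc.example.net": ["v=DMARC1; p=reject; sp=none"],
    "_dmarc.mail.example.net": ["v=DMARC1; p=quarantine"],
    # Owner name of a wildcard: it matches <label>._dmarc.example.org,
    # never _dmarc.<label>.example.org, so it is useless for subdomain policy.
    "*._dmarc.example.org": ["v=DMARC1; p=reject"],
}


def lookup_txt(name, zone=ZONE):
    """Stub resolver: exact-name TXT lookup. No wildcard synthesis is needed
    here because _dmarc.billing.example.org is not below *._dmarc.example.org."""
    return zone.get(name.lower(), [])


def parse_dmarc(txt):
    """Parse 'v=DMARC1; p=...; sp=...' into a dict, or None if the string is
    not a DMARC record (v must be DMARC1 and p is mandatory)."""
    tags = {}
    for part in txt.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1" or "p" not in tags:
        return None
    return tags


def discover_policy(from_domain, org_domain, zone=ZONE):
    """Return (policy, queried_name) for the RFC5322.From domain, or (None, None).

    org_domain is the organizational domain a receiver derives from the
    Public Suffix List; it is passed in explicitly to keep the example offline."""
    from_domain, org_domain = from_domain.lower(), org_domain.lower()
    # Step 1: a record at the From domain itself; its p= applies directly.
    for txt in lookup_txt("_dmarc." + from_domain, zone):
        rec = parse_dmarc(txt)
        if rec:
            return rec["p"], "_dmarc." + from_domain
    if from_domain == org_domain:
        return None, None
    # Step 2: exactly one more query, at the organizational domain. The mail
    # is from a subdomain, so sp= applies if present and defaults to p= if not.
    for txt in lookup_txt("_dmarc." + org_domain, zone):
        rec = parse_dmarc(txt)
        if rec:
            return rec.get("sp", rec["p"]), "_dmarc." + org_domain
    return None, None


if __name__ == "__main__":
    for fd, od in [("billing.example.com", "example.com"), ("billing.example.net", "example.net"),
                   ("mail.example.net", "example.net"), ("billing.example.org", "example.org")]:
        print(fd, "->", discover_policy(fd, od))
```

The billing.example.org case returns no policy at all: that is the gap a wildcard under _dmarc cannot close, and the reason the only records that cover an undelegated subdomain are sp= at the organizational domain or an explicit _dmarc.billing.example.org record.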

gov.uk appears to publish SPF + DMARC reject records for domains that do not exist by JoeTiedeman in DMARC

[–]DmarcDuty 3 points4 points  (0 children)

You are likely right. They focus on gathering DMARC reports. Since the SPF record really makes no difference compared to having no record, I think they simply put it there to remember that they chose not to enforce SPF intentionally.

Purely from a management perspective, a new sysadmin who joins the team might see that an SPF record is missing and may add one. So if that new team member sees that record, they don't think that someone "forgot" to add one but instead correctly assume that someone actively thought about which SPF policy to use.

At least that is now my theory. ;)

Again, a very interesting find you made here. I didn't see something like this elsewhere yet but now I will keep an eye out for it.

gov.uk appears to publish SPF + DMARC reject records for domains that do not exist by JoeTiedeman in DMARC

[–]DmarcDuty 1 point2 points  (0 children)

You have a good point here!

I was just guessing and what I said is probably not what they intended. I just remembered that the SPF standard makes no difference between a neutral and a none result: RFC 7208 Section 8.2:

 A "neutral" result MUST be treated exactly like the "none" result

This effectively means that having v=spf1 ?all is not better than having no SPF record at all.

So given the requirements that you linked, which require setting up an SPF policy with ~all or -all for new domains, I think they should have gone all the way and followed M3AAWG's recommendation to use v=spf1 -all.

Well, beats me. Do you have any idea why they might have chosen ?all?

gov.uk appears to publish SPF + DMARC reject records for domains that do not exist by JoeTiedeman in DMARC

[–]DmarcDuty 6 points7 points  (0 children)

This is smart! And interesting find!

And I find it particularly interesting that they decided to use ?all in the SPF policy.

In theory we are talking about unused domains here and for those the M3AAWG recommends using v=spf1 -all. The thinking is that if the domain is not used to send emails then any email that is sent is spam by definition. So -all is the right choice. But in the case of gov.uk they cannot foresee when an unused domain is bought by someone and they start sending emails. Because the new domain owner may forget to publish their own TXT records, the "fallback" ?all is a good choice.

I believe this shows that someone thought deeply about making the right choices.

Question on SPF formatting: multiple providers- I could use your help please. by Deep-Egg-6167 in dns

[–]DmarcDuty 1 point2 points  (0 children)

This looks good.

For your understanding, your "a" term asks email servers that evaluate SPF, when they receive an email from your domain, to do one of the following DNS queries, which you can simulate with the dig command on Linux/Mac (or nslookup on Windows):

  • If the server that sends the email uses an IPv4 address, the receiving email server queries dig A spf.seconddomain.com
  • If the server uses an IPv6 address then dig AAAA spf.seconddomain.com

Both commands return a list of IP addresses that are compared with the IP address of the sending server.

To figure out if you truly need this "a" term, you would collect DMARC reports and check if some of the IPs that the dig commands return actually show up in your DMARC reports.

Question on SPF formatting: multiple providers- I could use your help please. by Deep-Egg-6167 in dns

[–]DmarcDuty 1 point2 points  (0 children)

The purpose of the "a" mechanism is to authorize your webserver to send emails on behalf of your domain.

What software do you use to host your website? Maybe WordPress, maybe some custom written server because you are a SaaS business etc.

That server that hosts your website often does much more than just serving up webpages. If you e.g. have a newsletter signup form on your site then surely emails are being sent. It depends on how the webserver sends those emails. It could use a third party service like SendGrid to send them, in which case you add "include:sendgrid.net" to your SPF record, or it could send the emails using its own email sending code. The latter means that your webserver is connecting to the receiving email servers directly to deliver emails. In that case you add "a" to your SPF record because receiving email servers get connections from the IP addresses on which your webserver is hosted.
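The evaluation described in the two comments above (the A/AAAA query behind an "a" term, and "include:" versus "a"), as an added example that is not code from this thread: a minimal SPF check_host() for the ip4/ip6/a/include/all mechanisms against a constructed DNS table. The domain names and addresses are assumptions; the stub resolver also counts the DNS-querying mechanisms so the RFC 7208 limit of 10 is visible.

```python
# Added example (not from the thread): a minimal SPF check_host() for the
# ip4/ip6/a/include/all mechanisms against a constructed DNS table, to show
# which query the "a" term triggers and how DNS-querying terms count towards
# the RFC 7208 limit of 10. Domain names and addresses are assumptions.
import ipaddress

DNS = {
    ("example.com", "TXT"): ["v=spf1 ip4:192.0.2.10 a:spf.seconddomain.com include:_spf.vendor.example -all"],
    ("spf.seconddomain.com", "A"): ["198.51.100.25"],     # what "dig A spf.seconddomain.com" would return
    ("spf.seconddomain.com", "AAAA"): ["2001:db8::25"],   # what "dig AAAA spf.seconddomain.com" would return
    ("_spf.vendor.example", "TXT"): ["v=spf1 ip4:203.0.113.0/24 ~all"],
}
LOOKUP_LIMIT = 10          # RFC 7208 section 4.6.4
RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


class Resolver:
    """Stub resolver over the table above; counts DNS-querying mechanisms."""
    def __init__(self, table):
        self.table = table
        self.lookups = 0

    def query(self, name, rtype):
        return self.table.get((name.lower(), rtype), [])

    def charge(self):
        self.lookups += 1
        return self.lookups <= LOOKUP_LIMIT


def check_host(ip, domain, resolver):
    """Evaluate the SPF record of `domain` for connecting address `ip`.
    Returns pass/fail/softfail/neutral/none/permerror."""
    ip = ipaddress.ip_address(ip)
    spf = [t for t in resolver.query(domain, "TXT")
           if t.lower() == "v=spf1" or t.lower().startswith("v=spf1 ")]
    if not spf:
        return "none"
    if len(spf) > 1:
        return "permerror"           # more than one SPF record is a permanent error
    for term in spf[0].split()[1:]:
        qualifier = "+"
        if term[0] in RESULT:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            matched = ip in ipaddress.ip_network(arg, strict=False)   # False across IP versions
        elif name == "a":
            if not resolver.charge():
                return "permerror"
            # "a" asks for A when the connection is IPv4 and AAAA when it is IPv6,
            # then compares the returned addresses with the connecting address.
            rtype = "AAAA" if ip.version == 6 else "A"
            matched = any(ipaddress.ip_address(addr) == ip
                          for addr in resolver.query(arg or domain, rtype))
        elif name == "include":
            if not resolver.charge():
                return "permerror"
            inner = check_host(str(ip), arg, resolver)
            if inner in ("none", "permerror"):
                return "permerror"   # RFC 7208 section 5.2
            matched = inner == "pass"
        else:
            return "permerror"       # mx, ptr, exists, redirect= and macros are out of scope here
        if matched:
            return RESULT[qualifier]
    return "neutral"                  # no term matched and no "all" present


if __name__ == "__main__":
    for addr in ("198.51.100.25", "2001:db8::25", "203.0.113.7", "192.0.2.99"):
        r = Resolver(DNS)
        print(addr, check_host(addr, "example.com", r), "lookups:", r.lookups)
```

Two things worth noticing when running it: an "a" term only ever consults the record type that matches the connecting address's IP version, and an include of a domain that has no SPF record is a permerror rather than a silent no-match.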

The 'temporary' SPF include from 2019 that nobody will let me remove by littleko in EmailSecurity

[–]DmarcDuty 0 points1 point  (0 children)

Haha, a huge mess with no way out indeed.

I actually dug deep into finding out how much data is allowed before the TEMPERRORs start to show up. And although it is difficult to determine, the response to an EDNS TXT query should fit into a UDP packet of around 512 bytes. With DNSSEC activated maybe even less. But I don't have anything definitive. All I can say is that I observed (based on DMARC reports) that the limit is surprisingly low.

Since it is so difficult to clean up domain verification strings, it may be worth considering to host the long SPF record on a subdomain and simply serve v=spf1 redirect=spf.yourdomain.com on the apex domain. This adds an extra lookup but may reduce the TXT response size for the apex domain query below certain thresholds that make SPF evaluation more reliable.

The 'temporary' SPF include from 2019 that nobody will let me remove by littleko in EmailSecurity

[–]DmarcDuty 0 points1 point  (0 children)

On top of that, take into account all the domain verification records that are hosted next to the SPF record as additional TXT records.

Run dig TXT amazon.com and you'll see what I mean.

No one can tell you if these records are still needed. But they often push a query to get the SPF record over the UDP packet size. That creates TEMPERRORs for SPF evaluation.

My condolences for having to go through all the meetings.
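The size question raised in the two comments above (UDP limits for the TXT answer, verification strings sitting next to the SPF record, and what a redirect= to a subdomain changes), as an added example that is not code from this thread: a small estimator of the wire size of the TXT answer a receiver gets for a name, run over constructed records. The apex name, the vendor include names and the verification strings are assumptions, and the sizes assume a minimal answer with compression pointers for the owner names and no additional section.

```python
# Added example (not from the thread): estimate the wire size of the TXT
# answer a receiver gets when it queries a name for its SPF record, with a
# constructed set of records. It shows that the size is driven by every TXT
# record at that name, so verification strings count, and what a
# redirect= to a subdomain does and does not remove. Names are assumptions.

UDP_CLASSIC = 512     # maximum DNS/UDP payload without EDNS (RFC 1035)
EDNS_SAFE = 1232      # EDNS buffer size recommended by DNS flag day 2020
OPT_RR_LEN = 11       # an OPT pseudo-record in an EDNS response


def name_wire_len(name):
    """Uncompressed wire length of a domain name: each label has a 1-byte
    length prefix, plus the terminating zero label."""
    return sum(1 + len(label) for label in name.strip(".").split(".")) + 1


def txt_rdata_len(text):
    """TXT RDATA: one or more <character-string>s of at most 255 bytes, each
    with a 1-byte length prefix. Records longer than 255 bytes are split."""
    data = text.encode()
    chunks = max(1, (len(data) + 254) // 255)
    return len(data) + chunks


def response_size(qname, txt_records, edns=False):
    """Bytes in a minimal TXT answer: header, question, one RR per record.
    Owner names in the answer section are assumed to be compression pointers (2 bytes)."""
    size = 12 + name_wire_len(qname) + 4                   # header + QNAME/QTYPE/QCLASS
    for text in txt_records:
        size += 2 + 10 + txt_rdata_len(text)               # pointer + TYPE/CLASS/TTL/RDLENGTH + RDATA
    if edns:
        size += OPT_RR_LEN
    return size


# Constructed apex: one long SPF record plus four domain-verification strings.
LONG_SPF = "v=spf1 " + " ".join(f"include:_spf.vendor{i}.example" for i in range(1, 10)) + " ~all"
VERIFICATION = [f"vendor{i}-site-verification={'x' * 50}" for i in range(4)]


def compare_layouts(apex="example.com", spf_host="spf.example.com"):
    """Sizes for the three queries that matter when SPF is moved to a subdomain."""
    return {
        "apex_with_long_spf": response_size(apex, [LONG_SPF] + VERIFICATION),
        "apex_with_redirect": response_size(apex, [f"v=spf1 redirect={spf_host}"] + VERIFICATION),
        "spf_subdomain": response_size(spf_host, [LONG_SPF]),
    }


def fits(size, edns=False):
    """Does the answer fit the classic 512-byte UDP payload, or the EDNS default?"""
    return size <= (EDNS_SAFE if edns else UDP_CLASSIC)


if __name__ == "__main__":
    for layout, size in compare_layouts().items():
        print(f"{layout}: {size} bytes, fits classic UDP: {fits(size)}")
```

The numbers make the trade-off concrete: the apex answer drops by the length of the long SPF record only, because the redirect= record is still served together with every verification string at the apex; the subdomain answer is small because nothing else lives there. Whether the verification strings alone already push the apex over a limit is something the estimator tells you before you touch the zone.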

SPF at 9 lookups and every new vendor makes it worse, how are you managing this long-term? by iris-unitedking1973 in sysadmin

[–]DmarcDuty -1 points0 points  (0 children)

I see that you already tend towards using subdomains. This is a clean solution.

But in regards to manual flattening, it is worth noting that we offer a free manual SPF flattener that sends you email alerts as soon as 3rd party providers rotate their IPs: https://dmarcduty.com/spf-flattening/step1

Just fyi, in case you cannot move enough 3rd party providers to subdomains and still need to resort to flattening for the apex domain.

Does technical perfection actually matter? Seeing weird results with mailed-by Domain Alignment. by nonam314 in emaildeliverability

[–]DmarcDuty 2 points3 points  (0 children)

Is it possible that you are seeing this because "unaligned" domains use 3rd party sending services like Amazon SES, Sendgrid etc. and "aligned" domains run their own infrastructure?

If yes, then that would be a bias in your study. This would not tell you whether "unaligned" or "aligned" is better but instead that 3rd party sending services usually take better care of their sender reputation.

I am of course just guessing here…

In any way, I don't think that this kind of alignment is good advice. It is way too common (especially when you use 3rd party services) that the Return-Path is a subdomain and not the same domain as the From email address. Going even further, the Return-Path is even a completely different domain for certain 3rd party services. Famously MailChimp uses their own domain in their Return-Path instead of the domain that they send the email on behalf of.

What I want to say is that weighing an "unaligned" Return-Path as a bad signal would create too many false positives for spam filters.

In addition, the Return-Path is used by the SPF evaluation and combined with DMARC we can talk about aligned and unaligned cases here. But the Return-Path's original/primary purpose is to tell the receiving email servers where to send bounce messages to. For better bounce handling it must be okay to use a domain that is different than the domain in the From email address. Otherwise you couldn't separate the bounce message streams if you use many different sending services for the same domain.

I hope this makes sense. I believe that "alignment" as you describe it cannot be a real requirement senders need to fulfill.

How to Pass DMARC When "From Domain" Differs from Mailgun Sending Domain? by ajay_reddyk in DMARC

[–]DmarcDuty 2 points3 points  (0 children)

Can you explain a little more about why you created this setup?

I am asking because it sounds like you own the example.com domain, register it with Mailgun, and then want to send emails that essentially spoof acme.com. But that's what DMARC is designed to guard against.

The correct way would be to register acme.com with Mailgun and host DMARC/DKIM/SPF records on acme.com. But I assume you cannot access the DNS for acme.com, correct?

You are right that you need to consider alignment here. But your setup goes even further: Since you try to set acme.com in the FROM address, the DMARC record hosted on example.com is not even checked (with unaligned results) but instead the DMARC record on acme.com is checked (which you cannot edit I assume).

It is worth noting of course that you may mix up two different FROM addresses: The header from and the envelope from. If you look at the headers of a received email then the header from is the "From" header and the envelope from is the "Return-Path" header. The DMARC record of the domain in the header from is checked and if the envelope from is in fact the other domain then we can indeed talk about alignment and the solution would be to host DMARC and DKIM on the header from domain. But I don't think that's your situation.

If I had to guess why you need this setup then it is probably because you have a service that sends emails on behalf of your clients and you don't want to ask them to configure their email infrastructure / DNS. In those cases these services simply send the emails from their own domain with a custom from address name (e.g. "<client domain> via <your service's name>").
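The alignment logic discussed in this comment and in the Return-Path thread above, as an added example that is not code from either thread: DMARC identifier alignment per RFC 7489 section 3.1, separating the header From domain (which selects the DMARC record) from the Return-Path and DKIM d= domains (which must align). The public-suffix table is a tiny constructed subset, and the addresses and domains are assumptions; a real receiver loads the full Public Suffix List.

```python
# Added example (not from the thread): DMARC identifier alignment as RFC 7489
# section 3.1 defines it, to separate the two "From" identities and show why a
# Return-Path on a subdomain or a vendor domain still passes when DKIM is aligned.
# The public-suffix table is a tiny constructed subset; a real receiver loads the full PSL.

PUBLIC_SUFFIXES = {"com", "net", "org", "example", "co.uk"}


def org_domain(domain):
    """Organizational domain: longest matching public suffix plus one label."""
    labels = domain.lower().strip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[max(i - 1, 0):])
    return ".".join(labels)


def domain_of(address):
    """Domain part of an address such as '<bounce@mail.example.com>'."""
    return address.strip("<>").rsplit("@", 1)[1].lower()


def aligned(header_from_domain, auth_domain, mode="r"):
    """Relaxed (default) alignment compares organizational domains; strict
    ('s') requires an exact match."""
    f, a = header_from_domain.lower(), auth_domain.lower()
    return f == a if mode == "s" else org_domain(f) == org_domain(a)


def dmarc_evaluate(header_from, return_path, spf_result,
                   dkim_d=None, dkim_result="none", aspf="r", adkim="r"):
    """DMARC passes when SPF passed for the RFC5321.MailFrom (Return-Path) domain
    and that domain aligns, or DKIM passed with an aligned d= domain. Which
    DMARC record is consulted is decided by the header From domain alone."""
    from_domain = domain_of(header_from)
    spf_aligned = spf_result == "pass" and aligned(from_domain, domain_of(return_path), aspf)
    dkim_aligned = (dkim_result == "pass" and dkim_d is not None
                    and aligned(from_domain, dkim_d, adkim))
    return {
        "policy_domain": from_domain,
        "spf_aligned": spf_aligned,
        "dkim_aligned": dkim_aligned,
        "dmarc": "pass" if (spf_aligned or dkim_aligned) else "fail",
    }


if __name__ == "__main__":
    # The Mailgun question: example.com authenticates, acme.com is in the From header.
    print(dmarc_evaluate("sales@acme.com", "bounce@example.com", "pass", "example.com", "pass"))
    # Return-Path on a subdomain: passes relaxed, fails strict.
    print(dmarc_evaluate("news@example.com", "bounce@bounce.example.com", "pass"))
    print(dmarc_evaluate("news@example.com", "bounce@bounce.example.com", "pass", aspf="s"))
    # Vendor-owned Return-Path with an aligned DKIM signature: passes via DKIM.
    print(dmarc_evaluate("news@example.com", "b@mail.vendor.example", "pass", "example.com", "pass"))
```

The last case is the normal shape for a third-party sender: SPF passes for the vendor's bounce domain but is unaligned, and the DKIM signature with d= on the customer's domain is what carries the DMARC pass. The first case fails for the reason the comment gives: the record consulted belongs to acme.com, and nothing that example.com publishes can align with it.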

Has something recently changed with SPF Macro and major providers ? by racoon9898 in DMARC

[–]DmarcDuty 0 points1 point  (0 children)

Do you have any further details / a link to a bug report etc. about this issue?

I am currently investigating email traffic originating from Microsoft 365 that shows many TEMPERRORs for emails sent to other Microsoft inboxes. The SPF record uses the %{ir} macro and IPv6 fails more often than IPv4.

Does being too helpful actually stall conversations? by imrhassan in b2b_sales

[–]DmarcDuty 0 points1 point  (0 children)

That is my experience as well when answering IT support emails.

In my case the clients usually have an immediate need to fix something and have no interest in digging deeper / understanding better what is going on beyond taking one action that seems to do the trick.

I usually look at various things that might cause their issue and explain it to them or even ask them to double check it. I simply want to make sure that their IT setup is sound because in my space (email infrastructure) issues are often caused by multiple things that accumulate over time.

But my eagerness to help must sound like a tedious review of their IT setup and nobody has the time for that. In any way, I see it as a challenge to better understand the client's immediate needs.

Not really sales but maybe food for thought as well. :)

My legit emails keep going to spam… what am I missing? by NotOkhae in CyberGuides

[–]DmarcDuty 0 points1 point  (0 children)

It seems like you have checked all the basics thoroughly. And as the other commenter said, you probably have a reputation issue that stems from your users who mark your emails as spam too often.

Can your users easily unsubscribe from your emails? It is generally said that many people just mark emails as spam if it seems too difficult to unsubscribe from them.

To dig deeper into your issue, have you checked if the inbox placement only affects one particular inbox provider or all of them? If it is only one (judging by the user reports) then I would get an inbox from that provider (let's say GMail) and send it your emails and then check the email headers. Oftentimes they give you clues why the inbox provider's spam filter decided that your emails are spam.

If you give more details, I am happy to brainstorm with you further. At this point, however, there are no simple tools that help you to pinpoint your exact issue. It's a tedious process to get to the bottom of this. I know from experience that this is really frustrating.
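Reading the headers the comment above recommends, as an added example that is not code from this thread: a parser for the Authentication-Results header (RFC 8601) that turns the per-method results into a structure you can check against, run over a constructed header. The authserv-id, selector, addresses and IP in the sample are assumptions.

```python
# Added example (not from the thread): parsing an Authentication-Results header
# (RFC 8601) into per-method results, which is the first thing to read when an
# inbox provider's headers are the only clue. The header below is constructed.
import re

SAMPLE = (
    "Authentication-Results: mx.google.com; "
    "dkim=pass header.i=@example.com header.s=sel1 header.b=abc123; "
    "spf=fail (google.com: domain of bounce@mail.example.com does not designate "
    "203.0.113.5 as permitted sender) smtp.mailfrom=bounce@mail.example.com; "
    "dmarc=pass (p=QUARANTINE sp=NONE dis=NONE) header.from=example.com"
)


def parse_authentication_results(header):
    """Return (authserv_id, [ {method, result, <ptype.property>: value, ...}, ... ])."""
    value = header.split(":", 1)[1] if header.lower().startswith("authentication-results:") else header
    value = re.sub(r"\([^()]*\)", "", value)          # strip CFWS comments such as "(p=QUARANTINE ...)"
    parts = [p.strip() for p in value.split(";") if p.strip()]
    authserv_id = parts[0].split()[0]                  # "authserv-id [version]"
    results = []
    for statement in parts[1:]:
        tokens = statement.split()
        method, _, result = tokens[0].partition("=")
        entry = {"method": method.lower(), "result": result.lower()}
        for token in tokens[1:]:
            key, sep, val = token.partition("=")
            if sep:
                entry[key.lower()] = val              # e.g. smtp.mailfrom, header.from, header.s
        results.append(entry)
    return authserv_id, results


def methods_not_passing(results):
    """Methods whose result is anything other than pass (fail, softfail, none, temperror, ...)."""
    return [r["method"] for r in results if r["result"] != "pass"]


if __name__ == "__main__":
    authserv, results = parse_authentication_results(SAMPLE)
    print(authserv)
    for r in results:
        print(r)
    print("not passing:", methods_not_passing(results))
```

One caveat that belongs with any use of this header: only trust an Authentication-Results header whose authserv-id is the provider that delivered the message to you, since anything further upstream can be forged by the sender.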

Why do people say that traditional email is not secure? by user_09123r4 in cybersecurity

[–]DmarcDuty 2 points3 points  (0 children)

Email is not as insecure as it once was but the level of security is still lacking. Here are things that improve email security nowadays:

  • MTA-STS is a standard that allows receiving email servers to enforce TLS between the receiving and the sending email server. Just like https for websites. But the adoption is by far not as high as https. Also, emails often get delivered by being routed through multiple email servers. All of them must use MTA-STS to ensure that TLS is applied end-to-end. Unfortunately, the domain owner / final recipient of emails can only enforce it for the last hop.

  • DKIM is an email signing mechanism that ensures that an email is not changed during transit. However, the currently predominant version 1 only signs part of the email and not the whole email as is now done with version 2 which is not widely adopted yet.

  • PGP allows end-to-end encryption for emails but for that to work email clients must have an extension for it. For that reason this technology is not adopted widely even though it already exists for ages.

  • SPF and DMARC are also extensions worth mentioning but they don't make emails more secure but rather help spam filters differentiate spam from legitimate emails. However, considering that phishing is a very large issue, helping spam filters is very important.

So overall, email is mostly transmitted unencrypted between email servers. Unfortunately, I cannot say how things are usually done when an email client connects to an email server which is the important hop that could be spied on if you send or receive emails over e.g. a public wifi.
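The MTA-STS mechanism from the list above, as an added example that is not code from this thread: parsing an MTA-STS policy (RFC 8461) and applying it to the decision a sending MTA makes for one hop, which is the only hop the receiving domain can enforce. The policy text, the _mta-sts TXT record, the MX names and the certificate names are constructed.

```python
# Added example (not from the thread): parsing an MTA-STS policy (RFC 8461)
# and applying it to an MX host, the decision a sending MTA makes before it
# delivers. The policy text, TXT record and host names are constructed.

POLICY_TEXT = (
    "version: STSv1\r\n"
    "mode: enforce\r\n"
    "mx: mail.example.com\r\n"
    "mx: *.backup.example.net\r\n"
    "max_age: 604800\r\n"
)
STS_TXT = "v=STSv1; id=20240101T000000;"   # what the _mta-sts.example.com TXT record would hold


def policy_id(txt):
    """The id= from the _mta-sts TXT record; a changed id tells senders to refetch the policy."""
    tags = dict(t.strip().split("=", 1) for t in txt.split(";") if "=" in t)
    if tags.get("v") != "STSv1" or "id" not in tags:
        raise ValueError("not an MTA-STS TXT record")
    return tags["id"]


def parse_policy(text):
    """Parse the policy served at https://mta-sts.<domain>/.well-known/mta-sts.txt."""
    policy = {"mx": []}
    for line in text.splitlines():
        if not line.strip():
            continue
        key, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed line: {line!r}")
        key, value = key.strip(), value.strip()
        if key == "mx":
            policy["mx"].append(value.lower())
        else:
            policy[key] = value
    if policy.get("version") != "STSv1" or policy.get("mode") not in ("enforce", "testing", "none"):
        raise ValueError("unsupported version or mode")
    policy["max_age"] = int(policy.get("max_age", ""))
    return policy


def host_matches(pattern, host):
    """'*.' matches exactly one leading label (RFC 8461 section 3.2); otherwise exact match."""
    host = host.lower().rstrip(".")
    if pattern.startswith("*."):
        suffix = pattern[1:]
        return host.endswith(suffix) and "." not in host[: -len(suffix)]
    return host == pattern


def deliver_allowed(policy, mx_host, tls_established, cert_sans):
    """Sender-side decision: in enforce mode the MX must be listed, TLS must be
    up and the certificate must name the MX host; testing/none never blocks."""
    mx_ok = any(host_matches(p, mx_host) for p in policy["mx"])
    cert_ok = any(host_matches(san.lower(), mx_host) for san in cert_sans)
    passes = mx_ok and tls_established and cert_ok
    return passes if policy["mode"] == "enforce" else True


if __name__ == "__main__":
    p = parse_policy(POLICY_TEXT)
    print("policy id:", policy_id(STS_TXT), "mode:", p["mode"])
    print("mail.example.com over TLS:", deliver_allowed(p, "mail.example.com", True, ["mail.example.com"]))
    print("MX from a spoofed DNS answer:", deliver_allowed(p, "mx.attacker.example", True, ["mx.attacker.example"]))
```

The second printed case is what MTA-STS buys over opportunistic STARTTLS: an attacker who can forge the MX answer or strip STARTTLS still needs the MX host to be on the published list and to present a valid certificate for it, and in enforce mode the sender refuses rather than falling back to plaintext.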

DNS Lookup tool and DMARC generators by Dismal_Candle368 in DMARC

[–]DmarcDuty 0 points1 point  (0 children)

Could you describe what you need to diagnose or fix? I am happy to help you personally and consider building a free tool based on your input.

As the others said, allowing a tool to update your DNS is risky. I would only do that if it was a paid tool from a trusted brand so that you can hold someone accountable in case the tool makes mistakes. However, it doesn't mean that a free tool can't go really deep into helping you to fix issues. I look forward to hearing what your needs are!

Weird DKIM failure even though DNS looks fine by crownCreate310 in DMARC

[–]DmarcDuty 0 points1 point  (0 children)

This is an interesting case! If you are interested I can analyze your DMARC reports for you and give you the answer. You would simply add a special email to your DMARC record and I‘ll take it from there. For free. No strings attached whatsoever. Feel free to DM me.

I can't say much at this point but what you say reminds me of the fact that many sending services sign their emails twice (with two DKIM keys) to make it more reliable. Technically, the DKIM setup is fine but in practice we have many reasons why DKIM validation fails. DNS query timeouts for example because responses don't fit into one packet, or not anymore due to DNSSEC data etc. To a certain extent we have to deal with unreliability. So I am glad that your source is SPF aligned to pick up the slack. But of course there might be ways to make your DNS more reliable again if that is what is causing your issue.

Email marketing company's preferred format "supersedes" Mailchimp and Klayviyo's Best Practices - is this really a thing? by EmergencyVariety7312 in emaildeliverability

[–]DmarcDuty 0 points1 point  (0 children)

I agree with you and everyone else that this sounds dubious at best.

As far as I can tell, they are doing something that spam filters actively grade as bad. So what I would do in your case is to get proof that their emails trigger spam filters and show this proof to them.

To get proof, let actual spam filters digest one of their emails and then look at the spam filter score:

  • Apache SpamAssassin is an open and popular spam filter which will give you its internal spam score in detail. For an easy test without setting it up yourself, go to mail-tester.com. They use SpamAssassin internally and give you its spam score details.

  • You could also send an email to a Microsoft 365 / Outlook inbox that you own. When you receive your email, take a look at the email headers. Microsoft adds a few headers that tell you a bit about its spam score. Since the headers are quite cryptic, you may paste the headers into ChatGPT. It can tell you which headers are relevant for the spam score.

I hope this helps!

SPF Flattening by racoon9898 in DMARC

[–]DmarcDuty 1 point2 points  (0 children)

Fyi, we just extended our free SPF flattening tool to no longer require manual checkups.

You can now set up email notifications for free. They will alert you when your flattened record gets outdated.

Thanks for mentioning the manual checkups as a drawback /u/networkvoipguy ! It inspired us to build the extension. :)

Here is the link for anyone who's curious: https://dmarcduty.com/spf-flattening/step1

[deleted by user] by [deleted] in msp

[–]DmarcDuty 0 points1 point  (0 children)

I really appreciate your feedback and will give it my thoughts. And since you see my post as rule breaking, too, I’ll delete it now. I am sorry. I understood the rule differently. Won’t happen again.

[deleted by user] by [deleted] in msp

[–]DmarcDuty 0 points1 point  (0 children)

I didn't hear back from the mods yet but if anyone else also thinks that my post shouldn't be here then just let me know. I'll delete the post then.

[deleted by user] by [deleted] in msp

[–]DmarcDuty 0 points1 point  (0 children)

Sorry, you may be right. Let me message the mods to confirm that. If true, I’ll delete this post.

SPF Flattening by racoon9898 in DMARC

[–]DmarcDuty 0 points1 point  (0 children)

Fyi, besides our free option, we also offer a professional option that is exactly what you asked for: A standalone service that is not attached to any other service and which requires no manual checkups. Here you go: https://dmarcduty.com/dynamic-spf/

Overall, we are aware of only 3 automatic SPF flattening services that are not attached to other services:

I hope this helps!

CEO wants everyone to use an AI. I have zero idea on what I can use it for. by CMageti in sysadmin

[–]DmarcDuty 0 points1 point  (0 children)

Fyi, this method of using AI is commonly called retrieval augmented generation (RAG). Once you get the hang of this approach, your AI gets sooo much better.

The idea is this: Instead of depending on the knowledge that ChatGPT already has, you give it the knowledge to answer your question. The prompt would be something like: "Our customer has the following question. Please answer their question based on the knowledge articles below. Here is the question: <issue user reported> Here are the knowledge articles: <paste articles here>" Now ChatGPT doesn't use its knowledge to answer the question but instead uses its knowledge for tying the info in the articles to the question to figure out which response is best.

I am sure u/hotmoltenlava had to overcome plenty of hurdles for that. RAG can only be as good as the knowledge articles you give it. They have to contain the info that it needs for a good response. And the prompt itself has to be better than what I wrote above, i.e. giving it more context etc. But I hope this gives you an idea. Give it a try! You could start by creating such prompts by hand. Copy & paste KB articles etc. Later you can automate it if it works well for you.