The Overlooked Records That Let Attackers Impersonate You

Somewhere in your domain’s DNS settings sit a handful of text records that most business owners have never looked at and could not explain if asked. SPF, DKIM and DMARC are unglamorous, easy to configure incorrectly, and directly responsible for whether someone across the world can send an email that looks exactly like it came…

Somewhere in your domain’s DNS settings sit a handful of text records that most business owners have never looked at and could not explain if asked. SPF, DKIM and DMARC are unglamorous, easy to configure incorrectly, and directly responsible for whether someone across the world can send an email that looks exactly like it came from your finance director. Getting them wrong costs nothing to notice and everything to ignore.

Three records, one enormous gap when missing

SPF tells receiving mail servers which servers are allowed to send email on your domain’s behalf. DKIM adds a cryptographic signature that proves a message was not altered in transit. DMARC ties the two together and tells receiving servers what to do when a message fails those checks, whether to quarantine it, reject it outright, or let it through anyway. When any one of these is missing or misconfigured, an attacker can send a message that appears to come from your own domain and land it directly in a customer’s inbox, with none of the usual warning signs recipients are taught to look for.

A proper review as part of external network pen testing checks not just whether these records exist, but whether they are configured strictly enough to actually block spoofed mail rather than merely flagging it. A great many domains have a DMARC record present that is set to take no action at all, which offers essentially the same protection as having no record whatsoever, while giving the business a false sense that the matter has already been handled.

The Overlooked Records That Let Attackers Impersonate You — Aardwolf Security

Impersonation is cheaper than hacking, and often more effective

Attackers who spoof a trusted domain do not need to breach any of your systems at all. They send an invoice-looking email from what appears to be your own accounts department, or a message from your managing director asking for an urgent payment, and they rely entirely on the recipient’s trust in the sender address. Properly configured email authentication removes that option almost completely, forcing the attacker onto far noisier and more detectable methods that are considerably easier for staff to spot and report.

William Fieldhouse describes this as one of the highest-value, lowest-effort fixes he encounters.

“I reviewed a client’s domain last year and found DMARC set to a policy that monitored spoofed mail without actually blocking any of it. Meanwhile their finance team had already paid out against two fraudulent invoices sent from a lookalike version of their own domain. Fixing the record took an afternoon. The fraud had already cost them five figures.”

— William Fieldhouse, Director of Aardwolf Security Ltd

Five figures lost to a DNS record left at its default setting is a genuinely common story, not an outlier. These records get created once during initial domain setup, often by whoever configured the mail server years earlier, and then nobody revisits them until something goes wrong. In the meantime the business assumes email security is somebody else’s problem, handled invisibly by the mail provider, when in fact nobody has actually checked the configuration in years.

Check the records before someone else exploits them

Reviewing SPF, DKIM and DMARC takes far less time than recovering from the fraud that follows their absence. Confirm all three are in place, set DMARC to actually enforce rather than merely observe, and check the configuration whenever you change mail providers or add new sending services. A penetration testing quote should always include this check as standard. Contact Aardwolf Security to have your domain’s email defences reviewed properly.

Share:

Leave a Reply

Your email address will not be published. Required fields are marked *

Latest News

View All

About the Author

Easy WordPress Websites Builder: Versatile Demos for Blogs, News, eCommerce and More – One-Click Import, No Coding! 1000+ Ready-made Templates for Stunning Newspaper, Magazine, Blog, and Publishing Websites.

BlockSpare — News, Magazine and Blog Addons for (Gutenberg) Block Editor