What are the issues with DMARC service companies and cousin domains?

Summary

The compilation of responses reveals several critical issues regarding DMARC service companies and the management of cousin domains. Some DMARC providers engage in unethical practices, such as scraping websites for email addresses and sending unsolicited emails, which ironically undermines the purpose of DMARC. Unsecured cousin domains pose significant security risks, as they can be exploited for brand impersonation and phishing attacks. Implementing strict DMARC policies without proper configuration or alignment can inadvertently block legitimate emails from cousin domains, impacting deliverability and business communication. Furthermore, managing DMARC across a diverse portfolio of domains, particularly with multiple teams or vendors involved, presents challenges due to inconsistent policies and a lack of visibility and control. Regular monitoring of DMARC reports is essential to detect and address these issues promptly. Overall, the effective management of DMARC and cousin domains requires ethical service providers, consistent policies, careful configuration, and continuous monitoring to maintain email security and deliverability.

Key findings

  • Unethical Scraping: Some DMARC service providers use unethical practices like scraping websites for email addresses and sending spam.
  • Cousin Domain Exploitation: Unsecured cousin domains are susceptible to brand impersonation and phishing attacks.
  • Inadvertent Blocking: Strict DMARC policies can unintentionally block legitimate emails from cousin domains if not properly configured.
  • Management Complexity: Managing DMARC across multiple domains with different teams or vendors leads to inconsistent policies and a lack of control.
  • Monitoring Deficit: Failure to regularly monitor DMARC reports results in undetected issues and potential email blocking.

Key considerations

  • Vendor Due Diligence: Conduct thorough due diligence when selecting DMARC service providers to avoid those with questionable practices.
  • Consistent Policies: Establish consistent DMARC policies across all domains, including cousin domains and subdomains, to maintain uniformity.
  • Careful Configuration: Configure DMARC policies meticulously to prevent inadvertently blocking legitimate emails from related domains.
  • Centralized Control: Implement centralized management for DMARC across all domains to ensure consistent enforcement and oversight.
  • Continuous Monitoring: Actively and continuously monitor DMARC reports to promptly identify and address any issues related to cousin domains or policy misconfigurations.

What email marketers say
7Marketer opinions

Several issues arise with DMARC service companies and the management of cousin domains. Some DMARC service providers engage in aggressive scraping techniques to find email addresses, leading to spam and reputation damage. Cousin domains, if not properly secured with DMARC, can be used for brand impersonation and phishing attacks. Enforcing strict DMARC policies without careful configuration can inadvertently block legitimate emails from cousin domains, impacting domain reputation and deliverability. Managing DMARC across multiple domains, especially when different teams or vendors are involved, poses challenges due to inconsistent policies. Actively monitoring DMARC reports across all domains is crucial to catch issues early and prevent email blocking.

Key opinions

  • Aggressive Scraping: Some DMARC service providers use aggressive scraping techniques for email addresses, leading to spam.
  • Brand Impersonation: Unsecured cousin domains can be used to impersonate brands, increasing phishing risks.
  • Inadvertent Blocking: Strict DMARC policies can block legitimate emails from cousin domains if not properly configured.
  • Management Challenges: Managing DMARC across multiple domains with different teams can lead to policy inconsistencies.
  • Lack of Monitoring: Failure to actively monitor DMARC reports results in missed issues and potential email blocking.

Key considerations

  • Due Diligence: Perform due diligence when selecting DMARC service providers to avoid those with questionable practices.
  • Consistent Policies: Ensure consistent DMARC policies across all domains, including cousin domains and subdomains.
  • Careful Configuration: Configure DMARC policies carefully to avoid inadvertently blocking legitimate emails from related domains.
  • Centralized Management: Implement centralized management for DMARC across all domains, even if different teams are responsible.
  • Active Monitoring: Actively monitor DMARC reports to identify and address issues related to cousin domains promptly.
Marketer view

Email marketer from StackExchange explains that DMARC enforcement, particularly with a 'reject' policy, can inadvertently block legitimate emails if cousin domains or subdomains aren't properly configured. This impacts domain reputation.

March 2023 - StackExchange
Marketer view

Email marketer from dmarcian explains that managing DMARC across a portfolio of domains (including cousin domains) can be challenging, especially if they're managed by different teams or vendors. This can lead to inconsistent policies and increased vulnerability to attacks.

February 2023 - dmarcian
Marketer view

Email marketer from Litmus shares that actively monitoring DMARC reports across all your domains is essential to catch issues early. If you're not paying attention, you may not realize there's a problem with cousin domains until it's too late and emails are being blocked.

July 2024 - Litmus
Marketer view

Email marketer from EmailVendorSelection.com explains that DMARC setups are often abused by less-than-reputable email marketing companies. They emphasize the importance of due diligence when working with vendors who manage your DMARC.

May 2024 - EmailVendorSelection.com
Marketer view

Email marketer from Reddit explains that some DMARC service providers may use aggressive scraping techniques on websites to find email addresses, and then spam them, potentially affecting the reputation of the client whose DMARC they manage.

April 2021 - Reddit
Marketer view

Email marketer from Mailjet shares that cousin domains and subdomains should be treated with the same caution as top-level domains when considering DMARC implementation. Inconsistencies across domains/subdomains can lead to deliverability issues.

February 2025 - Mailjet
Marketer view

Email marketer from SparkPost shares that cousin domains, if not secured with DMARC, can be used to impersonate your brand. This damages trust and leads to a higher risk of phishing attacks targeting customers. This necessitates careful DMARC monitoring across the entire domain landscape.

July 2023 - SparkPost

What the experts say
3Expert opinions

The provided answers highlight several issues related to DMARC service companies and their interaction with cousin domains. Some DMARC service companies engage in practices such as scraping websites for email addresses and sending spam without proper unsubscribe mechanisms. This practice is ironic when these companies also use cousin domains to bypass spam filters, even implementing a p=reject policy on those domains. Conversely, a DMARC policy of p=reject on marketing domains can ensure that only legitimate email is sent. These practices have implications for deliverability and reputation.

Key opinions

  • Scraping and Spam: DMARC service companies may scrape websites for email addresses and send spam without proper consent.
  • Cousin Domain Abuse: Cousin domains can be used by DMARC companies to bypass spam filters, even with a p=reject policy in place.
  • p=reject Benefits: A DMARC policy of p=reject on marketing domains helps ensure only legitimate email is sent.

Key considerations

  • Ethical Practices: DMARC service companies should adhere to ethical practices regarding email address acquisition and sending.
  • Domain Reputation: Consider the impact of using cousin domains on domain reputation and deliverability.
  • Policy Enforcement: Implement and enforce appropriate DMARC policies (e.g., p=reject) on marketing domains to improve email authentication.
Expert view

Expert from Email Geeks explains a DMARC service company scraped websites for addresses and spammed them without unsubscribe links or postal addresses. They highlight the irony of a DMARC company using a cousin domain to avoid getting blocked for spamming, even though the cousin domain had a p=reject policy.

May 2022 - Email Geeks
Expert view

Expert from Word to the Wise explains that some DMARC service companies scrape websites for email addresses to expand their reach, often without proper consent or unsubscribe mechanisms, which can negatively impact the reputation of both the service and the domains involved.

October 2022 - Word to the Wise
Expert view

Expert from Email Geeks confirms that the marketing domains use a DMARC policy of p=reject, ensuring that only real mail on behalf of the company is sent.

October 2022 - Email Geeks

What the documentation says
5Technical articles

The provided documentation and expert opinion highlight key issues with DMARC management concerning cousin domains. Without proper management, cousin domains can be spoofed for phishing, harming the primary domain's reputation and overall security. Lack of visibility and control over indirectly managed domains can cause problems, emphasizing the need for regular audits. Poorly implemented DMARC policies, especially with 'reject' settings and alignment failures, can block legitimate emails. Domain alignment issues between parent and cousin domains, coupled with strict policies, can lead to legitimate emails being blocked.

Key findings

  • Spoofing Risk: Cousin domains without proper DMARC management can be spoofed for phishing attacks.
  • Lack of Visibility: DMARC implementation can be problematic due to a lack of visibility and control over cousin domains.
  • Blocking Legitimate Emails: Poorly implemented DMARC policies can inadvertently block legitimate emails from cousin domains.
  • Alignment Issues: Domain alignment issues between parent and cousin domains can cause emails to be blocked.

Key considerations

  • Careful Management: Carefully manage DMARC policies across all related domains, including cousin domains.
  • Regular Audits: Conduct regular audits and monitoring of DMARC reports to maintain visibility and control.
  • Gradual Implementation: Implement DMARC policies gradually, especially when using 'reject' settings.
  • Domain Alignment: Ensure proper domain alignment between parent and cousin domains to avoid blocking legitimate emails.
Technical article

Documentation from Google shares that failing to properly manage DMARC records on related domains (cousin domains) leaves you susceptible to domain spoofing and phishing attacks. This compromises the overall security posture of your organization.

July 2023 - Google
Technical article

Email marketer from ReturnPath explains that domain alignment issues in DMARC can occur between parent domains and subdomains/cousin domains. If your DMARC policy is configured to be strict, and alignment fails for these other domains, your emails may be blocked, even if they are legitimate.

January 2023 - ReturnPath
Technical article

Documentation from RFC Editor explains that a poorly implemented DMARC policy, especially one using a reject setting without proper alignment, can block legitimate emails from cousin domains, leading to loss of business and customer communication. They recommend a gradual implementation strategy.

April 2023 - RFC-Editor.org
Technical article

Documentation from DMARC.org explains that without proper management, cousin domains using DMARC can be spoofed to send phishing emails, affecting your primary domain's reputation. They recommend carefully managing DMARC policies across all related domains.

November 2024 - DMARC.org
Technical article

Documentation from Microsoft responds that DMARC can cause problems with indirectly managed domains (cousin domains) due to a lack of visibility and control. Microsoft recommends regular audits and monitoring of your DMARC reports.

November 2023 - Microsoft