Trusted email security expert | improve your email security in 2025

+1 (323) 955 1390

Email Impersonation Protection for Unused Email Domains

by

Rob Walton
in , ,

Protect Unused Email Domains Against Cyber Attack

Organizations usually own a large number of email domains, for brand protection reasons. But only use a subset of those email domains for their mailboxes. It is recommended to protect unused email domains as part of your overall cyber security.

Typically any email security measures are only applied to the email domains being used. This means the unused email domains can be at risk of being subject to cyber attack.

SPF, DKIM, DMARC Protection

Hopefully your main email domains are already protected by SPF, DKIM, and DMARC (reject mode). And by an effective anti-spam and anti-phish policy. An example might be widgets.com .

However if you also own the public DNS name widgets.org but do not use it, then this may be vulnerable for an impersonation attack. This is because it may lack the full SPF, DKIM, DMARC and DANE protection.

Email Impersonation Attack

A bad actor may choose to impersonate John Smith who has a primary email address of [email protected] . If widgets.org has no SPF protection then it will take 2 minutes to send an email from [email protected] to any of your customers.

If John Smith’s main user account was able to be compromised as well, then a man-in-the-middle attack may succeed in causing financial and/or brand damage.

Check out this relevant article from office365migrate.com covering SPF, DKIM, and DMARC protection.

Protect Unused Email Domain Names

On many email security protection projects I commonly find unused email domains within the DNS Registrar that are not used for daily email purposes. And these email domains often have no SPF record, which means anyone can send an email using that email domain.

They can then send an email to one of your customers and launch an impersonation attack vector which can develop into a serious cyber breach. The exact steps to do that are not published here. One of my customers lost $300,000 USD through such a breach.

Summary | Protect Unused Email Domains

Contact me today to arrange an expert review of your email security and what can be done to ensure you are maximizing your protection against cyber attack.

If you need consulting help to migrate your email system to Office 365 to make better use of SPF, DKIM, and DMARC protection – then we recommend the team at office365migrate.com.

Table of Contents

    Comments

    Leave a Reply

    Your email address will not be published. Required fields are marked *