Using SPF and DMARC records to combat invalid email subdomains


I have been able to confirm that bad actors are sending emails from nonexistent subdomains of my company’s primary domain.

Let’s say my primary domain is foo.com. Email is sent from that base domain from my own mail system. Due to partnerships with a helpdesk provider, a e-commerce (storefront) company, and a CX/NPS provider, I also have three valid unique subdomains from which email comes from each (shop.foo.com, support.foo.com, and feedback.foo.com.

I have full DMARC w/ DKIM for all 4. With the invaluable assistance of DMARCian (a DMARC report aggregation & reporting service), I have confirmed that there are several sources of recurring email from other subdomains – ones that do not exist. For example, some unauthorized and unknown entity in VN is sending email from news.foo.com & enews.foo.com. Another source is sending from sales.foo.com. This last one is particularly of concern because the content of the few emails from this bad actor we’ve been forwarded is quite damaging to my company (we think it’s a foreign competitor in our fierce niche market behind it).

Unfortunately, my current DMARC polices are either monitor or quarantine; I can’t use a reject policy (that’s another battle.)

I am considering creating SFP & DMARC records for these nonexistent subdomains, with no allowed senders and a reject policy.

I’m not sure how effective this would be though. I also cannot think of any drawbacks, other than a bit of extra work to set it up and then maintain it when the bad actors start using different bogus subdomains. We’re always one step behind the bad guys, eh?

So… are there any drawbacks to what I am considering doing that I have not thought of? And do you think it’s worth the effort? Or is there a better approach to dealing with these bogus subdomains?