Guide

Email Brand Protection: DMARC, Typosquats, and Subdomain Security

Your domain is your brand's most important asset online. Attackers can spoof it for phishing, register lookalike domains, or take over subdomains. Here's how to protect all three attack surfaces.


Brand protection is not a single product — it is DMARC enforcement, monitoring for lookalike domains, and cleaning up DNS attack surface. This guide covers spoofing defense, typosquats, and dangling subdomains. Terms: typosquatting, subdomain takeover, email spoofing. If you only fix one channel this quarter, pick DMARC alignment — it raises the cost of spoofing at scale.

Security awareness training helps employees spot phish; DMARC and DNS hygiene stop messages from looking legitimate in the first place. Combine both — neither replaces the other.

The three brand attack surfaces

Spoofing — an attacker forges the From: header on your exact domain. Typosquats — an attacker registers lookalike domains and phishes from them. Dangling subdomains — an attacker hosts content under your namespace by claiming the target of a forgotten CNAME.

Stopping domain spoofing with DMARC

Publish SPF and DKIM aligned to your From domain, then move DMARC to p=reject. Receivers that honor DMARC then reject mail on your domain that fails both SPF and DKIM alignment; receivers that do not check DMARC are unaffected, so the control is only as broad as the receivers that enforce it. Full playbook: DMARC guide.
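How a receiver gets from "SPF passed" and "DKIM verified" to a DMARC verdict, as an added example (not DomainPreflight code): policy discovery at _dmarc.<From domain> with fallback to the organizational domain, relaxed versus strict identifier alignment, and the sp= override for subdomains. The DNS answers and the public-suffix subset are constructed for the demo; a real receiver would query DNS and use the full Public Suffix List.

```python
"""DMARC policy discovery and identifier alignment, evaluated offline.

Added example, not DomainPreflight code. DNS answers and the public-suffix
list are constructed stand-ins for the lookups a real receiver performs.
"""

# Constructed stand-in for DNS TXT lookups (assumption: these records exist).
FAKE_DNS_TXT = {
    "_dmarc.example.com": "v=DMARC1; p=reject; adkim=s; aspf=r; rua=mailto:dmarc@example.com",
    "_dmarc.corp.example": "v=DMARC1; p=reject; sp=quarantine",
}

# Assumption: a tiny subset of the Public Suffix List, enough for the demo.
PUBLIC_SUFFIXES = {"com", "net", "org", "co.uk"}


def organizational_domain(domain):
    """Registrable domain, e.g. mail.example.co.uk -> example.co.uk."""
    labels = domain.lower().rstrip(".").split(".")
    for n in (2, 1):
        if len(labels) > n and ".".join(labels[-n:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[-(n + 1):])
    return ".".join(labels[-2:])


def parse_dmarc(txt):
    """Parse a DMARC TXT record into tags; {} if it is not a valid DMARC record."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        return {}
    tags.setdefault("adkim", "r")  # relaxed alignment is the default
    tags.setdefault("aspf", "r")
    return tags


def lookup_dmarc(from_domain, dns=FAKE_DNS_TXT):
    """RFC 7489 discovery: _dmarc.<From domain>, then _dmarc.<organizational domain>.

    Returns (tags, name the record was found at) or ({}, None).
    """
    for candidate in (from_domain.lower(), organizational_domain(from_domain)):
        tags = parse_dmarc(dns.get(f"_dmarc.{candidate}", ""))
        if tags:
            return tags, candidate
    return {}, None


def aligned(auth_domain, from_domain, mode):
    """Identifier alignment: strict ('s') needs an exact match, relaxed ('r') the same org domain."""
    if not auth_domain:
        return False
    auth, hdr = auth_domain.lower(), from_domain.lower()
    if mode == "s":
        return auth == hdr
    return organizational_domain(auth) == organizational_domain(hdr)


def evaluate(from_domain, spf_domain, spf_pass, dkim_domain, dkim_pass):
    """DMARC verdict for one message: (result, disposition).

    spf_domain is the MAIL FROM domain SPF checked; dkim_domain is the d= of a
    signature that verified. DMARC passes when at least one of them both
    authenticated and aligns with the RFC5322.From domain.
    """
    policy, found_at = lookup_dmarc(from_domain)
    if not policy:
        return "none", "none"  # no record: the receiver applies no DMARC policy
    spf_ok = spf_pass and aligned(spf_domain, from_domain, policy["aspf"])
    dkim_ok = dkim_pass and aligned(dkim_domain, from_domain, policy["adkim"])
    if spf_ok or dkim_ok:
        return "pass", "none"
    # A subdomain that inherited the org-domain record uses sp= when present.
    if found_at != from_domain.lower() and "sp" in policy:
        return "fail", policy["sp"]
    return "fail", policy["p"]


if __name__ == "__main__":
    # Forged From on example.com, sent from the attacker's own SPF-passing domain.
    print(evaluate("example.com", "attacker.net", True, "", False))
    # Legitimate bounce subdomain passes SPF under relaxed alignment.
    print(evaluate("example.com", "bounce.example.com", True, "", False))
```

The third call in the tests is the one that bites people moving to enforcement: with adkim=s, a signature with d=mail.example.com no longer aligns with a From of example.com, so a sending platform that signs with a subdomain starts failing the day you tighten alignment.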

Spoofing volume often drops in reports before users notice fewer phish — track both metrics. When spoof attempts approach zero and legitimate mail stays aligned, you have evidence for auditors and executives that the control works.

Finding lookalike domains

Run DomainPreflight Typosquat Monitor — 30–50 variants via live DNS. Decide which to register defensively. Incidents: typosquat phishing domains.
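What a "variant" is in practice, as an added example that is not the DomainPreflight Typosquat Monitor: the generic typosquat families (omission, repetition, transposition, homoglyph substitution, hyphenation, bitsquatting, TLD swap) applied to one domain, then filtered through a resolver to keep the ones that already exist. The homoglyph table, TLD list and resolver answers are constructed for the demo; swap in a real resolver for live DNS.

```python
"""Generate lookalike-domain candidates and check which ones exist.

Added example, not the DomainPreflight Typosquat Monitor. Variant families are
generic typosquatting techniques; the resolver used in the demo is a constructed
dict, so nothing here touches the network.
"""

# Assumption: a small homoglyph table; real tooling uses a much larger one.
HOMOGLYPHS = {
    "l": ["1", "i"], "i": ["l", "1"], "o": ["0"], "e": ["3"], "a": ["4"],
    "m": ["rn"], "rn": ["m"], "w": ["vv"], "vv": ["w"],
}
TLD_SWAPS = ["com", "net", "org", "co", "io"]  # assumption: a short list
HOSTNAME_CHARS = set("abcdefghijklmnopqrstuvwxyz0123456789-")


def generate_variants(domain):
    """Return {candidate: technique} for one registrable domain, e.g. example.com."""
    name, tld = domain.lower().rsplit(".", 1)
    out = {}

    def add(technique, label):
        cand = f"{label}.{tld}"
        if label and cand != domain.lower() and cand not in out:
            out[cand] = technique

    for i in range(len(name)):
        add("omission", name[:i] + name[i + 1:])
        add("repetition", name[:i] + name[i] + name[i:])
    for i in range(len(name) - 1):
        add("transposition", name[:i] + name[i + 1] + name[i] + name[i + 2:])
    for seq, subs in HOMOGLYPHS.items():  # single substitution per candidate
        start = name.find(seq)
        while start != -1:
            for sub in subs:
                add("homoglyph", name[:start] + sub + name[start + len(seq):])
            start = name.find(seq, start + 1)
    for i in range(1, len(name)):
        add("hyphenation", f"{name[:i]}-{name[i:]}")
    for i, ch in enumerate(name):
        for bit in range(8):  # bitsquat: one flipped bit in one byte, if still a valid label char
            flipped = chr(ord(ch) ^ (1 << bit))
            if flipped in HOSTNAME_CHARS:
                add("bitsquat", name[:i] + flipped + name[i + 1:])
    for swap in TLD_SWAPS:
        if swap != tld:
            out.setdefault(f"{name}.{swap}", "tld-swap")
    return out


def check_registered(variants, resolve):
    """Keep the variants the resolver answers for (resolve returns a truthy value on an answer).

    In production pass a real resolver, e.g. a wrapper around socket.gethostbyname
    that returns None on failure; the demo injects a constructed one.
    """
    return {d: t for d, t in variants.items() if resolve(d)}


# Constructed answers standing in for live DNS (assumption, not real data).
FAKE_ANSWERS = {
    "examp1e.com": "198.51.100.23",
    "exarnple.com": "198.51.100.77",
    "example.net": "203.0.113.9",
}


def demo(domain="example.com"):
    """Variants of `domain` that the constructed resolver says already exist."""
    return check_registered(generate_variants(domain), FAKE_ANSWERS.get)


if __name__ == "__main__":
    variants = generate_variants("example.com")
    print(len(variants), "candidates")
    for d, technique in demo().items():
        print(f"{d:20} {technique}")
```

Everything the resolver answers for is either yours, parked, or someone else's; the ones you do not own go on the monitoring list, and the high-risk families (homoglyphs, common TLD swaps) are the candidates for defensive registration.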

Subdomain takeover risk

Audit CNAMEs with Dangling Records. Read dangling CNAMEs and subdomain security guide.
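What an audit actually looks for, as an added example that is not the DomainPreflight Dangling Records tool: walk every CNAME in a zone export to its terminal name, following in-zone hops through the zone itself, and flag chains that end in NXDOMAIN, loop, or run too long. A terminal outside your own domain is the takeover-relevant shape, because an attacker can often claim that name at the provider. The zone and the resolver answers are constructed for the demo.

```python
"""Find dangling CNAMEs in a zone by walking each chain to its terminal name.

Added example, not the DomainPreflight Dangling Records tool. The zone export
and the resolver answers below are constructed for the demo; nothing is looked
up over the network.
"""

# Constructed zone export (assumption): (owner, type, target/value).
ZONE = [
    ("www.example.com", "CNAME", "example.com."),
    ("api.example.com", "A", "203.0.113.20"),
    ("blog.example.com", "CNAME", "old-blog.hosting-provider.example."),
    ("shop.example.com", "CNAME", "shop-12345.saas-provider.example."),
    ("legacy.example.com", "CNAME", "lb.example.com."),
    ("lb.example.com", "CNAME", "unused-lb.cloud-provider.example."),
    ("loop1.example.com", "CNAME", "loop2.example.com."),
    ("loop2.example.com", "CNAME", "loop1.example.com."),
]

# Constructed external answers: None means NXDOMAIN (assumption, not real data).
FAKE_ANSWERS = {
    "example.com": "203.0.113.10",
    "shop-12345.saas-provider.example": "198.51.100.5",
    "old-blog.hosting-provider.example": None,
    "unused-lb.cloud-provider.example": None,
}


def fake_resolve(name):
    """Stand-in for an A/AAAA lookup; returns None on NXDOMAIN."""
    return FAKE_ANSWERS.get(name)


def find_dangling(zone, resolve, org_domain, max_hops=8):
    """One finding per CNAME whose chain ends in NXDOMAIN, a loop, or too many hops.

    In-zone targets are followed through the zone itself; the first name outside
    the zone is handed to `resolve`. `third_party` marks terminals outside
    org_domain, the shape that enables takeover at a hosting provider.
    """
    cnames = {o.rstrip("."): t.rstrip(".") for o, rtype, t in zone if rtype == "CNAME"}
    findings = []
    for owner, target in cnames.items():
        chain, seen, cur, reason = [owner], {owner}, target, None
        while True:
            if cur in seen:
                reason = "loop"
                break
            seen.add(cur)
            chain.append(cur)
            if len(chain) > max_hops:
                reason = "chain too long"
                break
            if cur in cnames:         # still inside our zone: keep walking
                cur = cnames[cur]
                continue
            if resolve(cur) is None:  # left the zone and the target does not exist
                reason = "NXDOMAIN"
            break
        if reason:
            in_org = cur == org_domain or cur.endswith("." + org_domain)
            findings.append({"name": owner, "chain": chain, "terminal": cur,
                             "reason": reason, "third_party": not in_org})
    return findings


if __name__ == "__main__":
    for f in find_dangling(ZONE, fake_resolve, "example.com"):
        flag = "TAKEOVER CANDIDATE" if f["third_party"] else "internal"
        print(f"{f['name']}: {' -> '.join(f['chain'])} [{f['reason']}, {flag}]")
```

NXDOMAIN is the cleanest signal but not the only one: some providers answer for any hostname and serve an "unclaimed" page instead, which needs an HTTP fingerprint check on top of the DNS walk shown here. Note that legacy.example.com is reported even though its own target is in-zone; the problem is two hops away, which is why the walk has to follow chains rather than check each record in isolation.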

WHOIS privacy

Reduce attacker recon on your admin contacts. Complements technical controls — does not replace them.

Public WHOIS data feeds spear-phishing: names, phones, and roles. Redaction slows down attackers who script reconnaissance — buy time for your users to report suspicious mail.

Building a brand protection checklist

Monthly: DMARC reports review, typosquat scan, dangling DNS scan, registrar lock/expiry check. Quarterly: tabletop phishing exercise. Tie tools together at domainpreflight.dev.

Executive dashboards: spoof volume down, lookalike domains registered by you vs unknowns, dangling records at zero. When any metric regresses, assign an owner and a due date — brand defence rots without accountability.

Legal may ask for defensive registrations — finance may push back. Frame the cost as incident prevention: one successful phishing campaign costs more than decades of defensive registrations. Cite typosquat incidents when building the business case.

Technical minimum: DMARC to reject, subdomain hygiene, and continuous typosquat monitoring — three controls, mostly process.

Tool: Run DNS Preflight, Typosquat Monitor, and Dangling Records from one hub.


Step by step

Step 1 Enforce DMARC (SPF and DKIM aligned, p=reject). Stops naive spoofing at major receivers.
Step 2 Scan for typosquats. Live DNS shows what attackers already registered.
Step 3 Register high-risk lookalikes. Cheap insurance for high-risk brands.
Step 4 Clean up dangling records. Subdomain takeover abuses trust in your namespace.
Step 5 Enable WHOIS privacy. Shrinks the social-engineering surface against your teams.
Step 6 Schedule the checklist. Security is a process, not a one-time checkbox.

FAQ

How do I stop attackers from spoofing my domain?

Publish SPF and DKIM aligned with your From domain and set DMARC to p=reject. Receivers that enforce DMARC then reject forged mail on your exact domain. It does nothing against lookalike domains, which is why typosquat monitoring is a separate control.

How do I find domains impersonating my brand?

Run DomainPreflight Typosquat Monitor — checks 30-50 lookalike variants via live DNS.

Should I register lookalike domains defensively?

For high-risk variants — yes. Homoglyphs and common TLD swaps are worth the $10-15/year registration cost.

How do I prevent subdomain takeover?

Run Dangling Records regularly. Delete the DNS record before you decommission the service it points to, not after. Never leave a CNAME pointing at a deleted or unclaimed third-party resource.

What is the minimum brand protection setup?

DMARC p=reject, regular typosquat monitoring, and periodic dangling record scans — all three are free with DomainPreflight.