Executive Summary
Many organizations maintain a broad portfolio of domain names, acquired for branding, strategic planning, or defensive purposes. However, a significant portion of these domains often remains unused or lacks proper DNS configurations, leaving them vulnerable to exploitation. One particularly critical oversight is the absence of DNS SPF (Sender Policy Framework) TXT records, which are essential to controlling the sources from which emails for a domain can be legitimately sent. This document highlights the risks associated with improperly configured domains and provides actionable recommendations to mitigate such vulnerabilities.
Unused domains can refer to domains registered by an organization but not actively used. They can also include domains that are utilized for other services, such as HTTP/web services, without the need to send emails.
Problem Statement
Attackers frequently exploit domains without SPF records or other DNS-based email authentication mechanisms. These misconfigured or dormant domains can become avenues for phishing, spamming, or distributing malware under the guise of legitimate organizational communication. Recipients, seeing a recognizable domain, may trust the malicious email, leading to financial losses, reputational damage, and compromised security for both the recipient and the originating organization.
Recent Examples
In recent incidents, attackers have exploited unused or poorly configured domains belonging to various organizations. Common scenarios include:
- Sending phishing emails that appear to originate from legitimate-looking email addresses tied to the organization.
- Targeting partners, suppliers, or customers with malicious links or fraudulent invoices.
- Compromising recipients’ systems by leveraging the trust associated with the recognizable domain name.
These examples demonstrate the importance of ensuring that all domains in an organization’s portfolio are properly secured and configured, regardless of their current usage status.
Understanding SPF Records
SPF records are a type of DNS TXT record that specifies which mail servers are authorized to send emails on behalf of a domain. For example, the following SPF record:
v=spf1 include:mail.example.com -all
- v=spf1: Indicates the SPF version being used.
- include:mail.example.com: Authorizes the mail server(s) listed in the SPF record published for mail.example.com.
- -all: Indicates that all other servers are unauthorized.
If a domain lacks an SPF record, any mail server can claim to send emails on its behalf, making it susceptible to spoofing.
Recommendations
To safeguard your organization’s domain portfolio and reduce the risk of abuse, follow these best practices:
- Inventory All Domains
  - Maintain an updated inventory of all domains owned by the organization, including inactive and defensive registrations.
- Implement SPF Records
  - Configure SPF records for all domains, even those not actively in use.
  - Example for a domain with no legitimate email traffic:
    v=spf1 -all
    This record explicitly denies every mail server permission to send emails on behalf of the domain.
- Extend Protections with DKIM and DMARC
  - Use DKIM (DomainKeys Identified Mail) to sign emails, ensuring their integrity.
  - Implement DMARC (Domain-based Message Authentication, Reporting, and Conformance) to provide instructions on handling authentication failures.
  - Example DMARC policy:
    v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com
- Monitor DNS Configurations
  - Regularly audit DNS records for accuracy and completeness.
  - Utilize tools or managed services to detect and mitigate unauthorized use of domains.
- Educate Stakeholders
  - Raise awareness among IT staff and decision-makers about the importance of securing all domains.
  - Include DNS management in your organization’s cybersecurity training and policies.
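As an added illustration (not part of this advisory), the following Python script applies the inventory and SPF recommendations above to a constructed domain portfolio: it classifies each domain's SPF TXT records and flags domains with no SPF record, more than one SPF record, a permissive "+all", no terminal "all", or a no-mail domain that does not publish "v=spf1 -all". All domain names and records are constructed and embedded inline in place of a live DNS lookup.

```python
import re
from typing import Dict, Iterable, List

# Constructed sample portfolio: domain -> TXT records a DNS lookup might return.
# Names and records are made up for this example; nothing here is from the advisory.
PORTFOLIO_TXT: Dict[str, List[str]] = {
    "corp.example": ["v=spf1 include:_spf.mailhost.example -all"],
    "brand-parked.example": [],                              # no TXT record at all
    "old-campaign.example": ["v=spf1 +all"],                 # authorizes every sender
    "defensive.example": ["v=spf1 -all"],                    # correct for a no-mail domain
    "web-only.example": ["v=spf1 include:x.example ~all",
                         "v=spf1 -all"],                     # two SPF records: permerror
    "typo.example": ["v=spf1 include:x.example"],            # no terminal "all"
}
# Domains the organization never sends mail from; these should publish "v=spf1 -all".
NO_MAIL_DOMAINS = {"brand-parked.example", "defensive.example", "web-only.example"}

QUALIFIER_RESULT = {"+": "pass-all", "-": "hard-fail", "~": "soft-fail", "?": "neutral"}
ALL_TERM = re.compile(r"([+\-~?]?)all", re.IGNORECASE)


def classify_spf(txt_records: Iterable[str]) -> str:
    """Summarize what a domain's SPF policy says about senders it does not list."""
    spf = [r.strip() for r in txt_records if r.strip().lower().split()[:1] == ["v=spf1"]]
    if not spf:
        return "missing"          # any host may claim to send for this domain
    if len(spf) > 1:
        return "multiple"         # RFC 7208 section 3.2: more than one record is a permerror
    for term in spf[0].split()[1:]:
        m = ALL_TERM.fullmatch(term)
        if m:                     # the first "all" ends evaluation; later terms are ignored
            return QUALIFIER_RESULT[m.group(1) or "+"]
    return "no-all"               # no terminal "all": unlisted senders get a neutral result


def audit(portfolio: Dict[str, List[str]], no_mail: Iterable[str]) -> Dict[str, str]:
    """Return domain -> problem for every domain in the portfolio that needs attention."""
    no_mail = set(no_mail)
    findings: Dict[str, str] = {}
    for domain, txt in portfolio.items():
        state = classify_spf(txt)
        if state in ("missing", "multiple", "pass-all", "no-all"):
            findings[domain] = state
        elif domain in no_mail and state != "hard-fail":
            findings[domain] = f"no-mail domain without hard fail ({state})"
    return findings


if __name__ == "__main__":
    for domain, problem in sorted(audit(PORTFOLIO_TXT, NO_MAIL_DOMAINS).items()):
        print(f"{domain}: {problem}")
```

In practice the TXT lookup would be replaced by a resolver query per domain in the inventory, and the findings fed into the regular DNS audit described under "Monitor DNS Configurations".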
References
- RFC 7208: Sender Policy Framework (SPF) for Authorizing Use of Domains in Email, Version 1.
- RFC 6376: DomainKeys Identified Mail (DKIM) Signatures.
- RFC 7489: Domain-based Message Authentication, Reporting, and Conformance (DMARC).
Conclusion
Unused or misconfigured domains represent a significant security risk for organizations. By proactively managing your domain portfolio and implementing robust email authentication mechanisms like SPF, DKIM, and DMARC, you can prevent attackers from exploiting your domains and protect your organization’s reputation and stakeholders. Addressing these issues is not just a technical necessity but a critical component of responsible cybersecurity management.
Classification of this document
TLP:CLEAR information may be distributed without restriction, subject to copyright controls.
Revision
- Version 1.1 - TLP:CLEAR - Updated version to clarify the meaning of unused domains - 23rd January 2025
- Version 1.0 - TLP:CLEAR - First version - 21st January 2025