How DMARC Helps Detect Organized SPF Abuse Schemes
Security Boulevard, Friday, June 5th, 2026
Dmarcian shows how DMARC monitoring exposes organized SPF abuse via dangling DNS CNAMEs and shared records.
This article explains how bad actors send fraudulent yet SPF-authenticated, DMARC-compliant emails by abusing dangling DNS CNAMEs and DNS typos, often with many unrelated domains sharing the same malicious SPF records as part of an organized abuse scheme.
Attackers add malicious SPF includes and IPs to targeted domains and continuously swap out IPs with bad reputations for fresh ones to bypass authentication while appearing legitimate.
The article explains that organizations can detect this by tracking a CNAME's SPF record history and spotting unrelated domains sharing identical SPF records.
Tell-tale signals of dangling DNS abuse include multiple PTR/server names, unfamiliar new sources, SPF alignment at 100%, DKIM alignment at 0%, and a MAIL FROM subdomain, all surfaced by actively monitoring DMARC reporting data.