It is easy to overlook parked domains (also referred to as inactive domains) when it comes to email security. After all, these domains are typically inactive and in some cases not even configured to send email. However, they shouldn’t be overlooked. Failure to take proper precautions protecting inactive domains provides unique opportunities for third parties to abuse them.
What are parked domains?
For the purposes where dmarcian is involved, a parked domain is a domain that isn’t actively in use for sending email. It is also referred to as an inactive domain, and there are a variety of reasons for them, for example:
- A domain or subdomain that is used exclusively to contain something specific, like a website, and has no email services enabled.
- A defensively registered domain that protects against a look-alike domain, sometimes referred to as a cousin domain. An example would be for the domain exampledomain.com to have a cousin domain of exampiedomain.com because it is visually similar and could cause confusion.
- A domain which became part of the current organization by acquisition.
- A domain which was in use in the past, for any purpose, but no longer used.
How are they exploited?
Because these domains aren’t actively sending email, they are easy to overlook when it comes to setting up email authentication. However, because these domains may be similar to a well-known domain and the fact that they don’t have an assessed reputation make them ideal domains to spoof for phishing attempts.
Additionally, if an email domain of a business or organization has strong domain security measures in place, this may prompt cyber criminals who focus on social-engineering efforts such as Business Email Compromise (BEC) and spear phishing to turn their efforts to inactive domains to exploit. The FBI estimates that between 2013 and 2019, BEC has cost businesses and organizations more than $26 billion in the US alone.
Protect your parked domains first.
Part of deploying domain security measures such as DMARC requires identifying valid domains so that valid email traffic isn’t interrupted. It makes sense to protect your parked domains first, because they are non-email sending; they are easier to deal with, and once they are initially protected they don’t require maintenance.
If you are using dmarcian to manage your domain security, and you are a Plus or Enterprise user, a suggested approach is to use domain groups to manage your parked domains. You can place them in a dedicated inactive domain group and publish a DMARC p=reject policy and an SPF record of v=spf1 -all record for every such domain.
Larger organizations, such as businesses who have inherited a large catalog of domains and subdomains via mergers and acquisitions, for example, can benefit through deployment services that can help make sense and provide guidance in getting domains managed and secured.