Can we stop spoofing on unregistered organisation-level TLDs?
As the digital landscape evolves, so does the sophistication of cyber threats. One emerging area of concern is the rise of branded top-level domains (TLDs) like .google, .microsoft, or .mimecast. While these offer incredible branding opportunities, they also introduce a unique challenge: How can organisations secure their TLD namespace from spoofing attacks?

Traditionally, DMARC (Domain-based Message Authentication, Reporting, and Conformance) has been a cornerstone for email authentication, protecting domains from unauthorised use. However, DMARC is designed to operate at the organisation-level domain (TLD+1, e.g., example.com) and its subdomains. This raises a critical question: How do we secure the parent TLD itself (e.g., .google) and its organisation-level domains (example.google) from spoofing?

The Problem: Lack of Inheritance (for good reason) from TLDs

DMARC records do not propagate from a TLD to its organisation-level domains. For example, if .google implements a p=...
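
The lookup behaviour described above, as an added example that is not part of the original article: a receiver following RFC 7489 policy discovery queries the From: domain and then its organisational domain, and never the TLD. The suffix set, the zone records (including the p=reject value at _dmarc.google) and the function names are constructed for illustration.

```python
# Added example: RFC 7489 DMARC policy discovery over a constructed DNS zone.
# PUBLIC_SUFFIXES and ZONE are constructed sample data, not real DNS or the real PSL.

PUBLIC_SUFFIXES = {"com", "google"}  # constructed stand-in for the Public Suffix List

# Constructed TXT records: the TLD operator publishes a policy at _dmarc.google,
# and example.com publishes its own; example.google publishes nothing.
ZONE = {
    "_dmarc.google": "v=DMARC1; p=reject",
    "_dmarc.example.com": "v=DMARC1; p=quarantine; sp=reject",
}


def organizational_domain(domain):
    """Longest matching public suffix plus one label (RFC 7489 section 3.2).

    Simplified: wildcard and exception rules of the real list are not handled.
    """
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            # i == 0 means the domain is itself a public suffix: no org domain.
            return ".".join(labels[i - 1:]) if i > 0 else None
    return None


def parse_tags(record):
    """Split 'v=DMARC1; p=reject' into {'v': 'DMARC1', 'p': 'reject'}."""
    pairs = (part.split("=", 1) for part in record.split(";") if "=" in part)
    return {k.strip().lower(): v.strip() for k, v in pairs}


def discover_policy(from_domain, zone=ZONE):
    """Return (queries_made, effective_policy or None) for a From: domain."""
    from_domain = from_domain.lower().rstrip(".")
    queries = [f"_dmarc.{from_domain}"]
    org = organizational_domain(from_domain)
    if org and org != from_domain:
        queries.append(f"_dmarc.{org}")  # single fallback; no further tree walk
    for n, name in enumerate(queries):
        tags = parse_tags(zone.get(name, ""))
        if tags.get("v") == "DMARC1" and "p" in tags:
            # A record found via fallback applies its sp= tag to subdomains.
            policy = tags.get("sp", tags["p"]) if n == 1 else tags["p"]
            return queries[: n + 1], policy
    return queries, None
```

For mail from mail.example.google, the function returns the two names queried and no policy, even though the constructed zone holds a record at _dmarc.google.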