Can we stop spoofing on unregistered organisation-level TLDs?
As the digital landscape evolves, so does the sophistication of cyber threats. One emerging area of concern is the rise of branded top-level domains (TLDs) such as .google, .microsoft or .mimecast. While these offer incredible branding opportunities, they also introduce a unique challenge: how can organisations secure their TLD namespace from spoofing attacks?
Traditionally, DMARC (Domain-based Message Authentication, Reporting, and Conformance) has been a cornerstone of email authentication, protecting domains from unauthorised use. However, DMARC policy discovery (RFC 7489) operates at the organisational domain and its subdomains. The organisational domain is the registrable name one label below a public suffix from the Public Suffix List, which is usually TLD+1 (example.com) but not always (example.gov.au); for a branded TLD it is example.google. A receiver checking mail from sub.example.google looks up _dmarc.sub.example.google, then _dmarc.example.google, and stops there. This raises a critical question: how do we protect the parent TLD itself (.google) and the organisation-level names beneath it (example.google), including ones nobody has registered, from spoofing?
The Problem: Lack of Inheritance (for good reason) from TLDs
DMARC records do not propagate from a TLD to the organisation-level domains beneath it. If .google published a p=reject policy at _dmarc.google, that record would never be consulted for mail claiming to come from example.google: discovery stops at the organisational domain, so the only policy that applies is the one at _dmarc.example.google. Every organisation-level domain therefore needs its own explicit DMARC, SPF and DKIM configuration, and a name that was never registered has no configuration at all.
This creates a management challenge for companies owning branded TLDs, especially when handling:
- A growing number of subdomains or organisation-level domains.
- Potential misconfigurations leading to gaps in security.
- Attackers exploiting poorly configured or neglected domains under the TLD.
Real-World Example: Trusted TLDs Like .gov
Some TLDs, such as .gov, are widely recognised as trusted namespaces because of strict eligibility rules and oversight, and have even had DMARC adoption mandated (DHS Binding Operational Directive 18-01 for US federal .gov domains). Even so, they are not immune to spoofing attempts. For instance, threat actors have recently been observed using au.gov, a deceptive lookalike of the Australian government's gov.au namespace, to carry out phishing attacks. Where such a lookalike has not been registered, a receiver finds no _dmarc record for it, and standard DMARC never looks higher up at the TLD. This highlights the importance of strict controls and proactive monitoring, even for namespaces carrying inherent trust.
What Can Organisations Do Today?
- Explicit DMARC Policies: publish a _dmarc record for every organisation-level domain. This is effective but operationally intensive, and by definition it cannot cover names that do not exist.
- Wildcard SPF Records: a wildcard such as *.google IN TXT "v=spf1 -all" denies mail from any undefined name beneath it. Two caveats apply. First, a wildcard only matches names that do not exist (RFC 4592), so it covers exactly the unregistered names and never a delegated, registered domain, which must carry its own records. Second, many receivers treat an SPF -all failure as a signal rather than grounds for rejection unless a DMARC policy says otherwise; because SPF and DMARC receivers each select the TXT string by its version prefix, the same wildcard RRset can carry "v=DMARC1; p=reject" alongside the SPF string. Note also that ICANN's gTLD Registry Agreement (Specification 6, "Wildcard Prohibition") bars wildcard records for unregistered names in a gTLD zone, so using this at a branded TLD apex needs a contractual change; one level down (e.g. *.example.google) it is an ordinary deployment.
- Centralised Management: use automation tools such as Terraform or DMARC management platforms to enforce consistent policies across domains.
- Education and Awareness: Communicate to stakeholders and customers which domains are legitimate email senders.
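To make the lookups concrete, here is an added example (my own illustration, not code from this post or from any vendor) that models RFC 7489 policy discovery and RFC 4592 wildcard matching against a small constructed zone. It shows the lack-of-inheritance problem from the section above (a hypothetical _dmarc.gov record is never consulted for au.gov), what a public-suffix fallback in the spirit of RFC 9091 would change, and how the wildcard TXT record from the list above covers only unregistered names and never a delegated domain. The domains, TXT strings, the psd=y record at _dmarc.gov and the .google wildcard are all constructed assumptions; the wildcard is included only to show matching behaviour, not as a recommended TLD configuration.

```python
"""DMARC policy discovery against a constructed, offline DNS model.

Demonstrates: (1) RFC 7489 discovery never consults a record at the TLD,
so an unregistered name like au.gov has no policy; (2) a simplified
public-suffix fallback in the spirit of RFC 9091 / DMARCbis psd=y; and
(3) RFC 4592 wildcard behaviour: a wildcard TXT RRset covers only names
that do not exist and never a delegated (registered) child.
All names and records below are constructed for this example.
"""
from typing import Dict, List, Optional, Tuple

# Constructed subset of the Public Suffix List (ICANN section only).
PUBLIC_SUFFIXES = {"com", "gov", "google", "gov.au"}

# Constructed TXT RRsets by owner name.  The .google wildcard is purely
# illustrative: ICANN's Registry Agreement (Spec 6) prohibits wildcards in
# a gTLD zone, so a real deployment would sit one level down (*.example.google).
TXT: Dict[str, List[str]] = {
    "_dmarc.gov": ["v=DMARC1; p=reject; psd=y"],        # hypothetical PSD record
    "_dmarc.example.google": ["v=DMARC1; p=reject"],
    "example.google": ["v=spf1 -all"],
    "*.google": ["v=spf1 -all", "v=DMARC1; p=reject"],  # one RRset, two protocols
}
# Registered names are delegated (NS) to their own zone: a zone cut.
DELEGATIONS = {"example.google"}


def _ancestors(name: str) -> List[str]:
    """name and every ancestor, e.g. a.b.c -> [a.b.c, b.c, c]."""
    labels = name.split(".")
    return [".".join(labels[i:]) for i in range(len(labels))]


# Every name that exists in the model, including implied ancestors.
EXISTING = {a for n in list(TXT) + list(DELEGATIONS) for a in _ancestors(n)}


def txt_lookup(name: str) -> Optional[List[str]]:
    """TXT RRset for name with RFC 4592 wildcard synthesis.
    None = NXDOMAIN, [] = name exists but has no TXT (NODATA)."""
    name = name.lower()
    if name in EXISTING:
        return TXT.get(name, [])
    # Closest encloser: the nearest ancestor that exists.
    for ancestor in _ancestors(name)[1:]:
        if ancestor in EXISTING:
            if ancestor in DELEGATIONS:
                return None  # below a zone cut: the parent's wildcard cannot apply
            return TXT.get("*." + ancestor)  # synthesised only if a wildcard exists
    return None


def public_suffix(domain: str) -> str:
    """Longest matching public suffix (first hit walking down the ancestors)."""
    for candidate in _ancestors(domain.lower()):
        if candidate in PUBLIC_SUFFIXES:
            return candidate
    return domain.lower().split(".")[-1]


def organizational_domain(domain: str) -> str:
    """Public suffix plus one label, as RFC 7489 defines it."""
    labels = domain.lower().split(".")
    n_suffix = len(public_suffix(domain).split("."))
    return ".".join(labels[-(n_suffix + 1):]) if len(labels) > n_suffix else domain.lower()


def parse_tags(record: str) -> Dict[str, str]:
    """Split 'k=v; k=v' into a dict (whitespace-tolerant, no validation)."""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = value.strip()
    return tags


def dmarc_record(name: str) -> Optional[str]:
    """The single v=DMARC1 string at _dmarc.<name>; RFC 7489 treats more than one as none."""
    records = [r for r in (txt_lookup("_dmarc." + name) or []) if r.startswith("v=DMARC1")]
    return records[0] if len(records) == 1 else None


def spf_record(name: str) -> Optional[str]:
    """The single v=spf1 string at <name>, selected by prefix as RFC 7208 does."""
    records = [r for r in (txt_lookup(name) or []) if r.startswith("v=spf1")]
    return records[0] if len(records) == 1 else None


def discover_policy(domain: str, psd_fallback: bool = False) -> Optional[Tuple[str, str]]:
    """RFC 7489 s6.6.3: try the domain, then its organizational domain, then stop.
    With psd_fallback, also try the public suffix if its record opts in with psd=y
    (a simplified stand-in for RFC 9091 / DMARCbis behaviour, not a full implementation).
    Returns (name where the record was found, p= policy) or None."""
    org = organizational_domain(domain)
    for candidate in dict.fromkeys((domain.lower(), org)):  # dedupe, keep order
        record = dmarc_record(candidate)
        if record:
            return candidate, parse_tags(record).get("p", "none")
    if psd_fallback:
        psd = public_suffix(domain)
        record = dmarc_record(psd)
        if record and parse_tags(record).get("psd") == "y":
            return psd, parse_tags(record).get("p", "none")
    return None


if __name__ == "__main__":
    for sender in ("sub.example.google", "au.gov", "phish.google"):
        print(f"{sender:20} standard={discover_policy(sender)} "
              f"psd={discover_policy(sender, psd_fallback=True)} spf={spf_record(sender)!r}")
```

Run it directly to print the three cases: the registered example.google is protected by its own record, the unregistered au.gov has no policy under standard discovery even though _dmarc.gov says p=reject, and the unregistered phish.google is caught only by the wildcard, whose single RRset serves both SPF and DMARC because each protocol selects its string by version prefix.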
The Bigger Question: What Should the Industry Do?
As branded TLDs become more common, the industry needs a scalable, standardised approach to securing them. Here are some thought-provoking ideas:
- Enhancing the DMARC Specification: should DMARC evolve to support inheritance from the TLD to organisation-level domains? For instance, a p=reject policy at _dmarc.google could automatically apply to every name beneath it unless overridden. An experimental extension along these lines already exists (RFC 9091, DMARC for Public Suffix Domains), and the DMARCbis draft generalises it with a DNS tree walk and a psd= tag, so the open question is as much about receiver deployment as about specification.
- ICANN Policy Updates: should ICANN mandate stricter email authentication requirements for branded TLD owners? For example, requiring a "no-email" policy by default unless explicitly enabled.
- DNS Protocol Innovations: could DNS introduce new record types or protocols specifically for TLD security? This might include wildcard-like behaviour for DMARC or new mechanisms to define namespace-wide policies.
- Industry Collaboration: should organisations owning branded TLDs collaborate to establish best practices and advocate for shared solutions? Imagine a working group for TLD owners focused on this challenge.
Call to Action
As cyber threats grow, it’s vital for the industry to get ahead of potential exploitation. If you’re an IT leader, cybersecurity professional, or DNS expert, I'm interested in your insights:
- How do you see this challenge evolving?
- What solutions or innovations could address it effectively?
- Should the industry rethink email authentication standards to adapt to the rise of branded TLDs?