---
title: "How do cybercriminals use neglected domains to evade SPF and DMARC protections? | AutoSPF"
description: "Cybersecurity experts are lately highlighting the degree to which threat actors have gone in abusing security protocols."
image: "https://autospf.com/og/blog/how-cybercriminals-use-neglected-domains-evade-spf-dmarc-protection.png"
canonical: "https://autospf.com/blog/how-cybercriminals-use-neglected-domains-evade-spf-dmarc-protection/"
---

Quick Answer

Cybersecurity experts are lately highlighting the degree to which threat actors have gone in abusing security protocols. They are devising newer, sophisticated techniques to bypass the protective layers to spoof sender email addresses to launch targeted malspam campaigns. On one side, the adoption of SPF, DKIM, and DMARC is on the rise, especially after Google, Yahoo, Microsoft, and several compliance.

How do cybercriminals use neglected domains to evade SPF and DMARC protections?

Your browser does not support the audio element.

[ Download episode](/audio/how-cybercriminals-use-neglected-domains-evade-spf-dmarc-protection.mp3) 

## Try Our Free DMARC Checker

Validate your DMARC policy, check alignment settings, and verify reporting configuration.

[ Check DMARC Record → ](/tools/dmarc-checker/) 

Share 

[ ](https://www.linkedin.com/sharing/share-offsite/?url=https%3A%2F%2Fautospf.com%2Fblog%2Fhow-cybercriminals-use-neglected-domains-evade-spf-dmarc-protection%2F "Share on LinkedIn") [ ](https://twitter.com/intent/tweet?text=How%20do%20cybercriminals%20use%20neglected%20domains%20to%20evade%20SPF%20and%20DMARC%20protections%3F&url=https%3A%2F%2Fautospf.com%2Fblog%2Fhow-cybercriminals-use-neglected-domains-evade-spf-dmarc-protection%2F "Share on X/Twitter") [ ](https://www.facebook.com/sharer/sharer.php?u=https%3A%2F%2Fautospf.com%2Fblog%2Fhow-cybercriminals-use-neglected-domains-evade-spf-dmarc-protection%2F "Share on Facebook") [ ](https://reddit.com/submit?url=https%3A%2F%2Fautospf.com%2Fblog%2Fhow-cybercriminals-use-neglected-domains-evade-spf-dmarc-protection%2F&title=How%20do%20cybercriminals%20use%20neglected%20domains%20to%20evade%20SPF%20and%20DMARC%20protections%3F "Share on Reddit") [ ](mailto:?subject=How%20do%20cybercriminals%20use%20neglected%20domains%20to%20evade%20SPF%20and%20DMARC%20protections%3F&body=Check out this article: https%3A%2F%2Fautospf.com%2Fblog%2Fhow-cybercriminals-use-neglected-domains-evade-spf-dmarc-protection%2F "Share via Email") 

![SPF and DMARC](https://media.mailhop.org/autospf/images/2025/07/spf-checker-4117.jpg) 

[Cybersecurity](/10-reasons-for-regular-spf-record-checks-in-cybersecurity/) experts are lately highlighting the degree to which [threat actors](https://www.nbcnews.com/tech/security/us-treasury-says-computers-hacked-chinese-threat-actor-rcna185809) have gone in abusing security protocols. They are devising newer, sophisticated techniques to bypass the protective layers to spoof sender email addresses to launch targeted [malspam campaigns](https://thehackernews.com/2025/01/neglected-domains-used-in-malspam-to.html). 

_DMARC ([RFC 7489](https://datatracker.ietf.org/doc/html/rfc7489)) ties SPF and DKIM together by requiring alignment between the envelope sender and the visible `From` header. According to Google’s February 2024 bulk sender requirements, a DMARC policy of at least `p=none` is now mandatory for any domain sending 5,000+ messages per day to Gmail users._

For a complete overview, see our [comprehensive DMARC guide](/blog/what-is-dmarc-email-authentication-guide/).

On one side, the adoption of [SPF](/blog/what-is-spf-email-a-guide-to-sender-validation-technology/), DKIM, and DMARC is on the rise, especially after Google, Yahoo, Microsoft, and several compliance bodies have made these protocols mandatory. However, on the other side, bad actors are exploiting old, neglected domains that do have SPF and DMARC to bypass security checks that rely on [domain age](https://rankmath.com/seo-glossary/domain-age/) to assess spam potential. 

![email security
](https://media.mailhop.org/autospf/images/2025/07/spf-record-syntax-4678.jpg)

## How abandoned domains bypass email security?

[Muddling Meerkat](https://thehackernews.com/2024/04/china-linked-muddling-meerkat-hijacks.html) and other cyberactor groups are abusing old, [top-level domains](https://www.concretecms.com/about/blog/devops/understanding-tlds-what-they-are-and-why-they-matter) that have not been hosting any content for almost two decades. The reason why these domains are being targeted is that they lack most [DNS records](https://www.cloudflare.com/learning/dns/dns-records/), including SPF and DMARC records. These domains are also short and in reputable TLDs.

_There is another campaign, active since December 2022, that sends bulk emails with QR codes attached._ Scanning the [QR code](http://en.wikipedia.org/wiki/QR%5Fcode) redirects victims to a phishing website where they are requested to enter their identification and card details, and then inadvertently make a payment to the threat actor’s account. 

![ QR code](https://media.mailhop.org/autospf/images/2025/07/spf-record-office-365-4567.jpg) 

These kinds of [cyberattacks](https://www.usatoday.com/story/news/nation/2025/07/29/st-paul-cyber-attack-minnesota/85430911007/) are not just aimed at smaller companies, but also popular brands like Amazon, Mastercard, and SMBC to essentially redirect victims to faux login pages using [traffic distribution systems (TDSes)](https://www.darkreading.com/cyberattacks-data-breaches/why-hard-stop-rising-malicious-tds-traffic). All this is done to steal credentials or sensitive data.

An [automatic SPF flattening tool](/) helps prevent email delivery issues by simplifying SPF records, reducing [DNS lookups](https://www.digicert.com/faq/dns/how-does-dns-lookup-work), and limiting the ability of malicious domains to bypass [email security](/blog/what-is-spf-alignment-understanding-email-security-protocols/).

## Domain abuse is getting cheaper and easier

_Cyber actors can now abuse generic top-level domains like .xyz, .click, or .top for as little as a few dollars._ These cheap domains are like their new playground to launch sophisticated [phishing campaigns](https://hackread.com/ongoing-phishing-campaign-targets-employees/), spin up lookalike websites, or send [spoofed emails](https://www.bleepingcomputer.com/news/google/google-now-blocks-spoofed-emails-for-better-phishing-protection/), without a big team and budget. 

![ spoofed emails
](https://media.mailhop.org/autospf/images/2025/07/spf-record-example-1397.jpg)

Now add to that tools like [PhishWP,](https://www.infosecurity-magazine.com/news/phishwp-plugin-enables-payment/) a [malicious WordPress](https://www.msn.com/en-us/news/technology/wordpress-users-beware-this-popular-plugin-has-been-hijacked-to-push-potential-malware/ar-AA1IzWJH) plugin that lets attackers create fake payment pages. These pages look almost identical to real checkout pages, but they are designed to steal card details from users.

And where does all the [stolen data](https://www.bbc.com/news/articles/cd6nyng861wo) go? These days, attackers are using Telegram as their drop-off point. Instead of setting up complex servers or infrastructure, they simply use Telegram channels or bots to collect sensitive data like [login credentials](https://hackread.com/hackers-fake-microsoft-adfs-login-pages-steal-credentials/) and payment information. It’s fast, encrypted, and hard to trace.

![stolen data
](https://media.mailhop.org/autospf/images/2025/07/spf-record-tester-7992.jpg)

_Put everything together - cheap domains, plug-and-play scam tools, and secure places to receive stolen data - and phishing has become easier and cheaper to carry out than ever before._

## How can domain owners and organizations prevent domain abuse?

As cyber threats get smarter and rules get tighter, setting up DMARC is no longer optional. It’s the starting point if you want your emails to be trusted, delivered properly, and protected from abuse. Here’s why it matters:

![prevent domain abuse
](https://media.mailhop.org/autospf/images/2025/07/spf-flattening-2299.jpg)

- DMARC, along with SPF and [DKIM](/blog/how-dkim-works-a-comprehensive-guide-to-email-authentication/), has become a must-have in many global security and compliance standards.
- Big names like Google, Yahoo, Microsoft, and Apple now expect bulk email senders to use proper email authentication.
- If your domain isn’t protected with DMARC, you risk financial loss, brand damage, security threats, and even compliance issues.
- With AI-powered phishing attacks rising fast, having DMARC in place gives you an extra layer of defense.
- Even though regulations like [PCI DSS 4.0](https://www.aciworldwide.com/pci-dss-v4) and DORA don’t specifically ask for [DMARC](https://dmarcreport.com/what-is-dmarc/), using it helps you stay on the right track with their security goals.

Talk to our team to get started with [email authentication](/blog/role-relevance-of-dns-spf-records-for-email-authentication/) protocols so that you comply with regulations and stay shielded from domain abuses.

## Topics

[ DKIM ](/tags/dkim/)[ DMARC ](/tags/dmarc/)[ email security ](/tags/email-security/)[ SPF ](/tags/spf/)[ SPF Flattening ](/tags/spf-flattening/)[ SPF Flattening tool ](/tags/spf-flattening-tool/)[ SPF record ](/tags/spf-record/) 

![Brad Slavin](https://media.mailhop.org/autospf/images/authors/brad-slavin.jpg) 

[ Brad Slavin ](/authors/brad-slavin/) 

General Manager

Founder and General Manager of DuoCircle. Product strategy and commercial lead for AutoSPF's 2,000+ customer base.

[LinkedIn Profile →](https://www.linkedin.com/in/bradslavin) 

## Ready to get started?

Try AutoSPF free — no credit card required.

[ Book a Demo ](/book-a-demo/) 

## Related Articles

[  Advanced 6m  Does SPF play a significant role in BIMI and VMC?  Apr 30, 2025 ](/blog/does-spf-play-a-significant-role-in-bimi-and-vmc/)[  Advanced 30m  Best SPF Management Tools for MSPs in 2026 A Buyer’s Guide  Apr 27, 2026 ](/blog/best-spf-management-tools-for-msps-in-2026-buyers-guide/)[  Advanced 8m  New Update: DMARC to be Mandatory for PCI DSS Compliance by 2025  May 7, 2024 ](/blog/dmarc-mandatory-for-pci-dss-by-2025/)[  Advanced 17m  Email Authentication and Cyber Insurance: How Underwriters Are Pricing DMARC in 2026 Why Your Authentication Posture Is Now a Line Item on Your Insurance Application  May 8, 2026 ](/blog/email-authentication-cyber-insurance-dmarc-pricing-underwriters-2026-insurance-applications/)

```json
{"@context":"https://schema.org","@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897474","name":"AutoSPF","url":"https://autospf.com","logo":{"@type":"ImageObject","url":"https://autospf.com/images/autospf-logo.png"},"description":"Automatic SPF flattening and email authentication management. Resolve SPF lookup limits, flatten SPF records, and maintain email deliverability across all your domains.","parentOrganization":{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138883901","name":"DuoCircle LLC","url":"https://www.duocircle.com","sameAs":["https://www.wikidata.org/wiki/Q138883901","https://www.crunchbase.com/organization/duocircle-llc","https://www.linkedin.com/company/duocircle","https://github.com/duocircle"],"subOrganization":[{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138898167","name":"DMARC Report","url":"https://dmarcreport.com"},{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897474","name":"AutoSPF","url":"https://autospf.com"},{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897912","name":"Phish Protection","url":"https://www.phishprotection.com"}]},"sameAs":["https://www.wikidata.org/wiki/Q138897474","https://www.linkedin.com/company/autospf","https://x.com/autospf01","https://www.g2.com/products/autospf/reviews"],"contactPoint":{"@type":"ContactPoint","contactType":"customer support","url":"https://autospf.com/contact-us/"},"knowsAbout":["SPF Record Flattening","Sender Policy Framework","Email Authentication","DNS Management","DMARC","DKIM"]}
```

```json
{"@context":"https://schema.org","@type":"WebSite","name":"AutoSPF","url":"https://autospf.com","description":"Automatic SPF flattening and email authentication management. Resolve SPF lookup limits, flatten SPF records, and maintain email deliverability across all your domains.","publisher":{"@type":"Organization","name":"AutoSPF","url":"https://autospf.com","logo":{"@type":"ImageObject","url":"https://autospf.com/images/autospf-logo.png"},"description":"Automatic SPF flattening and email authentication management. Resolve SPF lookup limits, flatten SPF records, and maintain email deliverability across all your domains.","parentOrganization":{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138883901","name":"DuoCircle LLC","url":"https://www.duocircle.com","sameAs":["https://www.wikidata.org/wiki/Q138883901","https://www.crunchbase.com/organization/duocircle-llc","https://www.linkedin.com/company/duocircle","https://github.com/duocircle"],"subOrganization":[{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138898167","name":"DMARC Report","url":"https://dmarcreport.com"},{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897474","name":"AutoSPF","url":"https://autospf.com"},{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897912","name":"Phish Protection","url":"https://www.phishprotection.com"}]}}}
```

```json
{"@context":"https://schema.org","@type":"BlogPosting","headline":"How do cybercriminals use neglected domains to evade SPF and DMARC protections?","description":"Cybersecurity experts are lately highlighting the degree to which threat actors have gone in abusing security protocols.","url":"https://autospf.com/blog/how-cybercriminals-use-neglected-domains-evade-spf-dmarc-protection/","datePublished":"2025-07-30T15:44:39.000Z","dateModified":"2026-04-18T02:36:41.000Z","dateCreated":"2025-07-30T15:44:39.000Z","author":{"@type":"Person","@id":"https://autospf.com/authors/brad-slavin/#person","name":"Brad Slavin","url":"https://autospf.com/authors/brad-slavin/","jobTitle":"General Manager","description":"Brad Slavin is the founder and General Manager of DuoCircle, the company behind AutoSPF, DMARC Report, Phish Protection, and Mailhop. He founded DuoCircle in 2014 to solve the SPF 10-DNS-lookup problem at scale and has led the company's growth to 2,000+ customers. Brad's focus is product strategy, customer relationships, and the commercial and compliance side of email authentication (DPAs, SLAs, enterprise procurement) rather than hands-on DNS engineering.","image":"https://media.mailhop.org/autospf/images/authors/brad-slavin.jpg","knowsAbout":["Email Security Strategy","SaaS Product Management","Enterprise Compliance","Customer Success","Email Deliverability Business"],"worksFor":{"@type":"Organization","name":"AutoSPF","url":"https://autospf.com"},"sameAs":["https://www.linkedin.com/in/bradslavin"]},"publisher":{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897474","name":"AutoSPF","url":"https://autospf.com","logo":{"@type":"ImageObject","url":"https://autospf.com/images/autospf-logo.png"},"description":"Automatic SPF flattening and email authentication management. Resolve SPF lookup limits, flatten SPF records, and maintain email deliverability across all your domains.","parentOrganization":{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138883901","name":"DuoCircle LLC","url":"https://www.duocircle.com","sameAs":["https://www.wikidata.org/wiki/Q138883901","https://www.crunchbase.com/organization/duocircle-llc","https://www.linkedin.com/company/duocircle","https://github.com/duocircle"],"subOrganization":[{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138898167","name":"DMARC Report","url":"https://dmarcreport.com"},{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897474","name":"AutoSPF","url":"https://autospf.com"},{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897912","name":"Phish Protection","url":"https://www.phishprotection.com"}]},"sameAs":["https://www.wikidata.org/wiki/Q138897474","https://www.linkedin.com/company/autospf","https://x.com/autospf01","https://www.g2.com/products/autospf/reviews"],"contactPoint":{"@type":"ContactPoint","contactType":"customer support","url":"https://autospf.com/contact-us/"},"knowsAbout":["SPF Record Flattening","Sender Policy Framework","Email Authentication","DNS Management","DMARC","DKIM"]},"mainEntityOfPage":{"@type":"WebPage","@id":"https://autospf.com/blog/how-cybercriminals-use-neglected-domains-evade-spf-dmarc-protection/"},"articleSection":"advanced","keywords":"DKIM, DMARC, email security, SPF, SPF Flattening, SPF Flattening tool, SPF record","wordCount":669,"image":{"@type":"ImageObject","url":"https://media.mailhop.org/autospf/images/2025/07/spf-checker-4117.jpg","caption":"SPF and DMARC","width":900,"height":600},"speakable":{"@type":"SpeakableSpecification","cssSelector":[".answer-block","h1"]}}
```

```json
{"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https://autospf.com/"},{"@type":"ListItem","position":2,"name":"Blog","item":"https://autospf.com/blog/"},{"@type":"ListItem","position":3,"name":"Advanced","item":"https://autospf.com/advanced/"},{"@type":"ListItem","position":4,"name":"How do cybercriminals use neglected domains to evade SPF and DMARC protections?","item":"https://autospf.com/blog/how-cybercriminals-use-neglected-domains-evade-spf-dmarc-protection/"}]}
```