Unknown/unwanted domain or subdomain

Q: Why do I see an unknown (or maybe just 'unwanted') domain in Domain Overview, where did it come from?

A: Domains can be added to the list in two ways: either manually or because they were seen in a DMARC RUA file sent to your account at dmarcian.

  1. Use the column management in Domain Overview to add 2 extra columns to investigate: "Added on" and "Origin". The first will let you know when the domain was added to the system, and the latter helps you to understand how it arrived there.
  2. The 'Origin' will indicate 'N/A', 'Manually added', or 'Added from DMARC report'. In the last case there is a link to the particular file which arrived at your account with this domain.
    1. If the listing is 'N/A', that entry predates our tracking of this particular data (which began in 2021).
    2. 'Manually added' means that someone used the 'Add domains' functionality on the Domain Overview.
    3. 'Added from DMARC report': dmarcian will import any correct RUA which is sent to your reporting address. If you see a domain that you do not recognize (or did not realize is sending email), the usual explanation is that someone else in your organization added DMARC reporting on a domain which you didn't know was in your catalog. In some rare cases a malfunctioning reporter sends data for an unrelated domain to your reporting address. In other cases someone setting up a new record copied your DMARC entry as an example and neglected to update the token to their own address. Both of these instances are very infrequent, and you can use the domain deletion functionality to easily remove the entry from your listing. It is rare that such an entry returns; if it does, feel free to ask us for next steps.

Q: Why do I see an unknown subdomain which I know we don't use?

A: As with the base domain, these entries can be added automatically or manually. Most of the above guidance applies to this scenario as well, although our feedback about erroneous reporting instances does not apply to subdomains.

In the case of subdomains which you do not recognize, there are a couple of different possibilities.

Sometimes the entry is for a subdomain which is actually in legitimate use. You'll probably be able to identify this with some investigation in your operations.

Occasionally you'll see a subdomain entry come up because some system used its name in the From header of messages emanating from it; these might be some sort of reports sent by that host.

More commonly the subdomain you don't recognize is an entry which came up due to fraudulent usage: any subdomain usage seen in From headers is reported via DMARC. So if you do not use that subdomain, the logical conclusion is that someone attempted to use it illegitimately. The fact that you are seeing this entry indicates that it was used. If you do not already have DMARC policy enforcement for your domains, this could be a sign that you should work toward that goal. You cannot prevent fraudulent attempts, but correct use of DMARC with policy enforcement can severely limit the likelihood that criminals will be successful.
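
As an added illustration (not dmarcian's code and not part of the original article), the sketch below reads one DMARC aggregate (RUA) report and lists the From-header domains that are missing from your own inventory, with message counts, DMARC failures and source IPs. The sample report, the `unknown_from_domains` helper and the inventory set are constructed for this example, and the report is assumed to use no XML namespace.

```python
import xml.etree.ElementTree as ET

# Constructed sample RUA report (documentation domains and IPs, not real data).
SAMPLE_RUA = """<feedback>
 <policy_published><domain>example.com</domain><p>none</p></policy_published>
 <record><row><source_ip>192.0.2.10</source_ip><count>40</count>
  <policy_evaluated><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
  <identifiers><header_from>example.com</header_from></identifiers></record>
 <record><row><source_ip>203.0.113.7</source_ip><count>12</count>
  <policy_evaluated><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
  <identifiers><header_from>billing.example.com</header_from></identifiers></record>
 <record><row><source_ip>203.0.113.9</source_ip><count>3</count>
  <policy_evaluated><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
  <identifiers><header_from>Billing.Example.com</header_from></identifiers></record>
 <record><row><source_ip>192.0.2.20</source_ip><count>2</count>
  <policy_evaluated><dkim>fail</dkim><spf>pass</spf></policy_evaluated></row>
  <identifiers><header_from>host1.example.com</header_from></identifiers></record>
</feedback>"""

def unknown_from_domains(rua_xml, known):
    """Summarise header_from domains in one report that are not in `known`."""
    # Reports come from third parties; in production use a hardened XML parser.
    root = ET.fromstring(rua_xml)
    known = {d.lower() for d in known}
    found = {}
    for rec in root.iter("record"):
        # Domain names are case-insensitive, so normalise before comparing.
        name = (rec.findtext("identifiers/header_from") or "").strip().lower()
        if not name or name in known:
            continue
        count = int(rec.findtext("row/count") or 0)
        # DMARC passes when either the aligned DKIM or the aligned SPF result passes.
        passed = "pass" in (rec.findtext("row/policy_evaluated/dkim"),
                            rec.findtext("row/policy_evaluated/spf"))
        entry = found.setdefault(name, {"messages": 0, "dmarc_fail": 0, "sources": set()})
        entry["messages"] += count
        entry["dmarc_fail"] += 0 if passed else count
        entry["sources"].add(rec.findtext("row/source_ip"))
    return found

if __name__ == "__main__":
    # Hypothetical inventory: only the base domain is known to be in use.
    for name, e in sorted(unknown_from_domains(SAMPLE_RUA, {"example.com"}).items()):
        print(name, e["messages"], "msgs,", e["dmarc_fail"], "failed DMARC,",
              "from", sorted(e["sources"]))
```

A subdomain whose mail fails DMARC from sources you do not operate fits the fraudulent-usage case, while one that passes from your own hosts is more likely a system sending its own reports.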