---
title: "Domain Spoofing Reports: Identify Unauthorized Use Of Your Domain | DMARC Report"
description: "Detect and investigate unauthorized use of your domain. Domain Spoofing Reports help protect your brand, customers, and email reputation."
image: "https://dmarcreport.com/og/blog/domain-spoofing-reports-identify-unauthorized-use-of-your-domain.png"
canonical: "https://dmarcreport.com/blog/domain-spoofing-reports-identify-unauthorized-use-of-your-domain/"
---

Quick Answer

Domain Spoofing Reports help identify unauthorized use of your domain in emails, websites, or online communications. By detecting impersonation attempts early, organizations can prevent phishing attacks, protect brand reputation, and maintain customer trust.


![Domain Spoofing Reports](https://media.mailhop.org/dmarcreport/create-dmarc-record-7634-1781251155632.jpg) 

To identify unauthorized use of your domain, implement SPF, DKIM, and DMARC with RUA/RUF reporting, configure DNS to collect reports, parse and normalize them at scale, distinguish forwarding and approved senders from true spoofing, alert and escalate via SIEM/SOAR integrations, and remediate quickly—all of which DMARCReport automates end‑to‑end.

Email [domain spoofing](https://www.infosecurity-magazine.com/news/infosec2025-email-domains-spoofing/) is one of the most persistent business risks because it exploits the trust of your brand and your recipients. The good news: modern email authentication standards generate machine-readable telemetry that can be turned into high-fidelity “domain spoofing reports” you can act upon. When you correctly configure SPF/DKIM/DMARC and operationalize their reports, you transition from guesswork to **evidence-based prevention** and response.

This guide pairs practical steps with implementation details and an operating model that organizations use to uncover and stop abuse. It draws on anonymized DMARCReport program data (Q1 2026; `n=120 domains`; 52M messages) and field cases to quantify what “normal” looks like, what signals truly indicate spoofing, and how to scale ingestion, analysis, and response using DMARCReport.

## Implement Authentication and Reporting To Collect Spoofing Intelligence

### The standards that make spoofing visible

- **SPF (Sender Policy Framework)**: Authorizes sending IPs for a domain and is evaluated against the SMTP envelope-from (MailFrom/Return-Path). Configure with a [DNS TXT record](https://www.cloudflare.com/learning/dns/dns-records/dns-txt-record/) at the root or sending subdomain.
- **DKIM (DomainKeys Identified Mail)**: Cryptographically signs messages; receivers verify the signature and compare the signing domain (`d=`) with the visible From domain to support DMARC alignment.
- **DMARC (Domain-based Message Authentication, Reporting & Conformance)**: Aligns SPF and/or DKIM with the visible From domain, defines an enforcement policy, and instructs receivers to send reports.

DMARC produces two report formats you must enable to interrogate spoofing:

- **Aggregate (RUA) reports**: Daily compressed XML summaries per receiver with per-sending-source authentication outcomes.
- **Forensic/Failure (RUF) reports**: Near-real-time per-message failure reports (ARF/AFRF) with optional redaction; availability varies by receiver **due to privacy restrictions**.

_DMARCReport provides dedicated, privacy-safe mailboxes and hosted endpoints for both RUA and RUF, automates external reporting authorization, and validates your DNS records continuously_.

![Dmarc Check 7634](https://media.mailhop.org/dmarcreport/dmarc-check-7634-1781254710776.jpg)

### Required DNS records (with examples) and how to configure them

#### SPF TXT

- **Host**: `yourdomain.com`

Value (example):

`v=spf1 ip4:203.0.113.10 include:_spf.salesmailer.com include:_spf.cloudemail.net -all`

- **Tips**:  
   - Stay within SPF's limit of 10 DNS-querying terms (`include` and `redirect`, and also `a`, `mx`, `exists`, `ptr`); flatten if needed.  
   - Use `-all` for a stricter posture once the sender inventory is complete; start with `~all` during discovery.

DMARCReport checks SPF lookup depth, suggests flattening, and tracks third-party include chains so you don’t hit limits.

#### DKIM public key TXT

- **Host**: `selector1._domainkey.yourdomain.com`

Value (example):

`v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A...`

- **Tips**:  
   - Use at least 2048-bit RSA or Ed25519 where supported; rotate keys every 6–12 months.  
   - Use separate selectors per **vendor for rapid revocation**.

DMARCReport inventories selectors across vendors, flags weak/expired keys, and simulates revocation impact.

#### DMARC TXT with RUA/RUF

- **Host**: `_dmarc.yourdomain.com`

Value (monitoring start):

`v=DMARC1; p=none; rua=mailto:rua@in.dmarcreport.io; ruf=mailto:ruf@in.dmarcreport.io; fo=1; adkim=s; aspf=s; pct=100`

Value (enforcement phase):

`v=DMARC1; p=quarantine; sp=reject; rua=mailto:rua@in.dmarcreport.io; aspf=s; adkim=s; pct=50`

- Key tags:  
   - **p**: none | quarantine | reject  
   - **sp**: subdomain policy  
   - **rua/ruf**: report URIs (mailto: addresses; comma-separated allowed)  
   - **pct**: progressive rollout percentage  
   - **adkim/aspf**: alignment mode (`r=relaxed`, `s=strict`)  
   - **fo**: failure options for RUF (e.g., `fo=1` to report any failure)

Important: If you send RUA/RUF to an external domain (e.g., DMARCReport), that domain must authorize external reporting by publishing a TXT record at:

- **Host**: `yourdomain.com._report._dmarc.in.dmarcreport.io`
- **Value**: `v=DMARC1`

This one-time step enables mailbox providers to send your reports to DMARCReport.
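The following added example (not DMARCReport code or part of the original article) parses a DMARC policy record, lists the `_report._dmarc` names an external report receiver must publish, and flags rollout-stage findings. The function names are hypothetical, and treating "external" as "not the policy domain or one of its subdomains" is a simplifying assumption.

```python
# Added example. The two records are the sample values shown above.
MONITORING = ("v=DMARC1; p=none; rua=mailto:rua@in.dmarcreport.io; "
              "ruf=mailto:ruf@in.dmarcreport.io; fo=1; adkim=s; aspf=s; pct=100")
ENFORCEMENT = ("v=DMARC1; p=quarantine; sp=reject; "
               "rua=mailto:rua@in.dmarcreport.io; aspf=s; adkim=s; pct=50")
VALID_POLICIES = ("none", "quarantine", "reject")


def parse_dmarc(record: str) -> dict:
    """Split a DMARC policy TXT value into {tag: value}; ValueError if malformed."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"tag without a value: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if not tags or next(iter(tags)) != "v" or tags["v"] != "DMARC1":
        raise ValueError("record must begin with v=DMARC1")
    if tags.get("p") not in VALID_POLICIES:
        raise ValueError("p must be none, quarantine or reject")
    return tags


def report_domains(tags: dict, tag: str) -> list:
    """Return the destination domains of the mailto: URIs in an rua/ruf tag."""
    domains = []
    for uri in tags.get(tag, "").split(","):
        uri = uri.strip()
        if uri.lower().startswith("mailto:"):
            address = uri[len("mailto:"):].split("!", 1)[0]  # drop a "!10m" size limit
            domains.append(address.rsplit("@", 1)[-1].lower())
    return domains


def external_authorizations(policy_domain: str, record: str) -> list:
    """Names where each external report receiver must publish TXT "v=DMARC1".

    Assumption: a destination is internal when it is the policy domain or one
    of its subdomains. RFC 7489 compares Organizational Domains, which needs
    the Public Suffix List.
    """
    tags = parse_dmarc(record)
    policy_domain = policy_domain.lower().rstrip(".")
    names = set()
    for tag in ("rua", "ruf"):
        for dest in report_domains(tags, tag):
            if dest != policy_domain and not dest.endswith("." + policy_domain):
                names.add(f"{policy_domain}._report._dmarc.{dest}")
    return sorted(names)


def review(record: str) -> list:
    """Return findings that describe how far along the rollout the record is."""
    tags = parse_dmarc(record)
    findings = []
    if tags["p"] == "none":
        findings.append("p=none: monitoring only, failing mail is still delivered")
    pct = int(tags.get("pct", "100"))
    if tags["p"] != "none" and pct < 100:
        findings.append(f"pct={pct}: policy applies to only part of failing mail")
    if "rua" not in tags:
        findings.append("no rua: no aggregate reports will arrive")
    if "ruf" in tags and "fo" not in tags:
        findings.append("ruf without fo: default fo=0 reports only total failures")
    for tag in ("adkim", "aspf"):
        if tags.get(tag, "r") != "s":
            findings.append(f"{tag} relaxed: any domain under the same "
                            "organizational domain aligns")
    return findings


if __name__ == "__main__":
    print(external_authorizations("yourdomain.com", MONITORING))
    print(review(MONITORING))
    print(review(ENFORCEMENT))
```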

#### ARF (Abuse Reporting Format)

- DMARC RUF uses ARF/AFRF (RFC 5965/RFC 6591). Not all providers send RUF and many redact headers/bodies. Use RUF as a high-signal supplement, not a sole source.

DMARCReport consolidates RUA and any available RUF into a single timeline, marks redacted fields, and correlates RUF samples back to RUA sources.

![Dmarc Record 7634](https://media.mailhop.org/dmarcreport/dmarc-record-7634-1781254678848.jpg)

## Parse, Normalize, and Store Reports for Automated Analysis

### Parsing pipeline: from compressed XML to analytics-ready rows

RUA arrives as zipped XML; RUF arrives as ARF attachments. A reliable pipeline:

1. **Ingest**: Retrieve mail from IMAP/POP3 mailboxes or via [HTTPS](https://en.wikipedia.org/wiki/HTTPS) webhooks; deduplicate by Message-ID/checksum.
2. **Decompress**: Unzip/ungzip; detect and repair common BOM/encoding issues.
3. **Parse**: Convert XML and ARF into normalized records.
4. **Normalize**: Standardize provider names, IP literals, [Classless Inter-Domain Routing (CIDR)](https://www.coursera.org/articles/cidr), d= domains, and alignments.
5. **Enrich**: GeoIP, ASN, vendor mapping, DNS reverse, PTR sanity.
6. **Store**: Write to columnar store for analytics and object storage for raw archives.
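The decompress, parse and normalize steps can be sketched as follows. This is an added example, not code from the article or from DMARCReport; the size cap, the row field selection and the sample report are assumptions constructed for illustration.

```python
import gzip
import io
import ipaddress
import xml.etree.ElementTree as ET
import zipfile
from datetime import datetime, timezone

MAX_XML_BYTES = 20 * 1024 * 1024  # assumed cap on decompressed size


def decompress(payload: bytes) -> bytes:
    """Return XML bytes from a gzip, zip or plain payload, bounded in size."""
    if payload[:2] == b"\x1f\x8b":  # gzip magic
        data = gzip.GzipFile(fileobj=io.BytesIO(payload)).read(MAX_XML_BYTES + 1)
    elif payload[:4] == b"PK\x03\x04":  # zip local file header
        with zipfile.ZipFile(io.BytesIO(payload)) as archive:
            with archive.open(archive.namelist()[0]) as member:
                data = member.read(MAX_XML_BYTES + 1)
    else:
        data = payload[: MAX_XML_BYTES + 1]
    if len(data) > MAX_XML_BYTES:
        raise ValueError("decompressed report exceeds the size cap")
    if data.startswith(b"\xef\xbb\xbf"):  # UTF-8 byte order mark
        data = data[3:]
    return data.strip()


def _text(node, path: str) -> str:
    return (node.findtext(path) or "").strip().lower()


def _utc(epoch: str) -> str:
    return datetime.fromtimestamp(int(epoch), timezone.utc).isoformat()


def parse_rua(payload: bytes) -> list:
    """Turn one aggregate report into a list of normalized row dicts."""
    xml = decompress(payload)
    if b"<!DOCTYPE" in xml or b"<!ENTITY" in xml:
        raise ValueError("DTD or entity declarations do not belong in RUA XML")
    root = ET.fromstring(xml)
    for element in root.iter():  # some reporters declare an XML namespace
        element.tag = element.tag.rsplit("}", 1)[-1]
    rows = []
    for record in root.findall("record"):
        # policy_evaluated holds the aligned results; auth_results the raw ones.
        spf_aligned = _text(record, "row/policy_evaluated/spf") == "pass"
        dkim_aligned = _text(record, "row/policy_evaluated/dkim") == "pass"
        rows.append({
            "reporter": _text(root, "report_metadata/org_name"),
            "begin": _utc(_text(root, "report_metadata/date_range/begin")),
            "end": _utc(_text(root, "report_metadata/date_range/end")),
            "source_ip": ipaddress.ip_address(
                _text(record, "row/source_ip")).compressed,
            "count": int(_text(record, "row/count")),
            "disposition": _text(record, "row/policy_evaluated/disposition"),
            "header_from": _text(record, "identifiers/header_from"),
            "spf_domain": _text(record, "auth_results/spf/domain"),
            "spf_result": _text(record, "auth_results/spf/result"),
            "dkim": [(_text(s, "domain"), _text(s, "selector"), _text(s, "result"))
                     for s in record.findall("auth_results/dkim")],
            "spf_aligned": spf_aligned,
            "dkim_aligned": dkim_aligned,
            "dmarc_pass": spf_aligned or dkim_aligned,
        })
    return rows


# Constructed sample report: one aligned sender, one source that passes raw SPF
# for its own domain but is not aligned with the visible From domain.
SAMPLE_XML = b"""<?xml version="1.0" encoding="UTF-8"?>
<feedback xmlns="http://dmarc.org/dmarc-xml/0.1">
  <report_metadata>
    <org_name>receiver.example</org_name>
    <date_range><begin>1767225600</begin><end>1767311999</end></date_range>
  </report_metadata>
  <record>
    <row><source_ip>203.0.113.10</source_ip><count>1200</count>
      <policy_evaluated><disposition>none</disposition>
        <dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>yourdomain.com</header_from></identifiers>
    <auth_results>
      <dkim><domain>yourdomain.com</domain><selector>selector1</selector>
        <result>pass</result></dkim>
      <spf><domain>yourdomain.com</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <record>
    <row><source_ip>2001:0db8:0000:0000:0000:0000:0000:0007</source_ip>
      <count>340</count>
      <policy_evaluated><disposition>none</disposition>
        <dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>YourDomain.com</header_from></identifiers>
    <auth_results>
      <spf><domain>mailer.example</domain><result>pass</result></spf>
    </auth_results>
  </record>
</feedback>"""

if __name__ == "__main__":
    for row in parse_rua(gzip.compress(SAMPLE_XML)):
        print(row["source_ip"], row["count"], row["spf_result"], row["dmarc_pass"])
```

The second sample row shows why the aligned result, not the raw SPF result, drives the verdict: SPF passes for `mailer.example`, yet the message fails DMARC for `yourdomain.com`.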

DMARCReport operates this pipeline as a managed service with schema evolution, retry logic, and corruption quarantine, so malformed ISP payloads don’t halt processing.

### Open-source and commercial tools

- **Open-source**:  
   - **parsedmarc (Python)**: Mature, outputs to Elasticsearch/PostgreSQL/Splunk.  
   - **dmarcts-report-parser (Perl)**: Lightweight **CLI for RUA XML**.  
   - **OpenDMARC**: [Mail transfer agent (MTA)](https://www.icontact.com/define/mail-transfer-agent/) library plus reporting utilities.
- **Commercial**:  
   - **DMARCReport**: End-to-end ingest, normalization, correlation, and response workflows with SIEM/SOAR connectors.  
   - **Others**: Valimail, dmarcian, Agari, Proofpoint (if you need comparisons, DMARCReport provides apples-to-apples evaluation guides).

DMARCReport complements existing OSS by accepting their output or replacing them; customers often start with parsedmarc and graduate to DMARCReport for scale, correlation, and automation.

### A normalized schema that works at scale

Core fields DMARCReport standardizes (recommended if you’re building in-house):

- **Time**: `report_metadata.date_range.begin/end` (UTC), `received_at`
- **Sender**: `header_from`, `envelope_from`, `spf_domain`, `dkim.d`, `dkim.selector`
- **Auth results**: `spf.result`, `dkim.result`, `dmarc.alignment`, `adkim`/`aspf`
- **Source**: `source_ip`, `asn`, `provider`, `ptr`, `helo`
- **Volume**: `count`, `disposition`, `pct`
- **Policy**: `p`, `sp`, `fo`, `rua`, `ruf`
- **Enrichment**: `geo`, `risk_score`, `vendor_id`, `forwarder_flag`, `arc_valid`

_DMARCReport publishes an export dictionary and ECS mappings to minimize custom work_.

## Scalable Ingestion, Storage, and Indexing Architecture

### Throughput and sizing (original data)

From DMARCReport anonymized telemetry (Q1 2026):

- **Median RUA volume**: 800–2,500 reports/day/domain.
- **90th percentile**: 12k/day for consumer-heavy brands.
- **Average RUA compressed size**: 90–220 KB; RUF sample: 15–80 KB.
- **Daily raw ingest**: \~250 MB (median) to 2.5 GB (p90) per domain.
- **Compression ratios**: 12–25:1 when storing normalized **columnar data vs raw XML**.

Plan for bursts after policy changes or major campaigns (up to 3x for 48 hours).

### Recommended architecture

- **Ingestion**:  
   - Stateless workers pulling [IMAP (Internet Message Access Protocol)](https://www.techtarget.com/whatis/definition/IMAP-Internet-Message-Access-Protocol) and webhooks with backoff.  
   - Queue (e.g., SQS/PubSub) decoupling I/O from parsing.
- **Storage**:  
   - **Raw**: Object storage (S3/GCS/Azure Blob), lifecycle to infrequent-access at 30–60 days.  
   - **Normalized**: Columnar warehouse (ClickHouse, BigQuery, Snowflake) with partitioning (date, header\_from, provider) and ZSTD compression.
- **Indexing/query**:  
   - Secondary index in Elasticsearch/OpenSearch for low-latency investigative queries (fields: source\_ip, d=, selector, provider).  
   - Materialized views for daily rollups and pXX anomaly baselines.

Retention guidance:

- **Raw (RUA/RUF)**: 13 months (for seasonal patterning and legal holds).
- **Normalized**: 24 months analytics; downsampled aggregates afterward.

DMARCReport implements this pattern with multi-region object storage, a columnar analytics tier, and an optional customer-managed OpenSearch node for sub‑second pivots, sustaining >50k reports/minute with auto-scaling.

## Reduce False Positives: Separate Forwarding and Vendors from True Spoofing

### Why false positives happen

- **Forwarding breaks SPF**: The forwarding server’s IP isn’t in your SPF; without [Sender Rewriting Scheme (SRS)](https://www.axigen.com/documentation/sender-rewriting-scheme-srs-p70189091) or [Authenticated Received Chain (ARC)](https://proton.me/blog/what-is-authenticated-received-chain-arc), SPF fails although the message is legitimate.
- **Misaligned DKIM**: Third-party platforms sign mail with their domain (d=vendor.com), but the visible From is yourdomain.com; if DKIM d= doesn’t match your From domain, DMARC **fails unless SPF aligns**.
- **Benign infrastructure drift**: Cloud IP churn, new campaign subdomains, or newly onboarded vendors.

In DMARCReport’s dataset, of all [DMARC-alignment](https://dmarcreport.com/blog/what-is-dmarc-alignment-and-how-does-it-work/) failures:

- 68% were attributable to forwarding/SRS gaps,
- 22% to misconfigured third-party platforms,
- 10% were likely malicious (0.6% of total mail volume).

### Practical heuristics to reduce noise

- Treat SPF fail + aligned DKIM pass as legitimate (spoofers rarely hold your DKIM keys).
- For SPF fail + DKIM fail:  
   - If `ARC=pass` and the chain is trusted, suppress or de‑risk the alert.  
   - If source ASN/provider matches an allowlisted vendor and selector observed historically, suppress.  
   - If PTR looks like dynamic/consumer broadband and ASN reputation is low, escalate.
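These heuristics can be expressed as an ordered rule function over normalized rows. This is an added example, not DMARCReport's rule engine; the vendor inventory, trusted ARC sealers, low-reputation ASN set, PTR pattern, the `arc_sealer` field and the default `review` verdict are all assumptions constructed for illustration.

```python
import re
from collections import Counter

# Hypothetical inventory and reputation inputs (constructed for this example).
VENDORS = {"AS64500": {"selectors": {"selector1", "news2026"}}}
TRUSTED_ARC_SEALERS = {"lists.example.edu"}
LOW_REPUTATION_ASNS = {"AS64511"}
# Assumed pattern for dynamic/consumer broadband reverse DNS names.
DYNAMIC_PTR = re.compile(r"(dyn|dhcp|dsl|pool|cable|broadband|ppp)[-.\d]", re.I)


def triage(row: dict) -> tuple:
    """Return (verdict, reason) for one normalized row, rules applied in order."""
    if row["dkim_aligned"]:
        return ("legitimate",
                "aligned DKIM pass; an SPF failure here is typical of forwarding")
    if row["spf_aligned"]:
        return ("legitimate", "aligned SPF pass")
    # From here on the row is SPF fail + DKIM fail.
    if row.get("arc_valid") and row.get("arc_sealer") in TRUSTED_ARC_SEALERS:
        return ("suppress", "ARC passes and the sealer is trusted")
    vendor = VENDORS.get(row.get("asn"))
    if vendor and row.get("dkim_selector") in vendor["selectors"]:
        return ("suppress",
                "allowlisted vendor ASN with a historically observed selector")
    if (DYNAMIC_PTR.search(row.get("ptr") or "")
            and row.get("asn") in LOW_REPUTATION_ASNS):
        return ("escalate", "dynamic/consumer PTR on a low-reputation ASN")
    # Assumption: rows that match no rule go to an analyst.
    return ("review", "no rule matched")


def summarize(rows: list) -> dict:
    """Message volume per verdict, so noise and true spoofing can be compared."""
    totals = Counter()
    for row in rows:
        totals[triage(row)[0]] += row["count"]
    return dict(totals)


# Constructed rows in the shape of the normalized schema.
SAMPLE_ROWS = [
    {"spf_aligned": False, "dkim_aligned": True, "count": 900,
     "asn": "AS64499", "ptr": "mx.forwarder.example"},
    {"spf_aligned": False, "dkim_aligned": False, "count": 120,
     "arc_valid": True, "arc_sealer": "lists.example.edu"},
    {"spf_aligned": False, "dkim_aligned": False, "count": 60,
     "asn": "AS64500", "dkim_selector": "news2026"},
    {"spf_aligned": False, "dkim_aligned": False, "count": 340,
     "asn": "AS64511", "ptr": "dyn-203-0-113-77.broadband.isp.example"},
    {"spf_aligned": False, "dkim_aligned": False, "count": 15,
     "asn": "AS64499", "ptr": "mail.host.example"},
]

if __name__ == "__main__":
    for sample in SAMPLE_ROWS:
        print(sample["count"], *triage(sample))
    print(summarize(SAMPLE_ROWS))
```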

DMARCReport encodes these as rules with a tunable risk score; it learns vendor IP ranges/selectors automatically and tags known forwarders (e.g., alumni.edu, listserv hosts) using historical correlations.

### Maintain an explicit approved-sender inventory

- **For each vendor**: list return-path domain, SPF include, DKIM `d=` domain, selectors, envelope behavior, bounce handling.
- Rotate DKIM keys per vendor; never **reuse keys across platforms**.
- Document expected sending subdomains and purposes.

DMARCReport maintains this catalog for you and gatekeeps changes (e.g., if a vendor suddenly signs with `d=unknown‑mailer.com`, you get an immediate anomaly alert).

![What Is Dmarc 7634](https://media.mailhop.org/dmarcreport/what-is-dmarc-7634-1781254633620.jpg)

## Alerting, Triage, Escalation, and Enforcement Strategy

### Alert thresholds that balance signal and noise

Start with volume- and ratio-based triggers:

- New unauthenticated source\_ip > 200 messages/day OR > 1% of daily volume.
- Spike in fails (EWMA) where fail\_rate\_today > mean\_7d + 3σ AND absolute fails > 500.
- High‑risk fingerprint (consumer broadband PTR + no ARC + DKIM none) even at low volume (>= 25 msgs).
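The three triggers above, evaluated over one day of normalized rows. This is an added example, not DMARCReport's alerting code; the row fields `ptr_dynamic`, `arc_valid` and `dkim_result`, the use of a plain 7-day mean with sample standard deviation for the spike rule, and all sample data are assumptions.

```python
from collections import defaultdict
from statistics import mean, stdev


def evaluate_alerts(rows: list, fail_rates_7d: list, known_ips: set) -> list:
    """Return (alert_name, subject, value) tuples for one day of rows."""
    total = sum(r["count"] for r in rows)
    fails_by_ip = defaultdict(int)
    risky_by_ip = defaultdict(int)
    for r in rows:
        if r["dmarc_pass"]:
            continue
        fails_by_ip[r["source_ip"]] += r["count"]
        # High-risk fingerprint: consumer broadband PTR + no ARC + DKIM none.
        if r["ptr_dynamic"] and not r["arc_valid"] and r["dkim_result"] == "none":
            risky_by_ip[r["source_ip"]] += r["count"]

    alerts = []
    # Rule 1: new unauthenticated source > 200 messages/day OR > 1% of volume.
    for ip, fails in sorted(fails_by_ip.items()):
        if ip not in known_ips and (fails > 200 or fails > 0.01 * total):
            alerts.append(("new_unauthenticated_source", ip, fails))

    # Rule 2: fail_rate_today > mean_7d + 3 sigma AND absolute fails > 500.
    total_fails = sum(fails_by_ip.values())
    fail_rate = total_fails / total if total else 0.0
    threshold = mean(fail_rates_7d) + 3 * stdev(fail_rates_7d)
    if fail_rate > threshold and total_fails > 500:
        alerts.append(("fail_spike", round(fail_rate, 4), total_fails))

    # Rule 3: high-risk fingerprint even at low volume (>= 25 messages).
    for ip, count in sorted(risky_by_ip.items()):
        if count >= 25:
            alerts.append(("high_risk_fingerprint", ip, count))
    return alerts


# Constructed day of traffic: one known sender, one new failing source, and a
# low-volume probe that only the fingerprint rule catches.
KNOWN_IPS = {"203.0.113.10"}
FAIL_RATES_7D = [0.002, 0.003, 0.002, 0.0025, 0.003, 0.002, 0.0025]
TODAY = [
    {"source_ip": "203.0.113.10", "count": 50000, "dmarc_pass": True,
     "ptr_dynamic": False, "arc_valid": False, "dkim_result": "pass"},
    {"source_ip": "198.51.100.23", "count": 620, "dmarc_pass": False,
     "ptr_dynamic": False, "arc_valid": False, "dkim_result": "fail"},
    {"source_ip": "192.0.2.44", "count": 30, "dmarc_pass": False,
     "ptr_dynamic": True, "arc_valid": False, "dkim_result": "none"},
]

if __name__ == "__main__":
    for alert in evaluate_alerts(TODAY, FAIL_RATES_7D, KNOWN_IPS):
        print(alert)
```

An exponentially weighted mean can replace `mean(fail_rates_7d)` without changing the rest of the rule.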

Severity matrix (suggested):

- **Sev 1**: Spoofing exceeds 5% of traffic or impacts customer-facing domain; immediate ER team page.
- **Sev 2**: New campaign-targeted spoofing > 500 msgs across multiple receivers.
- **Sev 3**: Low‑volume probes or single‑receiver noise.

_DMARCReport ships default thresholds tuned on cross-tenant baselines and simulates alert impact before enabling, reducing false positives by \~42% in the first month_.

### Triage rules and playbooks

- Verify domain alignment failure and absence of ARC.
- **Pivot by**:  
   - header\_from, source ASN, HELO, PTR, provider, geography.
- Check the vendor **catalog and change history**.
- **If malicious**:  
   - Block at [email security gateway](https://www.cloudflare.com/learning/email-security/secure-email-gateway-seg/) (IP/CIDR, HELO, From pattern).  
   - Notify abuse desks with ARF samples and headers.  
   - Open takedown cases (hosting, registrar).

DMARCReport creates tickets automatically (Jira/ServiceNow), attaches evidence bundles, and kicks off SOAR playbooks (Cortex, Swimlane, XSOAR).

### Enforcement modes and pct rollout

- **p=none**: Full visibility, zero enforcement. Best for initial inventory building (2–6 weeks).
- **p=quarantine**: Moves unauthenticated to spam; good intermediate step to study collateral impact.
- **p=reject**: Blocks at SMTP; highest protection, but ensure vendor inventory and forwarding accommodations (ARC) are mature.
- **pct**: Use 25% → 50% → 100% in 7–14 day increments, monitoring complaint rates and deliverability.

Trade-offs:

- Moving too fast to reject can suppress RUF volume (fewer failures make it through) and can cause vendor breakage.
- Staying at none invites ongoing abuse. In DMARCReport case data, brands moving from none→reject reduced successful spoof delivery by 96% within 30 days without measurable impact on legitimate delivery when vendor onboarding checklists were enforced.

DMARCReport offers “policy flight simulator” to preview which traffic would be rejected under different policies before you flip the switch.

## Integrations and Automated Remediation

### SIEM/SOAR, blocklists, and ticketing

- **SIEM mapping**: Normalize to ECS fields (`email.from.domain`, `source.ip`, `as.organization.name`, `event.outcome`, `rule.name`).
- **SOAR**: Playbooks for auto-blocking, provider abuse notifications (templated), and registrar takedowns.
- **Ticketing**: Auto-create cases with **enrichment and ownership routing** (Security vs. Marketing ops).

DMARCReport provides native connectors for Splunk, Chronicle, QRadar, Sentinel, XSOAR, Jira, and ServiceNow, plus webhooks for custom stacks.

### Remediation sequence after confirming unauthorized use

1. **Contain**:  
   - Temporary MTA blocks (IP/CIDR, HELO).  
   - Raise DMARC pct to 100 and, if appropriate, `p=reject` on the abused domain/subdomain.
2. **Credentials/keys**:  
   - Rotate/revoke affected DKIM selectors; publish the selector's record with an empty `p=` tag to revoke a specific key quickly.  
   - Update SPF to remove leaked includes or deprecated vendors.
3. **Vendor coordination**:  
   - Notify legitimate vendors; verify they didn’t misconfigure “From” or selectors.
4. **External actions**:  
   - **Hosting takedown**: Send abuse notices with ARF evidence to the hosting ASN’s abuse desk.  
   - **Registrar takedown**: If a lookalike domain is used, file UDRP/URS or registrar abuse ticket.
5. **Post-incident hardening**:  
   - Enable strict alignment (`adkim=s`, `aspf=s`) on customer-facing domains.  
   - Add ARC at your gateways to preserve authentication across forwarding chains.

DMARCReport orchestrates this workflow with one-click selector revocations (with rollback), templated abuse requests, and [service-level agreement (SLA)](https://www.ibm.com/think/topics/service-level-agreement) tracking for takedowns.

![Dmarc Record Generator 7634](https://media.mailhop.org/dmarcreport/dmarc-record-generator-7634-1781254514688.jpg)

## Subdomains, Third-Party Vendors, and Supply-Chain Hardening

### Subdomain strategies

- Inherit or override with DMARC sp=:  
   - **Corporate apex**: `p=reject`; `sp=quarantine` initially if subdomain inventory is incomplete.
- **Create dedicated sending subdomains per vendor (e.g., news.yourdomain.com) with**:  
   - Vendor-specific SPF includes,  
   - Vendor DKIM selectors (`d=news.yourdomain.com` if supported),  
   - Separate DMARC record for tighter **control and targeted rollouts**.

DMARCReport surfaces subdomain gaps, unused [DNS records](https://www.indusface.com/learning/dns-records/), and monitors for shadow subdomains seen in receivers’ logs but not in your DNS.

### Vendor onboarding checklist (allow legitimate delegated sending)

- Contractually require DKIM with `d=yourdomain.com` and unique selectors.
- Provide SPF include lines; forbid vendor-managed visible From using their own domain unless agreed.
- Pre‑production test to seeds across Gmail, Microsoft, Yahoo, Apple; validate alignment in DMARCReport’s live preview.
- Register bounce domains and ensure RFC-compliant list management headers (List-Unsubscribe).

_DMARCReport’s guided onboarding validates DNS, sends test campaigns, and blocks go‑live until alignment passes_.

## Troubleshoot Missing, Malformed, or Delayed Reports

### Common pitfalls (and fixes)

- **DNS TXT size/segmentation**: TXT strings are limited to 255 chars per segment; long DMARC records must be quoted and split across multiple strings. Fix malformed concatenation.
- **SPF lookup limits**: More than 10 DNS-querying mechanism lookups cause a permerror; **flatten or consolidate** vendor includes.
- **External RUA/RUF authorization**: Missing TXT at `yourdomain.com._report._dmarc.receiver-domain.tld` prevents external delivery—publish the authorization record.
- **DNSSEC interactions**: Oversized DNS responses with DNSSEC can trigger truncation; ensure EDNS0 and TCP fallback on your resolvers.
- **Mailbox quotas and bounces**: Full RUA mailboxes cause silent loss; point RUA/RUF to a service (e.g., DMARCReport) with elastic storage.
- **Provider redaction and RUF scarcity**: Major providers (e.g., Google, Microsoft) often don’t send RUF or redact heavily; rely on RUA for visibility and treat RUF as supplementary.
- **Aggregator rate limits**: Some receivers throttle reporting on massive volumes; expect 24–72h lag after large campaigns.
- **Malformed XML/attachments**: Broken encodings and missing schemas happen; use tolerant parsers with quarantine.

### Validation checklist

- Query your DMARC, SPF, and [DKIM records](https://dmarcreport.com/blog/what-is-dkim-record-guide-setup-mistakes-and-dmarc-alignment/) with dig/nslookup and verify syntax/alignment.
- Send seeded tests to top receivers; confirm RUA arrival within 24–48h.
- Verify external authorization TXT entries for RUA/RUF.
- Confirm your pipeline can parse common compressions (zip, gzip) and ARF structures.

DMARCReport continuously validates DNS, alerts on missing external authorizations, tracks expected vs. received reporter coverage, and flags drop-offs by provider so you can distinguish absence of traffic from absence of reporting.

## FAQs

### Is RUF required to detect spoofing, and is it safe to enable?

No—RUA alone provides broad visibility. RUF adds granular, sometimes redacted samples and is increasingly limited by providers due to privacy. Enable **RUF to a controlled mailbox** (DMARCReport provides DLP/PII-safe processing), and rely on RUA for trend and source discovery.

### Should I use relaxed or strict alignment?

Start strict on high-risk customer domains (`adkim=s`; `aspf=s`) to minimize cousin-domain piggybacking; use relaxed temporarily on complex vendor ecosystems. DMARCReport simulates alignment impacts so you can choose per domain/subdomain confidently.

### How long should I stay at p=none before enforcing?

Typically 2–6 weeks, depending on your sender inventory complexity. DMARCReport tracks unknown senders “burn-down”; when unknown volume <0.1% for 14 consecutive days, it recommends moving to quarantine/reject with pct ramp.

### Can ARC fix all forwarding issues?

ARC helps receivers trust authentication that “broke” during transit, but acceptance is receiver-specific and policy-dependent. It is not a DMARC replacement. DMARCReport marks ARC-pass flows so you can **quantify its benefit by provider**.

## Conclusion: Turn Reports into Action with DMARCReport

Identifying unauthorized use of your domain requires more than publishing records—it demands a closed-loop system: rigorous SPF/DKIM/DMARC configuration, high-fidelity report collection, scalable parsing and analytics, smart noise reduction for forwarders and vendors, decisive enforcement, and automated remediation. [DMARCReport](https://dmarcreport.com/) delivers this end-to-end: hosted RUA/RUF addresses with external authorization, resilient ingest and normalization, columnar analytics with sub‑second pivots, risk-scored alerts, SIEM/SOAR/ticketing integrations, vendor/subdomain onboarding workflows, and takedown orchestration.

_With DMARCReport, customers typically move from p=none to p=reject in under 45 days, cut successful spoofing by >90%, and retain full operational visibility—exactly what you need to identify and stop unauthorized use of your domain_.

[ Brad Slavin ](/authors/brad-slavin/) 

General Manager

Founder and General Manager of DuoCircle. Product strategy and commercial lead for DMARC Report's 2,000+ customer base.

