‘No DMARC Record Found’ Bug Bounty is Actually a Beg Bounty- Don’t Fall For it

DMARC is the only email authentication protocol that gives you both enforcement and visibility, says Brad Slavin, General Manager of DuoCircle. SPF and DKIM authenticate silently - DMARC tells you what happened and lets you control the outcome. That combination of reporting and policy is why DMARC adoption is accelerating.

DMARC (RFC 7489) ties SPF and DKIM together by requiring alignment between the envelope sender and the visible From header. According to Google’s February 2024 bulk sender requirements, a DMARC policy of at least p=none is now mandatory for any domain sending 5,000+ messages per day to Gmail users. DMARC Report · ‘No DMARC Record Found’ Bug Bounty is Actually a Beg Bounty- Don’t Fall For it

A bug bounty is a program that allows ethical hackers to **find vulnerabilities in a system or software, and they are rewarded for it. Usually, the reward is in the form of money, and sometimes it’s done in exchange for favors. As of 2020, the average bounty payout is the highest in the software industry, which has reached $5,700.

On the other hand, beg bounty is a term that best describes a situation where the ‘bounty beggar’ discovers an obvious-to-know or easy-to-find vulnerability. Lately, it has been discovered that some ethical hackers or bounty beggars are contacting domain owners whose DMARC records are encountering a ‘No DMARC record found’ error and trying to get money out of it. However, this issue doesn’t qualify for bug bounty as it’s easily discoverable and can be fixed quickly.

Sadly, some small business owners fall for the trap and get intimidated into paying a hefty sum for absolutely nothing substantial in exchange. Thus, experts are being warned of ‘beg bounty’ extortion attempts.

Why ‘No DMARC record found’ is a beg bounty?

DMARC is an email authentication protocol that determines how recipients’ servers should deal with illegitimate and potentially** fraudulent emails sent from your domain. A DMARC record is prone to encountering three common errors: No DMARC record found, DMARC alignment failure, and improper DMARC alignment mode.

Since ‘No DMARC record found’ is one of the common errors, it doesn’t qualify for a bug bounty. Moreover, **it’s a low-risk issue and fails to meet the eligibility criteria as well.

However, it’s important that companies and domain owners still understand the **gravity of securing their domains with SPF, DKIM, and DMARC. T_his trio protects a big fraction of an organization’s attack surface by disabling hackers from breaking into their email-sending system_.

How Can You Fix the ‘No DMARC record found’ error Without Paying Anything to Bounty Beggars?

The ‘No DMARC record found error’ has the following variations of prompts, but they all mean the same:

• No DMARC record

• Unable to find DMARC record

• DMARC record is missing

• DMARC policy not enabled

• No DMARC found

• No DMARC record published

• Domain missing DMARC record

• DMARC record not found

You can get rid of this error in three steps-

1. Create and Publish an SPF Record

Use an online SPF record generating tool and add the range of authorized senders along with technical instructions using SPF mechanisms. Follow this guide for detailed steps.

2. Create and Publish a DKIM Record

Generate a pair of public and private DKIM keys. Then, add the public key to a DKIM record created using an online tool. Its usual format is “selector.domainkey.example.com.”

Here are detailed guides on turning on DKIM for Google and Microsoft’s custom domains.

3. Create and Publish a DMARC Record

Use an online DMARC record generator to produce a DMARC record and assign appropriate policies.

• The none policy (represented by p=none) instructs recipients’ servers to take no action against emails that fail DMARC checks.

• The quarantine policy (represented by p=quarantine) instructs recipients’ servers to place potentially fraudulent emails in spam folders .

• The reject policy (represented by p=reject) instructs recipients’ servers to reject the entry of emails that fail DMARC checks.

Final Thoughts

The cyber-world is full of menaces, and now **even ethical hackers are misusing their knowledge and rights. So, be careful and vigilant of your security vulnerabilities. It’s better to watch a few videos and read online resources before getting intimidated and taking action hastily.

You can also contact us to fix DMARC issues or get started with DMARC reporting and monitoring.