
The shift in email security over the last few years has been a classic case of “squeezing the balloon.” As global standards and mailbox providers finally forced the hand of major enterprises to adopt p=reject policies, the front door to the inbox essentially slammed shut for bulk phishers. But in 2026, the industry is witnessing a sophisticated pivot. Attackers aren’t trying to kick down the front door anymore; they are climbing through the unlocked windows of neglected subdomains.
This phenomenon, now widely dubbed “Subdomailing”, represents a critical oversight in how we manage brand assets. It turns out that while we were busy securing brand.com, we left campaign-2022.brand.com and dev-test-server.brand.com completely exposed.
sp=reject is not the same as p=reject.
The technical root of the subdomailing crisis often traces back to a single missing tag in a DMARC record. Many IT teams assume that a primary domain policy would naturally cascade down to every child domain. In the early days of DMARC implementation, this was a safe-ish bet, but the protocol allows for a specific Subdomain Policy (sp) tag.
If an organization publishes a record like v=DMARC1; p=reject; but neglects to define the sp tag, the default behavior can be dangerously inconsistent. Attackers have developed automated scanners specifically to hunt for domains where the root is locked down but the subdomains are left at p=none or are simply undefined. By sending mail from a non-existent but technically “valid” subdomain, attackers can piggyback on the high reputation of the parent domain while bypassing the very “reject” policy intended to stop them.
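As an added example (not code from this post or from 101domain), the following Python script reproduces the policy lookup a receiving server performs for a subdomain: it checks for the subdomain's own _dmarc record first, then falls back to the organizational domain's sp tag, and only then to its p tag. Two caveats worth knowing when you run such a check: RFC 7489 specifies that when sp is absent the parent's p applies, so an explicit sp=reject removes ambiguity rather than changing what a conforming receiver does; and a subdomain that publishes its own _dmarc record overrides the parent entirely, which is the case an audit most needs to surface. The DNS table is constructed sample data, and organizational_domain() assumes the last two labels (real evaluators use the Public Suffix List).

```python
"""Effective DMARC policy for a subdomain (RFC 7489, section 6.6.3).

Added example, not code from the original post. CONSTRUCTED_DNS is a
constructed snapshot; a real check would query the TXT record at _dmarc.<name>.
"""

# Constructed snapshot: name -> TXT record published at _dmarc.<name>
CONSTRUCTED_DNS = {
    "brand.com": "v=DMARC1; p=reject; rua=mailto:dmarc@brand.com",  # no sp tag
    "other.com": "v=DMARC1; p=reject; sp=none",                    # subdomains opened up
    "dev.other.com": "v=DMARC1; p=none",                           # own record overrides parent
    "legacy.net": "v=DMARC1; p=quarantine; sp=quarantine",
}


def parse_dmarc(record: str) -> dict:
    """Parse a DMARC TXT record into tag/value pairs; returns {} if it is not DMARC."""
    tags = {}
    for part in record.split(";"):
        if "=" not in part:
            continue
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        return {}
    return tags


def organizational_domain(name: str) -> str:
    # Assumption for this example: the last two labels. RFC 7489 derives the
    # organizational domain from the Public Suffix List instead.
    labels = name.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def effective_policy(name: str, dns=CONSTRUCTED_DNS) -> tuple:
    """Return (policy, source) a receiver applies to mail whose From: domain is name.

    Lookup order: the exact name's own record wins; otherwise the organizational
    domain's sp tag; otherwise that domain's p tag; otherwise no policy at all.
    """
    own = parse_dmarc(dns.get(name, ""))
    if own:
        return own.get("p", "none"), f"_dmarc.{name} p"
    org = organizational_domain(name)
    if org == name:
        return "none", "no record"
    parent = parse_dmarc(dns.get(org, ""))
    if not parent:
        return "none", "no record"
    if "sp" in parent:
        return parent["sp"], f"_dmarc.{org} sp"
    return parent.get("p", "none"), f"_dmarc.{org} p (sp absent, inherited)"


def audit(names, dns=CONSTRUCTED_DNS) -> list:
    """Flag every name whose effective policy is weaker than reject."""
    findings = []
    for name in names:
        policy, source = effective_policy(name, dns)
        if policy != "reject":
            findings.append((name, policy, source))
    return findings


if __name__ == "__main__":
    inventory = ["campaign-2022.brand.com", "dev.other.com",
                 "anything.other.com", "x.legacy.net"]
    for name, policy, source in audit(inventory):
        print(f"{name}: effective policy {policy} (from {source})")
```

Running the audit over a subdomain inventory shows the two weak spots directly: anything.other.com is opened up by the parent's sp=none, and dev.other.com is opened up by its own record regardless of what the parent says.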
The danger of dangling CNAMEs.
The mechanics of these takeovers often rely on “Dangling CNAMEs.” This is the digital equivalent of a ghost property. In a modern cloud-first environment, companies constantly point subdomains to third-party services like Shopify, Zendesk, or Azure buckets. When a marketing campaign ends or a tool is swapped out, the subscription is canceled, but the DNS record often remains, pointing into the void.
An attacker simply identifies these dangling pointers, registers the corresponding account name on the third-party service, and suddenly, they effectively own a piece of your corporate infrastructure. Because the CNAME record in your DNS still points to that service, the attacker can now generate valid SPF and DKIM signatures. To any receiving mail server in 2026, the resulting phishing email looks like a perfectly authenticated communication from your brand.
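To turn the audit the post calls for into a repeatable check, here is an added Python example (not code from this post or from 101domain) that follows each inventoried subdomain's CNAME chain and flags chains that end at a name with no records. The resolver is injectable: the demo runs offline against a constructed zone snapshot that uses reserved .invalid hostnames and documentation IP addresses, and for real use you would pass a function backed by an actual DNS library. The assumed definition of "dangling" is a CNAME whose target no longer resolves; a target that still resolves but points at a deprovisioned tenant on a third-party service is invisible to DNS alone and needs an ownership check against that service's own records.

```python
"""Dangling CNAME audit over a subdomain inventory.

Added example, not code from the original post. The zone snapshot is
constructed and uses reserved .invalid names (RFC 2606) and documentation
addresses (RFC 5737).
"""
from typing import Callable, Optional

RR = tuple  # (record type, value)

# Constructed snapshot: name -> record. Names absent from the dict are NXDOMAIN.
CONSTRUCTED_ZONE = {
    "www.brand.com": ("A", "203.0.113.5"),
    "shop.brand.com": ("CNAME", "shops.example-commerce.invalid"),
    "shops.example-commerce.invalid": ("A", "192.0.2.10"),
    "dev-test-server.brand.com": ("CNAME", "tenant-42.example-cloud.invalid"),
    "tenant-42.example-cloud.invalid": ("A", "198.51.100.7"),
    # The campaign site was torn down at the provider, but the CNAME was never removed.
    "campaign-2022.brand.com": ("CNAME", "old-campaign.example-pages.invalid"),
}


def make_resolver(zone: dict) -> Callable[[str], Optional[RR]]:
    """Build a resolver over an in-memory zone; swap in a real DNS lookup for production."""
    def resolve(name: str) -> Optional[RR]:
        return zone.get(name.rstrip(".").lower())
    return resolve


def classify(name: str, resolve: Callable[[str], Optional[RR]], max_hops: int = 8) -> dict:
    """Follow the CNAME chain starting at name and classify where it ends.

    status values:
      ok        - chain ends at a name holding a non-CNAME record
      dangling  - chain passes through a CNAME and ends at a name with no record
      no-record - the name itself has no record (nothing to take over, still worth pruning)
      loop      - CNAME loop, or chain longer than max_hops
    """
    chain = []
    current = name.rstrip(".").lower()
    for _ in range(max_hops):
        rr = resolve(current)
        if rr is None:
            status = "dangling" if chain else "no-record"
            return {"name": name, "chain": chain, "terminal": current, "status": status}
        rtype, value = rr
        if rtype != "CNAME":
            return {"name": name, "chain": chain, "terminal": current, "status": "ok"}
        target = value.rstrip(".").lower()
        if target == current or target in chain:
            return {"name": name, "chain": chain, "terminal": current, "status": "loop"}
        chain.append(target)
        current = target
    return {"name": name, "chain": chain, "terminal": current, "status": "loop"}


def audit(inventory, resolve) -> list:
    """Return findings for every inventoried name that is dangling or looping."""
    results = (classify(n, resolve) for n in inventory)
    return [r for r in results if r["status"] in ("dangling", "loop")]


if __name__ == "__main__":
    resolver = make_resolver(CONSTRUCTED_ZONE)
    inventory = ["www.brand.com", "shop.brand.com",
                 "dev-test-server.brand.com", "campaign-2022.brand.com"]
    for finding in audit(inventory, resolver):
        print(f"{finding['name']}: {finding['status']} via {' -> '.join(finding['chain'])}")
```

The inventory fed to audit() is the part that matters most: the check can only prune records it knows about, so it should be driven from a zone export rather than a hand-maintained list, which is exactly the gap the forgotten microsites described below fall into.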
Shadow IT
In the rush to stay competitive, departments outside of IT frequently spin up microsites or experimental tools. These assets are rarely cataloged. When the project team moves on, the forgotten subdomain becomes a ticking time bomb.
For attackers, subdomailing is the ultimate workaround for strong primary-domain DMARC policies. They no longer need to “spoof” your domain in the traditional sense. They are, for all intents and purposes, authorized to send from your infrastructure. This makes the emails nearly impossible for traditional filters to catch, as they carry the full weight of your organization’s hard-earned domain reputation.
Closing the windows
As we move deeper into 2026, the strategy for email defense must evolve from static policy-setting to active attack surface management. This means moving beyond a simple p=reject on the root and ensuring that sp=reject is explicitly declared. More importantly, it requires a continuous, automated audit of DNS records to prune dangling CNAMEs before they can be harvested.
The era of “set and forget” email security is over. If your organization hasn’t audited its subdomains in the last six months, you might already be unknowingly hosting a spam operation.
Need help with your DMARC setup?
Learn more about 101domain’s Managed DMARC Services and let us do the heavy lifting for you. We handle policy setup, monitoring, and reporting so you can rest easy knowing your emails are secure.
