
DNS Hygiene: Why Dangling Records Are a Silent Threat to Your Brand’s Reputation

In the world of email deliverability, discussions often focus on content quality, engagement metrics, and authentication protocols such as SPF, DKIM, and DMARC. However, an often-overlooked layer of email security lies deeper in the infrastructure: DNS.

This topic was explored in the CSA Live Webinar “DNS Hygiene: Dangling Records, Risks, and Mitigation,” initiated by DMARC Advisor.

If you would like to watch the full session, the webinar recording is available on YouTube.

The session was moderated by Patrick Koetter, Leader of the Competence Groups Anti-Abuse and Email at eco – Association of the Internet Industry, and featured contributions from Tom Kinstler (Chief Relationship Officer, Lexsynergy), Thomas Küchenthal (CTO, Lemarit), and Mo Zaman (Consultant, DMARC Advisor).

The discussion highlighted how so-called dangling DNS records can expose even well-known brands to phishing campaigns, reputation damage, and large-scale email abuse.

What Is DNS Dangling?

To understand the risk, it is helpful to first look at the role DNS plays on the internet. DNS is the lookup system that translates human-readable domain names into the data needed to reach a service: IP addresses, but also mail server (MX) names and the text records that carry SPF, DKIM and DMARC policy. Without it, users would need to remember numeric server addresses rather than domain names.

A common DNS record type used across cloud and SaaS environments is the CNAME (Canonical Name) record. A CNAME makes one name an alias for another: it tells resolvers not to look for the answer here but to restart the query at the canonical name. Because that substitution applies to every record type, not only addresses, whoever controls the canonical name effectively controls every answer given for the alias, including its TXT records.

This mechanism is widely used for external services such as cloud hosting, marketing platforms, analytics tools, and content delivery networks.

Problems arise when the external resource disappears while the DNS record remains in place.

DNS dangling (sometimes called orphaned DNS records) occurs when a DNS entry continues pointing to a destination that has been deleted, expired, or decommissioned. The DNS “signpost” still exists, but the service it once referenced is no longer under the organisation’s control.

If attackers discover such abandoned references, they may be able to register the expired domain or claim the abandoned resource name at the provider, and thereby take control of the associated subdomain without ever touching the organisation's own DNS.

The Anatomy of an Exploit

One example highlighted during the webinar involved a marketing campaign connected to the domain msn.com.

In the early 2000s, Microsoft and Martha Stewart launched an online campaign that used a dedicated campaign domain. A CNAME record linked a subdomain of msn.com to this campaign domain.

After the campaign ended, the domain registration eventually expired. However, the CNAME record pointing to it remained active.

Years later, attackers identified the dangling reference. By simply registering the expired campaign domain, they gained control over the associated MSN subdomain.

With that control, they were able to:

  • Publish their own SPF and DKIM records, which resolvers now returned for the MSN subdomain because its CNAME pointed into a zone the attackers controlled
  • Send large volumes of authenticated emails
  • Exploit the reputation of the msn.com domain

Because the messages appeared to originate from a trusted domain, they were far more likely to bypass spam filtering and reach recipients’ inboxes.

DNS Dangling and Email Authentication

DNS dangling becomes particularly dangerous in the context of email authentication.

Technologies such as SPF, DKIM, and DMARC rely entirely on DNS records. If attackers gain control over a subdomain through a dangling record, they may also be able to configure authentication settings for that domain.

In such scenarios, malicious emails can pass SPF and DKIM, and therefore DMARC, for that subdomain, because the records the checks consult are published by the attacker rather than by the organisation.

Another risk discussed in the webinar is SPF over-authorization. This occurs when organisations authorize large IP ranges from third-party providers that they no longer actively use.

If an IP address within those ranges is later assigned to another customer of the same provider, that customer can send mail that passes SPF validation for the original domain, with no takeover of any DNS record at all.

Combined with tactics such as snowshoeing—spreading email traffic across many IP addresses—this technique allows attackers to distribute large phishing campaigns while appearing technically legitimate.

The Business Impact

DNS dangling is not just a technical misconfiguration. It can have immediate operational and reputational consequences.

Subdomain takeovers and DNS abuse have been documented across industries, affecting even well-known brands and cybersecurity vendors. Once attackers gain control of a trusted subdomain, they can host phishing pages, redirect traffic, or distribute malicious content under the organisation’s brand.

The impact can include:

  • Reputation damage caused by large-scale phishing campaigns
  • Blocklisting or filtering by mailbox providers
  • Loss of email deliverability for legitimate business communication
  • Erosion of customer trust when attacks appear to originate from the brand itself

In severe cases, organisations may temporarily lose the ability to communicate with customers, partners, or suppliers via email while reputation issues are investigated and resolved.

Preventing Dangling DNS

The encouraging news is that most dangling DNS vulnerabilities are preventable. Exploiting them takes no sophisticated attacker; they are almost always the product of operational oversight rather than a technical flaw.

Several practical measures can significantly reduce the risk.

1. Implement DNS Lifecycle Management

Every DNS record should have a defined lifecycle. When cloud services, SaaS tools, or marketing campaigns are retired, associated DNS entries should be removed as part of the decommissioning process.

2. Regularly Audit DNS Records

DNS zones often grow over time as services are added or replaced. Regular reviews help identify outdated records, unused integrations, and unnecessary authorizations.
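
The check such a review needs, for the dangling CNAMEs described under "What Is DNS Dangling?" above, as an added example that is not the webinar's or DMARC Advisor's code. It walks a constructed zone export, follows each CNAME chain with a stand-in resolver, and asks whether the name the chain stops at still has a registered parent domain. The zone, the resolver answers and the registration data are all constructed so the script runs offline; in a real audit `lookup` would wrap a DNS client and `is_registered` an RDAP or WHOIS query, and `registrable_domain` would use the Public Suffix List.

```python
"""Dangling CNAME audit over a zone export.

Added example, not code from the webinar or its speakers. The zone, the
resolver answers and the registration data are constructed.
"""
from typing import Dict, List, Optional, Tuple

Record = Tuple[str, str, str]  # (owner name, record type, data)

# Constructed zone export for the hypothetical domain example.com.
ZONE: List[Record] = [
    ("www.example.com",    "A",     "192.0.2.10"),
    ("shop.example.com",   "CNAME", "shop-1234.saas-hosting.example"),   # live SaaS tenant
    ("promo.example.com",  "CNAME", "promo2009.campaign-site.example"),  # campaign domain lapsed
    ("cdn.example.com",    "CNAME", "d111.cdn-provider.example"),        # two-hop chain
    ("legacy.example.com", "CNAME", "old-app.example.com"),              # in-zone target deleted
]

# Constructed resolver view: name -> (type, data); names absent here answer NXDOMAIN.
ANSWERS: Dict[str, Tuple[str, str]] = {
    "shop-1234.saas-hosting.example": ("A", "198.51.100.7"),
    "d111.cdn-provider.example":      ("CNAME", "edge.cdn-provider.example"),
    "edge.cdn-provider.example":      ("A", "203.0.113.9"),
}

# Constructed registration data: registrable domains that still have a registrant.
REGISTERED = {"example.com", "saas-hosting.example", "cdn-provider.example"}


def lookup(name: str) -> Optional[Tuple[str, str]]:
    """Stand-in for a DNS query; returns None for NXDOMAIN."""
    return ANSWERS.get(name)


def registrable_domain(name: str) -> str:
    """Last two labels. A real audit must use the Public Suffix List instead."""
    return ".".join(name.rstrip(".").split(".")[-2:])


def is_registered(domain: str) -> bool:
    """Stand-in for an RDAP/WHOIS check."""
    return domain in REGISTERED


def follow_chain(name: str, max_hops: int = 8) -> Tuple[str, str]:
    """Follow CNAMEs from name; return (last name reached, outcome).

    outcome is 'resolves', 'nxdomain' (the last name has no answer) or 'loop'.
    """
    seen = set()
    current = name
    for _ in range(max_hops):
        if current in seen:
            return current, "loop"
        seen.add(current)
        answer = lookup(current)
        if answer is None:
            return current, "nxdomain"
        rtype, data = answer
        if rtype != "CNAME":
            return current, "resolves"
        current = data
    return current, "loop"


def audit(zone: List[Record]) -> List[Dict[str, str]]:
    """Return one finding per CNAME whose chain does not end at a live record."""
    findings = []
    for owner, rtype, target in zone:
        if rtype != "CNAME":
            continue
        last, outcome = follow_chain(target)
        if outcome == "resolves":
            continue
        domain = registrable_domain(last)
        if outcome == "nxdomain" and not is_registered(domain):
            # Anyone can register the domain and become authoritative for owner.
            severity, reason = "critical", f"target domain {domain} is unregistered"
        elif outcome == "nxdomain":
            # Domain still registered, but the specific name is gone: on a shared
            # provider another tenant may be able to claim it.
            severity, reason = "high", f"target name {last} does not exist"
        else:
            severity, reason = "medium", f"CNAME chain does not terminate ({outcome})"
        findings.append({"owner": owner, "target": target,
                         "severity": severity, "reason": reason})
    return findings


if __name__ == "__main__":
    for f in audit(ZONE):
        print(f"{f['severity']:8} {f['owner']} -> {f['target']}: {f['reason']}")
```

The two severities matter in practice: an unregistered target domain is the msn.com case and can be fixed only by deleting the record (or registering the domain yourself), while a missing name under a registered provider domain needs a check of whether that provider lets a new tenant claim arbitrary names.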

3. Maintain Tight SPF Configuration

SPF records should authorize only the infrastructure that is actively sending email. Limiting includes and unnecessary IP ranges reduces the risk of unauthorized sending, and it also keeps the record within the limit of ten DNS-querying mechanisms that RFC 7208 imposes, beyond which receivers treat the record as a permanent error.
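
An added example (not from the webinar) that makes the over-authorization discussed under "DNS Dangling and Email Authentication" measurable, and that is the check behind this measure: it expands a constructed SPF record through its include: chain, counts the IPv4 space it authorizes, flags prefixes broader than an assumed threshold, counts DNS-querying mechanisms against the RFC 7208 limit, and reports which part of the record would let a given source address pass. The domains, TXT records and thresholds are constructed; a real check would query DNS in `txt_lookup`.

```python
"""SPF over-authorization check: expand a record and measure what it authorizes.

Added example, not code from the webinar or DMARC Advisor. TXT answers and
thresholds are constructed.
"""
import ipaddress
from typing import Dict, List, Optional, Tuple, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# Constructed TXT answers for hypothetical domains; names absent here have no SPF record.
TXT: Dict[str, str] = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 include:_spf.mailer.example "
                   "include:spf.old-crm.example -all",
    "_spf.mailer.example": "v=spf1 ip4:198.51.100.0/24 ip6:2001:db8::/32 -all",
    # Former CRM provider: a whole /16 the organisation no longer sends from.
    "spf.old-crm.example": "v=spf1 ip4:203.0.0.0/16 ~all",
}

BROAD_V4 = 20   # assumed policy: flag IPv4 prefixes shorter than /20
BROAD_V6 = 32   # assumed policy: flag IPv6 prefixes shorter than /32
MAX_LOOKUPS = 10  # RFC 7208 section 4.6.4 limit on DNS-querying mechanisms


def txt_lookup(name: str) -> str:
    """Stand-in for a TXT query."""
    return TXT.get(name, "")


def expand(domain: str, _depth: int = 0) -> Tuple[List[Tuple[str, Network]], int]:
    """Return [(domain that authorized it, network), ...] and the DNS lookups consumed.

    Only include: is expanded; a, mx, exists, ptr and redirect= are counted as
    lookups but not resolved, since that would need live DNS.
    """
    if _depth > MAX_LOOKUPS:          # guard against include loops
        return [], 0
    record = txt_lookup(domain)
    if not record.startswith("v=spf1"):
        return [], 0
    networks: List[Tuple[str, Network]] = []
    lookups = 0
    for term in record.split()[1:]:
        qualifier = term[0] if term[0] in "+-~?" else "+"
        mech = term.lstrip("+-~?")
        name = mech.split(":", 1)[0].split("/", 1)[0].lower()
        if name in ("ip4", "ip6"):
            if qualifier == "+":      # only a pass qualifier authorizes the range
                networks.append((domain, ipaddress.ip_network(mech.split(":", 1)[1], strict=False)))
        elif name == "include":
            lookups += 1
            sub_networks, sub_lookups = expand(mech.split(":", 1)[1], _depth + 1)
            networks.extend(sub_networks)
            lookups += sub_lookups
        elif name in ("a", "mx", "exists", "ptr") or mech.startswith("redirect="):
            lookups += 1
        # 'all' and unknown terms need no lookup
    return networks, lookups


def report(domain: str) -> Dict[str, object]:
    """Summarise how much address space the record authorizes and how many lookups it costs."""
    networks, lookups = expand(domain)
    return {
        "ipv4_addresses": sum(n.num_addresses for _, n in networks if n.version == 4),
        "broad_prefixes": [(src, str(n)) for src, n in networks
                           if n.prefixlen < (BROAD_V4 if n.version == 4 else BROAD_V6)],
        "dns_lookups": lookups,
        "over_lookup_limit": lookups > MAX_LOOKUPS,
    }


def authorized_by(domain: str, ip: str) -> Optional[str]:
    """Which domain's SPF terms would let ip pass for domain, or None if none would."""
    addr = ipaddress.ip_address(ip)
    for src, net in expand(domain)[0]:
        if addr.version == net.version and addr in net:
            return src
    return None


if __name__ == "__main__":
    print(report("example.com"))
    print(authorized_by("example.com", "203.0.113.5"))
```

Run against the constructed records, the report shows that the stale include contributes almost all of the authorized IPv4 space, and `authorized_by` traces an address in that /16 back to spf.old-crm.example, which is the line to delete.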

4. Monitor Authentication Data

DMARC reports can provide valuable insight into unexpected sending sources or unusual traffic patterns. Sudden increases in email volume from unknown infrastructure may indicate abuse.
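
What that monitoring looks like in code, as an added example that is not the webinar's or DMARC Advisor's: it parses a constructed DMARC aggregate (RUA) report in the RFC 7489 XML format and flags any source that passes authentication but is not in an assumed inventory of the organisation's sending infrastructure. That combination, authenticated but not ours, is exactly what a taken-over subdomain or an over-authorized SPF range produces. The report, the IP addresses and the inventory are constructed.

```python
"""Triage of a DMARC aggregate (RUA) report against an inventory of known senders.

Added example, not the webinar's or DMARC Advisor's code. REPORT_XML is a
constructed report and KNOWN_SENDERS an assumed inventory for example.com.
"""
import ipaddress
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional

# Assumed inventory of infrastructure that legitimately sends for example.com.
KNOWN_SENDERS = {
    "corporate mail": ipaddress.ip_network("192.0.2.0/24"),
    "newsletter provider": ipaddress.ip_network("198.51.100.0/24"),
}

# Constructed aggregate report: one day, three sources, in the RFC 7489 appendix C layout.
REPORT_XML = """<?xml version="1.0"?>
<feedback>
  <report_metadata>
    <org_name>mailbox-provider.example</org_name>
    <report_id>1234567890</report_id>
    <date_range><begin>1700000000</begin><end>1700086399</end></date_range>
  </report_metadata>
  <policy_published>
    <domain>example.com</domain><adkim>r</adkim><aspf>r</aspf>
    <p>reject</p><sp>quarantine</sp><pct>100</pct>
  </policy_published>
  <record>
    <row><source_ip>192.0.2.25</source_ip><count>1200</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results><dkim><domain>example.com</domain><result>pass</result></dkim>
      <spf><domain>example.com</domain><result>pass</result></spf></auth_results>
  </record>
  <record>
    <row><source_ip>203.0.113.77</source_ip><count>48000</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>promo.example.com</header_from></identifiers>
    <auth_results><dkim><domain>promo.example.com</domain><result>pass</result></dkim>
      <spf><domain>promo.example.com</domain><result>pass</result></spf></auth_results>
  </record>
  <record>
    <row><source_ip>198.18.5.9</source_ip><count>300</count>
      <policy_evaluated><disposition>reject</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results><spf><domain>example.com</domain><result>fail</result></spf></auth_results>
  </record>
</feedback>
"""


def parse_report(xml_text: str) -> List[Dict[str, object]]:
    """One row per <record>: source IP, message count, From domain and evaluated results."""
    root = ET.fromstring(xml_text)
    rows = []
    for rec in root.findall("record"):
        row = rec.find("row")
        evaluated = row.find("policy_evaluated")
        rows.append({
            "source_ip": row.findtext("source_ip"),
            "count": int(row.findtext("count")),
            "header_from": rec.findtext("identifiers/header_from"),
            "dkim": evaluated.findtext("dkim"),
            "spf": evaluated.findtext("spf"),
            "disposition": evaluated.findtext("disposition"),
        })
    return rows


def known_source(ip: str) -> Optional[str]:
    """Name of the inventory entry covering ip, or None."""
    addr = ipaddress.ip_address(ip)
    for name, network in KNOWN_SENDERS.items():
        if addr in network:
            return name
    return None


def triage(rows: List[Dict[str, object]]) -> List[Dict[str, object]]:
    """Attach the inventory match, a flag and the share of total volume to each row."""
    total = sum(row["count"] for row in rows)
    findings = []
    for row in rows:
        source = known_source(row["source_ip"])
        authenticated = "pass" in (row["dkim"], row["spf"])
        if source is None and authenticated:
            # Passes DMARC yet is not ours: the signature of a taken-over subdomain
            # or an over-authorized SPF range, and the case to investigate first.
            flag = "authenticated-unknown-source"
        elif source is None:
            flag = "unauthenticated-unknown-source"  # plain spoofing; the published policy handles it
        else:
            flag = "known"
        findings.append({**row, "source": source, "flag": flag,
                         "share": round(row["count"] / total, 3)})
    return sorted(findings, key=lambda f: f["count"], reverse=True)


if __name__ == "__main__":
    for f in triage(parse_report(REPORT_XML)):
        print(f"{f['source_ip']:>15} {f['count']:>7} {f['share']:>6} {f['header_from']:<20} {f['flag']}")
```

In the constructed report the unknown source sending as promo.example.com accounts for about 97% of the day's volume and passes both SPF and DKIM, so a reject policy does nothing against it; the flag, not the disposition column, is what surfaces the problem.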

5. Use Shorter TTL Values

Shorter DNS time-to-live (TTL) values allow changes to propagate more quickly across the internet. This enables a faster response once a record has been corrected or removed; it does not shrink the exposure of a dangling record that nobody removes, so it complements the audit above rather than replacing it.


Key Takeaways

To reduce the risk of dangling DNS vulnerabilities, organisations should focus on five core practices:

  • Define clear DNS policies and processes to control how records are created, modified, and removed.
  • Ensure processes are consistently followed, particularly when decommissioning SaaS services, campaigns, or cloud infrastructure.
  • Regularly review DNS zones to identify outdated or unused records.
  • Continuously monitor DNS infrastructure, including authentication data such as DMARC reports.
  • Protect your brand online by maintaining strong DNS hygiene and preventing opportunities for domain or subdomain abuse.


DNS Hygiene as a Foundation of Trust

DNS is often invisible to end users, yet it underpins nearly every digital interaction—from web access to email authentication.

Dangling DNS records demonstrate how small operational gaps can evolve into significant security and reputation risks. A single forgotten entry may allow attackers to impersonate trusted domains, launch phishing campaigns, and damage brand credibility.

For organisations that rely on email as a core communication channel, DNS hygiene is not just an infrastructure task; it is a fundamental requirement for maintaining deliverability, trust, and long-term sender reputation.

If you have further questions about DNS hygiene or dangling DNS records, feel free to reach out to the webinar speakers or get in touch with the CSA team.
