When Vendors Control Your DNS: A Hidden DMARC Security Risk

January 26, 2026

A marketing vendor managing DNS refused to remove their DMARC record on a sending subdomain, redirecting DMARC reports to third parties and blocking our visibility into that email traffic. While the root domain remains monitored, the subdomain becomes a blind spot, creating security and data exposure risks. A reminder that DNS and DMARC ownership should never be delegated without clear controls.

A 3rd party has deliberately blocked our ability to monitor DMARC reports for email sent from OUR domain.

DNS is managed by a marketing vendor, who claims this control is required for the website and ad to function correctly. This vendor is sending email traffic from a subdomain via Mailgun.

While DMARC for the root domain is configured and delivers aggregate reports to us, the vendor refuses to remove the DMARC configuration on the subdomain, stating that doing so would “break” their email setup.

As a result, DMARC data for our domain is being redirected to 3rd party providers without our authorization, while we are prevented from accessing visibility into the subdomain’s email performance, authentication results, and security posture.

This creates a data exposure risk, as DMARC telemetry related to our domain is disclosed to external parties without consent. It also reduces our ability to protect the organization from domain abuse.

Revoking DNS / NS delegation would disrupt the website, marketing, and rev-gen systems...

A good reminder to choose vendors carefully, as security risks often originate outside the organization.
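The blind spot described above comes from how receivers pick a DMARC record: a record published at `_dmarc.<subdomain>` replaces the root domain's record for that subdomain, including its `rua` report destinations. The following audit sketch is an added example, not code from this post; `example.com`, the vendor domains, and the TXT records are constructed stand-ins, and it works on an inline zone snapshot rather than live DNS.

```python
# Constructed sample data: example.com stands in for the organisation's domain;
# the TXT records and vendor domains are illustrative, not taken from the post.
ZONE = {
    "_dmarc.example.com": "v=DMARC1; p=reject; rua=mailto:dmarc@example.com",
    "_dmarc.mail.example.com": "v=DMARC1; p=none; rua=mailto:agg@reports.vendor.example,mailto:x@thirdparty.example",
}
OWNED = {"example.com"}  # domains whose mailboxes the organisation controls

def parse_dmarc(txt):
    """Split a DMARC TXT record into a tag -> value dict ({} if not DMARC)."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags if tags.get("v") == "DMARC1" else {}

def effective_record(sending_domain, org_domain, zone):
    """Return (record name, tags) that receivers apply to sending_domain."""
    # The subdomain's own record wins; the root record is only a fallback.
    for name in (f"_dmarc.{sending_domain}", f"_dmarc.{org_domain}"):
        tags = parse_dmarc(zone.get(name, ""))
        if tags:
            return name, tags
    return None, {}

def report_domains(tags):
    """Domains of the mailto: URIs listed in the rua tag."""
    out = []
    for uri in tags.get("rua", "").split(","):
        uri = uri.strip().split("!", 1)[0]  # drop the optional size limit
        if uri.lower().startswith("mailto:") and "@" in uri:
            out.append(uri.rsplit("@", 1)[1].lower())
    return out

def audit(sending_domain, org_domain, zone, owned):
    """Summarise who receives aggregate reports for sending_domain."""
    name, tags = effective_record(sending_domain, org_domain, zone)
    policy = tags.get("p")
    if name == f"_dmarc.{org_domain}" and sending_domain != org_domain:
        policy = tags.get("sp", policy)  # sp overrides p for subdomains
    domains = report_domains(tags)
    is_owned = lambda d: any(d == o or d.endswith("." + o) for o in owned)
    return {"record": name, "policy": policy,
            "external": [d for d in domains if not is_owned(d)],
            "owner_receives": any(is_owned(d) for d in domains)}

if __name__ == "__main__":
    print(audit("mail.example.com", "example.com", ZONE, OWNED))
```

A result with a non-empty `external` list and `owner_receives` set to false is the situation in this post: reports for the subdomain leave the organization and none come back to it.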
