DMARC has changed email security. When a domain is at enforcement, attackers can’t send email that impersonates that domain and have it land in inboxes. That’s not a small thing, either. Exact-domain spoofing was one of the most effective phishing techniques available, and DMARC largely shut it down.
The problem is that attackers are persistent (and adaptable).
Now that exact-domain spoofing is harder, phishing campaigns have moved to methods that DMARC was never designed to address:
- Lookalike domains
- Display name impersonation
- Compromised third-party accounts
These attacks don’t trigger DMARC failures because they’re not using your domain. They’re just using something close enough to fool a distracted person checking email between meetings.
This is the gap that inbound protection addresses. It doesn’t replace what DMARC does (because that’s still necessary), but it covers the territory DMARC was never built to cover.
How inbound threats have evolved
The shift in attacker behavior tracks almost directly with the rise of DMARC enforcement. As more organizations locked down their domains, the methods that relied on exact-domain spoofing became less viable.
Unfortunately, the methods that replaced it are more sophisticated: they exploit the parts of email security that are harder to automate and standardize.
Lookalike domains: the attack vector DMARC doesn’t touch
A lookalike domain is a domain that’s been registered to closely resemble a legitimate one. Think valirnail.com instead of valimail.com, or valimail-support.com instead of valimail.com. To a casual reader, especially in a mobile inbox where the full address is truncated, these can be nearly indistinguishable from the real thing.
Because the email is being sent from a legitimately registered domain (just not yours), DMARC has no reason to flag it. The sending domain may even have its own SPF and DKIM records in place, which means it passes authentication checks at the receiving server.
The attack is technically clean. The only problem is the intent behind it.
Lookalike domains are effective for targeted attacks against your employees, vendors, and customers. An attacker who registers a convincing lookalike can impersonate your finance team, IT helpdesk, or executive leadership, and the email will arrive looking authenticated.
That’s a massive risk that lives entirely outside the perimeter that DMARC protects.
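A classifier for the resemblance patterns described above (homoglyph swap, TLD swap, brand label embedded in a longer name, one-character typo), added here as an illustration and not Valimail's detection code; the confusable table and the protected-domain list are assumptions:

```python
# Lookalike-domain classifier (added illustration, not Valimail's detection code).
# It compares an observed sender domain against protected brand domains and
# labels the kind of resemblance: homoglyph swap, TLD swap, brand label embedded
# in a longer name, or a one-character typo. The confusable table is an assumption.
import re

PROTECTED = ["valimail.com"]                      # domains we defend (example)
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]

def normalize(label: str) -> str:
    """Collapse visually confusable sequences so valirnail -> valimail."""
    label = label.lower()
    for src, dst in CONFUSABLES:
        label = label.replace(src, dst)
    return label

def levenshtein(a: str, b: str) -> int:
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def registrable(domain: str) -> str:
    # Last two labels; a real deployment would consult the public suffix list.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def classify(sender_domain: str, protected=PROTECTED) -> str:
    sender = registrable(sender_domain)
    if "." not in sender:
        return "unrelated"
    s_label, _ = sender.split(".", 1)
    for good in protected:
        g_label, _ = good.split(".", 1)
        if sender == good:
            return "exact"            # your own domain: this is DMARC's territory
        if s_label == g_label:
            return "tld-swap"         # valimail.co instead of valimail.com
        if normalize(s_label) == normalize(g_label):
            return "homoglyph"        # valirnail.com (rn read as m)
        if re.search(rf"(^|[.-]){re.escape(g_label)}([.-]|$)", sender_domain.lower()):
            return "brand-embedded"   # valimail-support.com, valimail.evil.example
        if levenshtein(s_label, g_label) <= 1:
            return "typo"             # vallmail.com
    return "unrelated"
```

Run over the sender domains observed in inbound mail, anything other than "exact" or "unrelated" is a candidate for the review and takedown workflow described later in this article.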
Why secure email gateways have blind spots
Secure email gateways (SEGs) scan links, analyze attachments, apply reputation-based filtering, and catch known threat patterns before they reach your employees.
But SEGs are fundamentally pattern-matching systems.
They compare inbound mail against known threat signatures, reputation databases, and behavioral models. The challenge is that lookalike domain attacks, by their nature, often don’t match existing patterns. A newly registered lookalike domain has no reputation history. A well-crafted phishing email with no malicious links or attachments gives the gateway very little to work with.
This isn’t a criticism of SEGs, though. They’re great (and very important), but they’re ultimately built to catch known threats and suspicious patterns. They’re less effective at catching a clean, well-crafted email sent from a domain that was registered last week specifically to target your organization.
That’s a different kind of problem, and it requires a different kind of visibility.
MTA-STS and why secure mail transport matters
MTA-STS (Mail Transfer Agent Strict Transport Security) is a standard that allows your domain to declare that inbound email should be delivered over encrypted connections, and that mail servers should refuse to deliver if encryption isn’t available. Without MTA-STS, email in transit to your organization can be vulnerable to downgrade attacks, where a bad actor intercepts the connection and forces it to fall back to an unencrypted channel.
It’s the kind of risk that’s easy to overlook because it’s invisible in normal operations.
Mail arrives, everything looks fine, and there’s no indication that the delivery path was anything other than secure. MTA-STS enforces the security you intend to have, rather than assuming it’s happening by default.
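To make the mechanism concrete, the following added example (not Valimail's tooling) parses the two MTA-STS artifacts defined in RFC 8461, the `_mta-sts` TXT record and the policy file, and applies the sender-side decision under `mode: enforce`; example.com, its records and the MX hostnames are constructed, and certificate validation is left out.

```python
# MTA-STS policy check, added as an illustration (not Valimail's tooling).
# It parses the _mta-sts TXT record and policy file formats from RFC 8461 and
# applies the sender-side rule the article describes: under mode=enforce, an MX
# host not listed in the policy or a session without TLS means no delivery.
TXT_RECORD = "v=STSv1; id=20240101T000000"     # constructed TXT at _mta-sts.example.com
POLICY_FILE = (                                 # https://mta-sts.example.com/.well-known/mta-sts.txt
    "version: STSv1\nmode: enforce\n"
    "mx: mail.example.com\nmx: *.backup.example.com\nmax_age: 604800\n"
)

def parse_txt(txt: str) -> dict:
    fields = dict(kv.strip().split("=", 1) for kv in txt.split(";") if kv.strip())
    if fields.get("v") != "STSv1" or not fields.get("id"):
        raise ValueError("not a valid MTA-STS TXT record")
    return fields

def parse_policy(text: str) -> dict:
    policy = {"mx": []}
    for line in text.splitlines():
        key, _, value = line.partition(":")
        if key.strip() == "mx":
            policy["mx"].append(value.strip().lower())
        elif key.strip():
            policy[key.strip()] = value.strip()
    if policy.get("version") != "STSv1" or policy.get("mode") not in ("enforce", "testing", "none"):
        raise ValueError("malformed MTA-STS policy")
    policy["max_age"] = int(policy["max_age"])
    return policy

def mx_matches(mx_host: str, patterns) -> bool:
    host = mx_host.lower().rstrip(".")
    for p in patterns:
        if p.startswith("*."):                  # wildcard covers exactly one leading label
            prefix = host[: -len(p[1:])] if host.endswith(p[1:]) else ""
            if prefix and "." not in prefix:
                return True
        elif host == p:
            return True
    return False

def delivery_allowed(mx_host: str, tls_ok: bool, txt=TXT_RECORD, policy_text=POLICY_FILE):
    """Sender-side decision for one MX: (deliver?, reason). Certificate checks omitted."""
    parse_txt(txt)                              # confirms a policy is advertised at all
    policy = parse_policy(policy_text)
    if mx_matches(mx_host, policy["mx"]) and tls_ok:
        return True, "MX listed in policy and TLS negotiated"
    if policy["mode"] == "enforce":
        return False, "policy not satisfied: refuse delivery instead of downgrading"
    return True, f"policy not satisfied but mode={policy['mode']}: deliver and report"
```

The `testing` branch is what makes a staged rollout safe: senders keep delivering but report the mismatch, so the policy can be corrected before switching to `enforce`.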
How Valimail closes the inbound visibility gap
Closing inbound blind spots requires a different kind of data than what DMARC reports provide. You need visibility into what’s actually arriving in your employees’ inboxes, and the ability to identify threat patterns before they result in a successful attack.
Mailbox connectors and Helios
Valimail’s mailbox connectors (part of Helios, Valimail’s patented service identification technology) integrate directly with Microsoft 365 and Google Workspace to provide visibility into inbound email activity that no external monitoring system can see.
Through a read-only API connection, Helios parses email headers from inbound messages to identify services sending into your environment on behalf of your domain. This includes internal-only sending services (like payroll platforms, HR systems, or internal IT tools) that send email to your employees but never appear in external DMARC reports.
These are the services that could be blocked when a domain moves to enforcement, and the ones that most DMARC solutions are completely blind to.
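The header parsing described here can be illustrated with a small inventory script, an added example that is not Helios or Valimail code: it pulls the From domain, the DKIM signing domain and the Authentication-Results verdicts from constructed sample messages (example.com is the assumed protected domain) and flags the unaligned internal-only senders that would be blocked once the domain reaches enforcement.

```python
# Inbound-header inventory, added to illustrate the kind of parsing a mailbox
# connector performs (this is not Helios or Valimail code). From each message it
# takes the From domain, the DKIM signing domain (d=) and the SPF/DKIM/DMARC
# verdicts in Authentication-Results, groups senders by those identities, and
# flags services that use your domain yet fail DMARC: the internal-only senders
# that break at p=reject and never appear in external reports. Samples are constructed.
import re
from collections import defaultdict
from email import message_from_string
from email.utils import parseaddr

ORG_DOMAIN = "example.com"                                # assumed protected domain
SAMPLES = [                                               # constructed header blocks
    "From: Payroll <payroll@example.com>\n"
    "DKIM-Signature: v=1; a=rsa-sha256; d=payrollvendor.test; s=s1; h=from; bh=x; b=y\n"
    "Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=bounce.payrollvendor.test;"
    " dkim=pass header.d=payrollvendor.test; dmarc=fail header.from=example.com\n",
    "From: IT <it@example.com>\n"
    "DKIM-Signature: v=1; a=rsa-sha256; d=example.com; s=s1; h=from; bh=x; b=y\n"
    "Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.com;"
    " dkim=pass header.d=example.com; dmarc=pass header.from=example.com\n",
    "From: IT Helpdesk <help@example-support.test>\n"      # lookalike: authenticates cleanly
    "DKIM-Signature: v=1; a=rsa-sha256; d=example-support.test; s=s1; h=from; bh=x; b=y\n"
    "Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example-support.test;"
    " dkim=pass header.d=example-support.test; dmarc=pass header.from=example-support.test\n",
]

def parse_message(raw: str) -> dict:
    msg = message_from_string(raw)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    dkim_d = None
    for sig in msg.get_all("DKIM-Signature", []):
        m = re.search(r"(?:^|;)\s*d=([^;\s]+)", sig)
        dkim_d = m.group(1).lower() if m else dkim_d
    verdicts = dict(re.findall(r"\b(spf|dkim|dmarc)=(\w+)", msg.get("Authentication-Results", "")))
    return {"from": from_domain, "dkim_d": dkim_d, **verdicts}

def inventory(raws=SAMPLES, org=ORG_DOMAIN) -> dict:
    """Map (From domain, DKIM d=) -> counts, marking senders that would break at enforcement."""
    services = defaultdict(lambda: {"messages": 0, "blocked_at_enforcement": False})
    for raw in raws:
        r = parse_message(raw)
        entry = services[(r["from"], r["dkim_d"] or "(unsigned)")]
        entry["messages"] += 1
        if r["from"] == org and r.get("dmarc") != "pass":
            entry["blocked_at_enforcement"] = True      # uses your domain but is unaligned
    return dict(services)
```

Note that the third sample, the lookalike sender, passes every authentication check for its own domain and is not flagged here; that is exactly the gap the earlier sections describe, and why identity-based detection has to sit beside this inventory.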
Beyond service identification, Valimail’s inbound detection surfaces active threats targeting your organization. The Active Threats dashboard shows you:
- Lookalike domains that have been detected sending to your employees
- How many recipients have been targeted
- When the activity was first observed
Rather than finding out about a lookalike campaign after someone clicks a link, you get visibility into the threat as it’s developing — with the ability to report domains for takedown, flag them for your SEG, or add them to your monitoring list.
This is where Valimail and your SEG work together.
The SEG filters what it can see. Valimail surfaces the identity-based threats that the SEG doesn’t have the context to catch, such as lookalike domains, impersonation patterns, and inbound services that wouldn’t otherwise appear in your reporting.
Together, they cover the full picture in a way that neither can alone.
MTA-STS enforcement fits into this same framework. Valimail helps you implement and maintain MTA-STS so that your intended security is actually applied instead of simply assumed.
See what’s targeting your organization
Valimail Monitor gives you free visibility into your domain’s authentication status and the services sending on your behalf. It’s a good starting point for understanding your current exposure. Sign up for free to get started.
And for teams that want active threat detection, lookalike domain monitoring, and mailbox connector visibility, Valimail Enforce goes further to give you inbound protection that DMARC alone was never designed to provide.
Frequently asked questions
Does DMARC protect against lookalike domain attacks?
No. DMARC is designed to prevent exact-domain spoofing. Lookalike domain attacks use a different domain that closely resembles yours, which means DMARC has no grounds to flag them. Catching these attacks requires a different kind of visibility into inbound email activity. You can find lookalike domains for your organization with Valimail’s free lookalike domain checker.
Do I still need a secure email gateway if I have Valimail?
Yes, and we’d never suggest otherwise. SEGs and Valimail address different parts of the inbound threat landscape. SEGs are effective at filtering known threats, malicious attachments, and suspicious links. Valimail surfaces identity-based threats (lookalike domains, impersonation attempts, and inbound sending services) that SEGs don’t have the context to catch.
What is MTA-STS, and do I need it?
MTA-STS is a standard that tells sending mail servers to deliver email to your domain over encrypted connections only. Without it, your inbound mail is potentially vulnerable to downgrade attacks that force delivery over unencrypted channels. It’s one of those requirements that’s easy to overlook because everything appears to work without it, but it closes a real gap in how securely email actually reaches your organization.
What are mailbox connectors, and how do they work?
Valimail’s mailbox connectors integrate directly with Microsoft 365 and Google Workspace via a read-only API connection. They parse inbound email headers to identify services sending into your environment and include internal-only senders that never appear in external DMARC reports. This gives you visibility into your full email ecosystem.
How does Valimail detect lookalike domains?
Valimail’s inbound detection continuously monitors for domains that closely resemble yours and have been observed sending email to your employees. When a lookalike domain is detected, it appears in the Active Threats dashboard with information about how many recipients were targeted and when the activity started. From there, you can report the domain for takedown, flag it for your SEG, or add it to your monitoring list.
