Summary: Lookalike phishing domains and typosquatting attacks are becoming one of the biggest gaps in modern email security. While DMARC helps prevent unauthorized use of legitimate domains, it cannot detect attacker-owned infrastructure, making phishing domain detection and proactive domain disruption critical for modern digital risk protection.
You’ve implemented DMARC. Your domain is protected.
So why are attackers still successfully impersonating your brand? It’s a question we hear often.
In conversations with security and fraud leaders across industries, a consistent pattern has emerged: even as organizations strengthen email authentication, phishing campaigns continue to grow — and attackers are finding new ways to bypass traditional controls.
One practitioner from a financial services security team shared in a recent conversation with Netcraft that, even with mature email security programs, including DMARC and inbound filtering, they continue to see phishing campaign volumes growing.
Phishing isn’t declining as email authentication improves. Instead, attackers have shifted tactics, relying more heavily on attacker-owned infrastructure designed to appear legitimate from the start.
What DMARC Actually Protects (and What It Doesn’t)
DMARC has become a foundational part of modern email security for good reason. Combined with SPF and DKIM, it helps organizations verify whether messages claiming to come from their domain are actually authorized.
At a high level, DMARC serves two important purposes:
It authenticates senders using your domain
It prevents unauthorized use of your domain in email
For organizations struggling with email spoofing, that’s a meaningful improvement. DMARC reduces abuse of legitimate domains and gives security teams greater control over outbound email authentication.
Many organizations also face operational challenges with DMARC itself — gaining visibility into enforcement coverage, identifying misconfigurations, and understanding how authentication policies are applied across complex domain portfolios. Capabilities such as DMARC visualization and enforcement monitoring can help security teams strengthen email authentication posture and reduce exposure from unauthorized domain use.
But there’s an important limitation that often gets overlooked. DMARC only protects domains you already own and manage.
It does not stop attackers from registering entirely new domains designed to impersonate your brand. It cannot prevent newly registered domains, typosquatting domains, or brand impersonation infrastructure from being created and weaponized against customers, employees, or partners.
KEY TAKEAWAY: DMARC protects domains you control. Attackers target the brand identity those domains represent.
The Rise of Lookalike Domains as the Major Attack Vector
Attackers increasingly rely on attacker-owned infrastructure that appears legitimate both to users and to security controls.
Now, instead of impersonating brands through spoofed email alone, threat actors increasingly create infrastructure that looks legitimate from the start — registering deceptive domains, configuring email authentication correctly, and building phishing campaigns designed to blend into trusted digital environments.
These lookalike domains take many forms.
Some are classic typosquatting domains, where small visual changes are introduced to mimic a legitimate brand. A common example is replacing an “L” with a capital “I” to create a convincing fake domain such as paypaI.com.
Others combine brand names with keywords that imply urgency or legitimacy, such as customer support, account verification, or billing-related language. Regional variations are also increasingly common, using geography-specific naming conventions to appear more credible to localized audiences.
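The naming patterns described above (homoglyph substitution such as the capital "I" for "l" in paypaI.com, single-character typos, brand-plus-keyword and brand-plus-region names) can be checked mechanically against a registration feed. The following is an added example written for this page, not Netcraft's code or tooling; the brand list, owned-domain set, keyword and region lists and the NEWLY_REGISTERED feed are constructed sample data. It folds visually confusable characters into a comparison "skeleton" (the idea behind Unicode's confusable detection) and then compares the leftmost label of each candidate with each protected brand.

```python
"""Naming-based lookalike detection for a defender's own brands.

Added example, not Netcraft code. BRANDS, OWNED, KEYWORDS, REGIONS and the
NEWLY_REGISTERED feed below are constructed sample data, not a real feed.
"""
import unicodedata
from typing import Optional, Tuple

BRANDS = ["paypal", "examplebank"]               # assumed protected brands
OWNED = {"paypal.com", "examplebank.com"}         # assumed legitimately owned domains
KEYWORDS = ["support", "secure", "login", "verify", "billing", "account"]
REGIONS = ["uk", "us", "de", "fr", "au"]

# Visually confusable sequences folded to one canonical form, in the spirit of
# the Unicode confusable "skeleton" (UTS #39). Illustrative, not exhaustive.
# DNS is case-insensitive, so the article's paypaI.com is paypai.com on the
# wire: the trick works on the reader, not on the resolver, which is why the
# fold maps both "i" and "1" onto "l" before comparing.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("1", "l"), ("i", "l"), ("0", "o")]


def skeleton(label: str) -> str:
    """Fold a domain label to the string a human would most likely read it as."""
    s = unicodedata.normalize("NFKC", label).lower()
    for glyphs, canonical in CONFUSABLES:
        s = s.replace(glyphs, canonical)
    return s


KEYWORD_SKELETONS = [skeleton(k) for k in KEYWORDS]


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: insert/delete/substitute plus one
    adjacent transposition, so 'payapl' is one step away from 'paypal'."""
    rows = [list(range(len(b) + 1))]
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cost = min(rows[-1][j] + 1, cur[j - 1] + 1, rows[-1][j - 1] + (ca != cb))
            if i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                cost = min(cost, rows[-2][j - 2] + 1)
            cur.append(cost)
        rows.append(cur)
    return rows[-1][-1]


def classify(domain: str) -> Optional[Tuple[str, str]]:
    """Return (brand, reason) when the leftmost label of `domain` imitates a
    protected brand, else None. Only the leftmost label is examined, so a brand
    used as the first label of an attacker-controlled host is also caught.
    Assumption: the feed supplies bare host names without scheme or path."""
    if domain.lower() in OWNED:
        return None
    label = domain.split(".")[0]
    sk = skeleton(label)
    for brand in BRANDS:
        bs = skeleton(brand)
        if label.lower() == brand:
            return brand, "tld-or-subdomain"     # brand label under a foreign TLD or host
        if sk == bs:
            return brand, "homoglyph"            # paypaI.com, paypa1.com
        if osa_distance(sk, bs) == 1:
            return brand, "typosquat"            # payapl, paypl
        if bs in sk:
            rest = sk.replace(bs, "", 1).strip("-_")
            if rest in REGIONS:
                return brand, "regional"         # paypal-uk
            if any(k in rest for k in KEYWORD_SKELETONS):
                return brand, "brand-keyword"    # paypa1-support
            return brand, "brand-token"
    return None


def triage(feed):
    """Map each flagged domain in a registration feed to its (brand, reason)."""
    verdicts = {d: classify(d) for d in feed}
    return {d: v for d, v in verdicts.items() if v is not None}


NEWLY_REGISTERED = [  # constructed sample of newly registered names
    "paypaI.com", "paypa1-support.example", "secure-paypal-login.example",
    "paypal-uk.example", "payapl.example", "paypal.com.account-check.example",
    "examplebank.com", "weather-today.org",
]

if __name__ == "__main__":
    for domain, (brand, reason) in triage(NEWLY_REGISTERED).items():
        print(f"{domain:34} imitates {brand:12} via {reason}")
```

The skeleton fold is deliberately aggressive (every "i" becomes "l"), which is acceptable here because it is only used for comparison against a short brand list, never for display; a production feed would pair it with the registrable-domain boundary from the public suffix list rather than the first-label shortcut used above.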
As one security leader described when reviewing a phishing campaign, attackers are no longer relying on basic spoofing.
“They've set up SPF, DKIM and DMARC records. So the emails are passing through most filters…they've done their diligence to make sure that emails can actually get through.”
For security teams, the challenge has expanded from preventing spoofing to identifying impersonation wherever it appears.
Attackers no longer need to bypass authentication controls when they control the domains being authenticated. That makes phishing domain detection significantly harder, especially for organizations relying solely on traditional email defenses.
Multiple Domains = Larger Attack Surface
The challenge becomes even more complicated at enterprise scale.
Most organizations aren’t protecting a single domain. They’re managing sprawling digital ecosystems that may include multiple brands, regional websites, legacy acquisitions, campaign-specific domains, and country-specific variations.
Each additional domain expands the attack surface.
Attackers understand this complexity and actively exploit it.
They look for blind spots: forgotten domains, inconsistent monitoring practices, brand variations that haven’t been fully inventoried, or newly registered infrastructure that slips through the cracks unnoticed.
And the challenge isn’t simply the number of domains. It’s the pace of change. New domains can be registered in minutes, infrastructure can be configured almost immediately, and phishing campaigns can launch before security teams even know suspicious assets exist.
In many cases, phishing campaigns succeed because visibility is fragmented across a rapidly growing domain landscape. Digital risk protection becomes significantly more complex at this scale.
Why Traditional Defenses Miss Lookalike Domains
Traditional defenses were built for a different threat model — one where malicious activity could be detected after an email arrived or an alert was triggered.
Email security platforms, for example, are primarily reactive. They analyze messages that make it into — or attempt to make it into — the inbox. That means detection often begins only after a campaign is already active.
Newly registered lookalike domains often exist outside traditional monitoring and enforcement workflows until campaigns are already active.
Meanwhile, many organizations still rely heavily on manual investigation and response. One organization described having to contact domain providers directly for takedowns, noting that resolution times can vary significantly depending on the case.
The result is a timing problem.
By the time a suspicious domain is identified, infrastructure may already be configured, phishing pages deployed, and malicious emails distributed. Customers may already have interacted with fraudulent content before remediation begins.
In a threat environment measured in hours, not weeks, that delay matters.
This is why domain monitoring alone is no longer enough. Security teams need to identify which domains are merely suspicious, which are configured for abuse, and which require immediate disruption.
The Lifecycle of a Lookalike Domain Attack
Modern phishing attacks are increasingly operationalized. Let’s look at the typical lifecycle of a lookalike domain attack:
Domain Registration: Attackers register a lookalike domain designed to closely mimic a trusted brand — often using typosquatting, keyword variations, or regional naming conventions to appear legitimate.
Infrastructure Configuration: The domain is made to look technically trustworthy. Attackers configure hosting, SSL certificates, and email authentication protocols such as SPF, DKIM, and DMARC to help the infrastructure pass legitimacy checks.
Phishing Deployment: Fraudulent content goes live. Attackers launch spoofed login pages, payment portals, credential harvesting forms, or fake support experiences designed to mirror the brand’s legitimate digital environment.
Distribution: The attack is activated and scaled through email, social media, SMS, messaging apps, search results, or other digital channels — driving victims to the malicious domain.
The result is phishing infrastructure designed to blend into trusted digital environments and evade reactive detection workflows. By the time a fraudulent domain is surfaced through reports or downstream security alerts, the campaign may already be active.
That’s why detecting malicious domains early — before campaigns are fully operationalized or widely distributed — has become a critical part of modern phishing defense.
Detecting Lookalike Infrastructure at Scale
If attackers are registering infrastructure faster than teams can manually investigate it, organizations need a different approach.
Effective phishing domain detection increasingly depends on identifying suspicious typosquatting domains and broader lookalike domains used in phishing campaigns before they become operational.
That starts with continuous monitoring to surface potential impersonation attempts early. Domains are registered, DNS records configured, certificates issued, and phishing environments staged days or even weeks before campaigns become visible to potential victims.
Security teams consistently describe their challenge not as a lack of data, but as a lack of actionable visibility — understanding which domains represent real threats and require immediate response.
The challenge is no longer simply finding domains. It’s knowing which ones matter, quickly enough to act. Effective phishing domain detection now requires:
Early Infrastructure Monitoring: Detect newly registered domains, DNS changes, SSL certificate issuance, and hosting signals before campaigns launch.
Threat Signal Correlation: Connect suspicious naming conventions, registrar behavior, hosting relationships, and infrastructure overlaps to distinguish real threats from noise.
Rapid Disruption Workflows: Accelerate takedowns through registrar and hosting relationships before phishing infrastructure scales.
Together, these capabilities allow organizations to move from reactive investigation to proactive disruption — identifying malicious infrastructure earlier and reducing the window attackers have to scale phishing campaigns.
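The lifecycle stages described earlier (registration, infrastructure configuration, phishing deployment) and the three capabilities just listed can be combined into a simple triage step: given the infrastructure signals the article names (registration age, DNS records, SPF/DKIM/DMARC, certificate issuance, hosting overlap), decide which lifecycle stage a suspected lookalike has reached and rank it for disruption. The following is an added example written for this page, not Netcraft's code; it assumes a naming step has already tagged each domain with the brand it imitates (`lookalike_of`), that the signals were collected elsewhere (DNS, certificate transparency, hosting data), and that the scoring weights are illustrative. Every observation in SAMPLE is constructed.

```python
"""Infrastructure-readiness triage for suspected lookalike domains.

Added example, not Netcraft code. Assumes a naming step has already set
lookalike_of, that the signals come from external collection (DNS, CT logs,
hosting data), and that the weights are illustrative. SAMPLE is constructed.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class DomainObservation:
    domain: str
    lookalike_of: Optional[str]   # brand matched by naming analysis, or None
    age_days: int                 # days since registration
    resolves: bool                # A/AAAA record present
    mx: bool                      # MX record present: the domain can receive mail
    spf: bool                     # SPF TXT record published
    dkim: bool                    # a DKIM selector record found
    dmarc: bool                   # _dmarc TXT record published
    tls_cert: bool                # certificate observed in CT logs
    hosting_overlap: bool         # shares hosting, nameservers or registrant with known phishing infrastructure
    login_form_seen: bool         # a credential or payment form observed on the site


def stage(obs: DomainObservation) -> str:
    """Map the signals onto the lifecycle: registered, configured, deployed."""
    if obs.lookalike_of is None:
        return "not-lookalike"
    if obs.login_form_seen:
        return "deployed"                     # phishing content is live: disrupt now
    if obs.resolves and (obs.spf or obs.dkim or obs.dmarc or obs.tls_cert):
        return "configured"                   # mail auth or TLS staged, nothing served yet
    return "registered"                       # name exists but little infrastructure


def readiness_score(obs: DomainObservation) -> int:
    """Weighted sum of the article's signals; the weights are assumptions."""
    if obs.lookalike_of is None:
        return 0
    score = 2 if obs.age_days <= 7 else 1 if obs.age_days <= 30 else 0
    score += int(obs.resolves) + int(obs.mx) + int(obs.tls_cert)
    # Correctly configured SPF/DKIM/DMARC on a lookalike is a preparation
    # signal, not a sign of legitimacy: the attacker "did their diligence".
    score += int(obs.spf) + int(obs.dkim) + int(obs.dmarc)
    score += 2 * int(obs.hosting_overlap)
    score += 3 * int(obs.login_form_seen)
    return score


def prioritize(observations: List[DomainObservation]) -> List[DomainObservation]:
    """Lookalike domains only, most disruption-ready first."""
    flagged = [o for o in observations if o.lookalike_of is not None]
    return sorted(flagged, key=readiness_score, reverse=True)


SAMPLE = [  # constructed observations, not real lookups
    DomainObservation("payapl.example", "paypal", age_days=45, resolves=False, mx=False,
                      spf=False, dkim=False, dmarc=False, tls_cert=False,
                      hosting_overlap=False, login_form_seen=False),
    DomainObservation("paypa1-support.example", "paypal", age_days=2, resolves=True, mx=True,
                      spf=True, dkim=True, dmarc=True, tls_cert=True,
                      hosting_overlap=False, login_form_seen=False),
    DomainObservation("secure-paypal-login.example", "paypal", age_days=1, resolves=True, mx=True,
                      spf=True, dkim=False, dmarc=True, tls_cert=True,
                      hosting_overlap=True, login_form_seen=True),
    DomainObservation("weather-today.org", None, age_days=3, resolves=True, mx=True,
                      spf=True, dkim=True, dmarc=True, tls_cert=True,
                      hosting_overlap=False, login_form_seen=False),
]

if __name__ == "__main__":
    for obs in prioritize(SAMPLE):
        print(f"{obs.domain:30} {stage(obs):12} score={readiness_score(obs)}")
```

The point of separating `stage` from `readiness_score` is that the stage answers the article's question directly (is this domain merely suspicious, configured for abuse, or already live?) while the score only orders work within a stage; the fully configured but not yet serving domain lands in the "configured" bucket, which is the window the text calls left of live.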
Beyond DMARC: Disrupting Lookalike Infrastructure
Email authentication reduced direct domain spoofing, but phishing infrastructure has evolved faster than most defensive workflows.
Email authentication remains essential. DMARC, SPF, and DKIM have dramatically reduced one class of abuse and given organizations stronger control over how their domains are used. But phishing has moved beyond simple spoofing.
The operational challenge now is identifying which newly registered domains are likely being prepared for abuse and disrupting them before campaigns launch. That requires a different approach — one that doesn’t just surface data, but turns it into action.
This is where modern digital risk protection platforms come in.
Leading digital risk protection platforms increasingly focus on identifying malicious infrastructure before campaigns launch, helping organizations move from reactive response to proactive disruption. For instance, Netcraft’s AI-powered Preemptive Domain Disruption allows organizations to identify and disrupt domains configured for abuse before attacks are launched.
Because in today’s threat landscape, protecting your domain is only part of the equation. Organizations need to know when attackers are preparing infrastructure that could impersonate them, determine which domains are configured for abuse, and disrupt those assets before campaigns scale. Netcraft’s Preemptive Domain Disruption is built for that, moving protection left of live – before malicious domains become active phishing campaigns.
Frequently Asked Questions
What are the limitations of DMARC?
DMARC prevents unauthorized use of legitimate domains in email, but it does not identify or disrupt attacker-owned lookalike domains used in phishing campaigns.
What are lookalike domains?
Lookalike domains are domains registered by attackers to imitate trusted brands. These domains often use typosquatting, visual character substitutions, brand-plus-keyword combinations, or regional naming conventions to appear legitimate to customers and employees.
Why are lookalike phishing domains difficult to detect?
Many attacker-owned phishing domains are technically legitimate. Threat actors increasingly configure SPF, DKIM, and DMARC correctly on their own infrastructure, allowing phishing emails and websites to pass traditional legitimacy checks and blend into trusted digital environments.
Why do traditional email security defenses miss lookalike domains?
Traditional email security tools are largely reactive. They typically begin analysis only after phishing emails reach or attempt to reach inboxes. Since DMARC only applies to known, owned domains, newly registered fraudulent domains exist entirely outside its scope until they are discovered through investigation or downstream alerts.
How can organizations disrupt malicious phishing infrastructure before attacks launch?
Organizations increasingly rely on digital risk protection platforms that continuously monitor newly registered domains, DNS changes, SSL certificate issuance, hosting infrastructure, and other threat signals to identify malicious infrastructure early. Rapid disruption workflows and takedown capabilities help reduce the window attackers have to operationalize phishing campaigns at scale.