DMARC has changed email security. When a domain is at enforcement, attackers can’t send email that impersonates that domain and have it land in inboxes. That’s not a small thing, either. Exact-domain spoofing was one of the most effective phishing techniques available, and DMARC largely shut it down.
The problem is that attackers are persistent (and adaptable).
Now that exact-domain spoofing is harder, phishing campaigns have moved to methods that DMARC was never designed to address:
- Lookalike domains
- Display name impersonation
- Compromised third-party accounts
These attacks don’t trigger DMARC failures because they’re not using your domain. They’re just using something close enough to fool a distracted person checking email between meetings.
This is the gap that inbound protection addresses. It doesn’t replace what DMARC does (because that’s still necessary), but it covers the territory DMARC was never built to cover.
How inbound threats have evolved
The shift in attacker behavior tracks almost directly with the rise of DMARC enforcement. As more organizations locked down their domains, the methods that relied on exact-domain spoofing became less viable.
Unfortunately, the methods that replaced it are more sophisticated: they exploit the parts of email security that are hardest to automate and standardize.
Lookalike domains: the attack vector DMARC doesn’t touch
A lookalike domain is a domain that’s been registered to closely resemble a legitimate one. Think valirnail.com instead of valimail.com, or valimail-support.com instead of valimail.com. To a casual reader, especially in a mobile inbox where the full address is truncated, these can be nearly indistinguishable from the real thing.
Because the email is being sent from a legitimately registered domain (just not yours), DMARC has no reason to flag it. The sending domain may even have its own SPF and DKIM records in place, which means it passes authentication checks at the receiving server.
The attack is technically clean. The only problem is the intent behind it.
Lookalike domains are effective for targeted attacks against your employees, vendors, and customers. An attacker who registers a convincing lookalike can impersonate your finance team, IT helpdesk, or executive leadership, and the email will arrive looking authenticated.
That’s a massive risk that lives entirely outside the perimeter that DMARC protects.
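To make the lookalike problem concrete, here is an added example (not Valimail's detection code) of the kind of heuristic check a defender can run over the sender domains seen in inbound mail. It assumes one protected domain, valimail.com, taken from the examples above; the confusable-character tables and the sample sender list are constructed for this example. It goes slightly beyond the two patterns in the text by also catching plain typos within a small edit distance.

```python
# Added example: heuristic lookalike-domain classifier for inbound sender domains.
# Assumes a single protected domain (valimail.com, from the text above); the
# confusable tables and SAMPLE_SENDERS are constructed for this example.
from typing import Optional

PROTECTED_DOMAINS = {"valimail.com"}

# Sequences that render almost identically to one letter in common fonts, plus
# digits and symbols commonly swapped for letters. Constructed subset, not exhaustive.
CONFUSABLE_SEQUENCES = {"rn": "m", "vv": "w", "cl": "d"}
CONFUSABLE_CHARS = {"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "|": "l"}


def normalize_label(label: str) -> str:
    """Fold visually confusable sequences and characters onto their base letters."""
    s = label.lower()
    for seq, base in CONFUSABLE_SEQUENCES.items():
        s = s.replace(seq, base)
    return "".join(CONFUSABLE_CHARS.get(c, c) for c in s)


def levenshtein(a: str, b: str) -> int:
    """Edit distance with unit cost for insert, delete and substitute."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_label(domain: str) -> str:
    """Second-level label ('valimail' from 'mail.valimail.com'). Assumes a
    one-label public suffix; production code should use the Public Suffix List."""
    parts = domain.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def classify_sender_domain(sender_domain: str, protected=PROTECTED_DOMAINS) -> Optional[dict]:
    """Return a finding if sender_domain resembles a protected domain; None if it
    is the protected domain itself (that is DMARC's job) or is unrelated."""
    sender = sender_domain.lower().rstrip(".")
    if sender in protected or any(sender.endswith("." + p) for p in protected):
        return None
    s_label = registrable_label(sender)
    for p in sorted(protected):
        p_label = registrable_label(p)
        if normalize_label(s_label) == normalize_label(p_label):
            return {"domain": sender, "impersonates": p, "reason": "homoglyph"}
        distance = levenshtein(s_label, p_label)
        # Short brand names produce too many accidental near-misses, so require length.
        if distance <= 2 and len(p_label) >= 6:
            return {"domain": sender, "impersonates": p, "reason": f"edit-distance-{distance}"}
        if p_label in s_label:  # brand embedded in a longer label, e.g. valimail-support
            return {"domain": sender, "impersonates": p, "reason": "brand-embedded"}
    return None


def scan_senders(sender_domains):
    """Classify every distinct sender domain and return the list of findings."""
    findings = []
    for d in dict.fromkeys(sender_domains):  # de-duplicate, keep first-seen order
        finding = classify_sender_domain(d)
        if finding:
            findings.append(finding)
    return findings


# Constructed sender domains, as a connector might extract them from From: headers.
SAMPLE_SENDERS = [
    "valimail.com", "valirnail.com", "valimail-support.com",
    "valimall.com", "github.com", "mail.valimail.com", "va1imail.com",
]

if __name__ == "__main__":
    for finding in scan_senders(SAMPLE_SENDERS):
        print(finding)
```

The exact-domain and subdomain cases return nothing on purpose: those are the cases DMARC already decides. Everything else the classifier flags is, by construction, mail DMARC will never see as a failure, which is why it needs its own detection path.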
Why secure email gateways have blind spots
Secure email gateways (SEGs) scan links, analyze attachments, apply reputation-based filtering, and catch known threat patterns before they reach your employees.
But SEGs are fundamentally pattern-matching systems.
They compare inbound mail against known threat signatures, reputation databases, and behavioral models. The challenge is that lookalike domain attacks, by their nature, often don’t match existing patterns. A newly registered lookalike domain has no reputation history. A smartly made phishing email with no malicious links or attachments gives the gateway very little to work with.
This isn’t a criticism of SEGs, though. They’re great (and very important), but they’re ultimately built to catch known threats and suspicious patterns. They’re less effective at catching a clean, well-crafted email sent from a domain that was registered last week specifically to target your organization.
That’s a different kind of problem, and it requires a different kind of visibility.
MTA-STS and why secure mail transport matters
MTA-STS (Mail Transfer Agent Strict Transport Security) is a standard that allows your domain to declare that inbound email should be delivered over encrypted connections, and that mail servers should refuse to deliver if encryption isn’t available. Without MTA-STS, email in transit to your organization can be vulnerable to downgrade attacks, where a bad actor intercepts the connection and forces it to fall back to an unencrypted channel.
It’s the kind of risk that’s easy to overlook because it’s invisible in normal operations.
Mail arrives, everything looks fine, and there’s no indication that the delivery path was anything other than secure. MTA-STS enforces the security you intend to have, rather than assuming it’s happening by default.
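Here is an added example (not Valimail's implementation) of what MTA-STS enforcement actually means on the sending side: parsing the DNS TXT record and the policy file, then deciding per candidate MX whether delivery may proceed, following RFC 8461. The record, policy text and hostnames are constructed for example.com; in practice the policy is fetched over HTTPS from https://mta-sts.example.com/.well-known/mta-sts.txt once the _mta-sts TXT record is found.

```python
# Added example: parsing an MTA-STS policy and applying it the way a policy-aware
# sending MTA does (RFC 8461). TXT_RECORD and POLICY_TEXT are constructed.
from dataclasses import dataclass
from typing import List

VALID_MODES = ("enforce", "testing", "none")


@dataclass
class StsPolicy:
    mode: str
    max_age: int
    mx: List[str]


def parse_sts_txt_record(txt: str) -> dict:
    """Parse '_mta-sts.<domain>' TXT data such as 'v=STSv1; id=20240101T000000Z'."""
    fields = {}
    for part in txt.split(";"):
        key, sep, value = part.strip().partition("=")
        if sep:
            fields[key.strip()] = value.strip()
    if fields.get("v") != "STSv1" or not fields.get("id"):
        raise ValueError("not an STSv1 record")
    return fields


def parse_sts_policy(text: str) -> StsPolicy:
    """Parse the key: value policy file; unknown keys are ignored for forward compatibility."""
    version, mode, max_age, mx = None, None, None, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        key, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed policy line: {raw!r}")
        key, value = key.strip().lower(), value.strip()
        if key == "version":
            version = value
        elif key == "mode":
            mode = value.lower()
        elif key == "max_age":
            max_age = int(value)
        elif key == "mx":
            mx.append(value.lower().rstrip("."))
    if version != "STSv1" or mode not in VALID_MODES or max_age is None:
        raise ValueError("policy is missing a required field or has a bad value")
    if mode != "none" and not mx:
        raise ValueError("an enforce or testing policy must list at least one mx")
    return StsPolicy(mode, max_age, mx)


def mx_matches(pattern: str, host: str) -> bool:
    """RFC 8461 MX matching: exact hostname, or '*.suffix' covering exactly one label."""
    host = host.lower().rstrip(".")
    if pattern.startswith("*."):
        suffix = pattern[1:]  # e.g. ".mail.example.com"
        if not host.endswith(suffix):
            return False
        leftmost = host[: -len(suffix)]
        return bool(leftmost) and "." not in leftmost
    return pattern == host


def delivery_decision(policy: StsPolicy, mx_host: str, tls_ok: bool, cert_ok: bool) -> str:
    """Outcome for one candidate MX: 'deliver', 'refuse' (enforce mode, try the next
    MX but never fall back to cleartext) or 'deliver-and-report' (testing mode:
    delivery proceeds but a TLSRPT failure report is due)."""
    if policy.mode == "none":
        return "deliver"
    trusted_path = any(mx_matches(p, mx_host) for p in policy.mx) and tls_ok and cert_ok
    if trusted_path:
        return "deliver"
    return "refuse" if policy.mode == "enforce" else "deliver-and-report"


# Constructed records for example.com.
TXT_RECORD = "v=STSv1; id=20240101T000000Z"
POLICY_TEXT = """version: STSv1
mode: enforce
mx: mx1.example.com
mx: *.mail.example.com
max_age: 604800
"""

if __name__ == "__main__":
    parse_sts_txt_record(TXT_RECORD)
    policy = parse_sts_policy(POLICY_TEXT)
    # STARTTLS unavailable on the connection: enforce mode refuses instead of downgrading.
    print(delivery_decision(policy, "mx1.example.com", tls_ok=False, cert_ok=True))
```

The downgrade described above is exactly the `tls_ok=False` branch: without a policy the sender would deliver in cleartext; with `mode: enforce` it refuses, and with `mode: testing` it delivers but the failure shows up in TLS reporting, which is how you find broken MX hosts before switching to enforce.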
How Valimail closes the inbound visibility gap
Closing inbound blind spots requires a different kind of data than what DMARC reports provide. You need visibility into what’s actually arriving in your employees’ inboxes, and the ability to identify threat patterns before they result in a successful attack.
Mailbox connectors and Helios
Valimail’s mailbox connectors (part of Helios, Valimail’s patented service identification technology) integrate directly with Microsoft 365 and Google Workspace to provide visibility into inbound email activity that no external monitoring system can see.
Through a read-only API connection, Helios parses email headers from inbound messages to identify services sending into your environment on behalf of your domain. This includes internal-only sending services (like payroll platforms, HR systems, or internal IT tools) that send email to your employees but never appear in external DMARC reports.
These are the services that could be blocked when a domain moves to enforcement, and the ones that most DMARC solutions are completely blind to.
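To show what "parsing email headers to identify services" involves, here is an added example that is not Helios or any Valimail code. It reads the From, DKIM-Signature and Authentication-Results headers of inbound messages, names the service behind each one, and checks whether that service would still align (and therefore pass) once the domain's DMARC policy is at enforcement. The organization domain example.com and all three messages are constructed; the org-domain helper assumes a one-label public suffix.

```python
# Added example: identifying the service behind an inbound message from its headers
# and flagging senders that would be blocked at DMARC enforcement. Not Valimail's
# code; OUR_DOMAINS and SAMPLE_MESSAGES are constructed for this example.
import email
import re
from email.utils import parseaddr

OUR_DOMAINS = {"example.com"}  # assumption: the organization's own domain


def org_domain(domain: str) -> str:
    """Organizational domain for relaxed alignment. Assumes a one-label public
    suffix; production code should use the Public Suffix List."""
    parts = domain.lower().rstrip(".").split(".")
    return ".".join(parts[-2:])


def describe_sender(raw_message: str) -> dict:
    """Extract From domain, DKIM signing domain and MAIL FROM domain, then decide
    whether the sender acts for our domain and whether it aligns under DMARC."""
    msg = email.message_from_string(raw_message)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    to_domain = parseaddr(msg.get("To", ""))[1].rpartition("@")[2].lower()

    dkim_sig = msg.get("DKIM-Signature", "") or ""
    m = re.search(r"(?:^|;)\s*d=([^;\s]+)", dkim_sig)
    dkim_domain = m.group(1).lower().rstrip(".") if m else ""

    auth = msg.get("Authentication-Results", "") or ""
    m = re.search(r"smtp\.mailfrom=([^;\s]+)", auth)
    mailfrom_domain = m.group(1).lower().rpartition("@")[2] if m else ""
    dkim_pass = re.search(r"\bdkim=pass\b", auth) is not None
    spf_pass = re.search(r"\bspf=pass\b", auth) is not None

    on_behalf_of_us = org_domain(from_domain) in OUR_DOMAINS
    dkim_aligned = bool(dkim_pass and dkim_domain and org_domain(dkim_domain) == org_domain(from_domain))
    spf_aligned = bool(spf_pass and mailfrom_domain and org_domain(mailfrom_domain) == org_domain(from_domain))
    return {
        "from_domain": from_domain,
        "service": dkim_domain or mailfrom_domain or "unknown",
        "on_behalf_of_us": on_behalf_of_us,
        # Our domain in From: and delivered to our own mailboxes: the internal-only
        # traffic that external DMARC aggregate reports do not show you.
        "internal_traffic": on_behalf_of_us and org_domain(to_domain) in OUR_DOMAINS,
        "dkim_aligned": dkim_aligned,
        "spf_aligned": spf_aligned,
        # A p=reject policy stops this message only if it claims our domain in
        # From: and neither authentication result aligns with it.
        "enforcement_risk": on_behalf_of_us and not (dkim_aligned or spf_aligned),
    }


def inventory(raw_messages):
    """One entry per service, keyed by signing (or MAIL FROM) domain."""
    seen = {}
    for raw in raw_messages:
        info = describe_sender(raw)
        seen.setdefault(info["service"], info)
    return seen


# Constructed messages: a payroll platform signing with its own domain, an internal
# helpdesk tool signing with ours, and an unrelated external vendor.
SAMPLE_MESSAGES = [
    """From: Payroll <payroll@example.com>
To: alice@example.com
Subject: Your payslip is ready
Authentication-Results: mx.example.com; dkim=pass header.d=payrollcloud.example;
 spf=pass smtp.mailfrom=bounce.payrollcloud.example
DKIM-Signature: v=1; a=rsa-sha256; d=payrollcloud.example; s=k1; h=from:to:subject;
 bh=dGVzdA==; b=c2ln

body""",
    """From: IT Helpdesk <helpdesk@example.com>
To: bob@example.com
Subject: Ticket updated
Authentication-Results: mx.example.com; dkim=pass header.d=example.com;
 spf=pass smtp.mailfrom=tickets.example.com
DKIM-Signature: v=1; a=rsa-sha256; d=example.com; s=helpdesk; h=from:to:subject;
 bh=dGVzdA==; b=c2ln

body""",
    """From: Vendor Billing <billing@vendor.example>
To: carol@example.com
Subject: Invoice
Authentication-Results: mx.example.com; dkim=pass header.d=vendor.example;
 spf=pass smtp.mailfrom=vendor.example

body""",
]

if __name__ == "__main__":
    for service, info in inventory(SAMPLE_MESSAGES).items():
        print(service, "enforcement_risk=%s" % info["enforcement_risk"])
```

The payroll message is the interesting one: it passes DKIM and SPF at the receiving server, so a gateway is happy with it, yet neither result is aligned with example.com, so the moment the domain moves to p=reject this traffic stops. That is the sender you want in your inventory before enforcement, not after.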
Beyond service identification, Valimail’s inbound detection surfaces active threats targeting your organization. The Active Threats dashboard shows you:
- Lookalike domains that have been detected sending to your employees
- How many recipients have been targeted
- When the activity was first observed
Rather than finding out about a lookalike campaign after someone clicks a link, you get visibility into the threat as it’s developing — with the ability to report domains for takedown, flag them for your SEG, or add them to your monitoring list.
This is where Valimail and your SEG work together.
The SEG filters what it can see. Valimail surfaces the identity-based threats that the SEG doesn’t have the context to catch, such as lookalike domains, impersonation patterns, and inbound services that wouldn’t otherwise appear in your reporting.
Together, they cover the full picture in a way that neither can alone.
MTA-STS enforcement fits into this same framework. Valimail helps you implement and maintain MTA-STS so that your intended security is actually applied instead of simply assumed.
See what’s targeting your organization
Valimail Monitor gives you free visibility into your domain’s authentication status and the services sending on your behalf. It’s a good starting point for understanding your current exposure. Sign up for free to get started.
And for teams that want active threat detection, lookalike domain monitoring, and mailbox connector visibility, Valimail Enforce goes further to give you inbound protection that DMARC alone was never designed to provide.

Frequently asked questions
Does DMARC protect against lookalike domain attacks?
No. DMARC is designed to prevent exact-domain spoofing. Lookalike domain attacks use a different domain that closely resembles yours, which means DMARC has no grounds to flag them. Catching these attacks requires a different kind of visibility into inbound email activity. You can find lookalike domains for your organization with Valimail’s free lookalike domain checker.
Do I still need a secure email gateway if I have Valimail?
Yes, and we’d never suggest otherwise. SEGs and Valimail address different parts of the inbound threat landscape. SEGs are effective at filtering known threats, malicious attachments, and suspicious links. Valimail surfaces identity-based threats (lookalike domains, impersonation attempts, and inbound sending services) that SEGs don’t have the context to catch.
What is MTA-STS, and do I need it?
MTA-STS is a standard that tells sending mail servers to deliver email to your domain over encrypted connections only. Without it, your inbound mail is potentially vulnerable to downgrade attacks that force delivery over unencrypted channels. It’s one of those requirements that’s easy to overlook because everything appears to work without it, but it closes a real gap in how securely email actually reaches your organization.
What are mailbox connectors, and how do they work?
Valimail’s mailbox connectors integrate directly with Microsoft 365 and Google Workspace via a read-only API connection. They parse inbound email headers to identify services sending into your environment and include internal-only senders that never appear in external DMARC reports. This gives you visibility into your full email ecosystem.
How does Valimail detect lookalike domains?
Valimail’s inbound detection continuously monitors for domains that closely resemble yours and have been observed sending email to your employees. When a lookalike domain is detected, it appears in the Active Threats dashboard with information about how many recipients were targeted and when the activity started. From there, you can report the domain for takedown, flag it for your SEG, or add it to your monitoring list.