Hello, I have access to a client’s GoDaddy account with over 400 domains and monitor DMARC for a subset of them. One domain in particular sees minimal legitimate traffic - approx. 10 emails/mo via Google Workspace, and has DMARC set to p=reject due to ongoing spoofing attempts.
About a week ago, we noticed an unexpected change to the SPF record. Previously, it only included Google servers. It was altered to:

*v=spf1 include:spf.em.secureserver.net include:_spf.google.com ~all*

Upon checking the DNS zone, we also found two new CNAME records pointing to secureserver.net: https://shconsult.ing/cJg6dvzs. No internal stakeholders made these changes, and the domain has no history of using GoDaddy’s (or any other provider's) email services besides Google.

We removed the unauthorized records. However, a few days later, they reappeared, and 2 SPF-aligned emails were sent from the domain, bypassing DMARC p=reject. A follow-up review confirmed only two people (myself included) had DNS access, and neither made the changes. This strongly suggests the modifications were made by GoDaddy or an affiliated system without owner consent.

Given the domain is not used for communication, and the spoofing volume is high + the fact that the domain belongs to a well-known person in their field, this raises serious concerns. GoDaddy provides no DNS change logs, limiting our ability to investigate further.

If anyone has experienced similar behavior or has contacts at GoDaddy who could assist, I’d greatly appreciate any insights.

Thank you,
Alex
_______________________________________________ mailop mailing list mailop@mailop.org https://list.mailop.org/listinfo/mailop
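Since the registrar in the thread above exposes no DNS change log, the practical defence is to keep your own baseline of the zone and diff it on a schedule. The script below is an added example, not the poster's code and not anything GoDaddy provides: it parses an SPF TXT record into its authorising terms, diffs it and a set of CNAME records against a stored baseline, and reports drift such as an extra `include:` or a new CNAME pointing at a mail platform the domain never used. The domain name, CNAME hostnames and records are constructed to mirror the change described in the post. The optional live lookup helper assumes the third-party `dnspython` package and a watch-list of names to query (a plain resolver cannot enumerate a zone, so in practice the snapshot would come from a zone export out of the registrar panel); it is not exercised by the constructed sample.

```python
"""Baseline-diff monitor for a domain's SPF TXT record and selected CNAMEs.

Added example for the mailop thread above; not the poster's code.
All domains, hostnames and records below are constructed placeholders.
"""

# Constructed baseline: SPF authorises Google only, and the monitored
# CNAME set is empty. The domain is a placeholder.
DOMAIN = "example.com"
BASELINE = {
    "spf": "v=spf1 include:_spf.google.com ~all",
    "cnames": {},
}

# Constructed snapshot mirroring the drift the poster describes: an extra
# include plus CNAMEs pointing at the registrar's mail platform. The
# hostnames on the left are made up for this example.
DRIFTED_SNAPSHOT = {
    "spf": "v=spf1 include:spf.em.secureserver.net include:_spf.google.com ~all",
    "cnames": {
        "em-alpha.example.com": "mail.secureserver.net",
        "em-beta.example.com": "mail.secureserver.net",
    },
}


def spf_terms(record):
    """Split an SPF TXT string into (set of authorising terms, 'all' qualifier).

    Qualifiers are made explicit ('+' when omitted) so that 'include:x' and
    '+include:x' compare equal and '-include:x' does not. Modifiers such as
    redirect= are kept as terms too, since they also widen who may send.
    """
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF version-1 record: %r" % record)
    authorising = set()
    all_qualifier = None
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        term = term.lower()
        if term == "all":
            all_qualifier = qualifier
        else:
            authorising.add(qualifier + term)
    return authorising, all_qualifier


def spf_drift(expected, observed):
    """Diff two SPF records: terms added, terms removed, and any change to 'all'."""
    exp_terms, exp_all = spf_terms(expected)
    obs_terms, obs_all = spf_terms(observed)
    return {
        "added": sorted(obs_terms - exp_terms),
        "removed": sorted(exp_terms - obs_terms),
        "all_changed": None if exp_all == obs_all else (exp_all, obs_all),
    }


def cname_drift(expected, observed):
    """Diff two {name: target} maps of CNAME records."""
    added = {n: t for n, t in observed.items() if n not in expected}
    removed = {n: t for n, t in expected.items() if n not in observed}
    changed = {n: (expected[n], t) for n, t in observed.items()
               if n in expected and expected[n] != t}
    return {"added": added, "removed": removed, "changed": changed}


def audit(domain, baseline, snapshot):
    """Return human-readable findings; an empty list means the zone matches the baseline."""
    findings = []
    if snapshot["spf"] is None:
        findings.append(f"{domain}: SPF record missing")
    else:
        d = spf_drift(baseline["spf"], snapshot["spf"])
        for term in d["added"]:
            findings.append(f"{domain}: SPF now authorises unexpected term {term}")
        for term in d["removed"]:
            findings.append(f"{domain}: SPF lost expected term {term}")
        if d["all_changed"]:
            old, new = d["all_changed"]
            findings.append(f"{domain}: SPF 'all' qualifier changed {old} -> {new}")
    c = cname_drift(baseline["cnames"], snapshot["cnames"])
    for name, target in c["added"].items():
        findings.append(f"{name}: unexpected CNAME -> {target}")
    for name, target in c["removed"].items():
        findings.append(f"{name}: expected CNAME -> {target} is gone")
    for name, (old, new) in c["changed"].items():
        findings.append(f"{name}: CNAME target changed {old} -> {new}")
    return findings


def fetch_snapshot(domain, cname_names):
    """Live lookup using the third-party dnspython package (assumed installed).

    Only the names in cname_names are queried; a resolver cannot list a zone.
    Not used by the constructed sample above.
    """
    import dns.resolver  # pip install dnspython
    spf = None
    try:
        for rdata in dns.resolver.resolve(domain, "TXT"):
            txt = b"".join(rdata.strings).decode("ascii", "replace")
            if txt.lower().startswith("v=spf1"):
                spf = txt
    except (dns.resolver.NoAnswer, dns.resolver.NXDOMAIN):
        pass
    cnames = {}
    for name in cname_names:
        try:
            answer = dns.resolver.resolve(name, "CNAME")
            cnames[name] = str(answer[0].target).rstrip(".")
        except (dns.resolver.NoAnswer, dns.resolver.NXDOMAIN):
            pass
    return {"spf": spf, "cnames": cnames}


if __name__ == "__main__":
    # Run against the constructed drifted snapshot; prints one line per finding.
    for line in audit(DOMAIN, BASELINE, DRIFTED_SNAPSHOT):
        print(line)
```

Run it from cron against a snapshot taken with `fetch_snapshot` (or parsed from a zone export) and alert on any non-empty result; because the diff is against a baseline you control rather than against the registrar's last known state, a record that is silently re-added after you delete it, as happened in the thread, shows up on the next run regardless of who or what put it back.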