Detection Engineering

Phishing Detection Beyond DMARC

How to detect phishing beyond DMARC — lookalike domains, display-name spoofing, newly-registered senders, and BEC signals, with an SPL analytic and layered defenses.


DMARC is necessary and not sufficient. SPF, DKIM, and DMARC stop one specific thing — someone spoofing your exact domain — and most modern phishing simply does not bother. It comes from a lookalike domain, a spoofed display name, a freshly registered sender, or a compromised legitimate account, and it sails past authentication because it is not pretending to be your domain at all. Detecting it means scoring the signals authentication ignores. This guide ships that layered approach.

Phishing maps to MITRE ATT&CK T1566 — Phishing. The durable end-state defense is phishing-resistant authentication (YubiKeys), so a harvested credential is worthless — but detection at the gateway catches the message before it reaches the user.

Why isn’t DMARC enough?

DMARC, built on SPF and DKIM, answers exactly one question: is this mail that claims to be from yourcompany.com actually authorized to use yourcompany.com? Enforced at reject, it shuts down direct domain spoofing — a real and worthwhile win. But it says nothing about a message from yourcompany-support.com, or one whose display name reads “CEO” from a Gmail address, or one from a partner’s compromised-but-legitimate mailbox. Those all pass authentication because they are not spoofing your domain.

That gap is where phishing lives now, and especially where business email compromise (BEC) operates — plausible messages, often with no malicious payload, engineered to move money or data. Catching them requires detection beyond the authentication layer.

What does phishing that passes DMARC look like?

| Technique | What it does | Signal to detect |
| --- | --- | --- |
| Lookalike domain | yourcompany-hr.com, homoglyphs | Sender domain string-similar to yours/partners |
| Display-name spoof | "CFO" sent from [email protected] | Executive name from an unrelated address |
| Newly-registered domain | Domain registered days ago | Sender domain age very low |
| Compromised partner | Real account, attacker content | Anomalous behavior from a known sender |
| BEC / payload-free | Wire-transfer request, no link | Financial-urgency language, mismatched reply-to |

None of these is caught by SPF/DKIM/DMARC, and several (BEC) have nothing for a content scanner to flag. The detection is sender reputation and behavioral signals, combined.

How to detect phishing beyond DMARC

Score inbound mail on the gateway signals authentication misses. Lookalike-domain and display-name impersonation are the highest-value signals:

SPL: Lookalike-Domain or Display-Name Spoof Reaching the Inbox (domain_age_days comes from an enrichment lookup, assumed here to be named domain_age; levenshtein assumes a string-distance eval function is available in your Splunk environment)
index=email sourcetype=mail:gateway action=delivered
| eval sender_domain = lower(replace(from_address,"^[^@]+@",""))
| eval dom_distance = levenshtein(sender_domain, "yourcompany.com")
| lookup exec_names display_name OUTPUT is_exec
| lookup domain_age sender_domain OUTPUT domain_age_days
| where (dom_distance > 0 AND dom_distance <= 2)
   OR (is_exec="true" AND NOT match(sender_domain, "yourcompany\.com$"))
   OR (domain_age_days < 14)
| table _time, from_address, display_name, subject, dom_distance, domain_age_days

A sender domain one or two edits away from yours, an executive display name from outside your domain, or a sender domain registered in the last two weeks each warrants scrutiny. Combine them into a score and alert on the high end, rather than blocking on any single signal.
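The combined scoring described above, as an added Python example that is not part of the original post: the same checks (edit distance to your domain, executive display name from outside, young sender domain, mismatched reply-to, financial-urgency language) folded into one risk score. The weights, the alert threshold, the executive roster and the domain-age table are assumptions standing in for your own enrichment data.

```python
import re
from email.utils import parseaddr

# Constructed example data (not from the page): assumed company domain,
# executive roster, and a toy domain-age table standing in for WHOIS enrichment.
OUR_DOMAIN = "yourcompany.com"
EXEC_NAMES = {"jane doe", "john smith"}
DOMAIN_AGE_DAYS = {"yourcompany.com": 4000, "yourcompany-hr.com": 5,
                   "yourcornpany.com": 900, "gmail.com": 7000}
HIGH_RISK = 50  # assumed alert threshold for the combined score

def levenshtein(a, b):
    """Edit distance, used to measure how close a sender domain is to ours."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def domain_of(addr):
    return addr.rsplit("@", 1)[-1].lower()

def score_message(msg):
    """Score one message dict (From, Subject, optional Reply-To); return (score, reasons)."""
    name, addr = parseaddr(msg["From"])
    sender = domain_of(addr)
    brand = OUR_DOMAIN.split(".")[0]
    score, reasons = 0, []
    dist = levenshtein(sender, OUR_DOMAIN)
    # Lookalike: a few edits away from our domain, or our brand inside a foreign domain.
    if sender != OUR_DOMAIN and (dist <= 2 or brand in sender):
        score += 40; reasons.append(f"lookalike domain (distance {dist})")
    if name.strip().lower() in EXEC_NAMES and sender != OUR_DOMAIN:
        score += 40; reasons.append("executive display name from external domain")
    age = DOMAIN_AGE_DAYS.get(sender)
    if age is not None and age < 14:
        score += 30; reasons.append(f"sender domain registered {age} days ago")
    reply_to = msg.get("Reply-To")
    if reply_to and domain_of(parseaddr(reply_to)[1]) != sender:
        score += 20; reasons.append("reply-to domain differs from sender domain")
    if re.search(r"\b(wire|urgent|payment|invoice)\b", msg.get("Subject", ""), re.I):
        score += 10; reasons.append("financial-urgency language in subject")
    return score, reasons

def is_high_risk(msg):
    """True only when the combined score, not any single signal, crosses the threshold."""
    return score_message(msg)[0] >= HIGH_RISK
```

A lone young domain (30) or a lone subject keyword (10) stays below the threshold, while a lookalike domain that also carries an executive name and a mismatched reply-to goes well over it.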

How to test your phishing detection

With your security team’s authorization (and a controlled phishing-simulation platform):

  1. Send test messages from a registered lookalike domain and confirm the analytic scores them.
  2. Send a display-name-spoof test from an external address and confirm it flags.
  3. Send a benign message from a legitimate new vendor and confirm enrichment keeps the false positives low.
  4. Confirm DMARC-at-reject blocks an exact-domain spoof outright (the layer below).

How to defend against phishing

  • User reporting + rapid takedown of lookalike domains closes the loop.
  • Out-of-band verification policy for any payment/data-change request (defeats BEC).
  • Monitor for your registered lookalikes proactively, before they are weaponized.

Common phishing-detection mistakes

  • Stopping at DMARC. It only covers exact-domain spoofing.
  • Single-signal blocking. Young domains and common names over-fire alone.
  • Ignoring payload-free BEC. Content scanning sees nothing; score the sender/behavior.
  • No phishing-resistant MFA. A harvested password stays useful without it.

Phishing detection beyond DMARC checklist

  1. Enforce DMARC at p=reject (with SPF and DKIM) as the base layer.
  2. Score senders on lookalike/homoglyph domain similarity to you and partners.
  3. Flag executive display names arriving from outside your domain.
  4. Flag newly-registered sender domains and mismatched reply-to.
  5. Combine signals into a risk score; route the high end to review.
  6. Sandbox links/attachments and banner external/first-contact senders.
  7. Deploy phishing-resistant MFA so harvested credentials are useless.
  8. Enable user reporting, lookalike-domain monitoring, and rapid takedown.

The takeaway

Phishing detection beyond DMARC means scoring the signals authentication ignores — lookalike domains, display-name spoofing, newly-registered senders, and BEC behavior — and layering that with sandboxing and phishing-resistant MFA. DMARC is the floor, not the ceiling. Continue with YubiKey deployment and OAuth misconfiguration review, or browse the full Detection Engineering pillar.


Frequently asked questions

Why isn't DMARC enough to stop phishing?

DMARC, SPF, and DKIM only verify that mail claiming to be from your domain is authorized — they stop direct domain spoofing. They do nothing about lookalike domains, display-name spoofing, newly-registered sender domains, compromised third-party accounts, or business email compromise, which is where most modern phishing operates. You need detection layers beyond authentication.

How do you detect phishing that passes DMARC?

Score inbound mail on signals authentication misses: lookalike/homoglyph sender domains close to yours or your partners', display names that impersonate executives from unrelated addresses, newly-registered sender domains, mismatched reply-to, and urgent financial language. Combine these into a risk score rather than relying on any single signal.

What is business email compromise (BEC)?

BEC is a phishing attack where the message is plausible and often passes authentication — sent from a lookalike domain or a compromised legitimate account — to trick someone into a wire transfer or data disclosure. It frequently has no malicious link or attachment, so it evades content scanning and needs behavioral and sender-reputation detection.

How do you prevent phishing beyond DMARC?

Layer it: enforce DMARC at reject, then add lookalike-domain monitoring, newly-registered-domain blocking, attachment/link sandboxing, banner warnings for external and first-contact senders, and phishing-resistant MFA so a harvested password is useless. User reporting plus rapid takedown closes the loop.
