Phishing Reconnaissance: How Attackers Identify and Target Vulnerable Domains


Key Takeaways

  • Phishing attacks begin with reconnaissance, where attackers analyze publicly available information about your domain before launching an attack.
  • Weak email authentication settings, such as missing or unenforced DMARC, make domains significantly more attractive phishing targets.
  • Attackers use tools like DNS lookups, certificate transparency logs, and email headers to uncover authentication gaps and forgotten assets.
  • Regularly auditing SPF, DKIM, DMARC records, subdomains, and sender infrastructure helps eliminate the weaknesses attackers rely on.
  • The best defense is making your domain a difficult target through strong authentication enforcement, continuous monitoring, and proactive domain management.

Most people imagine phishing as a numbers game – blast millions of emails and wait for someone to click. Some campaigns still work that way. But the attacks that do real damage, the ones that land in corporate inboxes and fool trained employees, almost never start with a sent message. They start with research.

Phishing reconnaissance is the structured process attackers use to profile a target domain before a single email is written. They examine authentication records, DNS configuration, subdomain footprint, and the complexity of the sending environment. The goal is straightforward: find the domains where a spoofed message has the best chance of bypassing filters and reaching a real inbox.

According to the APWG, over one million phishing attacks were recorded in Q1 2025 alone, and the FBI’s 2024 IC3 report lists phishing and spoofing as the top complaint category. What makes this volume possible is that the reconnaissance phase requires no special access, no exploits, and no privileged tools. It relies almost entirely on publicly available information. Understanding what attackers can see about your domain – using the same tools they use – is the most direct way to close the gaps they rely on.

What Is Phishing Reconnaissance?

Phishing reconnaissance is the pre-attack phase in which a threat actor collects publicly available information about a target to maximize the probability that their campaign succeeds. It is a form of OSINT (Open Source Intelligence) – gathering data from sources that are already publicly accessible without requiring any direct attack or unauthorized access.

In the context of email-based phishing, reconnaissance focuses on three things: understanding the target domain’s authentication posture, mapping its full sending and subdomain infrastructure, and identifying the weakest point from which a spoofed email is most likely to pass through filtering and reach an inbox. A domain running weak or absent authentication controls, with unmonitored subdomains and a complex undocumented sender environment, is the ideal target.

The tools used in this phase – DNS lookup tools, certificate transparency logs, subdomain enumerators, WHOIS records, and email verification services – are all free, publicly documented, and require no technical expertise to operate. The barrier to running phishing reconnaissance against any domain is low. The barrier to defending against it is also low if you know what to look for.

Phase 1: Checking the Domain’s Authentication Posture

The first thing a phishing operator checks is the domain’s DMARC record. This takes seconds using any free DNS lookup tool and immediately reveals the enforcement level in place.

DMARC policy lookup

What attackers are hoping to find is p=none, or no DMARC record at all. A domain at p=none has published a DMARC record – which means some monitoring is in place – but has instructed every receiving mail server to take no action when an email fails authentication. In practical terms, an attacker can send a spoofed email from that domain, the receiving server can detect that it is unauthenticated, and still deliver it because the domain’s own policy says not to block it.

Domains with no DMARC record at all are even more exposed. There is no policy instruction, no aggregate reporting, and no forensic visibility. Attackers actively scan for these and prioritize them as spoofing targets precisely because the domain owner has no mechanism to detect or block impersonation attempts.

p=none is a common starting point for organizations working through authentication setup – a reasonable place to begin monitoring before moving to enforcement. The problem is that many organizations start there and never advance. Domains that have been live for months or years at p=none are a well-documented, frequently targeted class in phishing campaigns.

SPF record inspection

After DMARC, attackers check the SPF record. A well-configured SPF record lists every server authorized to send on behalf of the domain and ends with -all, instructing receiving servers to reject anything not on that list. What attackers look for is a permissive SPF record ending in ~all (soft fail, which still delivers the message) or +all (which authorizes any sender), or an SPF record that has exceeded the ten DNS lookup limit, which makes receiving servers treat the whole record as a permanent error and fail it entirely.

An SPF record that ends in ~all instead of -all is a subtle but meaningful gap: receiving servers treat soft fails as suspicious but still typically deliver the message, particularly when DMARC is not at enforcement. Attackers who identify this combination – SPF with ~all and DMARC at p=none – know that spoofed emails from the domain will, in most cases, reach the inbox.

DKIM configuration check

DKIM is slightly harder to inspect directly, since a DKIM public key lookup requires knowing the selector in use. But attackers can infer DKIM configuration from DMARC aggregate reports and from observed email headers in any message legitimately sent by the target domain. Headers captured from LinkedIn notifications, press release subscriptions, or marketing emails reveal the DKIM selector and signing domain in use. Once an attacker knows the selector, they can query the public key and confirm whether DKIM signing is active and consistent.

Domains that sign inconsistently – where some sending sources authenticate with DKIM and others do not – are particularly attractive. DMARC alignment requires at least one of SPF or DKIM to pass with identifier alignment. A domain where some traffic authenticates and some does not is exactly the kind of environment where spoofed traffic blends in with legitimate failures.

Phase 2: Mapping the Subdomain and Domain Footprint

Domain authentication checks target the primary domain. But most organizations have a much larger domain footprint than is actively monitored – and phishing reconnaissance is designed to find it.

Certificate transparency log enumeration

Every SSL/TLS certificate issued for a domain is publicly logged in certificate transparency (CT) logs, which are open and queryable by anyone. Tools like crt.sh allow an attacker to query the full certificate history for a domain in seconds, revealing every subdomain that has ever had a certificate issued for it – including development environments, staging servers, regional microsites, and long-forgotten campaign pages.

This is one of the most powerful passive reconnaissance techniques available because it is comprehensive and historical. Subdomains that have since been decommissioned but were once issued certificates still appear in CT logs. An attacker can build a complete historical picture of an organization’s subdomain footprint without sending a single packet to the target.

Subdomain enumeration

Beyond CT logs, passive DNS databases and subdomain brute-force tools can surface additional subdomains. Subdomain hijacking – where a forgotten subdomain’s DNS record still points to a decommissioned service that an attacker can claim – is a documented attack pattern that reconnaissance specifically looks for. A subdomain with a dangling CNAME record pointing to an expired third-party service can be taken over and used to send phishing emails that appear to originate from the legitimate organization.

Subdomains are particularly valuable for phishing because they tend to fall outside the authentication scope that security teams have configured. A domain where the primary sending domain has DMARC enforcement, but subdomains are not covered by the DMARC sp tag, leaves every subdomain open for spoofing, regardless of what the primary policy says.

WHOIS and domain registration history

WHOIS records reveal registration dates, registrar information, and in some cases registrant details. Domain age is a signal attackers use to assess whether a domain has the kind of established sending history that makes spoofed traffic harder to filter. They also use WHOIS to identify related domains registered by the same organization – acquisition domains, brand-protection registrations, regional variants – that may not be actively monitored.

Phase 3: Analyzing the Sender Environment

A domain’s sender environment – the full set of services and platforms authorized to send email on its behalf – is visible through DMARC aggregate reports and can be partially inferred from publicly observable email headers. For phishing operators, a complex or poorly documented sender environment is an exploitable condition.

Third-party sender complexity

Modern organizations typically send email from many sources: a primary mail server, a marketing platform, a CRM like HubSpot, a ticketing system, a billing provider, a calendar tool. Each requires explicit authorization in the SPF record and DKIM configuration. Each generates entries in DMARC aggregate reports. For large organizations, those reports can contain thousands of rows per day across dozens of sending sources.

This volume creates noise, and phishing operators exploit it deliberately. When an organization’s DMARC aggregate data shows forty authorized senders, the signal-to-noise ratio for detecting an anomalous source drops significantly. Low-volume spoofing traffic – a few hundred messages per day from a malicious source – can blend into the reporting data of a busy enterprise sending environment without triggering automated alerts.

Exposed email headers

Legitimate emails sent from the target domain are one of the most useful sources of sender environment intelligence available to a phishing operator. Marketing newsletters, press release subscriptions, job application confirmations, and customer notifications all carry email headers that reveal the sending infrastructure in use: the mail transfer agent, the DKIM selector and signing domain, the Return-Path domain, and the authentication results logged by the receiving server.

An attacker who subscribes to a target organization’s marketing list gets a detailed view of its authentication configuration at no cost and with no detectable activity. This intelligence directly informs how the phishing campaign is constructed – which sending source to impersonate, which headers to forge, and which authentication gaps are likely to let the message through.

Phase 4: Pre-Launch Target Validation

Once a domain has been profiled, phishing operators run additional checks before launching a campaign to maximize success and minimize wasted infrastructure.

Email address verification

Operators validate that target email addresses are active and belong to high-value individuals – executives, finance team members, anyone with access to sensitive systems or authorization to approve payments. Sending to dead addresses generates high bounce rates, which can trigger spam scoring on the sending infrastructure and raise detection risk before the campaign reaches its real targets.

Email addresses are frequently harvested from LinkedIn, company websites, data breach dumps, and prior campaigns. Tools like theHarvester automate this enumeration against a target domain, pulling employee email addresses from search engine results, social media, and public directories.

Sending infrastructure warmup

Most major mailbox providers weigh sending history as a trust signal. A newly registered domain with no sending history is far more likely to be flagged by reputation-based filters than an established one. This is why phishing operators frequently register lookalike domains weeks or months before a campaign and run low-volume sending activity to build a baseline reputation before scaling up.

The warmup phase is designed to pass the same reputation checks that legitimate senders use when onboarding new domains. From the outside, the infrastructure looks like a new business or service beginning to send email. By the time the campaign launches, the domain has cleared the initial reputation filters.

Homoglyph and lookalike domain construction

According to CSC’s Domain Security Report, 88% of homoglyph domains targeting major brands are owned by third parties. These domains substitute or insert near-identical characters to pass a quick visual check – “arnazon.com” instead of “amazon.com,” or Unicode characters that render identically to Latin letters in most email clients.

Lookalike domains are also constructed for display-name impersonation – where the From header shows a trusted name, but the actual sending domain is a lookalike. This technique bypasses DMARC entirely, since DMARC only authenticates the domain in the From header against SPF and DKIM, not the display name. It is one reason why DMARC enforcement alone, while essential, is not the only layer needed.
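Because DMARC never evaluates the display name or a lookalike domain, receiving-side detection has to compare the sending domain against the brands it imitates. The following Python is an added example, not code from the original article: it folds a domain to a "skeleton" that maps confusable characters ("rn" for "m", a few Cyrillic letters, digit swaps) back to their Latin look-alike and flags anything within one edit of a protected domain. The confusables table and the `PROTECTED` list are constructed and deliberately small.

```python
import unicodedata

# Constructed list of domains to protect (example only); a real deployment would load
# the organisation's own domains and the brands it commonly receives mail from.
PROTECTED = ("amazon.com", "example.com")

# Small confusables map: Cyrillic letters that render like Latin ones, plus digit swaps.
CONFUSABLES = {"\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
               "\u0441": "c", "\u0445": "x", "\u0456": "i", "\u0455": "s",
               "0": "o", "1": "l"}
# Multi-character sequences that read as one letter at a glance ("arnazon" -> "amazon").
SEQUENCES = {"rn": "m", "vv": "w"}

def skeleton(domain):
    """Fold a domain to an ASCII 'skeleton' so visually similar strings compare equal."""
    text = unicodedata.normalize("NFKD", domain.lower())
    text = "".join(CONFUSABLES.get(ch, ch) for ch in text if not unicodedata.combining(ch))
    for seq, replacement in SEQUENCES.items():
        text = text.replace(seq, replacement)
    return text

def edit_distance(a, b):
    """Levenshtein distance, used to catch single-character insertions or deletions."""
    previous = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        current = [i]
        for j, cb in enumerate(b, 1):
            current.append(min(previous[j] + 1, current[j - 1] + 1, previous[j - 1] + (ca != cb)))
        previous = current
    return previous[-1]

def lookalike_of(sender_domain, protected=PROTECTED):
    """Return the protected domain that sender_domain imitates, or None for exact or unrelated."""
    if sender_domain.lower() in protected:
        return None  # the genuine domain: leave it to SPF/DKIM/DMARC
    folded = skeleton(sender_domain)
    for brand in protected:
        if edit_distance(folded, skeleton(brand)) <= 1:
            return brand
    return None
```

Run `lookalike_of` over the domain part of the From header of inbound mail; a hit is a reason to quarantine or warn, not proof on its own, since short legitimate domains can also land within one edit of a brand.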

Turning Phishing Reconnaissance into a Defensive Advantage

Every signal that phishing reconnaissance looks for is a signal your security team can audit and monitor with the same publicly available tools. The goal is to ensure that when an attacker profiles your domain, they find nothing worth targeting – full authentication enforcement, a documented sender environment, and no abandoned subdomain assets.

Audit DMARC policy across all domains and subdomains

Start by pulling DMARC records for your primary domain and every subdomain you can identify. Any domain still at p=none that has been live for more than a few months is a priority. The path from p=none to p=reject does not need to happen overnight, but it must be on a defined timeline – not left indefinitely in monitoring mode.

Configure the DMARC sp tag explicitly to extend enforcement to subdomains. Inactive subdomains with no legitimate sending traffic should be set to p=reject immediately. There is no reason to leave enforcement at none for a domain that is not sending anything.

Validate and tighten your SPF record

Run an SPF record lookup on your domain and confirm that every listed sender is still actively used and correctly authorized. Change any ~all qualifier to -all where your sending environment is stable and fully documented. If your record is approaching or over the ten DNS lookup limit, address it with SPF flattening – an over-limit SPF record fails entirely, which is worse than no record for deliverability, and is a misconfiguration that attackers can observe.
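The two audit steps above, and the Phase 1 checks they mirror, reduce to reading a handful of tags off two TXT records. The following Python is an added example, not code from the original article: it parses constructed DMARC and SPF records for a hypothetical example.com (the sample records and the `assess` function are assumptions, not real lookups) and reports the same findings an attacker would, including the subdomain policy the sp tag selects and the ten-lookup limit.

```python
# Constructed sample records for a hypothetical domain (not real lookups); these are
# what `dig TXT _dmarc.example.com` and `dig TXT example.com` would return.
SAMPLE_DMARC = "v=DMARC1; p=none; sp=none; rua=mailto:dmarc@example.com; pct=100"
SAMPLE_SPF = "v=spf1 ip4:192.0.2.0/24 include:_spf.example.net include:mail.example.org a mx ~all"
# SPF terms that each consume one of the ten DNS lookups RFC 7208 allows per evaluation.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}

def parse_dmarc(record):
    """Split a DMARC TXT record into a dict of lower-cased tag -> value."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def effective_policy(tags, is_subdomain=False):
    """Policy a receiver applies: sp covers subdomains when present, otherwise p."""
    if is_subdomain and "sp" in tags:
        return tags["sp"].lower()
    return tags.get("p", "none").lower()

def spf_lookup_count(record):
    """Count the DNS-lookup terms in an SPF record (mechanisms and the redirect modifier)."""
    count = 0
    for term in record.split()[1:]:
        name = term.lstrip("+-~?").split(":", 1)[0].split("/", 1)[0].split("=", 1)[0]
        if name.lower() in LOOKUP_TERMS:
            count += 1
    return count

def spf_all_qualifier(record):
    """Qualifier on the trailing 'all' term: '-', '~', '?' or '+' (default); None if absent."""
    for term in record.split()[1:]:
        if term.lstrip("+-~?").lower() == "all":
            return term[0] if term[0] in "+-~?" else "+"
    return None

def assess(dmarc_record, spf_record):
    """Return the findings an auditor (or an attacker) would read off these two records."""
    findings = []
    if dmarc_record is None:
        findings.append("no DMARC record: no policy, no aggregate reporting")
    else:
        tags = parse_dmarc(dmarc_record)
        for scope, sub in (("domain", False), ("subdomains", True)):
            if effective_policy(tags, sub) == "none":
                findings.append(f"DMARC policy for {scope} is none: failing mail is still delivered")
    qualifier = spf_all_qualifier(spf_record)
    if qualifier in ("~", "?", "+"):
        findings.append(f"SPF ends in {qualifier}all: unlisted senders are not rejected")
    lookups = spf_lookup_count(spf_record)
    if lookups > 10:
        findings.append(f"SPF needs {lookups} DNS lookups: over the limit of 10, record fails")
    return findings
```

The sample records produce three findings; the hardened pair `v=DMARC1; p=reject; sp=reject` with an SPF ending in `-all` produces none, which is the state the audit is working toward.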

Map and monitor your full sender environment

Use DMARC aggregate reports to build a complete inventory of every source sending email claiming to be from your domain. Any source appearing in reports that is not in your authorized sender list is either a misconfigured legitimate service or an unauthorized sender. Both need to be addressed.

New SaaS tools and integrations are onboarded continuously in most organizations. This means the sender environment is not static. An inventory that was accurate three months ago may be outdated today. Treat sender environment mapping as a recurring process, not a one-time exercise.
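As an added example (not code from the original article), the following Python reads a DMARC aggregate report in the RFC 7489 XML format and checks each source IP against an inventory of known senders, which is how the undocumented or misconfigured source described above and in Phase 3 is surfaced out of the noise. The report contents, the IP addresses and the `KNOWN_SENDERS` inventory are constructed assumptions.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed RFC 7489 aggregate report fragment for a hypothetical domain; real reports
# arrive zipped at the rua address and can run to thousands of <record> rows per day.
SAMPLE_REPORT = """<?xml version="1.0"?>
<feedback>
  <report_metadata><org_name>receiver.example</org_name></report_metadata>
  <policy_published><domain>example.com</domain><p>none</p></policy_published>
  <record><row><source_ip>192.0.2.10</source_ip><count>5400</count>
    <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated>
  </row><identifiers><header_from>example.com</header_from></identifiers></record>
  <record><row><source_ip>203.0.113.5</source_ip><count>900</count>
    <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated>
  </row><identifiers><header_from>example.com</header_from></identifiers></record>
  <record><row><source_ip>198.51.100.7</source_ip><count>220</count>
    <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated>
  </row><identifiers><header_from>example.com</header_from></identifiers></record>
</feedback>"""

# The documented sender inventory (constructed): source IPs the organisation knows about.
KNOWN_SENDERS = {"192.0.2.10": "corporate MTA", "203.0.113.5": "marketing platform"}

def summarize(report_xml):
    """Aggregate message counts per source IP, split into DMARC pass and fail."""
    root = ET.fromstring(report_xml)
    summary = defaultdict(lambda: {"pass": 0, "fail": 0})
    for record in root.iter("record"):
        row = record.find("row")
        evaluated = row.find("policy_evaluated")
        # policy_evaluated holds the aligned results; DMARC passes if either one passes.
        passed = evaluated.findtext("dkim") == "pass" or evaluated.findtext("spf") == "pass"
        summary[row.findtext("source_ip")]["pass" if passed else "fail"] += int(row.findtext("count"))
    return dict(summary)

def triage(summary, known):
    """Label each source: unknown (investigate), known but failing (fix auth), or healthy."""
    labels = {}
    for ip, counts in summary.items():
        if ip not in known:
            labels[ip] = "unknown"        # not in the inventory: spoofing or an undocumented service
        elif counts["fail"]:
            labels[ip] = "misconfigured"  # a documented sender whose SPF/DKIM alignment is broken
        else:
            labels[ip] = "authenticated"
    return labels

def audit(report_xml, known=KNOWN_SENDERS):
    """One-call audit: parse the report, then classify every source against the inventory."""
    return triage(summarize(report_xml), known)
```

With the published policy still at p=none, all three sources were delivered; the triage is what turns the 220 messages from the unknown address into an alert rather than a row lost among thousands.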

Enumerate your own subdomain footprint

Use crt.sh and passive DNS tools to build the same picture of your domain footprint that an attacker would. Anything you find that is unmonitored, unauthenticated, or has a dangling DNS record should be addressed immediately. For lookalike and homoglyph domains, domain spoofing protection and brand monitoring tools can surface these before they are used in an active campaign. For your own domains, reviewing the hidden security risks of multiple domains and subdomains is a useful starting point for a full domain audit.

What Attackers Find When They Run Phishing Reconnaissance on Your Domain

The full phishing reconnaissance process described above – checking authentication posture, mapping the subdomain footprint, analyzing the sender environment, validating targets – takes an experienced attacker less than an hour using free tools. A DMARC checker, an SPF lookup, crt.sh, and a WHOIS query are enough to determine whether your domain is worth targeting.

The organizations that are hardest to target are the ones where that reconnaissance returns nothing useful: a DMARC policy at p=reject with subdomain coverage, a clean SPF record ending in -all, documented DKIM signing across all sending sources, and no abandoned subdomains with open authentication gaps. When an attacker’s reconnaissance finds a domain that has closed these doors, they move on. That is the goal.
