Lookalike domains are domains that closely resemble yours — one character swapped, a hyphen added, a different TLD. Attackers register them to send phishing mail that appears to come from your company. Your DMARC record cannot protect you from them. You need to find and monitor them.
A spoofing attack uses your actual domain. A lookalike attack uses a different domain that resembles yours enough to fool recipients. Common techniques include:
yourcmopany.com, yourcompnay.com)y0urcompany.com — zero instead of O)yourcompany-support.com, yourcompany-help.com, yourcompanyinc.com)yourcompany.net when you own yourcompany.com)yourcompany.attacker.com)Attackers who use lookalike domains can set up their own SPF, DKIM, and DMARC records on those domains — so the authentication passes for the lookalike domain even though the mail is fraudulent. Your DMARC record protects your domain, not theirs.
Lookalike domain attacks typically target your customers, partners, or suppliers. Common scenarios:
You cannot catch all lookalike domains after they have been deployed — the goal is early detection, before the attack reaches your customers.
Services like DomainTools, Bolster, or similar threat intelligence platforms continuously scan newly registered domains for similarity to yours and alert you when potential lookalikes appear. Some DMARC reporting services include basic lookalike monitoring.
Tools like dnstwist generate permutations of your domain and check which ones are registered. Running this periodically gives you visibility without ongoing subscription costs.
Establish a clear channel for customers and partners to report suspicious emails. Many lookalike attacks are discovered by recipients who notice something is slightly off.
Depending on your risk tolerance and resources:
If the guides aren't enough, book a free 30-minute call. We'll look at your setup, name the layer that's failing, and give you the fix order. No pitch, no obligation.