How to Detect a Phishing Kit Using Your Domain (Before It Costs You Customers)

Someone could be phishing your customers right now using your own domain name — and your legitimate email infrastructure is helping them. Here's how to find out and shut it down.

Here's how phishing works in 2026: an attacker sets up a convincing login page that looks exactly like your app. They buy a domain that looks almost like yours — yourcompany-support.com or yourco-auth.net. They email your customers from an address that appears to be yours. Your customers see your domain in the sender field and trust it completely.

Now imagine the same attack, but the sender address uses your exact domain rather than a lookalike. The email comes from [email protected], while the phishing page sits at yourcompany.com-support.top. This is brand impersonation via your own infrastructure, and it happens when email authentication is missing or misconfigured.

How Attackers Use Your Domain Without Breaking In

Most businesses don't realize that without proper email authentication (SPF, DKIM, DMARC), anyone can send email that appears to come from your domain. The receiving mail server has no way to verify that the email actually came from you.

What attackers do: they look up your domain, see you're missing DMARC (or have a weak policy), and start sending emails from servers you don't own but that claim to be you. These emails land in inboxes with your domain as the sender — because the receiving servers can't tell the difference.

The DMARC gap: If your domain doesn't have a DMARC record, attackers can send phishing emails that appear to come from your domain to your own customers. Your legitimate email infrastructure doesn't block it. Your customers have no reason to suspect it. And if your support team is CC'd on those phishing threads, you'll never know until a customer flags it.

How to Check If Your Domain Is Being Used for Phishing

1. Check your DMARC, SPF, and DKIM records

Go to your DNS provider and check for the SPF, DKIM, and DMARC TXT records (the DMARC record lives at _dmarc.yourdomain.com).

If your DMARC record reads v=DMARC1; p=none, receivers are told to take no action on mail that fails authentication: your domain is being spoofed right now and you have no protection.
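A small checker for this step, added here as an example rather than code from the article: it parses SPF and DMARC TXT record strings the way a lookup on yourdomain.com and _dmarc.yourdomain.com would return them, and grades the weak records (p=none, +all) beside their hardened forms. The sample records and the domains in them are constructed; the DNS lookup itself is left to you, and DKIM is not graded because its record lives under a selector name you have to know in advance.

```python
"""Grade SPF and DMARC TXT records for the gaps described in this step.

Added example, not code from the article. The record strings below are
constructed samples shaped like what a TXT lookup on yourdomain.com and
_dmarc.yourdomain.com returns; the DNS query itself is left to the caller.
"""


def parse_dmarc(txt):
    """Split 'v=DMARC1; p=none; rua=mailto:...' into a lower-cased tag dict."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def assess_dmarc(txt):
    """Return (severity, explanation) for a DMARC record; txt=None means no record."""
    if txt is None:
        return ("critical", "no DMARC record: receivers get no instruction for mail that fails SPF/DKIM")
    tags = parse_dmarc(txt)
    if tags.get("v", "").upper() != "DMARC1":
        return ("critical", "record does not carry v=DMARC1, so receivers ignore it")
    policy = tags.get("p", "").lower()
    pct = int(tags.get("pct", "100"))  # share of failing mail the policy is applied to
    if policy == "none":
        return ("high", "p=none: failures are only reported, spoofed mail is still delivered")
    if policy == "quarantine":
        note = "p=quarantine: spoofed mail goes to spam; move to p=reject once reports look clean"
        if pct < 100:
            note += f" (and only {pct}% of failing mail is quarantined)"
        return ("medium", note)
    if policy == "reject":
        if pct < 100:
            return ("medium", f"p=reject with pct={pct}: {100 - pct}% of spoofed mail is still delivered")
        if "rua" not in tags:
            return ("low", "p=reject without rua=: enforced, but you receive no aggregate reports")
        return ("ok", "p=reject with aggregate reporting: spoofed mail is rejected and you see who tried")
    return ("critical", f"unrecognised policy p={policy!r}")


def assess_spf(txt):
    """Flag SPF records whose terminal 'all' mechanism lets unknown servers through."""
    if txt is None:
        return ("high", "no SPF record: receivers cannot check which servers may send for you")
    terms = txt.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ("high", "record does not start with v=spf1")
    if any(t.lower().startswith("redirect=") for t in terms):
        return ("info", "redirect= delegates to another record; assess that record instead")
    verdicts = {
        "+all": ("critical", "+all: every server on the internet passes SPF for your domain"),
        "all": ("critical", "all: same as +all, every server passes"),
        "?all": ("high", "?all: unknown servers are not failed, only marked neutral"),
        "~all": ("ok", "~all: softfail for unknown servers, fine together with DMARC enforcement"),
        "-all": ("ok", "-all: unknown servers hard-fail SPF"),
    }
    return verdicts.get(terms[-1].lower(),
                        ("medium", "no 'all' at the end: unlisted servers get a neutral result"))


# Constructed samples: each weak record beside its hardened replacement.
SAMPLES = {
    "weak SPF": "v=spf1 include:spf.mail-provider.example +all",
    "hardened SPF": "v=spf1 include:spf.mail-provider.example -all",
    "weak DMARC": "v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.example",
    "hardened DMARC": "v=DMARC1; p=reject; rua=mailto:dmarc@yourdomain.example; pct=100",
}


def run_samples():
    """Grade every sample; returns {label: (severity, explanation)}."""
    results = {}
    for label, record in SAMPLES.items():
        checker = assess_spf if "SPF" in label else assess_dmarc
        results[label] = checker(record)
    return results


if __name__ == "__main__":
    for label, (severity, note) in run_samples().items():
        print(f"{label:15} {severity:9} {note}")
```

Pass the real TXT strings from your DNS lookup to assess_spf() and assess_dmarc() (None when the record is missing); a pct= below 100 on p=reject is the common half-finished rollout worth catching.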

2. Search for phishing pages using your brand name

Search Google for: site:yourdomain.com phishing (this won't find everything, but it can surface known phishing sites using your brand). Also search for your domain in phishing databases such as PhishTank and OpenPhish, which are free to search and updated daily.

3. Monitor Certificate Transparency logs

Attackers often put a TLS certificate on a phishing site so the browser shows a padlock and the page appears more legitimate. Search crt.sh for your domain name and any similar variants, and look for certificates issued to domains that look like yours (yourco-login.com, yourco-auth.net, etc.). If you check regularly, you'll find phishing infrastructure before it's used against your customers.

4. Check for lookalike domains registered recently

Domain registrars won't give you a full list, but you can check newly registered domains that contain your brand name using services like DomainTools or similar OSINT tools. If a domain that looks like yours was registered in the last 30 days and resolves to a server in a suspicious country, that's a threat to investigate.
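Steps 3 and 4 both come down to the same question: does a name from a crt.sh result or a new-registrations feed look like your brand? The following is an added example, not code from the article or from crt.sh: it triages a crt.sh-style JSON export (crt.sh does offer output=json with name_value, issuer_name and not_before fields) for lookalikes of an assumed brand. SAMPLE_CT_JSON, the brand tokens yourcompany/yourco and the domain yourcompany.com are constructed for the demonstration, and the confusable-character map is deliberately crude.

```python
"""Triage certificate-transparency names for lookalikes of your brand.

Added example, not code from the article. SAMPLE_CT_JSON is a constructed
stand-in for crt.sh's JSON output so the script runs offline; replace it
with the real export and BRAND_TOKENS / OWN_DOMAIN with your own values.
"""
import json
import re

BRAND_TOKENS = ("yourcompany", "yourco")  # assumption: the brand spellings you actually use
OWN_DOMAIN = "yourcompany.com"           # assumption: your real registrable domain

# Constructed sample shaped like crt.sh ?q=%25yourcompany%25&output=json
SAMPLE_CT_JSON = json.dumps([
    {"name_value": "www.yourcompany.com\nyourcompany.com",
     "issuer_name": "C=US, O=Example CA", "not_before": "2026-01-03T10:00:00"},
    {"name_value": "yourcompany.com-support.top",
     "issuer_name": "C=US, O=Example CA", "not_before": "2026-02-20T08:12:00"},
    {"name_value": "yourc0mpany-login.com",
     "issuer_name": "C=US, O=Example CA", "not_before": "2026-02-21T17:40:00"},
    {"name_value": "*.yourco-auth.net",
     "issuer_name": "C=US, O=Example CA", "not_before": "2026-02-22T02:05:00"},
    {"name_value": "yourcompani.net",
     "issuer_name": "C=US, O=Example CA", "not_before": "2026-02-23T11:30:00"},
    {"name_value": "unrelated.example",
     "issuer_name": "C=US, O=Example CA", "not_before": "2026-02-24T09:00:00"},
])

# Crude substitutions that typosquatters rely on; expand for your alphabet.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]


def levenshtein(a, b):
    """Classic edit distance; labels are short, so the full table is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def normalize(host):
    """Lower-case, drop a leading wildcard, and undo confusable substitutions."""
    host = host.lower().lstrip("*.")
    for src, dst in CONFUSABLES:
        host = host.replace(src, dst)
    return host


def classify_host(host, brand_tokens=BRAND_TOKENS, own_domain=OWN_DOMAIN):
    """Reasons the host looks like brand impersonation; empty list when it does not."""
    raw = host.lower().lstrip("*.")
    if raw == own_domain or raw.endswith("." + own_domain):
        return []  # a name under your own registrable domain is yours to review elsewhere
    norm = normalize(raw)
    reasons = []
    if norm != raw:
        reasons.append("confusable characters substituted")
    if own_domain in norm:
        reasons.append("your domain embedded inside another registrable domain")
    for label in re.split(r"[.-]", norm):
        for token in brand_tokens:
            if label == token:
                reasons.append(f"brand token '{token}' used as a label")
            elif token in label:
                reasons.append(f"brand token '{token}' embedded in label '{label}'")
            elif len(label) >= 5 and levenshtein(label, token) <= 2:
                reasons.append(f"label '{label}' is within 2 edits of '{token}'")
    return sorted(set(reasons))


def triage_ct_export(json_text, brand_tokens=BRAND_TOKENS, own_domain=OWN_DOMAIN):
    """Map each suspicious host to its reasons, issuer and certificate start date."""
    findings = {}
    for entry in json.loads(json_text):
        for name in entry["name_value"].splitlines():
            reasons = classify_host(name, brand_tokens, own_domain)
            if reasons:
                findings.setdefault(name.lower().lstrip("*."), {
                    "reasons": reasons,
                    "issuer": entry["issuer_name"],
                    "not_before": entry["not_before"],
                })
    return findings


if __name__ == "__main__":
    for host, info in sorted(triage_ct_export(SAMPLE_CT_JSON).items(),
                             key=lambda kv: kv[1]["not_before"], reverse=True):
        print(f"{info['not_before']}  {host}")
        for reason in info["reasons"]:
            print(f"    - {reason}")
```

Sort the findings by not_before, as the main block does, so the newest certificates (the ones most likely to be staged but not yet used) come first; names under your own domain are skipped here because they need a different review, namely whether you recognise every subdomain.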

What to Do When You Find a Phishing Kit Using Your Brand

  1. Document everything: Screenshot the phishing page, capture the full URL, note the sending domain and email addresses used, record the target audience if known
  2. Report to the registrar: File an abuse report with the domain registrar for the phishing domain — most registrars have an abuse contact and take brand impersonation seriously
  3. Report to Google Safe Browsing: Submit the phishing URL at safeweb.norton.com or Google's Safe Browsing reporting page — they'll add it to blocklists that protect other users
  4. Report to the hosting provider: If the phishing site is hosted on a known provider (Cloudflare, AWS, DigitalOcean), file an abuse report — Cloudflare especially has a strong anti-phishing policy and often takes down phishing sites within hours
  5. Report to email providers: Forward the phishing email (with full headers) to [email protected] or the anti-phishing team at the major email providers (Microsoft, Google, Yahoo)
  6. Inform your customers: If customers were targeted, send a clear, direct email alerting them — include the actual signs of the real vs fake communication
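For step 1 (document everything) and step 5 (forward with full headers), the following added example, which is not from the article, pulls the evidence an abuse report needs out of a saved .eml file: sender domains, the Received chain, the receiving server's Authentication-Results verdicts and every link in the body, and then lists why the message looks like impersonation of the From domain. SAMPLE_EML is a constructed message using documentation addresses and the 203.0.113.0/24 test range.

```python
"""Extract report evidence from a raw phishing email.

Added example, not code from the article. SAMPLE_EML is constructed: a
spoofed From: on the real domain, a lookalike Reply-To and link, and the
receiver's Authentication-Results as a server without DMARC enforcement
would stamp them. Feed build_evidence() the full .eml text you saved.
"""
import email
import email.utils
import re
from urllib.parse import urlsplit

SAMPLE_EML = """\
Return-Path: <bounce@relay.bad-sender.example>
Received: from relay.bad-sender.example (relay.bad-sender.example [203.0.113.45])
 by mx.yourmailhost.example with ESMTP id k7x2f
 for <customer@recipient.example>; Mon, 02 Mar 2026 09:14:02 +0000
Authentication-Results: mx.yourmailhost.example;
 spf=none smtp.mailfrom=relay.bad-sender.example;
 dkim=none;
 dmarc=none header.from=yourcompany.com
From: "YourCompany Support" <support@yourcompany.com>
Reply-To: helpdesk@yourcompany.com-support.top
To: customer@recipient.example
Subject: Action required: verify your account
Date: Mon, 02 Mar 2026 09:13:55 +0000
Content-Type: text/plain; charset=utf-8

We detected unusual activity on your account. Please verify at
https://yourcompany.com-support.top/login?ref=mail
within 24 hours or your access will be suspended.
"""

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def _unfold(value):
    """Collapse folded header continuation lines into one line."""
    return " ".join(str(value).split())


def _domain(addr_header):
    """Lower-cased domain of the first address in a header ('' if none)."""
    _, addr = email.utils.parseaddr(_unfold(addr_header or ""))
    return addr.rpartition("@")[2].lower()


def parse_auth_results(value):
    """Map spf/dkim/dmarc to their verdicts from an Authentication-Results header."""
    return {m: v.lower() for m, v in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", _unfold(value))}


def _body_text(msg):
    """Concatenate every text/plain part (walk() yields a single-part message itself)."""
    chunks = []
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True) or b""
            chunks.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def build_evidence(raw):
    """Structured record of the headers and links worth putting in an abuse report."""
    msg = email.message_from_string(raw)
    return {
        "subject": _unfold(msg.get("Subject", "")),
        "date": _unfold(msg.get("Date", "")),
        "from": _unfold(msg.get("From", "")),
        "from_domain": _domain(msg.get("From")),
        "return_path_domain": _domain(msg.get("Return-Path")),
        "reply_to_domain": _domain(msg.get("Reply-To")),
        "received": [_unfold(r) for r in msg.get_all("Received", [])],
        "auth": parse_auth_results(msg.get("Authentication-Results", "")),
        "urls": [u.rstrip(".,;)") for u in URL_RE.findall(_body_text(msg))],
    }


def indicators(ev):
    """Human-readable reasons this message looks like impersonation of the From domain."""
    out = []
    fd = ev["from_domain"]
    if ev["auth"].get("dmarc") != "pass":
        out.append(f"DMARC result is {ev['auth'].get('dmarc', 'absent')} for From domain {fd}")
    if ev["return_path_domain"] and ev["return_path_domain"] != fd:
        out.append(f"envelope sender domain {ev['return_path_domain']} differs from From domain {fd}")
    if ev["reply_to_domain"] and ev["reply_to_domain"] != fd:
        out.append(f"Reply-To domain {ev['reply_to_domain']} differs from From domain {fd}")
    for url in ev["urls"]:
        host = (urlsplit(url).hostname or "").lower()
        if host != fd and not host.endswith("." + fd):
            out.append(f"link host {host} is not under {fd}")
    return out


if __name__ == "__main__":
    evidence = build_evidence(SAMPLE_EML)
    for key, value in evidence.items():
        print(f"{key}: {value}")
    print("indicators:", *indicators(evidence), sep="\n  ")
```

The Received line and the Authentication-Results verdicts are what the email provider's abuse team will look at first, so keep them verbatim in the report; the indicators list is your summary for the registrar and hosting provider, who mostly care about the link host.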

How to Prevent Your Domain From Being Used in Future Phishing

The only real solution is properly configured email authentication: SPF, DKIM, and a DMARC policy that receivers actually enforce.

What to Do Right Now

  1. Check your DMARC record at _dmarc.yourdomain.com — if it doesn't exist or says p=none, that's your highest-priority fix
  2. Set up DMARC monitoring (p=quarantine) for 30 days before switching to p=reject
  3. Search crt.sh for your domain and look for suspicious lookalike domains in the results
  4. Submit any phishing infrastructure you find to the relevant abuse teams

Brand impersonation phishing doesn't require the attacker to compromise your systems — they just need your domain to not be protected. That gap is fixable, and the fix is free. The cost of not fixing it is your customers' trust.

Brand impersonation phishing uses your own domain to betray your customers' trust.
