
I’ve been looking at phishing resistance around UK government domains, especially in the context of HMRC impersonation, and found something I thought this sub might find interesting.
When querying TXT records for undelegated / non-existent gov.uk domains, the namespace appears to return email authentication records anyway.
For example:

```
dig TXT randomstring.gov.uk
```

returns:

```
randomstring.gov.uk. 1800 IN TXT "v=DMARC1;p=reject;rua=mailto:govuk-rua@dmarc.service.gov.uk"
randomstring.gov.uk. 1800 IN TXT "v=spf1 ?all"
```
If this is intentional, it’s a pretty powerful defensive pattern.
The usual anti-spoofing controls protect domains you own and operate. But attackers often abuse names that do not exist yet, for example:
- hmrc-tax-refund.gov.uk
- secure-hmrc-payment.gov.uk
- randomstring.gov.uk
If those domains are undelegated and return no DNS records, there's normally no SPF or DMARC policy for receivers to evaluate. In this case, gov.uk seems to be closing that gap by making undelegated direct subdomains signal "don't trust mail from here".
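As an added example (not code from the original post, and not a description of how gov.uk actually does it), the following Python models the defence as a wildcard TXT RRset at `*.gov.uk` and shows what an SPF/DMARC-checking receiver would see for mail claiming to come from an undelegated name. The wildcard mechanism is an assumption the post does not confirm; the zone, the hypothetical `service.gov.uk` records and the public-suffix subset are constructed, and only the two wildcard strings are copied from the dig output above. It also covers two details a receiver-side view needs: DMARC is looked up at the `_dmarc.` label, which a wildcard answers for as long as no intermediate name exists, and beneath a subdomain that does exist the wildcard no longer matches, so the receiver falls back to that organisational domain's own DMARC record instead.

```python
"""Model of a namespace-level SPF/DMARC defence and the receiver's view of it.

Added example, not code from the original post. It ASSUMES the behaviour is
produced by a wildcard TXT RRset at *.gov.uk; the post does not confirm how
gov.uk actually implements it.
"""
import re
from typing import Dict, List, Optional

# Constructed zone: existing names mapped to their TXT strings (empty list =
# name exists but has no TXT). The two wildcard strings are the ones quoted
# in the post; service.gov.uk and its records are hypothetical.
ZONE: Dict[str, List[str]] = {
    "gov.uk": [],
    "*.gov.uk": [
        "v=DMARC1;p=reject;rua=mailto:govuk-rua@dmarc.service.gov.uk",
        "v=spf1 ?all",
    ],
    "service.gov.uk": ["v=spf1 -all"],
    "_dmarc.service.gov.uk": ["v=DMARC1; p=quarantine"],
}

# Constructed subset of the Public Suffix List, enough for org-domain lookup.
PUBLIC_SUFFIXES = {"uk", "gov.uk"}


def lookup_txt(name: str) -> Optional[List[str]]:
    """TXT lookup with RFC 4592 wildcard semantics; None means NXDOMAIN.

    A wildcard answers for any name under it, however many labels deep, but
    only if no name exists between the queried name and the wildcard's parent.
    """
    name = name.rstrip(".").lower()
    if name in ZONE:
        return ZONE[name]
    labels = name.split(".")
    for i in range(1, len(labels)):
        ancestor = ".".join(labels[i:])
        if ancestor in ZONE:  # closest encloser found
            return ZONE.get("*." + ancestor)  # its wildcard, or NXDOMAIN
    return None


SPF_QUALIFIERS = {"": "pass", "+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_verdict(records: Optional[List[str]]) -> str:
    """SPF result for a sending host that matches no mechanism before 'all'."""
    spf = [r for r in records or [] if r.lower().startswith("v=spf1")]
    if not spf:
        return "none"
    if len(spf) > 1:
        return "permerror"  # RFC 7208 s4.5: multiple records are an error
    for term in spf[0].split()[1:]:
        m = re.fullmatch(r"([+\-~?]?)all", term, re.IGNORECASE)
        if m:
            return SPF_QUALIFIERS[m.group(1)]
    return "neutral"  # no 'all' term: RFC 7208 s4.7 default result


def dmarc_tags(name: str) -> Optional[Dict[str, str]]:
    """Parse the DMARC record at `name` (e.g. _dmarc.example) into its tags."""
    for rec in lookup_txt(name) or []:
        if rec.replace(" ", "").lower().startswith("v=dmarc1"):
            tags = {}
            for part in rec.split(";"):
                if "=" in part:
                    k, v = part.split("=", 1)
                    tags[k.strip().lower()] = v.strip()
            return tags
    return None


def org_domain(domain: str) -> str:
    """Organisational domain: one label below the longest public suffix."""
    labels = domain.lower().split(".")
    for i in range(1, len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[i - 1:])
    return domain


def dmarc_policy(domain: str) -> Optional[str]:
    """Policy a receiver applies to RFC5322.From `domain` (RFC 7489 s6.6.3)."""
    tags = dmarc_tags(f"_dmarc.{domain}")
    if tags is not None:
        return tags.get("p", "none").lower()
    org = org_domain(domain)
    if org == domain:
        return None
    tags = dmarc_tags(f"_dmarc.{org}")  # fall back to the org domain's record
    if tags is None:
        return None
    return tags.get("sp", tags.get("p", "none")).lower()  # 'sp' covers subdomains


def receiver_view(domain: str) -> Dict[str, Optional[str]]:
    """What an SPF/DMARC-checking receiver learns about mail claiming `domain`."""
    return {"spf": spf_verdict(lookup_txt(domain)), "dmarc": dmarc_policy(domain)}


if __name__ == "__main__":
    for d in ["randomstring.gov.uk", "hmrc-tax-refund.gov.uk",
              "deep.hmrc-tax-refund.gov.uk", "service.gov.uk", "bogus.service.gov.uk"]:
        print(f"{d:32} {receiver_view(d)}")
```

Run as a script it prints one line per name: the undelegated names come back with SPF neutral and DMARC reject from the wildcard, while `bogus.service.gov.uk` gets no wildcard answer at all (its closest enclosing name exists) and inherits `quarantine` from the hypothetical `_dmarc.service.gov.uk`. That second case is the practical caveat of a namespace-level wildcard: every delegated subdomain has to carry its own records, because the parent wildcard stops covering anything beneath it.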
I haven’t found public documentation from GDS, NCSC, or others describing this as a namespace-level anti-phishing control, so I’m curious whether anyone has seen it documented or knows more about the implementation.
A few observations:
- This seems to apply to direct `*.gov.uk` names.
- I didn't see the same behaviour for nhs.uk or gov.scot.
The broader point is that most organisations protect the domains they use. This looks like an attempt to protect the surrounding namespace too, which is a much more ambitious phishing defence.
I wrote up the full notes here, including background on HMRC phishing and why this matters:
https://cybaa.io/blog/2026-04-27/gov-uk-namespace-spoofing-protection
I would be interested to hear whether others have seen similar namespace-level SPF/DMARC handling elsewhere, or any public information about gov.uk implementing this.