In this article:
Issue findings in the Application Security factor do not impact your Scorecard score for domains that are parked. When you identify a domain as parked, whether you are managing your Digital Footprint or attempting to resolve an issue finding, our Support team inspects the domain for specific criteria to ensure it is properly parked.
Use this article for guidance to make sure your domain is parked according to SecurityScorecard criteria and that you use best practices protect your employees and customers from malicious abuse of parked domains.
What is a parked domain?
A parked domain is one that is not in use. An organization has registered the domain with a service such as GoDaddy or Sedo, but is not pointing the domain to a website or any online content. For anyone visiting the domain, the registrar displays a page with a message indicating that the domain is not in use or a corresponding site cannot be reached.
A legitimate organization may park a domain for various reasons:
- They want to generate revenue by publishing advertising content.
- They want to reserve a domain for future use.
- They want to prevent threat actors from registering the domain.
- The website is still in development.
- The domain name has expired.
Meet SecurityScorecard criteria for a parked domain
Use the following guidelines for ensuring that your parked domain meets SecurityScorecard's criteria:
- If the parked domain resolves to any site other than a parking service such as GoDaddy or Sedo, that site must encrypt visitor traffic with HTTPS. SecurityScorecard does not accept refutes in the HTTPS category if the domain resolves.
The parked domain does not redirect to an active website. If the parked domain redirects to an organization's site, we do not remove the issue findings from the Scorecard.
Valid parked domain: Domain registrar page is served.
Invalid parked domain: Redirection to a the main company site)
If there is a name server configured on the parked domain, it has an SPF record with the
v=spf1 -all flag.
- If there is no name server configured on the parked domain, SecurityScorecard accepts resolution on findings for the SPF Record Missing issue type.
- There are no active subdomains on the parked domain.
- There is no DNS mail exchange (MX) record associated with the domain. A parked domain with an MX record can send email for phishing purposes.
Tip: SecurityScorecard recommends, but does not require, configuring your parked assets to send a HTTP Strict Transport Security (HSTS) header in response to visiting browser requests. This ensures that the site over a secure HTTPS connection.
Tagging Parked Domains
We automatically tag domains that we identify as parked on a nightly basis. So, if you meet the properly parked criteria for a given domain, any issue findings in the Application Security factor will stop impacting your score for that domain within a few days, based on our score update cycle.
Additionally, tagging Parked or Semi Parked domains manually carries an extended impact on domain management. When these system tags are applied to the apex domains, a notable change takes place in the tagging structure—the influence now extends to encompass all subdomains under the tagged apex domain. This is a positive change to streamline the tagging process, ensuring that the organizational or security classifications assigned to the main domain seamlessly cascade to its subdomains.
Note: We do not remove correctly attributed parked domains from the Scorecard Digital Footprint.
Use best practices with parked domains to keep customers secure
Most parked domains are safe and eventually point to legitimate websites; however threat actors can use parked domains with names similar to yours for malicious purposes:
- Redirecting visitors to malicious pages or content; for example, threat actors used parked domains as a distribution channel for Emotet malware in 2020.
- Publishing malicious content, such a phishing page, on the domain
- Sending phishing emails under the guise of a legitimate organization
Threat actors may also park domains long enough to avoid detection by services that scan and monitor newly register domains. After the scanning window expires, the threat actors will use the domain to launch a phishing site.
To protect your employees and customers, automate the monitoring of parked domains with regular frequency. Alert potential victims of fraudulent sites and encourage them to send you emails that they suspect are phishing attempts.
Add malicious domains to your blocklist for the mailers you control. Be aware that this only protects employees and anyone within in your own domain.
Read about best practices for parked domains.