I've got to be honest, I'm not even sure how to summarise this issue to search for answers on Google, so STW is obviously the best place to turn!
I have a small website with attached email account, for my work. Periodically, I'll start receiving emails purporting to be from "support@[my domain name]" or "webmaster@[my domain name]". My usual thought would be it's just normal spam.
But invariably, when I go to check the DNS Zone records for my domain, there will be a number of new (not created by me) spammy DNS Zones, called things like "_b7d2ec334848ea1e2b6fd919443c611a.mail.[my domain name]" and "_a11681f1b1a826324bdc6f7c38d21791.mail.[my domain name]".
All other DNS records look fine - MX, SPF, DKIM etc. look untouched; it's just that there are (this time) 12 of these new CNAME records featuring "mail". And when I delete all those spammy records, the spam emails claiming to be from my domain stop appearing.
I don't actually know a huge amount about website management (I've managed not to completely bork things), but wtf is going on here?
Who is your hosting provider (and are they your DNS registrar/hosting provider too)? The sub-zone is either something they're doing for some functional reason (although I can't think what) or it's compromised (are you able to manage your domain directly via a web portal, or do you have to request your provider do it?)
In AWS you end up creating domain entries exactly like that when creating a TLS certificate to validate that you are the owner of the domain.
https://docs.aws.amazon.com/acm/latest/userguide/dns-validation.html
So if you have a cert for your mail.[mydomainname] domain, that might be the reason if it's hosted by AWS.
What type of record are they? TXT, CNAME, MX?
tbh, whatever it is, I'd be asking whoever your registrar and DNS host is, not us lot on here; we can speculate (with some skill, as there is lots here) but only the host will have the real answer.
I can't see how anyone other than you or your host could be adding DNS records, but if it is a spammer somehow forging CNAME records it might be an attempt to claim ownership of the domain. See https://developers.google.com/search/blog/2012/08/domain-verification-using-cname-records
What do the headers on the spam emails say? Are they showing 'pass' for SPF, DMARC etc, and if so, are they from a source that should be marked as a pass?
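As an added example (not code from the thread or any poster), here is a small Python zone audit that does what several replies suggest: snapshot the zone as a baseline, diff the live zone against it, and bucket any new `_<hex>.mail.<domain>` CNAMEs into "looks like ACM DNS validation" (target suffix `.acm-validations.aws.` taken from the AWS docs linked above) versus "validation-style but pointing somewhere unrecognised". The record tuples below are constructed sample data; exporting them from your DNS host's portal or API is assumed.

```python
import re
from typing import Dict, List, Tuple

# Owner names shaped like the ones in the question: _<32 hex chars>.mail.<domain>
VALIDATION_LABEL = re.compile(r"^_[0-9a-f]{32}\.", re.IGNORECASE)
# CNAME target suffix used by AWS ACM DNS validation (per the AWS docs linked in the thread)
KNOWN_VALIDATION_TARGETS = (".acm-validations.aws.",)

Record = Tuple[str, str, str]  # (owner, type, rdata)

def classify_record(rec: Record) -> str:
    """Label a record: ordinary, ACM-style validation, or validation-style with an unknown target."""
    owner, rtype, rdata = rec
    if rtype.upper() == "CNAME" and VALIDATION_LABEL.match(owner):
        if rdata.lower().endswith(KNOWN_VALIDATION_TARGETS):
            return "acm-validation"
        return "unknown-validation-style"
    return "ordinary"

def audit_zone(baseline: List[Record], current: List[Record]) -> Dict[str, List[Record]]:
    """Diff the live zone against a saved baseline and bucket every added record."""
    known, live = set(baseline), set(current)
    report: Dict[str, List[Record]] = {
        "removed": [r for r in baseline if r not in live],
        "acm-validation": [], "unknown-validation-style": [], "ordinary": [],
    }
    for rec in current:
        if rec not in known:
            report[classify_record(rec)].append(rec)
    return report

# Constructed sample zone: the baseline is what the owner originally created.
BASELINE: List[Record] = [
    ("example.invalid.", "MX", "10 mail.example.invalid."),
    ("example.invalid.", "TXT", '"v=spf1 mx -all"'),
    ("_dmarc.example.invalid.", "TXT", '"v=DMARC1; p=reject"'),
    ("www.example.invalid.", "CNAME", "example.invalid."),
]
# The live zone has two new CNAMEs using the hash labels quoted in the question (targets constructed).
CURRENT: List[Record] = BASELINE + [
    ("_b7d2ec334848ea1e2b6fd919443c611a.mail.example.invalid.", "CNAME",
     "_0123456789abcdef0123456789abcdef.xyz.acm-validations.aws."),
    ("_a11681f1b1a826324bdc6f7c38d21791.mail.example.invalid.", "CNAME",
     "verify.unrecognised-target.invalid."),
]

if __name__ == "__main__":
    for bucket, recs in audit_zone(BASELINE, CURRENT).items():
        for owner, rtype, rdata in recs:
            print(f"{bucket:26} {rtype:6} {owner} -> {rdata}")
```

Anything in the "unknown-validation-style" or "removed" buckets is what to raise with the host; an "acm-validation" entry still only belongs there if you (or your host) actually requested a certificate for that name.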