DNS Filtering and Email Security

No. DNS filtering does not block, scan, or filter emails. It cannot read email content, detect spam, quarantine attachments, or prevent malicious messages from arriving in your inbox.

This is one of the most common misconceptions about DNS filtering. Email delivery uses protocols like SMTP, IMAP, and POP3 that operate independently of DNS resolution for content access. When an email arrives at your mail server, DNS filtering has no role in that transaction.

What DNS filtering does do is protect users after they interact with a malicious email. When someone clicks a link in a phishing email, that click triggers a DNS query to resolve the attacker's domain. That's where CleanBrowsing steps in — blocking the resolution so the browser never reaches the malicious site.

Think of it this way: email security is the lock on your front door. DNS filtering is the guard that stops you from walking into a trap after you've already opened a suspicious letter.

To understand why DNS filtering matters for email security, you need to understand how most email attacks actually work. The email itself is just the delivery mechanism — the damage happens when users take action.

The Anatomy of a Phishing Attack

• Delivery: The attacker sends an email that impersonates a trusted brand, colleague, or service. The email passes through (or bypasses) email security filters
• The lure: The email contains a link — "verify your account," "review this invoice," "reset your password" — designed to create urgency
• The click: The user clicks the link. Their browser makes a DNS query to resolve the attacker's domain (e.g., login-micros0ft-verify.com)
• The payload: If the DNS query resolves, the browser loads a fake login page, a malware download, or a credential-harvesting form

Common Email Threat Types

• Credential phishing: Fake login pages that steal usernames and passwords. These are hosted on newly registered or compromised domains
• Malware delivery: Links that download ransomware, trojans, or spyware. The download is hosted on a domain that DNS filtering can block
• Business email compromise (BEC): Impersonation attacks that direct users to fraudulent payment portals or file-sharing links
• Drive-by downloads: Links to compromised websites that automatically exploit browser vulnerabilities

In every case, the attack relies on the user's device resolving a domain name. That DNS query is the point where DNS filtering intervenes.

DNS filtering operates at the domain resolution layer. When a user clicks a malicious link, CleanBrowsing evaluates the DNS query and blocks it if the domain is known to be malicious, newly registered, or in a blocked category.

DNS Filtering Protects Against:

• Known phishing domains: CleanBrowsing maintains threat intelligence feeds that identify domains used in active phishing campaigns. When a user clicks a phishing link, the DNS query is blocked before the fake page loads
• Newly registered domains: Most phishing domains are registered within hours of an attack. DNS filtering can flag or block domains that are less than 30 days old — a strong signal of malicious intent
• Malware command-and-control (C2): If a device is already infected, the malware needs to communicate with its C2 server via DNS. Blocking those domains contains the infection
• Typosquatting domains: Domains that mimic legitimate brands (e.g., paypa1.com, amaz0n-support.com) are commonly used in phishing emails and blocked by DNS filtering
• Compromised legitimate domains: When attackers inject phishing pages into hacked websites, those domains often get flagged in threat feeds

DNS Filtering Does NOT Protect Against:

• Email content: Spam, scam text, social engineering language — DNS filtering cannot read email body content
• Attachments: Malicious PDFs, Office documents with macros, ZIP files — these are not DNS queries
• Reply-based attacks: BEC attacks that ask users to wire money or share credentials via email reply don't involve clicking a link
• Legitimate domain abuse: If an attacker hosts a phishing page on a subdomain of a legitimate service (e.g., a Google Forms credential harvester), DNS filtering may not block it because the parent domain is trusted

DNS filtering and email filtering operate at completely different layers of the network stack. They're complementary, not competitive.

The key insight: email filtering catches threats before delivery. DNS filtering catches threats after the click. No email filter catches 100% of phishing emails — which is exactly why the DNS layer matters.

Email security tools are good — but they're not perfect. Industry data consistently shows that 1-3% of phishing emails bypass even the best email filters. For an organization receiving thousands of emails per day, that's dozens of malicious messages reaching inboxes every week.

The Layered Defense Model

• Layer 1 — Email filtering: Catches the majority of spam, phishing, and malware before it reaches users. This is your primary defense
• Layer 2 — User training: Security awareness training teaches users to recognize phishing. But humans make mistakes, especially under pressure or fatigue
• Layer 3 — DNS filtering: When a phishing email bypasses the filter AND the user clicks the link, DNS filtering blocks the malicious domain. This is your safety net
• Layer 4 — Endpoint protection: If the malicious site somehow loads, endpoint security (antivirus, EDR) provides the final layer

Real-World Scenario

A school district using CleanBrowsing for education receives a phishing email impersonating Google Classroom. The email passes through Microsoft 365's built-in filters because the sending domain is a compromised legitimate address. A teacher clicks the "review student submission" link.

Without DNS filtering: the browser loads a fake Google login page, the teacher enters their credentials, and the attacker gains access to the school's Google Workspace.

With CleanBrowsing: the DNS query for the phishing domain is blocked. The teacher sees a block page instead of a fake login form. The attack fails at the DNS layer, and the DNS logs alert the IT team to investigate the phishing campaign.

DNS Filtering Covers More Than Email

Unlike email filtering (which only protects the email channel), DNS filtering protects against threats from every source — malicious ads, compromised websites, messaging app links, QR codes, social media posts, and SMS phishing (smishing). If it involves resolving a domain, CleanBrowsing can block it.

Can CleanBrowsing block spam emails?

No. CleanBrowsing is a DNS filtering service — it does not process, inspect, or filter email messages. To block spam, you need an email security solution like Microsoft Defender for Office 365, Google Workspace protections, Proofpoint, or SpamTitan.

If I already have email filtering, do I still need DNS filtering?

Yes. No email filter catches 100% of phishing emails. DNS filtering acts as a safety net for the messages that slip through. It also protects against threats that don't come via email — malicious websites, compromised ads, messaging app links, and more.

Does DNS filtering protect against phishing?

DNS filtering protects against the payload of phishing attacks — the malicious domains that phishing links point to. It blocks the DNS resolution of known phishing domains, newly registered domains, and typosquatting domains. It does not prevent the phishing email from arriving in the inbox.

Can DNS filtering block malware from email attachments?

Not directly. DNS filtering doesn't scan email attachments. However, if a malicious attachment (like a PDF or Office document) contains a link that the user clicks, or if it downloads additional malware from a remote server, DNS filtering blocks those outbound DNS queries.

How does CleanBrowsing identify phishing domains?

CleanBrowsing uses multiple threat intelligence feeds, domain reputation scoring, and newly registered domain detection to identify malicious domains. When a domain is flagged, DNS queries to that domain are blocked across all CleanBrowsing users and filter profiles.

What about MX records and DNS?

MX records are DNS records that direct email delivery to the correct mail server. While MX records use DNS, CleanBrowsing's filtering applies to user-initiated DNS queries (browsing, app connections), not to mail server routing. Your email delivery is not affected by CleanBrowsing.

Does DNS filtering work on mobile devices?

Yes. CleanBrowsing can be deployed on mobile devices using DNS over HTTPS (DoH) or DNS over TLS (DoT) profiles. This means phishing link protection works even when users are off-network — at home, on cellular data, or on public WiFi.

Is DNS filtering enough to be CIPA compliant?

DNS filtering is a core component of CIPA compliance, but compliance also requires an internet safety policy, monitoring, and user education. DNS filtering satisfies the technology protection measure requirement. See our full CIPA compliance guide for details.