

Domain OSINT: subdomains and company employee emails (2026)

Learn to investigate a domain with OSINT: subdomain enumeration, employee email discovery, WHOIS and DNS records, certificates and exposure. A practical, legal guide.

By afsh4ck, June 13, 2026

Investigating a domain is one of the first steps of any security audit or red-team engagement. Learn to enumerate subdomains, discover real employee emails, analyse WHOIS and DNS records and map an organisation's exposure surface, all from open sources.

What does a domain reveal?

A corporate domain is the gateway to an organisation's attack surface. From it you can discover:

  • Subdomains (vpn.company.com, mail.company.com, internal panels…).
  • Employee emails following the corporate pattern.
  • WHOIS and DNS records (registrar, dates, MX, SPF, DMARC).
  • TLS certificates and exposed services.
  • Technology and providers (cloud, CDN, email).

This process is known as footprinting and is the foundation of the reconnaissance phase.

Step 1: Subdomain enumeration

Subdomains reveal forgotten services, staging environments, admin panels and APIs that expand the attack surface. Passive enumeration (without touching the target's infrastructure) combines sources like Certificate Transparency (crt.sh), subdomain engines and tools like BBOT.

crt.sh                → issued certificates
BBOT (passive)        → hundreds of subdomains without touching the target
DNS / MX / SPF        → email and service infrastructure

Domain Analyzer in OSINT UI

With Domain Analyzer you get a full map of a domain in seconds: validated subdomains, WHOIS, DNS, certificates, reputation and emails, combining dozens of passive sources.


Step 2: Discover the employees' emails

Obtaining real employee emails (first.last@company.com) is one of the most valuable goals: it lets you map the org chart, prepare awareness campaigns or assess phishing risk.

The most effective techniques are:

  • Passive enumeration with BBOT and theHarvester, which crawl search engines and public sources.
  • Hunter.io, which aggregates corporate emails with name and department.
  • Domain-filtered web search ("@company.com"), discarding generic mailboxes (info@, hr@) to keep real people.

Domain Analyzer unifies all these sources into a single deduplicated email list, deriving the employee's name from the first.last@ pattern.

Step 3: WHOIS, DNS and exposure

WHOIS records reveal the registrar, creation and expiry dates and sometimes contact data. DNS records (MX, TXT, SPF, DMARC) show how email is handled and whether the domain is protected against spoofing. TLS certificates and exposed services complete the surface map.
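
A defender's check for the spoofing question raised above, as an added example (not code from the original post or from OSINT UI): it grades SPF and DMARC TXT records that have already been fetched. The function names and the sample records are constructed for illustration.

```python
def parse_spf(apex_txt):
    """Return (status, detail) for the SPF policy among apex TXT records."""
    spf = [r for r in apex_txt if r.lower().split()[:1] == ["v=spf1"]]
    if not spf:
        return "missing", "no v=spf1 record"
    if len(spf) > 1:
        return "invalid", "multiple SPF records (RFC 7208 permerror)"
    terms = spf[0].lower().split()[1:]
    for term in terms:
        if term.lstrip("+-~?") == "all":
            qualifier = term[0] if term[0] in "+-~?" else "+"
            names = {"-": "strict", "~": "softfail", "?": "neutral", "+": "open"}
            return names[qualifier], term
    if any(t.startswith("redirect=") for t in terms):
        return "delegated", "policy lives in the redirect target"
    return "neutral", "no 'all' mechanism, default result is neutral"

def parse_dmarc(dmarc_txt):
    """Return the tag dict of the single DMARC record, else None."""
    recs = [r for r in dmarc_txt if r.strip().lower().startswith("v=dmarc1")]
    if len(recs) != 1:  # absent or ambiguous: receivers apply no policy
        return None
    pairs = (p.split("=", 1) for p in recs[0].split(";") if "=" in p)
    return {k.strip().lower(): v.strip() for k, v in pairs}

def assess(apex_txt, dmarc_txt):
    """Combine both checks into a status summary plus findings to fix."""
    spf_status, spf_detail = parse_spf(apex_txt)
    dmarc = parse_dmarc(dmarc_txt)
    policy = dmarc.get("p", "none").lower() if dmarc else "missing"
    pct = dmarc.get("pct", "100") if dmarc else "0"
    enforced = policy in ("quarantine", "reject") and pct == "100"
    findings = []
    if spf_status in ("missing", "invalid", "open", "neutral"):
        findings.append(f"SPF {spf_status}: {spf_detail}")
    if policy == "missing":
        findings.append("DMARC missing: no policy for mail that fails checks")
    elif not enforced:
        findings.append(f"DMARC not enforcing: p={policy} pct={pct}")
    return {"spf": spf_status, "dmarc": policy, "enforced": enforced, "findings": findings}

# Constructed sample records (documentation names, not a real domain).
WEAK_APEX = ["site-verification=abc123", "v=spf1 include:_spf.mail.example ~all"]
WEAK_DMARC = ["v=DMARC1; p=none; rua=mailto:dmarc@company.example"]
STRONG_APEX = ["v=spf1 ip4:192.0.2.0/24 -all"]
STRONG_DMARC = ["v=DMARC1; p=reject; pct=100; adkim=s; aspf=s"]
if __name__ == "__main__":
    print(assess(WEAK_APEX, WEAK_DMARC))
    print(assess(STRONG_APEX, STRONG_DMARC))
```

The first argument is the list of TXT strings at the domain apex and the second is the list at `_dmarc.<domain>`; an empty `findings` list means both controls are published and enforcing.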


Best practices and legality

Domain OSINT works with public information. Remember:

  • Don't run intrusive scans without authorisation.
  • Don't access protected panels or services.
  • Comply with GDPR and local regulations.
  • Use these techniques only in authorised audits and for legitimate purposes.

Conclusion

Investigating a domain with OSINT lets you map subdomains, discover real employee emails and understand a company's exposure surface, all without touching its infrastructure. It's the foundation of reconnaissance in any security audit.

Try Domain Analyzer for free and get the full map of any domain in seconds.
