Punycode
Learn what Punycode is, how it converts internationalized domain names, and how DMARCeye detects spoofed or lookalike domains using encoded scripts.
What is Punycode?
Punycode is an encoding system that converts Unicode domain names containing non-ASCII characters into a standardized ASCII format that can be used by the Domain Name System (DNS). It enables internationalized domain names (IDNs) by representing characters from languages like Arabic, Chinese, or Cyrillic in a form compatible with traditional DNS infrastructure.
Because the DNS can only interpret letters (A–Z), digits (0–9), and hyphens, Punycode provides a translation layer that converts complex scripts into a readable ASCII representation starting with xn--. This allows global users to register and access domains in their native languages while maintaining technical compatibility.
How Punycode Works
Example conversion:
bücher.de → xn--bcher-kva.deThe browser converts “bücher.de” into its Punycode equivalent before sending a DNS query. When the server responds, the browser displays the Unicode version to the user.
Punycode and Security Risks
While Punycode enables language inclusivity, it also introduces security concerns such as homograph attacks. Threat actors can register visually similar domains using different character sets to impersonate trusted brands — for example, substituting Cyrillic “а” for Latin “a” to spoof “apple.com.”
To mitigate these risks, browsers and security systems often restrict or flag mixed-script domain names. Email authentication protocols like SPF, DKIM, and DMARC also help detect and prevent spoofing that exploits Punycode similarities.
Punycode and DMARCeye
DMARCeye used AI-based technology to decode and normalize Punycode domains within authentication reports to ensure accurate visibility across internationalized and multilingual domains. By identifying lookalike or maliciously registered variants, DMARCeye helps organizations protect their global brand presence and prevent domain impersonation.
This capability ensures that even IDNs are covered under full DMARC protection, maintaining consistency across languages and character sets. In turn, this help you understand who is using your email domain to send what to whom, and act fast in case of suspected abuse.
Sign up for a free trial of DMARCeye today and secure your email domain.
To learn more about DMARC and DMARC-related terms, explore the DMARCeye Glossary.