email-security

Protect Domains that do not Send Email

April 18, 2021

If you own a domain name but do not use it for sending email, it is important that you configure this domain correctly so that email servers around the world know not to accept emails from this domain.

This might be the case if you have a parked domain, or multiple domains but only use one for sending emails.

Even if you are not using your domain to send email, spoofers may still attempt to send email impersonating your domain pretending to be from you.

Here are 4 simple things to do in DNS now to help protect your domain:

1. Create an SPF Record

In your DNS Management portal, create a TXT Record with the following value:

v=spf1 -all

This will tell email servers around the world that your domain name should not send any email, giving them an indication that emails from this domain should be considered spam.

Tools: SPF Record Check, SPF Record Generator

How to create an SPF Record:
Create a TXT Record with these values:

  • Host: Either leave blank, or enter @
  • Value: v=spf1 -all
  • TTL: Leave default, or enter 1800

GoDaddy, DnsMadeEasy, NetRegistry

2. Create a DKIM Record

In your DNS Management portal, create a TXT Record with the following value:

v=DKIM1; p=

We can use this to help the receivers of the email think that the email signature isn’t valid because it sees the key as “revoked”. The way we do this is by specifying an empty key. In normal DKIM records, there are additional fields, but they aren’t needed since we are trying to create an intentionally denied record.

Tools: DKIM Record Lookup

How to create a DKIM Record:
Create a TXT Record with these values:

  • Host: *._domainkey.<your domain>
  • Value: v=DKIM1; p=
  • TTL: Leave default, or enter 1800

GoDaddy, DnsMadeEasy, NetRegistry

3. Create a DMARC Record

In your DNS Management portal, create a TXT Record with the following value:

v=DMARC1; p=reject; pct=100;

This will instruct email servers receiving emails from this domain to reject the email.

Tools: DMARC Check Tool

How to create a DMARC Record:
Create a TXT Record with these values:

  • Host: *._domainkey.<your domain>
  • Value: v=DMARC1; p=reject; pct=100;
  • TTL: Leave default, or enter 1800

GoDaddy, DnsMadeEasy, NetRegistry

4. Remove MX Records

In your DNS Management portal, delete and remove any MX Records that are published.

This will show email servers around the world that the domain should not receive any emails also.