Secure No-Email Domains

Last Edit: 2024.01.21

Overview

Configure DNS records for domains that do not send email to prevent spam.

MX

There should be no MX records if the domain will not be sending or receiving email. Delete existing MX records if the domain will no longer be used to send or receive email.

SPF

Create Sender Policy Framework (SPF) records for the base domain (@) and all subdomains (*). SPF records identify systems allowed to send email on the domain’s behalf.

For domains that do send email, refer to the email provider’s documentation for creating correct SPF records.

Base Domain

This record states that no systems are allowed to send email for the base domain (@).

Type  Name  Content      TTL
TXT   @     v=spf1 -all  3600

@ 3600 IN TXT "v=spf1 -all"

Subdomains

This record states that no systems are allowed to send email for any subdomain (*). It only works with DNS providers that support wildcard TXT records.

Type  Name  Content      TTL
TXT   *     v=spf1 -all  3600

* 3600 IN TXT "v=spf1 -all"

DKIM

Create DomainKeys Identified Mail (DKIM) records for the domain. A DKIM record publishes the public key that receivers use to verify the signature on a message and so confirm the sender was authorized to send email for that domain. For domains that don’t send email, the key should be explicitly published as empty.

This record states that the public key for any DKIM selector (*._domainkey) is empty, i.e. no valid signing key exists for the domain.

Type  Name          Content        TTL
TXT   *._domainkey  v=DKIM1; p=;   3600

*._domainkey 3600 IN TXT "v=DKIM1; p=;"

DMARC

Define a Domain-based Message Authentication, Reporting and Conformance (DMARC) record to publish a DMARC policy. A DMARC policy defines how receivers verify that an email is legitimate using SPF and DKIM, and how they should handle an email that fails verification.

The following record states that SPF and DKIM alignment is strict (adkim=s, aspf=s) and that all emails failing verification should be rejected, for the domain itself (p=reject) and for its subdomains (sp=reject).

Type  Name    Content                                           TTL
TXT   _dmarc  v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s;   3600

_dmarc 3600 IN TXT "v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s;"
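The MX, SPF, DKIM and DMARC records above together describe one posture, so a single check is the natural way to verify it. The script below is an added example, not code from the original page or from any of the referenced sources: it audits an in-memory set of DNS records (constructed here under the reserved name example.test, so it runs offline; in practice the record values would come from a DNS lookup) and reports every record that departs from the guidance. The zone layout, function names and the finding messages are this example's own choices.

```python
"""Offline audit of DNS records against the no-email posture above.

Added example (not from the original page). Record sets are constructed
in-line under the reserved name 'example.test', not a real domain.
"""
from typing import Dict, List

Zone = Dict[str, Dict[str, List[str]]]  # owner name -> {rrtype: [rdata, ...]}

# Constructed zone that follows the guidance: no MX, apex and wildcard SPF
# deny-all, empty wildcard DKIM key, strict reject DMARC.
GOOD_ZONE: Zone = {
    "example.test": {"MX": [], "TXT": ["v=spf1 -all"]},
    "*.example.test": {"TXT": ["v=spf1 -all"]},
    "*._domainkey.example.test": {"TXT": ["v=DKIM1; p=;"]},
    "_dmarc.example.test": {"TXT": ["v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s;"]},
}

# Constructed zone with typical leftovers: MX still present, soft-fail SPF,
# no wildcard or DKIM records, monitoring-only DMARC.
WEAK_ZONE: Zone = {
    "example.test": {"MX": ["10 mail.example.test."], "TXT": ["v=spf1 ~all"]},
    "_dmarc.example.test": {"TXT": ["v=DMARC1; p=none;"]},
}


def parse_tags(record: str) -> Dict[str, str]:
    """Split a DKIM/DMARC 'tag=value; tag=value;' string into a dict."""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        if "=" in part:
            key, _, value = part.partition("=")
            tags[key.strip().lower()] = value.strip()
    return tags


def spf_denies_all(record: str) -> bool:
    """True only for the exact policy 'v=spf1 -all' with no other mechanisms."""
    return [t.lower() for t in record.split()] == ["v=spf1", "-all"]


def dkim_key_is_empty(record: str) -> bool:
    """True for a DKIM key record whose p= tag is present but empty (revoked key)."""
    tags = parse_tags(record)
    return tags.get("v", "DKIM1").upper() == "DKIM1" and tags.get("p") == ""


def dmarc_rejects_strictly(record: str) -> bool:
    """True for p=reject, sp=reject (sp defaults to p) and strict SPF/DKIM alignment."""
    tags = parse_tags(record)
    if tags.get("v") != "DMARC1" or tags.get("p") != "reject":
        return False
    if tags.get("sp", tags["p"]) != "reject":
        return False
    # adkim/aspf default to relaxed ('r'), so they must be set explicitly.
    return tags.get("adkim", "r") == "s" and tags.get("aspf", "r") == "s"


def txt_records(zone: Zone, name: str, prefix: str) -> List[str]:
    """TXT rdata at `name` whose text starts with `prefix` (case-insensitive)."""
    return [r for r in zone.get(name, {}).get("TXT", []) if r.lower().startswith(prefix)]


def audit(zone: Zone, domain: str) -> List[str]:
    """Return a list of findings; an empty list means the zone matches the guidance."""
    findings: List[str] = []

    mx = zone.get(domain, {}).get("MX", [])
    if mx:
        findings.append(f"{domain}: MX records still present: {mx}")

    # Receivers treat more than one SPF record as a permanent error, so require exactly one.
    for name in (domain, f"*.{domain}"):
        spf = txt_records(zone, name, "v=spf1")
        if len(spf) != 1 or not spf_denies_all(spf[0]):
            findings.append(f"{name}: expected exactly one SPF record 'v=spf1 -all', found {spf}")

    dkim = txt_records(zone, f"*._domainkey.{domain}", "v=dkim1")
    if not dkim or not all(dkim_key_is_empty(r) for r in dkim):
        findings.append(f"*._domainkey.{domain}: expected 'v=DKIM1; p=;', found {dkim}")

    dmarc = txt_records(zone, f"_dmarc.{domain}", "v=dmarc1")
    if len(dmarc) != 1 or not dmarc_rejects_strictly(dmarc[0]):
        findings.append(f"_dmarc.{domain}: expected p=reject; sp=reject; adkim=s; aspf=s, found {dmarc}")

    return findings


if __name__ == "__main__":
    for label, zone in (("good", GOOD_ZONE), ("weak", WEAK_ZONE)):
        print(label, audit(zone, "example.test") or "OK")
```

Running the script prints "OK" for the compliant zone and five findings for the weak one (leftover MX, soft-fail SPF at the apex, missing wildcard SPF, missing wildcard DKIM record, monitoring-only DMARC). The SPF check is deliberately exact: a record carrying any mechanism other than -all, or a second SPF record at the same name, is reported, because either one means the domain can still be used to send mail or will produce a permanent SPF error at receivers.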

References

1. Cloudflare. “How to protect domains that do not send email.” 2024.

2. Central Digital and Data Office. “Protect domains that do not send email.” 2021.

3. Wikipedia. “DomainKeys Identified Mail.” 2024.

4. Wikipedia. “DMARC.” 2024.

5. Wikipedia. “Sender Policy Framework.” 2023.