Secure No-Email Domains

Last Edit: 2024.01.21


Configure DNS records for domains that do not send email to prevent spam.


There should be no MX records if the domain will not be sending or receiving email. Delete existing MX records if the domain will no longer be used to send or receive email.


Create Sender Policy Framework (SPF) records for the base domain (@) and all subdomains (*). SPF records identify systems allowed to send email on the domain’s behalf.

For domains that do send email, refer to the email provider’s documentation for creating correct SPF records.

Base Domain

This record states that no systems are allowed to send email for the base domain (@).

Type: TXT | Name: @ | Value: v=spf1 -all | TTL: 3600
@ 3600 IN TXT "v=spf1 -all"


This record states that no systems are allowed to send email for any subdomains (*). It only works with DNS providers that support wildcard TXT records.

Type: TXT | Name: * | Value: v=spf1 -all | TTL: 3600
* 3600 IN TXT "v=spf1 -all"


Create DomainKeys Identified Mail (DKIM) records for the domain. DKIM records publish a public key used to validate that a sender is authorized to send email on that domain. For domains that don’t send email, this should be explicitly defined to be empty.

This record states that the value of any DKIM public key (*._domainkey) is empty and does not exist.

Type: TXT | Name: *._domainkey | Value: v=DKIM1; p=; | TTL: 3600
*._domainkey 3600 IN TXT "v=DKIM1; p=;"


Create a Domain-based Message Authentication, Reporting and Conformance (DMARC) record to set a DMARC policy. DMARC policies define how to verify an email is legitimate using SPF and DKIM, and how to handle an email that fails verification.

The following record states that emails must adhere strictly to both SPF and DKIM, and all emails that fail verification should be rejected.

Type: TXT | Name: _dmarc | Value: v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s; | TTL: 3600
_dmarc 3600 IN TXT "v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s;"
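
To confirm that an exported zone matches all of the records above (no MX, SPF `-all` on `@` and `*`, an empty wildcard DKIM key, and the reject DMARC policy), a small audit script can be run over the zone text. This is an added example, not code from the cited sources; the function names and both sample zones are constructed, and it assumes records in the `name TTL IN TYPE value` form shown on this page.

```python
import re

# Zone-file lines in the format used on this page: name, TTL, class, type, value.
RECORD = re.compile(r'^(\S+)\s+(\d+)\s+IN\s+(\S+)\s+(.*)$')

def parse_zone(text):
    """Return a list of (name, rtype, value) tuples, unquoting TXT values."""
    records = []
    for line in text.splitlines():
        m = RECORD.match(line.strip())
        if m:
            name, _ttl, rtype, value = m.groups()
            records.append((name, rtype.upper(), value.strip().strip('"')))
    return records

def tags(value):
    """Split a 'k=v; k=v;' TXT value (DKIM/DMARC) into a dict."""
    pairs = (part.split('=', 1) for part in value.split(';') if '=' in part)
    return {k.strip().lower(): v.strip() for k, v in pairs}

def audit(zone_text):
    """Return a list of findings; an empty list means the zone matches the page."""
    recs = parse_zone(zone_text)
    txt = lambda name: [v for n, t, v in recs if n == name and t == 'TXT']
    findings = [f"MX record present: {v}" for n, t, v in recs if t == 'MX']
    for name in ('@', '*'):
        spf = [v for v in txt(name) if v.lower().startswith('v=spf1')]
        if len(spf) != 1 or spf[0].lower().split() != ['v=spf1', '-all']:
            findings.append(f"SPF for {name} is not exactly 'v=spf1 -all'")
    dkim = [tags(v) for v in txt('*._domainkey')]
    if not any(t.get('v') == 'DKIM1' and t.get('p') == '' for t in dkim):
        findings.append("no empty-key DKIM record at *._domainkey")
    dmarc = [tags(v) for v in txt('_dmarc') if v.startswith('v=DMARC1')]
    want = {'p': 'reject', 'sp': 'reject', 'adkim': 's', 'aspf': 's'}
    if len(dmarc) != 1:
        findings.append("expected exactly one DMARC record at _dmarc")
    else:
        findings += [f"DMARC {k}={dmarc[0].get(k)!r}, expected {v!r}"
                     for k, v in want.items() if dmarc[0].get(k) != v]
    return findings

# Constructed sample zones (not from a real domain).
GOOD = '''@ 3600 IN TXT "v=spf1 -all"
* 3600 IN TXT "v=spf1 -all"
*._domainkey 3600 IN TXT "v=DKIM1; p=;"
_dmarc 3600 IN TXT "v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s;"'''
BAD = '''@ 3600 IN MX 10 mail.example.com.
@ 3600 IN TXT "v=spf1 ~all"
_dmarc 3600 IN TXT "v=DMARC1; p=none;"'''
```

`audit(GOOD)` returns an empty list, while `audit(BAD)` reports the leftover MX record, the soft-fail SPF, the missing wildcard SPF and DKIM records, and each DMARC tag that differs from the policy above.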


1 2 3 4 5

  1. Cloudflare. “How to protect domains that do not send email.” 2024.

  2. Central Digital and Data Office. “Protect domains that do not send email.” 2021.

  3. Wikipedia. “DomainKeys Identified Mail.” 2024.

  4. Wikipedia. “DMARC.” 2024.

  5. Wikipedia. “Sender Policy Framework.” 2023.